Home

Awesome

CaaSa

Container as a Service admin

DemoDocker Hub Docker HubCI

Outsource the administration of a handful of containers to your co-workers.

CaaSa provides a simple web-interface to handle basic container admin tasks:

Restrict permissions per container and user

Getting started

1. Deploy CaaSa

version: '2.4'
services:
  caasa:
    image: knrdl/caasa
    restart: always
    environment:
      ROLES_caasa_admin_basic: info, state, logs, procs, files, files-read
      ROLES_caasa_admin_full: info, info-annotations, state, logs, term, procs, files, files-read, files-write
      AUTH_API_URL: https://identity.mycompany.com/login
      AUTH_API_FIELD_USERNAME: username
      AUTH_API_FIELD_PASSWORD: password
    ports:
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    mem_limit: 150m
    cpu_count: 1

:warning: For production is a reverse-proxy with TLS termination in front of CaaSa highly recommended

Roles are defined via environment variables and might contain these permissions:

2. Authentication

There are 3 methods available:

2.1 Restful authentication

To perform logins CaaSa sends http-post requests to the URL defined in the environment variable AUTH_API_URL. The requests contain a json body with username and password. The json field names are defined via environment variables AUTH_API_FIELD_USERNAME (default: username) and AUTH_API_FIELD_PASSWORD (default: password). A 2XX response code (e.g. 200 OK) represents a successful login.

2.2 Dummy authentication

Set the environment variable AUTH_API_URL=https://example.org. Now you can log in with any username and password combination.

:warning: Only useful for tests and demos. Not suitable for productive usage.

2.3 WebProxy authentication

CaaSa can read the username from a http request header. This header must be supplied by a reverse proxy in front of CaaSa. It can be specified via the environment variable WEBPROXY_AUTH_HEADER. A typical header name is Remote-User.

:warning: The header must be supplied by the reverse proxy. A value provided by a malicious client must be overwritten.

3. Annotate containers

If a container should be visible in CaaSa, it must be annotated with a label defined above as ROLES_<labelname> and list all permitted usernames (or user IDs). Usernames are treated as case-insensitive.

docker run -it --rm --name caasa_demo --label caasa.admin.full=user1,user2 nginx:alpine

In this example the users user1 and user2 are granted the rights of the caasa.admin.full role for the container caasa_demo via CaaSa web interface.

Screenshot

Screenshot