Exposed Docker Socket

# Vulnerable docker-compose.yml
version: '3.8'
services:
  jenkins:
    image: jenkins/jenkins:lts
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock  # DANGEROUS!
      - jenkins_home:/var/jenkins_home
    ports:
      - "8080:8080"
    user: root  # Even worse when combined with root

# Vulnerable docker run command
docker run -d -p 8080:8080 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v jenkins_home:/var/jenkins_home \
  jenkins/jenkins:lts

# Secure docker-compose.yml using Docker-in-Docker (DinD)
version: '3.8'
services:
  jenkins:
    image: jenkins/jenkins:lts
    environment:
      - DOCKER_HOST=tcp://docker:2376
      - DOCKER_CERT_PATH=/certs/client
      - DOCKER_TLS_VERIFY=1
    volumes:
      - jenkins_home:/var/jenkins_home
      - docker-certs-client:/certs/client:ro
    ports:
      - "8080:8080"
    depends_on:
      - docker

  docker:
    image: docker:dind
    privileged: true  # Required for DinD
    environment:
      - DOCKER_TLS_CERTDIR=/certs
    volumes:
      - docker-certs-client:/certs/client
      - docker-certs-ca:/certs/ca
      - jenkins_docker:/var/lib/docker
    networks:
      - jenkins
    expose:
      - "2376"

volumes:
  jenkins_home:
  docker-certs-client:
  docker-certs-ca:
  jenkins_docker:

networks:
  jenkins:

# Using Kaniko for rootless builds
apiVersion: v1
kind: Pod
metadata:
  name: kaniko-build
spec:
  containers:
  - name: kaniko
    image: gcr.io/kaniko-project/executor:latest
    args:
      - "--context=git://github.com/your-repo/project.git"
      - "--destination=your-registry/image:tag"
      - "--cache=true"
    volumeMounts:
    - name: docker-config
      mountPath: /kaniko/.docker
  volumes:
  - name: docker-config
    secret:
      secretName: docker-registry-credentials