1. Overview

Prisma Cloud lets you control access to Docker commands based on group membership.

Prisma Cloud lets you:

  • Secure access to remote Docker Engine instances.

  • Control access to Docker commands on a user-by-user basis.

After integrating Twistock with Active Directory, OpenLDAP, or SAML, you could create a group called Dev Team. Then in Console, you could grant all users in Dev Team permission to remotely run any Docker commands on hosts in the development environment, but deny permission to create, start, or stop containers on hosts in the production environment.

2. Potential Issues

You cannot run Docker commands

First remove Prisma Cloud from the equation. Verify that you can communicate with Docker locally without Defender in the middle. After you have verified this setup, review the parameters you pass to the docker client.

Your policies are not being properly enforced.

Verify your user is in the AD group by following the below steps on the Docker host(s) where you’re trying to execute a command:

  1. Install ldap-utils:

    $ sudo apt-get install ldap-utils
  2. Query Active Directory to verify that your user belongs to your AD group. Use the same parameters that you specified in your integration configuration.

    $ ldapsearch \
      -x -H [LDAP_URL] \
      -D [LDAP_ADMIN_UPN] \
      -W \
      -b [LDAP_SEARCH_BASE]\
      -s sub (&(userPrincipalName=[UPN])(memberof=[LDAP_GROUP_DN]))

    Where:

    UPN

    User Principal Name of the user

    LDAP_GROUP_DN

    Full DN of the LDAP group. For example: CN=group1,DC=USERS,DC=TWISTLOCK,DC=LOCAL