
> people still expose Docker over the internet -- which is literally a free root-level RCE for anyone who figures out you're hosting it

By default, docker-machine (which sets up internet-accessible docker instances) uses TLS client certificates, so no, this does not give a "free root-level RCE". This is just spreading FUD. (This does not detract from the parent's point that "access to docker.sock" == "root on the host". That part is true.)




I was not referring to docker-machine here, I'm not sure why you think I was referring to it (I didn't even mention it). I was talking about people who do `dockerd -H tcp://:8080` and ignore the warning that tells them this is insecure. This is not a strawman, there were blog posts in the past few months where they mentioned in passing that their firewall was misconfigured and allowed unauthenticated access to their Docker hosts[1].

I didn't mention TLS certificates with -H tcp:// because it wasn't really related to the main point I was making -- yes you can configure it to be secure but again security is not the default. I felt so strongly about this I pushed for having a required flag to allow insecure TCP access[2]. I am more than aware this can be done safely, it just isn't done safely often enough that you see this type of misconfiguration in blog posts.

[1]: https://kromtech.com/blog/security-center/cryptojacking-inva...
[2]: https://github.com/moby/moby/pull/37299
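A configuration check in the spirit of the point above, added here as an example (it is not code from the thread or from the Moby project): it classifies each tcp:// listener on a dockerd command line or in a daemon.json by whether `--tlsverify` / `"tlsverify"` is set, so an unauthenticated all-interfaces bind like `tcp://:8080` is flagged. The command line and daemon.json below are constructed sample inputs; the file paths in them are placeholders.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from the thread): a dockerd command
# line of the kind the comment describes, and a daemon.json that requires
# client certificates. Certificate paths are placeholders.
INSECURE_CMD = "dockerd -H unix:///var/run/docker.sock -H tcp://:8080"
SECURE_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def classify(hosts, tlsverify):
    """Map each tcp:// listener to a verdict; unix:// sockets are skipped."""
    verdicts = {}
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        bind = urlsplit(h).hostname or ""  # "tcp://:8080" binds every interface
        if tlsverify:
            verdicts[h] = "TLS_CLIENT_AUTH"
        elif bind in ("127.0.0.1", "localhost", "::1"):
            verdicts[h] = "LOOPBACK_PLAINTEXT"  # unauthenticated, but local only
        else:
            verdicts[h] = "REMOTE_PLAINTEXT"  # unauthenticated API == root on host
    return verdicts


def parse_cmdline(cmd):
    """Pull -H/--host values and the --tlsverify switch out of a dockerd command line."""
    args = shlex.split(cmd)
    hosts, tlsverify = [], False
    i = 0
    while i < len(args):
        a = args[i]
        if a in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif a.startswith(("-H=", "--host=")):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def audit_cmdline(cmd):
    """Verdict per tcp:// listener for a dockerd command line."""
    return classify(*parse_cmdline(cmd))


def audit_daemon_json(text):
    """Verdict per tcp:// listener for a daemon.json document."""
    cfg = json.loads(text)
    return classify(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))
```

Run `audit_cmdline` against the `dockerd` line from `ps` output on a host, or `audit_daemon_json` against `/etc/docker/daemon.json`; any `REMOTE_PLAINTEXT` verdict is the misconfiguration the thread is about.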


Security with client certificates is the default using the vendor-supplied tooling for bringing up remote docker hosts, docker-machine. This is why I brought it up. It’s not some 3p whatever, this is the vendor’s tooling and it is not insecure by default.



