I have a VM that I want to use to run buildkite on an open source project, both for the master (post-review) and PRs (pre-review), and I would like to offer the dockerization experience to the users via the docker plugin for buildkite, as the project heavily relies on it.
However, I obviously do not want users to escalate privileges in the VM through buildkite builds.
Specifically, I was planning to add a user, buildkite, to the machine specifically to run the buildkite agent daemon. However, doing so and allowing docker requires
sudo usermod -aG docker buildkite
which opens up the Docker daemon attack surface. This would not be a problem if the builds were reviewed prior to being run, but PRs are by definition not reviewed, and thus this would open up a large security hole.
Do you have any specific recommendations on this topic?