Do not Expose the Docker Daemon Socket

The Docker socket /var/run/docker.sock is the UNIX socket on which the Docker daemon listens, and it is the primary entry point for the Docker API. The socket is owned by root, so giving someone access to it is equivalent to giving them unrestricted root access to the host.

Do not enable TCP Docker Daemon Socket.

Do not run the Docker daemon with -H tcp://0.0.0.0:XXX or similar. Doing so exposes unencrypted and unauthenticated direct access to the Docker daemon over the network. If remote access is required, secure it as described under "Daemon socket option".

Do not Expose /var/run/docker.sock to other containers.

Do not run your Docker image with -v /var/run/docker.sock:/var/run/docker.sock or similar. Mounting the socket read-only is not a solution; it only makes exploitation slightly harder. The equivalent in a docker-compose file looks like this:

    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
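As an added example covering both rules above (not part of the cheat sheet), two POSIX sh helpers that audit a host for a TCP-exposed daemon and for containers that mount the daemon socket. They take captured command output as text so they run offline; the sample input below is constructed, and the commands that produce the real input are named in the comments.

```shell
#!/bin/sh
# Added example, not from the cheat sheet: audit helpers for the two
# exposures described above. Each reads text passed as its argument so it
# can be run against captured output; on a live host, feed it the output
# of the commands named below.

# Returns 0 (true) when the daemon is configured to listen on TCP without
# --tlsverify (i.e. no client certificate verification). Input is the dockerd
# command line, e.g. from:  ps -o args= -C dockerd
# or the contents of /etc/docker/daemon.json.
daemon_tcp_unverified() {
  printf '%s\n' "$1" | grep -q 'tcp://' || return 1
  printf '%s\n' "$1" | grep -Eq -- '--tlsverify|"tlsverify" *: *true' && return 1
  return 0
}

# Prints the names of containers whose mounts include the host Docker socket.
# Read-only mounts are reported too, since :ro does not remove the risk.
# Input is one line per container, as produced by:
#   docker ps -q | xargs docker inspect --format '{{.Name}} {{json .Mounts}}'
# (.Mounts covers both -v and --mount style bind mounts.)
containers_mounting_socket() {
  printf '%s\n' "$1" | grep -F '/var/run/docker.sock' | awk '{ print $1 }'
}

# Constructed sample data standing in for real command output
# (the .Mounts JSON is abbreviated to the fields that matter here).
SAMPLE_DOCKERD='dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375'
SAMPLE_INSPECT='/web [{"Type":"bind","Source":"/srv/www","Destination":"/usr/share/nginx/html","RW":false}]
/agent [{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/var/run/docker.sock","RW":false}]
/db [{"Type":"volume","Source":"/var/lib/docker/volumes/db/_data","Destination":"/var/lib/postgresql","RW":true}]
/ci [{"Type":"bind","Source":"/var/run/docker.sock","Destination":"/docker.sock","RW":true}]'

if daemon_tcp_unverified "$SAMPLE_DOCKERD"; then
  echo "FINDING: daemon listens on TCP without TLS client verification"
fi
for c in $(containers_mounting_socket "$SAMPLE_INSPECT"); do
  echo "FINDING: container $c has the host Docker socket mounted"
done
```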