catalog / docker.io/library/traefik / criteria

traefik — validation criteria

Per-image acceptance criteria for the docker.io/library/traefik profile. Validated against …@sha256:0bd09a37… (tag v3.7), derived by drop-test against the file-provider reverse-proxy invocation — static config via command flags, one routed upstream. Capabilities trim 14 → 1.

Representative workload / correctness check

profiles/workloads/traefik.sh — a request on entrypoint :80 must be routed through a traefik router to an upstream named backend (in the derivation stack, a pinned caddy on the shared in-stack network) and answered with the backend's content: entrypoint → router → service → proxied upstream response, the full proxy path. The dynamic file-provider config is docker-cp'd into /tmp after start (traefik runs with --providers.file.directory=/tmp --providers.file.watch=true and hot-loads it) — a daemon-side write that exercises no capability inside the target, so it cannot pollute the minimum. Probes run from a curl sidecar sharing the target's netns.

capabilities — derived by drop-test

filesystem — derived by drop-test

Scope — the docker-socket variant is deliberately OUT

The popular alternative wiring — --providers.docker with /var/run/docker.sock mounted — is not covered and cannot be: the socket grants root-equivalent control of the host, which is the dominant risk of that deployment shape. No capability minimum addresses it, and this profile must not be read as making a socket-mounted traefik safe. (Socket-scope observation is tracked upstream in csd#110 and is signal-blocked at the pinned gadget set.) If you run the docker provider, treat the socket — not caps — as the thing to mitigate (socket-proxy, read-only API filters, or the file/HTTP providers instead).

Scope (run_config + out-of-band conditions)