
Why does Docker not support multi-tenancy?

Updated: 2023-12-03 14:45:46

One of the key features most assume with a multi-tenancy tool is isolation between each of the tenants. They should not be able to see or administer each other's containers and/or data.

The docker-ce engine is a sysadmin level tool out of the box. Anyone that can start containers with arbitrary options has root access on the host. There are 3rd party tools like Twistlock that connect with an authz plugin interface, but they only provide coarse access controls; each person is either allowed or disallowed from an entire class of activities, like starting containers or viewing logs. Giving users access to either the TLS port or the Docker socket results in the users being lumped into a single category; there's no concept of groups or namespaces for the users connecting to a docker engine.

For multi-tenancy, docker would need to add a way to define users, and place them in a namespace that is only allowed to act on specific containers and volumes, and restrict options that allow breaking out of the container like changing capabilities or mounting arbitrary filesystems from the host. Docker's enterprise offering, UCP, does begin to add these features by using labels on objects, but I haven't had the time to evaluate whether this would provide a full multi-tenancy solution.
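To make the answer's point concrete, here is an added example (not code from the answer, Docker, or any authz plugin) of the kind of per-tenant check such a plugin would have to apply to a container-create request. It assumes the plugin has already decoded the JSON body of `POST /containers/create` into a dict; the `tenant` label, the `/tenants/<name>` host directory layout and the policy itself are constructed for illustration.

```python
import json
import os

# Constructed per-tenant policy for the decoded JSON body of a Docker
# "create container" request. This is not Docker's authz plugin API; it only
# shows which HostConfig options a tenant-aware check would have to refuse.
HOST_NAMESPACE_MODES = ("host",)

def check_create_request(body: dict, tenant: str, allowed_bind_prefix: str) -> list:
    """Return a list of policy violations; an empty list means the request may proceed."""
    violations = []
    host = body.get("HostConfig") or {}
    labels = body.get("Labels") or {}

    # Tenant scoping: every object must carry the tenant label so that later
    # list/inspect/remove calls can be filtered down to that tenant's objects.
    if labels.get("tenant") != tenant:
        violations.append("missing or mismatched tenant label")

    # Options that hand out host-level access regardless of the tenant.
    if host.get("Privileged"):
        violations.append("Privileged=true")
    for cap in host.get("CapAdd") or []:
        violations.append(f"CapAdd {cap}")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if host.get(key) in HOST_NAMESPACE_MODES:
            violations.append(f"{key}=host")

    # Bind mounts: only the tenant's own host directory is acceptable. Paths are
    # normalised first so "/tenants/acme/../../etc" is judged as "/etc".
    prefix = allowed_bind_prefix.rstrip("/") + "/"
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if not src.startswith("/"):
            continue  # a named volume, not a host path
        src = os.path.normpath(src)
        if not (src + "/").startswith(prefix):
            violations.append(f"host path bind {src}")
    return violations

# Constructed sample request: one legitimate bind plus three options that
# would let the tenant escape its container.
SAMPLE_REQUEST = json.loads("""{
  "Image": "alpine",
  "Labels": {"tenant": "acme"},
  "HostConfig": {
    "Privileged": false,
    "CapAdd": ["SYS_ADMIN"],
    "PidMode": "host",
    "Binds": ["/tenants/acme/data:/data", "/:/host:ro", "dbvol:/var/lib/db"]
  }
}""")

if __name__ == "__main__":
    for v in check_create_request(SAMPLE_REQUEST, "acme", "/tenants/acme"):
        print("DENY:", v)
```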