Add agent.docker_args_filters config option (#1019)

2025-01-30 22:18:02 +00:00 · 2025-01-30 09:53:35 +02:00 · 2025-01-30 09:53:35 +02:00 · 93be9006f3
commit 93be9006f3
parent 82cd870812
2 changed files with 10 additions and 0 deletions
--- a/docs/clearml_agent/clearml_agent_env_var.md
+++ b/docs/clearml_agent/clearml_agent_env_var.md
@ -23,6 +23,7 @@ but can be overridden by command-line arguments.
 |**CLEARML_CUDNN_VERSION** | Sets the CUDNN version to be used                                                                                                                                                                                                               |
 |**CLEARML_CPU_ONLY** | Force CPU only mode                                                                                                                                                                                                                             |
 |**CLEARML_DOCKER_SKIP_GPUS_FLAG** | Skips the GPUs flag (support for docker V18)                                                                                                                                                                                                     |
+|**CLEARML_AGENT_DOCKER_ARGS_FILTERS**| Set a whitelist of allowed Docker arguments. Only arguments matching the specified patterns can be used when running a task. Use `shlex.split` whitespace-separated format. For example: `CLEARML_AGENT_DOCKER_ARGS_FILTERS="^--env$ ^-e$"`|
 |**CLEARML_AGENT_DOCKER_ARGS_HIDE_ENV** | Hide Docker environment variables containing secrets when printing out the Docker command. When printed, the variable values will be replaced by `********`. See [`agent.hide_docker_command_env_vars`](../configs/clearml_conf.md#hide_docker) |
 |**CLEARML_AGENT_DISABLE_SSH_MOUNT** | Disables the auto `.ssh` mount into the docker                                                                                                                                                                                                  |
 |**CLEARML_AGENT_FORCE_CODE_DIR**| Allows overriding the remote execution code directory to bypass repository cloning and use a repo already available where the remote agent is running. |
--- a/docs/configs/clearml_conf.md
+++ b/docs/configs/clearml_conf.md
@ -134,6 +134,15 @@ Use with care! This might introduce security risks by allowing access to keys/se
 the same argument is passed in both. If set to `False`, a task's docker arguments will override the `extra_docker_arguments`.

 ---
+
+**`agent.docker_args_filters`** (*list*)
+
+* Set a whitelist of allowed Docker arguments. Only arguments matching the specified patterns can be used when running
+a task. For example: `docker_args_filters: ["^--env$", "^-e$"]`.
+
+
+---
+
 **`agent.docker_container_name_format`** (*string*)

 :::note Compatibility Required