From 93be9006f3a90fab0f59037f831e0466ab0203a2 Mon Sep 17 00:00:00 2001
From: pollfly <75068813+pollfly@users.noreply.github.com>
Date: Thu, 30 Jan 2025 09:53:35 +0200
Subject: [PATCH] Add `agent.docker_args_filters` config option (#1019)

---
 docs/clearml_agent/clearml_agent_env_var.md | 1 +
 docs/configs/clearml_conf.md                | 9 +++++++++
 2 files changed, 10 insertions(+)

diff --git a/docs/clearml_agent/clearml_agent_env_var.md b/docs/clearml_agent/clearml_agent_env_var.md
index 1f55bb9c..93c7c6ff 100644
--- a/docs/clearml_agent/clearml_agent_env_var.md
+++ b/docs/clearml_agent/clearml_agent_env_var.md
@@ -23,6 +23,7 @@ but can be overridden by command-line arguments.
 |**CLEARML_CUDNN_VERSION** | Sets the CUDNN version to be used                                                                                                                                                                                                               |
 |**CLEARML_CPU_ONLY** | Force CPU only mode                                                                                                                                                                                                                             |
 |**CLEARML_DOCKER_SKIP_GPUS_FLAG** | Skips the GPUs flag (support for docker V18)                                                                                                                                                                                                     |
+|**CLEARML_AGENT_DOCKER_ARGS_FILTERS**| Set a whitelist of allowed Docker arguments. Only arguments matching the specified patterns can be used when running a task. Use `shlex.split` whitespace-separated format. For example: `CLEARML_AGENT_DOCKER_ARGS_FILTERS="^--env$ ^-e$"`|
 |**CLEARML_AGENT_DOCKER_ARGS_HIDE_ENV** | Hide Docker environment variables containing secrets when printing out the Docker command. When printed, the variable values will be replaced by `********`. See [`agent.hide_docker_command_env_vars`](../configs/clearml_conf.md#hide_docker) |
 |**CLEARML_AGENT_DISABLE_SSH_MOUNT** | Disables the auto `.ssh` mount into the docker                                                                                                                                                                                                  |
 |**CLEARML_AGENT_FORCE_CODE_DIR**| Allows overriding the remote execution code directory to bypass repository cloning and use a repo already available where the remote agent is running. |
diff --git a/docs/configs/clearml_conf.md b/docs/configs/clearml_conf.md
index 859c7bd9..6cb9e210 100644
--- a/docs/configs/clearml_conf.md
+++ b/docs/configs/clearml_conf.md
@@ -134,6 +134,15 @@ Use with care! This might introduce security risks by allowing access to keys/se
 the same argument is passed in both. If set to `False`, a task's docker arguments will override the `extra_docker_arguments`.
 
 ---
+
+**`agent.docker_args_filters`** (*list*)
+
+* Set a whitelist of allowed Docker arguments. Only arguments matching the specified patterns can be used when running
+a task. For example: `docker_args_filters: ["^--env$", "^-e$"]`.
+
+
+---
+
 **`agent.docker_container_name_format`** (*string*)
 
 :::note Compatibility Required