
Latest dind uses TLS by default (great) which is impossible to configure clients that don't run as root #171

@rlees85

Description


It's great that dockerd is now configured for TLS by default, with the required certificates generated automatically.

Unfortunately, I have tried to configure this in our Jenkins environment and found it impossible to make any use of.

I have two containers running in a pod. One is "dind" and the other is Jenkins JNLP.

A volume, /certs/client, is shared between the containers. dind runs as root (I assume it must; I did not configure this specifically) and generates the certificates as root. The private key gets mode 600.

The client runs as jenkins (UID 10000).

I have tried configuring the fsGroup in the Kubernetes spec but as the mode is 600 and not something else like 640 it is impossible for the Jenkins JNLP docker client to speak to dind using TLS.

I would suggest making everything generated by dockerd mode 640 as the default group is root anyway.
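To make the permission reasoning in this issue concrete, here is an added example (not code from the issue or from the docker image) that models the POSIX read check for the scenario described: the key is owner-readable only, so a group grant via fsGroup cannot help until the group read bit is set. The UIDs, the file name, and the assumption that fsGroup makes files in the shared volume group-owned by that GID are assumptions for the example.

```python
import stat
from typing import Optional, Set

# Constructed scenario: dind (UID 0) writes /certs/client/key.pem; the Jenkins
# JNLP client runs as UID 10000. With a pod fsGroup, the shared volume's files
# are group-owned by that GID and the client gets it as a supplementary group.
DIND_UID = 0
JENKINS_UID = 10000


def can_read(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: Set[int]) -> bool:
    """POSIX DAC read check. Exactly one permission class applies, chosen in
    the order owner -> group -> other. A non-owner who is in the file's group
    is judged by the group bits alone, so mode 600 denies them regardless of
    group membership."""
    if uid == 0:
        return True  # root bypasses DAC (CAP_DAC_READ_SEARCH)
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def jnlp_can_read_key(key_mode: int, fs_group: Optional[int]) -> bool:
    """Can the Jenkins client read the dind-generated private key?

    key_mode: mode dockerd assigns to key.pem (0o600 today, 0o640 proposed).
    fs_group: pod securityContext.fsGroup, or None when not set.
    """
    gids = {JENKINS_UID}          # primary group equals UID in this example
    owner_gid = DIND_UID          # root:root when no fsGroup is applied
    if fs_group is not None:
        gids.add(fs_group)        # supplementary group from fsGroup
        owner_gid = fs_group      # volume files inherit the fsGroup GID
    return can_read(key_mode, DIND_UID, owner_gid, JENKINS_UID, gids)


if __name__ == "__main__":
    for mode in (0o600, 0o640):
        for fs_group in (None, 10000):
            print(f"mode={mode:o} fsGroup={fs_group}: "
                  f"readable={jnlp_can_read_key(mode, fs_group)}")
```

The loop shows that only the combination of a group-readable mode (640) and an fsGroup yields a readable key; fsGroup alone leaves the client denied because no group bit is set.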
