diff --git a/container/docker/client.go b/container/docker/client.go
index b05724cd..a27bf0c2 100644
--- a/container/docker/client.go
+++ b/container/docker/client.go
@@ -18,9 +18,11 @@ package docker
 import (
+ "net/http"
 "sync"
 dclient "github.com/docker/engine-api/client"
+ "github.com/docker/go-connections/tlsconfig"
 )
 var (
@@ -29,9 +31,32 @@ var (
 dockerClientOnce sync.Once
 )
+// Client creates a Docker API client based on the given Docker flags
 func Client() (*dclient.Client, error) {
 dockerClientOnce.Do(func() {
- dockerClient, dockerClientErr = dclient.NewClient(*ArgDockerEndpoint, "", nil, nil)
+ var client *http.Client
+ if *ArgDockerTLS {
+ client = &http.Client{}
+ options := tlsconfig.Options{
+ CAFile: *ArgDockerCA,
+ CertFile: *ArgDockerCert,
+ KeyFile: *ArgDockerKey,
+ InsecureSkipVerify: false,
+ }
+ tlsc, err := tlsconfig.Client(options)
+ if err != nil {
+ dockerClientErr = err
+ return
+ }
+ client.Transport = &http.Transport{
+ TLSClientConfig: tlsc,
+ }
+ }
+ dockerClient, dockerClientErr = dclient.NewClient(*ArgDockerEndpoint,
+ "",
+ client,
+ nil)
+
 })
 return dockerClient, dockerClientErr
 }
diff --git a/container/docker/factory.go b/container/docker/factory.go
index d91c2dfb..cdf70c70 100644
--- a/container/docker/factory.go
+++ b/container/docker/factory.go
@@ -41,6 +41,10 @@ import (
 )
 var ArgDockerEndpoint = flag.String("docker", "unix:///var/run/docker.sock", "docker endpoint")
+var ArgDockerTLS = flag.Bool("docker-tls", false, "use TLS to connect to docker")
+var ArgDockerCert = flag.String("docker-tls-cert", "cert.pem", "path to client certificate")
+var ArgDockerKey = flag.String("docker-tls-key", "key.pem", "path to private key")
+var ArgDockerCA = flag.String("docker-tls-ca", "ca.pem", "path to trusted CA")
 // The namespace under which Docker aliases are unique.
 const DockerNamespace = "docker"
diff --git a/docs/runtime_options.md b/docs/runtime_options.md
index 14946bcc..2fce7a61 100644
--- a/docs/runtime_options.md
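Review bot: The TLS branch in Client() builds `client = &http.Client{}` and a bare `&http.Transport{TLSClientConfig: tlsc}`, so the TLS path runs with no `Timeout` on the client, no `TLSHandshakeTimeout` and no proxy settings on the transport, whereas the non-TLS path still passes a nil client and presumably lets engine-api build its own. A daemon that accepts the TCP connection but stalls the handshake would then hang the first API request indefinitely; `TLSHandshakeTimeout: 10 * time.Second` on the transport (or mirroring whatever defaults engine-api applies, which I can't see from here) would bound that. The error from `tlsconfig.Client` is stored without context; `dockerClientErr = fmt.Errorf("docker TLS config: %v", err)` would tell the operator which of the cert/key/CA flags to fix (both `time` and `fmt` would need adding in the import hunk above). `InsecureSkipVerify: false` is the zero value, so a short comment such as `// always verify the daemon's certificate against ArgDockerCA` would make the intent survive future edits. The four-line `dclient.NewClient(...)` call fits on one line, and the blank added line before `})` is noise.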
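Review bot: The new flags are spelled with hyphens (`docker-tls`, `docker-tls-cert`, `docker-tls-key`, `docker-tls-ca`) while the existing Docker flags use underscores (`docker_only`, `docker_root`, `docker_env_metadata_whitelist`, visible in the docs hunk below); the flag package treats these as distinct names, so the inconsistency becomes permanent once released. The defaults `"cert.pem"`, `"key.pem"` and `"ca.pem"` are relative paths resolved against the process working directory, so `-docker-tls` on its own loads whatever files happen to sit in the cwd; empty defaults that make Client() fail with a clear message when `-docker-tls` is set without explicit paths would be more predictable, or at minimum the help text should state that the paths are relative to the working directory. The descriptions could also name the flag they pair with, e.g. `"path to the client certificate used when -docker-tls is set"`.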
+++ b/docs/runtime_options.md
@@ -46,6 +46,10 @@ From [glog](https://github.com/golang/glog) here are some flags we find useful:
 --docker_env_metadata_whitelist="": a comma-separated list of environment variable keys that needs to be collected for docker containers
 --docker_only=false: Only report docker containers in addition to root stats
 --docker_root="/var/lib/docker": DEPRECATED: docker root is read from docker info (this is a fallback, default: /var/lib/docker) (default "/var/lib/docker")
+--docker-tls: use TLS to connect to docker
+--docker-tls-cert="cert.pem": client certificate for TLS-connection with docker
+--docker-tls-key="key.pem": private key for TLS-connection with docker
+--docker-tls-ca="ca.pem": trusted CA for TLS-connection with docker
 ```
 ## Housekeeping