Docker Platform Security Technologies

Security in swarm mode

Docker Swarm allows you to cluster multiple Docker hosts and deploy applications declaratively. Every Swarm is comprised of managers and workers that can be Linux or Windows. Managers host the control plane of the cluster and are responsible for configuring the cluster and dispatching work tasks. Workers are the nodes that run your application code as containers.

As expected, swarm mode includes many security features that are enabled out-of-the-box with sensible defaults. These include:

• Cryptographic node IDs
• TLS for mutual authentication
• Secure join tokens
• CA configuration with automatic certificate rotation
• Encrypted cluster store (config DB)
• Encrypted networks

Let’s walk through the process of building a secure swarm and configuring some of the security aspects.

To follow along with the complete set of examples you’ll need at least three Docker hosts running Docker 17.03 or higher. The examples cited use three Docker hosts called mgr1, mgr2, and wrk1. Each one is running Docker 19.03.4. There is network connectivity between all three hosts, and all three can ping each other by name.

Configure a secure Swarm

Run the following command from the node you want to be the first manager in the new swarm. In the example, we’ll run it from mgr1.