We will now summarize the checklist for securing a Swarm cluster. The Swarm team is working hard to achieve the goals of preventing attacks on the full stack, but the following rules apply in any case.
The first important step to guarantee security is deciding on how to use CA. When you form a cluster with the first node, it will automatically create a self-signed CA for the whole cluster. After spinning up, it creates CA, signs the certificate itself, adds the certificate for the manager, which is itself, and becomes the ready-to-operate 1-node cluster. When a new node joins, it gets the certificate by providing the correct token. Every node has its own identity which is cryptographically signed. Also, the system has a certificate for each rule, worker, or manager. The role is inside the identity information to tell who a node is. In the case that a manager leaks the root CA, the whole cluster is compromised. Docker Swarm mode supports...