Is it possible to limit the services that can access secrets created with docker secret create?
We work on multi-user docker host, with limited ability to restrict user access.
I’d like a way to grant access to the secrets I create only to certain services (mine!)
Are you in the happy position to have a Docker Enterprise subscription? Docker EE includes UCP, which provides a user and resource management that allows to restrict access to resources on a fine-grained level even for swarm stack deployments. Each user downloads a client bundle with the connection details to control the swarm through UCP.
Without Docker Enterprise, the answer is: nope, everyone who can control docker on a master node will be able to control all objects, including secrets.
Kubernetes has fine-grained RBAC security built in. Swarm by itself does not.
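As an added illustration of the Kubernetes RBAC point above (this is example configuration, not something posted in the thread), the manifests below keep a secret inside one namespace and grant read access on that one secret only to a named service account and a named user. All names here (team-a, db-password, team-a-app, alice, the image) are assumed placeholders, and the secret value is a constructed sample.

```yaml
# Added example: namespace-scoped secret plus a Role/RoleBinding that limits
# who may read it. Names are assumed placeholders; the value is constructed.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
apiVersion: v1
kind: Secret
metadata:
  name: db-password
  namespace: team-a
type: Opaque
stringData:
  password: "constructed-sample-value"   # constructed sample, not a real credential
---
# Service account the workload runs as. Pods in other namespaces cannot
# mount secrets from team-a at all, because Secrets are namespace-scoped.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: team-a-app
  namespace: team-a
---
# Role limited to this namespace and, via resourceNames, to this one secret.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: read-db-password
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["db-password"]
  verbs: ["get"]
---
# Bind the Role to the workload's service account and to one human user.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-db-password
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: team-a-app
  namespace: team-a
- kind: User
  name: alice        # assumed user name as presented by the cluster's authenticator
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: read-db-password
  apiGroup: rbac.authorization.k8s.io
---
# Workload that mounts the secret read-only; it can only reference
# secrets living in its own namespace.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: team-a-app
  namespace: team-a
spec:
  replicas: 1
  selector:
    matchLabels: {app: team-a-app}
  template:
    metadata:
      labels: {app: team-a-app}
    spec:
      serviceAccountName: team-a-app
      containers:
      - name: app
        image: example/app:latest   # placeholder image
        volumeMounts:
        - name: db-password
          mountPath: /run/secrets/db-password
          readOnly: true
      volumes:
      - name: db-password
        secret:
          secretName: db-password
```

After applying, `kubectl auth can-i get secrets/db-password -n team-a --as alice` should answer yes, while the same query for a user without a binding in team-a answers no. Two caveats a practitioner should keep in mind: any principal holding cluster-admin or another binding that grants secrets access in that namespace still reads the secret, and Secrets are only base64-encoded in etcd unless encryption at rest is configured on the API server.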
No, I am not in the happy position of having a Docker Enterprise subscription.
Thank you for your guidance, which is very helpful.
So, perhaps we can consider using Kubernetes under our current constraint, instead of Docker Swarm.