I’ve read the instructions at https://docs.docker.com/docker-for-azure/deploy/ about tunneling the docker client over SSH to the unix socket on the server. However port forwarding to a unix socket is quite niche, and needs a recent version of SSH that isn’t available on our in house systems.
This way we could use a more standard SSH client (including Java ones) to do continuous deployment from our build system. This isn’t a security risk, because it would still require the private key to connect, same as for a named socket. The alternative would be to run a container that forwarded the TCP port to the socket, but that seems quite clunky, and I’m not even sure if it’s possible for this container to attach to localhost on the container that is running the SSH server.
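For reference, the Unix-socket forwarding in the Docker for Azure instructions (`ssh -L 2375:/var/run/docker.sock user@host`) needs OpenSSH 6.7 or newer on the client. With an older or non-OpenSSH client you can only forward TCP, so something on the server side has to bridge a loopback TCP port to `/var/run/docker.sock`. The script below is an added example of that bridge, written here rather than taken from the post or from Docker; it is the same job the "container that forwards the TCP port to the socket" would do, without needing Docker networking at all, since it runs on the host next to the daemon. The port 2375, the socket path and the `/_ping` fake daemon used by `roundtrip_demo()` are assumptions for the demo; anything that can reach the forwarded port has root-equivalent control of the host, so it binds to 127.0.0.1 only and you then tunnel with a plain TCP forward.

```python
"""TCP -> Unix-socket forwarder for the Docker daemon socket (added example).

On the server:   python3 forward_docker.py          (listens on 127.0.0.1:2375)
On the client:   ssh -L 2375:127.0.0.1:2375 user@host
                 DOCKER_HOST=tcp://127.0.0.1:2375 docker ps
Port, socket path and the fake daemon in roundtrip_demo() are assumptions.
"""
import os
import shutil
import socket
import tempfile
import threading

DOCKER_SOCKET = "/var/run/docker.sock"   # dockerd's default Unix socket
LISTEN_HOST = "127.0.0.1"                # loopback only: the socket is root on the host
LISTEN_PORT = 2375


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def handle(client, socket_path):
    """Bridge one accepted TCP client to the Unix socket in both directions."""
    client.settimeout(None)
    upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        upstream.connect(socket_path)
    except OSError:
        client.close()          # daemon not there: drop the client, keep serving
        return
    t = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
    t.start()
    _pump(upstream, client)     # responses (including streamed logs) flow back here
    t.join()
    upstream.close()
    client.close()


def start_forwarder(socket_path=DOCKER_SOCKET, host=LISTEN_HOST, port=LISTEN_PORT):
    """Listen on host:port in a background thread. Returns (bound_port, stop_event)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((host, port))
    listener.listen(16)
    listener.settimeout(0.2)    # lets the accept loop notice stop_event
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                client, _ = listener.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(client, socket_path), daemon=True).start()
        listener.close()

    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1], stop


def _fake_daemon(path, ready):
    """Constructed stand-in for dockerd: answers GET /_ping with 200 OK like the real API."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(path)
    srv.listen(1)
    ready.set()
    conn, _ = srv.accept()
    request = b""
    while b"\r\n\r\n" not in request:
        chunk = conn.recv(4096)
        if not chunk:
            break
        request += chunk
    ok = request.startswith(b"GET /_ping ")
    body = b"OK" if ok else b"Not Found"
    status = b"200 OK" if ok else b"404 Not Found"
    conn.sendall(b"HTTP/1.0 " + status + b"\r\nContent-Length: "
                 + str(len(body)).encode() + b"\r\n\r\n" + body)
    conn.close()
    srv.close()


def roundtrip_demo(request=b"GET /_ping HTTP/1.0\r\n\r\n"):
    """Constructed end-to-end check: TCP client -> forwarder -> Unix socket -> fake daemon."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "docker.sock")
    ready = threading.Event()
    threading.Thread(target=_fake_daemon, args=(path, ready), daemon=True).start()
    ready.wait(5)
    port, stop = start_forwarder(path, "127.0.0.1", 0)   # port 0: OS picks a free one
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(request)
            c.shutdown(socket.SHUT_WR)
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
    finally:
        stop.set()
        shutil.rmtree(tmpdir, ignore_errors=True)
    return reply


if __name__ == "__main__":
    start_forwarder()
    threading.Event().wait()    # serve until killed
```

Because the listener is bound to loopback, the only way to reach it is through the SSH tunnel, so the access control is still the SSH private key, exactly as with the Unix-socket forward. If the SSH server on the host is itself a container, run this forwarder (or `socat`) in the host network namespace, or publish its port as `-p 127.0.0.1:2375:2375` so that `ssh -L 2375:127.0.0.1:2375` lands on it.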