Docker swarm and security


I’m writing a thesis about the security of orchestration services like Docker Swarm and have a question about the protocol used for control and traffic related to swarm services.

According to the documentation:

[…] An overlay network called ingress, which handles control and data traffic related to swarm services. When you create a swarm service and do not connect it to a user-defined overlay network, it connects to the ingress network by default.

But that is for the network-layer… I want to know what protocols are used for exchanging this traffic.

According to Diogo Mónica the security is modeled to withstand:

As a result, it becomes easier to secure clusters against even the most sophisticated attacker models: attackers that control the underlying communication networks or even compromised cluster nodes.

But what if an attacker also controls a certificate in addition to the underlying communications network? Is there a way to man-in-the-middle the control traffic related to swarm services, and thereby be able to inject a malicious node into the cluster?

Thank you for your time!