How to enable only on-node communication between containers of global swarm service1 and global swarm service2?

For security reasons I would like to protect my Docker socket with something like docker-socket-proxy, really making it read-only.

This works well with Traefik, when both Traefik and docker-socket-proxy are only running on Docker manager nodes and Traefik connects to the proxy via service name.

This does not work when using Portainer, which has agents spread across all nodes, each querying the local Docker socket for local containers.

Is it somehow possible to have two services like the Portainer agent and docker-socket-proxy spread across and running on all nodes, where every agent only talks to the local proxy instance?
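For reference, here is the manager-only setup the question says already works, written out as a stack file. This is an added example, not part of the original post: the image names (`tecnativa/docker-socket-proxy`, `traefik:v2.10`), the network name `socket-proxy`, and the exact set of proxy permissions are assumptions; the point is that the socket is only ever mounted into the proxy, the proxy exposes only the read-only endpoints Traefik's swarm provider needs, and Traefik reaches it over an internal overlay network by service name rather than by mounting the socket itself.

```yaml
# Assumed stack file for the working Traefik case (added example, not from the post).
# Weak variant, shown for contrast:
#   traefik:
#     volumes:
#       - /var/run/docker.sock:/var/run/docker.sock   # full read/write API in Traefik
#
# Hardened variant: only the proxy sees the socket, and only allows the
# read-only endpoints Traefik's swarm provider uses.
version: "3.8"

services:
  docker-socket-proxy:
    image: tecnativa/docker-socket-proxy   # assumption: this proxy image
    environment:
      # Read-only endpoints needed for swarm service discovery.
      CONTAINERS: 1
      SERVICES: 1
      TASKS: 1
      NETWORKS: 1
      # Everything else stays denied; POST is off by default (no writes).
      POST: 0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - socket-proxy          # internal only; no published port
    deploy:
      mode: global            # one proxy per node...
      placement:
        constraints:
          - node.role == manager   # ...but only on managers, where the API answers swarm queries

  traefik:
    image: traefik:v2.10       # assumption: Traefik v2 flag names below
    command:
      - --providers.docker=true
      - --providers.docker.swarmMode=true
      - --providers.docker.endpoint=tcp://docker-socket-proxy:2375   # by service name, not the socket
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
    ports:
      - "80:80"
    networks:
      - socket-proxy
      - public
    deploy:
      placement:
        constraints:
          - node.role == manager

networks:
  socket-proxy:
    driver: overlay
    internal: true            # no route out; only the proxy and its consumers are attached
  public:
    driver: overlay
```

Two checks worth running after deploying: from the Traefik container, `wget -qO- http://docker-socket-proxy:2375/services` should return JSON while `wget -qO- http://docker-socket-proxy:2375/images/json` (not enabled above) should be refused, and any `POST` (for example to `/containers/create`) should return 403. Note that with the service name resolving to a virtual IP, a global consumer on a worker would be load-balanced to any proxy task, not necessarily the one on its own node, which is exactly the gap the question is about for the Portainer agent.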