I have a requirement where a Docker Swarm node needs to run only an approved list of containers instead of any container that the swarm manager schedules on it.
In effect, what I want is control over what dockers can run on a particular swarm node, and that swarm node determines that.
One way I can accomplish that is to bundle all the needed containers on this swarm node and disconnect it from the registry.
The solution that I am looking for is probably an ACL that says, "here are the container IDs that I allow to run on this swarm node", and the swarm node owner can determine this list.
Thanks in advance.