I am trying out Docker Swarm to use in a production app. My concern here is security; I would love to isolate manager nodes so that they are somewhat separate (such as not running any application there, only possibly Portainer for the web interface).
I can restrict all stack components from running on managers using constraints. But even if I do that, I still see published ports (e.g. 8080) also being exposed on manager nodes, and I can successfully query the application through manager nodes.
While the routing mesh is a nice feature, I think there should be a way to avoid having ports exposed on absolutely all nodes.
I may have missed some obvious way to do that; I would appreciate pointers to docs that describe how to do this.
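As an added illustration (not part of the original post), here is a stack file that combines the placement constraint described in the question with host-mode port publishing, which bypasses the ingress routing mesh so the port is opened only on nodes that actually run a task; the service name, image and port are assumed placeholders:

```yaml
# Added example stack file, not from the original post.
# Assumed placeholders: service "web", image "example/web:1.0", port 8080.
version: "3.8"

services:
  web:
    image: example/web:1.0
    deploy:
      # One task per eligible node; with the constraint below that means
      # one task per worker and none on managers.
      mode: global
      placement:
        constraints:
          - node.role == worker
    ports:
      # mode: host binds the port on the task's own node instead of through
      # the ingress routing mesh, so managers (which run no task) do not
      # listen on 8080. Trade-off: no mesh load balancing, and only one task
      # per node can own the port, which is why "global" mode is used here.
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
```

After `docker stack deploy -c stack.yml app`, `docker service inspect app_web --format '{{json .Endpoint.Spec.Ports}}'` should report `"PublishMode":"host"`, and the port should no longer answer on a manager that runs no task.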