[Swarm Mode] Separate Portainer Agent out into its own network with Portainer
cinderblockgames commented
Since Portainer Agent allows for control over the docker socket, it's better not to have it exposed to every container on the network (even if Portainer Agent only allows the first client to connect unless you have an additional secret).
Really, should have three networks:
- portainer, for portainer and portainer agent [isolated]
- traefik, for traefik and portainer [isolated]
- traefik-private, for the cert updater, which doesn't need access to any other containers [not isolated]
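
The three-network layout proposed above, sketched as a Swarm stack file. This is an added example, not the repository's own stack: the image tags, hostname, secret value and cert-updater image are placeholders, and mapping "[isolated]" to `internal: true` is an assumption.

```yaml
# Added example. Placeholders: <shared-secret>, <cert-updater-image>, portainer.example.test.
version: "3.8"
services:
  agent:
    image: portainer/agent:latest
    environment:
      AGENT_SECRET: "<shared-secret>"      # optional; must match portainer below
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /var/lib/docker/volumes:/var/lib/docker/volumes
    networks: [portainer]                  # the agent joins nothing else
    deploy: {mode: global}
  portainer:
    image: portainer/portainer-ce:latest
    command: -H tcp://tasks.agent:9001 --tlsskipverify
    environment:
      AGENT_SECRET: "<shared-secret>"
    volumes:
      - portainer_data:/data
    networks: [portainer, traefik]         # only service attached to both networks
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - traefik.enable=true
        - traefik.docker.network=traefik   # proxy over the shared network only
        - traefik.http.routers.portainer.rule=Host(`portainer.example.test`)
        - traefik.http.routers.portainer.tls=true
        - traefik.http.services.portainer.loadbalancer.server.port=9000
  traefik:
    image: traefik:v2.11
    command:
      - --providers.docker.swarmMode=true
      - --entrypoints.websecure.address=:443
    ports: ["443:443"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [traefik]
    deploy: {placement: {constraints: [node.role == manager]}}
  cert-updater:
    image: "<cert-updater-image>"
    networks: [traefik-private]            # no route to agent, portainer or traefik
networks:
  # Explicit names keep the traefik.docker.network label free of the stack prefix.
  portainer: {name: portainer, driver: overlay, internal: true}
  traefik: {name: traefik, driver: overlay, internal: true}
  traefik-private: {name: traefik-private, driver: overlay}
volumes:
  portainer_data:
```

After deploying, `docker network inspect portainer` on a node running both tasks should list only the agent and Portainer containers as members.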