How PKI works in swarm modeEstimated reading time: 2 minutes
The swarm mode public key infrastructure (PKI) system built into Docker Engine makes it simple to securely deploy a container orchestration system. The nodes in a swarm use mutual Transport Layer Security (TLS) to authenticate, authorize, and encrypt the communications between themselves and other nodes in the swarm.
When you create a swarm by running
docker swarm init, the Docker Engine
designates itself as a manager node. By default, the manager node generates
itself a new root Certificate Authority (CA) along with a key pair to secure
communications with other nodes that join the swarm. If you prefer, you can pass
--external-ca flag to specify a root CA external to the swarm. Refer to
the docker swarm init CLI
The manager node also generates two tokens to use when you join additional nodes to the swarm: one worker token and one manager token. Each token includes the digest of the root CA’s certificate and a randomly generated secret. When a node joins the swarm, it uses the digest to validate the root CA certificate from the remote manager. It uses the secret to ensure the node is an approved node.
Each time a new node joins the swarm, the manager issues a certificate to the node that contains a randomly generated node id to identify the node under the certificate common name (CN) and the role under the organizational unit (OU). The node id serves as the cryptographically secure node identity for the lifetime of the node in the current swarm.
The diagram below illustrates how worker manager nodes and worker nodes encrypt communications using a minimum of TLS 1.2.
The example below shows the information from a certificate from a worker node:
Certificate: Data: Version: 3 (0x2) Serial Number: 3b:1c:06:91:73:fb:16:ff:69:c3:f7:a2:fe:96:c1:73:e2:80:97:3b Signature Algorithm: ecdsa-with-SHA256 Issuer: CN=swarm-ca Validity Not Before: Aug 30 02:39:00 2016 GMT Not After : Nov 28 03:39:00 2016 GMT Subject: O=ec2adilxf4ngv7ev8fwsi61i7, OU=swarm-worker, CN=dw02poa4vqvzxi5c10gm4pq2g ...snip...
By default, each node in the swarm renews its certificate every three months.
You can run
docker swarm update --cert-expiry <TIME PERIOD> to configure the
frequency for nodes to renew their certificates. The minimum rotation value is 1
hour. Refer to the docker swarm update