Merge pull request #18197 from neersighted/encrypted_swarm_ingress

engine/swarm/networking: add note about encrypted ingress
David Karlsson 2023-09-15 09:49:42 +02:00 committed by GitHub
commit a4c5dc0c3b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 4 deletions


@ -227,7 +227,7 @@ If you need more than 256 IP addresses, do not increase the IP block size. You c
endpoint mode with an external load balancer, or use multiple smaller overlay networks. See endpoint mode with an external load balancer, or use multiple smaller overlay networks. See
[Configure service discovery](#configure-service-discovery) for more information about different endpoint modes. [Configure service discovery](#configure-service-discovery) for more information about different endpoint modes.
#### Configure encryption of application data #### Configure encryption of application data {#encryption}
Management and control plane data related to a swarm is always encrypted. Management and control plane data related to a swarm is always encrypted.
For more details about the encryption mechanisms, see the For more details about the encryption mechanisms, see the
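Review bot: the explicit `{#encryption}` id on the heading replaces the auto-generated slug (`configure-encryption-of-application-data`), which is fine, but `encryption` is a generic anchor name on a long page; check that no other heading or in-page link already uses `#encryption` before merging, and keep the style consistent with the `{#customize-ingress}` id added further down in this same change.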
@ -239,6 +239,11 @@ network create`. This enables IPSEC encryption at the level of the vxlan. This
encryption imposes a non-negligible performance penalty, so you should test this encryption imposes a non-negligible performance penalty, so you should test this
option before using it in production. option before using it in production.
> **Note**
>
> You must [customize the automatically created ingress](#customize-ingress)
> to enable encryption. By default, all ingress traffic is unencrypted, as encryption
> is a network-level option.
## Attach a service to an overlay network ## Attach a service to an overlay network
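Review bot: the added note could be read as contradicting the sentence two paragraphs up that management and control plane data is always encrypted, because `all ingress traffic is unencrypted` does not say which traffic it means; scope it to application data, e.g. `> By default, application data on the ingress network is unencrypted, as encryption is a network-level option.` It would also help to name the flag to pass when the ingress network is recreated (`--opt encrypted`, the same `docker network create` option this section already describes for user-defined overlays), so readers do not have to infer it from the linked section.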
@ -294,12 +299,13 @@ round robin (DNSRR). You can configure this per service.
`--endpoint-mode dnsrr` when creating a new service or updating an existing `--endpoint-mode dnsrr` when creating a new service or updating an existing
one. one.
## Customize the ingress network ## Customize the ingress network {#customize-ingress}
Most users never need to configure the `ingress` network, but Docker allows you Most users never need to configure the `ingress` network, but Docker allows you
to do so. This can be useful if the automatically-chosen subnet to do so. This can be useful if the automatically-chosen subnet
conflicts with one that already exists on your network, or you need to customize conflicts with one that already exists on your network, or you need to customize
other low-level network settings such as the MTU. other low-level network settings such as the MTU, or if you want to
[enable encryption](#encryption).
Customizing the `ingress` network involves removing and recreating it. This is Customizing the `ingress` network involves removing and recreating it. This is
usually done before you create any services in the swarm. If you have existing usually done before you create any services in the swarm. If you have existing
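Review bot: the new clause `or if you want to [enable encryption](#encryption)` is appended to a list whose earlier items read `if the automatically-chosen subnet conflicts ... or you need to customize ...`, so the parallelism is now uneven; consider `..., if you need to customize other low-level network settings such as the MTU, or if you want to [enable encryption](#encryption).` Also, since the encryption section now sends readers here to do the enabling, the recreation steps this section introduces (`Customizing the ingress network involves removing and recreating it`) should show `--opt encrypted` on the command that recreates the ingress network; otherwise the two cross-references point at each other without either one stating the flag.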
@ -425,4 +431,4 @@ $ docker swarm join \
* [Swarm administration guide](admin_guide.md) * [Swarm administration guide](admin_guide.md)
* [Swarm mode tutorial](swarm-tutorial/index.md) * [Swarm mode tutorial](swarm-tutorial/index.md)
* [Networking overview](../../network/index.md) * [Networking overview](../../network/index.md)
* [Docker CLI reference](../reference/commandline/docker.md) * [Docker CLI reference](../reference/commandline/docker.md)
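Review bot: this hunk shows no visible textual difference between the two sides, so it is presumably a trailing-newline or whitespace-only change; that is fine to keep, but it is worth mentioning in the commit message so the extra hunk is not mistaken for a content edit to the reference list.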