Minimum number of manager nodes have been created in a swarm

docker

Classification:

compliance

Framework:

cis-docker

Control:

7.2


Description

You should ensure that the minimum number of required manager nodes is created in a swarm.

Rationale

Manager nodes within a swarm have control over the swarm and can change its configuration, including modifying security parameters. Having an excessive number of manager nodes could render the swarm more susceptible to compromise. If fault tolerance is not required in the manager nodes, a single node should be elected as a manager. If fault tolerance is required, then the smallest odd number of managers that achieves the appropriate level of tolerance should be configured. This should always be an odd number in order to ensure that a quorum can be reached.

Audit

Run docker info and verify the number of managers:

docker info --format '{{ .Swarm.Managers }}'

Alternatively, run the command:

docker node ls | grep 'Leader'

Remediation

If an excessive number of managers is configured, the excess nodes can be demoted to workers using the command docker node demote <ID>, where <ID> is the node ID of the manager to be demoted.
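The following script is an added example, not part of the original control text: it wraps the audit command above in a check that applies the rationale's rule (an odd manager count, no larger than needed) and points at the demotion command when the count is too high. The MAX_MANAGERS threshold is an assumption for this example (Docker's own documentation recommends at most seven managers); when no Docker daemon is reachable it falls back to a constructed sample value so it can still be exercised.

```shell
#!/bin/sh
# Added example for CIS Docker 7.2: evaluate the swarm manager count.
# MAX_MANAGERS is an assumed threshold chosen for this example.
MAX_MANAGERS=7

# check_manager_count N
# Returns 0 (pass) when N is odd and not above MAX_MANAGERS, 1 otherwise.
# Also reports the fault tolerance: a Raft quorum of N managers survives (N-1)/2 failures.
check_manager_count() {
  count="$1"
  case "$count" in
    ''|*[!0-9]*) echo "FAIL: non-numeric manager count '$count'"; return 1 ;;
  esac
  if [ "$count" -lt 1 ]; then
    echo "FAIL: no managers reported (is this node part of a swarm?)"; return 1
  fi
  tolerance=$(( (count - 1) / 2 ))
  if [ $((count % 2)) -eq 0 ]; then
    echo "FAIL: $count managers is even; use an odd count so a quorum is unambiguous (tolerates $tolerance failure(s))"
    return 1
  fi
  if [ "$count" -gt "$MAX_MANAGERS" ]; then
    echo "FAIL: $count managers exceeds MAX_MANAGERS=$MAX_MANAGERS; demote the excess with 'docker node demote <ID>'"
    return 1
  fi
  echo "PASS: $count manager(s), tolerates $tolerance manager failure(s)"
  return 0
}

# Read the live value when the docker CLI is available (the audit command from the control).
managers=""
if command -v docker >/dev/null 2>&1; then
  managers=$(docker info --format '{{ .Swarm.Managers }}' 2>/dev/null || true)
fi
# Constructed sample value used only when no daemon answered.
managers=${managers:-3}
check_manager_count "$managers" || echo "Control 7.2 check did not pass"
```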

Impact

None

Default value

Only a single manager is required to start a given cluster.

References

  1. https://docs.docker.com/engine/swarm/manage-nodes/
  2. https://docs.docker.com/engine/swarm/admin_guide/#/add-manager-nodes-for-fault-tolerance

CIS controls

Version 6

5 Controlled Use of Administration Privileges