Your 13 Step, Best Practice Checklist to Get Portainer Implemented in a Production Environment

by Neil Cresswell, on December 8, 2021

This is a best practice guide to getting Portainer up and running in a production environment.

For a guided, step-by-step of the process go to our Install guide; 


  1. Prepare the environment where Portainer server will be deployed
    This can be a dedicated VM, running Linux and Docker (or k3s/microk8s), or it can be a dedicated management cluster (swarm or Kubernetes). 
    1. Check – does this node have off-node persistent storage (eg a block storage device or NFS mount); if not, provision this first.
    2. Check – if this is a cluster, is the storage available across all nodes; if not, provision this first
    3. Check – if this is a swarm cluster, is the overlay network functional (create a global service, deploying a nginx container on each node, console into each and try to curl the nginx port on the other nodes); if this fails, check firewall ports and that VXLAN is able to be used.
    4. Check - Ensure you have root access to the Docker host and/or cluster-admin role against Kubernetes; if not, gain the correct permissions.

  2. Deploy Portainer using the instructions that match your environment

  3. On first login, change the admin user to something non-standard
    (eg <companyname>_admin, or <Portainer_admin>, set a complex password for this user (you shouldn’t be logging in as the admin user anyway, so set a complex pass and save it in a password safe).

  4. Add your Portainer license to continue with the Portainer Business deployment (or click get a license to get one).

  5. Add environments; Docker, Swarm, Kubernetes, ACI
    Take a note of all the environments you want to add, Docker, Swarm, Kubernetes, ACI. Click on Environments, add environment, and add each of your remote environments. Add tags (descriptive labels) as appropriate.
    1. Check - if you are using Docker Daemon over TCP, make sure you have the TLS certs
    2. Check – if you are using Docker swarm, make sure you have tested overlay network as per 1c
    3. Check – if you are using Kubernetes, validate if nodeport or Load Balancer is best
    4. Check – if you are deploying Edge agents, ensure Port 8000 is open on your Portainer instance and that your URL is https://

  6. Configure Portainer to use trusted SSL certs
    Click on settings, then scroll down to SSL Certificate. Force SSL on, and upload your REAL SSL Certs, then click save. Reconnect to Portainer using the FDQN specified in your SSL cert.
    1. Check – you may need to merge root and intermediate certs if you have intermediate certs in your chain.

  7. Configure Portainer backups
    Click on settings, scroll down to backup Portainer, and configure scheduled backups of Portainer to S3
    1. Check – you need a AWS s3 bucket for this

  8. Prepare for the connection of external user directories by configuring teams
    In order to prepare connection of external user directories, we should pre-create a team structure.
    1. Go into Users, Teams, and create teams that best suit your operational model (these will later be mapped to groups in your directory service). 

  9. Connect Portainer to your internal user directory
    Now that you have teams configured, its time to connect Portainer to your internal user directory, so under settings, authentication, configure your auth provider
    1. Check – enable SSO (and hide authentication prompt if you want to auto-login), 
    2. Check – enable auto user provisioning if you want users to be auto-created in Portainer on successful login
    3. Check -  enable auto team membership if you want automatically add users into teams based on their corresponding group memberships.  Make sure to set the team to group mappings.

  10. Install registries
    Go into settings, registries, and add your registries. Note you can add multiple of the same type of registry
    1. Check if you are using an insecure registry, make sure you update your daemon.json configuration on each docker host, else pulls will fail.

  11. Manage Access for each environment
    Click manage access, and then grant the appropriate TEAMS access with the appropriate role.

  12. Set base security and config options per environment
    1. Click on each Docker environment, one at a time, click on “cluster” or “host” click settings, and configure base security policies
    2. Click on each Kubernetes environment, one at a time, click on cluster, click settings, and configure base cluster capabilities

  13. Now you are ready to start creating apps 😀


See for yourself with a live online Portainer Business demo

Let us introduce you to a world of fast and easy app deployment, governance, and management in Docker/Swarm and Kubernetes. Schedule a demo with our tech team and see how Portainer's container service delivery platform can make everyone's life easier.


Topics:SecurityHow ToProduct