Jean Rouge - Sr. Software Engineer, Docker
David Yu - Product Manager, Docker
Docker Enterprise is an enterprise container platform for developers and IT admins building and managing container applications. The platform includes integrated orchestration (Swarm and Kubernetes), an advanced private image registry, and a centralized admin console to secure, troubleshoot, and manage containerized applications. This talk focuses on the Docker Enterprise platform's technical architecture, key features and the use cases it is designed to support. Key areas covered in this session:
- Latest features and enhancements
- Security and Compliance: how to ensure oversight and validate applications against different compliance regulations
- Operational Insight: how to identify and troubleshoot issues in your container environment
- Integrated Technology: which technologies are supported and can be run with Docker Enterprise
- Policy-based Automation: how to scale container environments through automated policies
4. Docker Enterprise Use Cases
Infrastructure: Cloud, VM, Edge Device, Bare Metal, Mainframe
Docker Enterprise
Workloads: Microservices, Big Data, ML & AI, Traditional, Serverless, ISV, Edge & IoT, Blockchain
5. Docker Enterprise Container Platform
Security
• Threat Scanning
• Controlled Code Deployment
• Encryption
• Secrets Mgmt
• Image Mgmt
• Support for 3rd party security
Governance
• Role-based access control (RBAC)
• Policy Mgmt
• App Config Mgmt
• Forensic Image History
• Controlled Code Deployment
Automation
• Orchestration
• Built-in app reliability/High Availability
• Policy-based automation
• Auto healing
Support and Certification
• Enterprise-grade support
• Certified Plug-ins and Infrastructure
• Certified ISV apps
• Certified professionals
Stack diagram: Server, OS, Docker Engine, App
6. Docker Enterprise leads the pack
The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.
Forrester’s Assessment: Docker “leads the pack with a robust container platform well-suited for the enterprise.”
11. What’s New in Docker Enterprise 2.1
● Extended Windows Server Support
● Expanded Kubernetes Support
● Improved Operational Insight
● Stronger Security and Compliance
13. Windows Support
● Expanded Operating System Server Support
○ Windows Server 2016, 1709, 1803, and 2019*
○ Smaller image sizes
○ Ingress and VIP Networking for Docker Swarm
*Swarm support for Windows Server 2019 GA will be delivered in a patch release (due to the timing of Docker Enterprise 2.1 and Server 2019)
16. Upgraded to Kubernetes 1.11
FEATURE
Generally Available features:
● Kubernetes pod autoscaling
● Kubernetes RBAC including support for cluster roles
● Storage protection
● CRI-tools for improved debugging
● API aggregation
● Webhook authorization
● DaemonSet, Deployment, ReplicaSet, and StatefulSet APIs
BENEFITS
• Access the most recent developments from the Kubernetes community
• Stay on top of the latest stable Kubernetes enhancements
• Get an enterprise-ready experience with the latest Kubernetes release
17. Native Kubernetes RBAC
FEATURE
BENEFITS
• Add native Kubernetes roles defined in a YAML file
• Distinct view of Kubernetes roles from Swarm roles
• Define grants in UCP similar to Swarm
• Deploy Helm charts
• Use native Kubernetes RBAC primitives
18. Kubernetes Network Encryption
Use Case
● Apply default encryption without intervention or awareness from users
● Protect internal application traffic on untrusted or shared infrastructure by default
Usage
● Deploy an encryption DaemonSet to encrypt all host-to-host traffic between all pods within the Kubernetes cluster
● Key management and rotation managed centrally by the add-on encryption module
● IPsec encryption
Diagram: an app pod on one host talking to an app pod on another host, with the host-to-host traffic encrypted
21. Improved Operational Insights
FEATURE
• Easier access to node metrics:
○ View containers within a node
○ Healthchecks
• Events from the last hour within Kubernetes resources
• Up to 24 hour data retention, viewable within the Overview Dashboard
• Detailed metadata for Swarm and Kubernetes resources
BENEFITS
• Quickly identify and root-cause problems occurring at various levels of the environment (service, node, cluster)
• Track and prevent emerging issues
23. New Options for Collecting Metrics
Diagram: the UCP Controller and Prometheus run on the manager node; an external Prometheus on an external node discovers scrape targets via GET https://ucp/metricsdiscovery; collected metrics are POSTed to the Docker Enterprise UI.
FEATURE
BENEFITS
• Deploy Prometheus as a Kubernetes DaemonSet
• Allow additional Prometheus configurations:
○ Deploy Prometheus on worker nodes
○ Allow external Prometheus instances to scrape Docker Enterprise metrics
• Remove CPU pressure on manager nodes
• Gather more information about your environment and collect it locally
24. Image Management and Storage Optimization
at Scale
FEATURE
• Online garbage collection
• Policy-based image tag pruning
BENEFITS
• Preserve storage space by deleting unused image layers
• Reduce clutter in your image registry using pre-defined policies, particularly when used in conjunction with CI/CD systems
Diagram: a Docker image file as a stack of image layers
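The two features above are really one pipeline: a pruning policy decides which tags go, and garbage collection then frees every layer that no surviving manifest still references. The following is an added example written for this page, not DTR's own pruning or GC code; the tag list, manifest-to-layer map, the `PruningPolicy` fields (`match`, `keep_newest`, `max_age_days`, `protect`) and the digests are all constructed for illustration. It shows the two details a practitioner cares about: release tags are never pruned even if a pattern matches them, and a layer is only garbage once no live image shares it.

```python
"""Policy-based tag pruning followed by mark-and-sweep layer garbage collection.

Added example, not DTR's own implementation. Tags, manifests and policy fields
are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Tag:
    name: str
    pushed_at: datetime
    digest: str            # manifest digest the tag currently points at


@dataclass(frozen=True)
class PruningPolicy:
    match: str             # regex on the tag name; only matching tags are candidates
    keep_newest: int       # always keep this many newest matching tags
    max_age_days: int      # delete the remaining candidates once older than this
    protect: str = r"^(latest|v\d+\.\d+\.\d+)$"   # release tags are never pruned


def select_for_deletion(tags, policy, now):
    """Return the sorted names of tags the policy would delete (a dry run)."""
    match, protect = re.compile(policy.match), re.compile(policy.protect)
    candidates = sorted(
        (t for t in tags if match.match(t.name) and not protect.match(t.name)),
        key=lambda t: t.pushed_at, reverse=True)
    doomed = [t.name for t in candidates[policy.keep_newest:]
              if now - t.pushed_at > timedelta(days=policy.max_age_days)]
    return sorted(doomed)


def collect_garbage(remaining_tags, manifests):
    """Mark every manifest a surviving tag references, then sweep the rest.

    manifests maps manifest digest -> set of layer digests. Layers are shared
    between images, so a layer is freed only when no live manifest uses it.
    """
    live_manifests = {t.digest for t in remaining_tags}
    live_layers = set().union(*(manifests[d] for d in live_manifests if d in manifests))
    dead_manifests = set(manifests) - live_manifests
    dead_layers = set().union(*(manifests[d] for d in dead_manifests)) - live_layers
    return dead_manifests, dead_layers


# Constructed sample repository: two release tags and a run of CI build tags.
NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)


def _days_ago(n):
    return NOW - timedelta(days=n)


SAMPLE_TAGS = [
    Tag("v1.2.0", _days_ago(40), "sha256:aaa"),
    Tag("latest", _days_ago(1), "sha256:bbb"),
    Tag("ci-1001", _days_ago(45), "sha256:c01"),
    Tag("ci-1002", _days_ago(30), "sha256:c02"),
    Tag("ci-1003", _days_ago(10), "sha256:c03"),
    Tag("ci-1004", _days_ago(2), "sha256:c04"),
    Tag("ci-1005", _days_ago(1), "sha256:bbb"),   # same image as latest
]
SAMPLE_MANIFESTS = {
    "sha256:aaa": {"sha256:L1", "sha256:L2"},
    "sha256:bbb": {"sha256:L1", "sha256:L3"},
    "sha256:c01": {"sha256:L1", "sha256:L4"},
    "sha256:c02": {"sha256:L1", "sha256:L4", "sha256:L5"},
    "sha256:c03": {"sha256:L1", "sha256:L6"},
    "sha256:c04": {"sha256:L1", "sha256:L7"},
}
# Keep the two newest CI tags, and anything younger than two weeks.
SAMPLE_POLICY = PruningPolicy(match=r"^ci-\d+$", keep_newest=2, max_age_days=14)


def prune_and_collect(tags=SAMPLE_TAGS, manifests=SAMPLE_MANIFESTS,
                      policy=SAMPLE_POLICY, now=NOW):
    """Run the policy, then report what the sweep would free."""
    deleted = select_for_deletion(tags, policy, now)
    remaining = [t for t in tags if t.name not in deleted]
    dead_manifests, dead_layers = collect_garbage(remaining, manifests)
    return deleted, dead_manifests, dead_layers


if __name__ == "__main__":
    print(prune_and_collect())
```

Note that the shared base layer `sha256:L1` survives even though two manifests that used it are deleted, and `ci-1005` keeps `sha256:bbb` alive independently of `latest`. An "online" collector in a real registry additionally has to account for pushes that land while the sweep runs, which this dry-run model does not attempt.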
27. Integrate Identity Providers with SAML 2.0
FEATURE
BENEFITS
• Allow SSO to Docker Enterprise through an existing identity provider (IdP)
○ Support for Okta and ADFS, with more IdPs to be added in the future
• Continue to use LDAP sync for client bundle access
• Achieve 2FA through the identity provider
• Credentials stored in the IdP only; no local hosting of passwords
28. FIPS 140-2 Compliance for Enterprise Engine
FEATURE
• Linux support was included in the 18.03 Engine; 18.09 now adds FIPS compliance for Windows
• Automatically enable FIPS mode for the Docker Engine based upon the host OS FIPS status
• Use an environment variable to override the OS FIPS state
BENEFITS
• Meet regulatory requirements by deploying Docker Engines in a FIPS-compliant mode
• Prevent non-FIPS nodes from joining a FIPS-compliant cluster
Diagram: Docker Engine components (containerd, Docker API, Networking, Docker Build (BuildKit), Orchestration, Volumes, Distribution, Docker CLI, Plugins) built on a FIPS 140-2 validated encryption module
29. Audit Logs for All Cluster-Wide Operations
Diagram: user request → orchestrator audit events → audit logs
Kubernetes pod listing:
{"audit": {
  "metadata": {...},
  "level": "Metadata",
  "timestamp": "2018-08-07T22:10:35Z",
  "auditID": "7559d301-fa6b-4ad6-901c-b587fab75277",
  "stage": "RequestReceived",
  "requestURI": "/api/v1/namespaces/default/pods",
  "verb": "list",
  "user": {"username": "alice", ...},
  "sourceIPs": ["127.0.0.1"],
  ...,
  "requestReceivedTimestamp": "2018-08-07T22:10:35.428850Z"}}
Swarm config create:
{"audit": {
  "metadata": {...},
  "level": "Metadata",
  "timestamp": "2018-08-07T22:10:35Z",
  "auditID": "7559d301-94e7-4ad6-901c-b587fab31512",
  "stage": "RequestReceived",
  "requestURI": "/v1.30/configs/create",
  "verb": "post",
  "user": {"username": "alice", ...},
  "sourceIPs": ["127.0.0.1"],
  ...,
  "requestReceivedTimestamp": "2018-08-07T22:10:35.428850Z"}}
FEATURE
• Configurable audit logs for both Swarm and Kubernetes
• Logs API calls tracking request, time, user, and response
• Persistent storage of audit log entries for historical recall
BENEFITS
• Track and investigate all security-relevant user activity in the cluster
• Provide a full audit trail for more complete troubleshooting and adherence to compliance requirements
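Having the records persisted is only half of "track and investigate"; someone has to read them. The script below is an added example written for this page, not Docker Enterprise's own tooling. It consumes audit lines in the `{"audit": {...}}` envelope shown on the slide and flags the requests a responder would want to see first: secret and config changes, exec into a pod, RBAC edits, and any request from outside the expected networks. The sample lines are constructed to match the two records above plus a few more; the request-path shapes in `SENSITIVE_RULES` and the trusted network ranges are assumptions for the demo. One practical detail it handles: Kubernetes writes a second record for the same request at the `ResponseComplete` stage with the same `auditID`, so counting is done per `auditID`, not per line.

```python
"""Triage UCP audit events from Swarm and Kubernetes for security-relevant activity.

Added example, not Docker Enterprise's own tooling. The audit lines are
constructed; the API path patterns and trusted networks are assumptions.
"""
import ipaddress
import json
import re
from collections import Counter


def _event(audit_id, stage, uri, verb, user, ip, ts):
    """Build one constructed audit line in the slide's {"audit": {...}} envelope."""
    return json.dumps({"audit": {
        "level": "Metadata", "timestamp": ts, "auditID": audit_id, "stage": stage,
        "requestURI": uri, "verb": verb, "user": {"username": user},
        "sourceIPs": [ip], "requestReceivedTimestamp": ts}})


SAMPLE_LINES = [
    _event("7559d301-fa6b-4ad6-901c-b587fab75277", "RequestReceived",
           "/api/v1/namespaces/default/pods", "list", "alice", "127.0.0.1", "2018-08-07T22:10:35Z"),
    # Same Kubernetes request logged again at ResponseComplete: same auditID, count once.
    _event("7559d301-fa6b-4ad6-901c-b587fab75277", "ResponseComplete",
           "/api/v1/namespaces/default/pods", "list", "alice", "127.0.0.1", "2018-08-07T22:10:35Z"),
    _event("7559d301-94e7-4ad6-901c-b587fab31512", "RequestReceived",
           "/v1.30/configs/create", "post", "alice", "127.0.0.1", "2018-08-07T22:10:35Z"),
    _event("0c1d2e3f-0000-4000-8000-000000000001", "RequestReceived",
           "/api/v1/namespaces/prod/secrets", "list", "bob", "203.0.113.7", "2018-08-07T22:12:01Z"),
    _event("0c1d2e3f-0000-4000-8000-000000000002", "RequestReceived",
           "/api/v1/namespaces/prod/pods/web-0/exec?command=sh", "create", "bob", "203.0.113.7",
           "2018-08-07T22:12:30Z"),
    _event("0c1d2e3f-0000-4000-8000-000000000003", "RequestReceived",
           "/v1.30/secrets/create", "post", "svc-ci", "10.0.5.21", "2018-08-07T22:13:00Z"),
    "not json at all",   # a torn line, as happens at log rotation
]

# (requestURI pattern, verbs of interest, label). Path shapes are assumptions.
SENSITIVE_RULES = [
    (re.compile(r"^/api/v1/namespaces/[^/]+/secrets"),
     {"list", "get", "create", "update", "patch", "delete"}, "kubernetes secret access"),
    (re.compile(r"^/api/v1/namespaces/[^/]+/pods/[^/]+/exec"), {"create"}, "exec into pod"),
    (re.compile(r"^/apis/rbac\.authorization\.k8s\.io/"),
     {"create", "update", "patch", "delete"}, "kubernetes rbac change"),
    (re.compile(r"^/v1\.\d+/secrets"), {"post", "delete"}, "swarm secret change"),
    (re.compile(r"^/v1\.\d+/configs"), {"post", "delete"}, "swarm config change"),
]


def parse_event(line):
    """Return the inner audit record for a well-formed line, else None."""
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    rec = obj.get("audit") if isinstance(obj, dict) else None
    return rec if isinstance(rec, dict) and "auditID" in rec else None


def classify(rec):
    """Return the label of the first sensitive rule the request matches, or None."""
    uri = rec.get("requestURI", "").split("?", 1)[0]   # ignore query string
    verb = rec.get("verb", "").lower()
    for pattern, verbs, label in SENSITIVE_RULES:
        if pattern.match(uri) and verb in verbs:
            return label
    return None


def _off_network(ips, nets):
    """Source addresses outside every trusted network; unparsable ones count as untrusted."""
    out = []
    for ip in ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            out.append(ip)
            continue
        if not any(addr in n for n in nets):
            out.append(ip)
    return out


def triage(lines, trusted_networks):
    """Deduplicate by auditID, count requests per user, flag sensitive or off-network ones."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    seen, findings, per_user, malformed = set(), [], Counter(), 0
    for line in lines:
        rec = parse_event(line)
        if rec is None:
            malformed += 1
            continue
        if rec["auditID"] in seen:
            continue
        seen.add(rec["auditID"])
        user = rec.get("user", {}).get("username", "<unknown>")
        per_user[user] += 1
        label = classify(rec)
        offnet = _off_network(rec.get("sourceIPs", []), nets)
        if label or offnet:
            findings.append({"auditID": rec["auditID"], "timestamp": rec.get("timestamp"),
                             "user": user, "verb": rec.get("verb"),
                             "requestURI": rec.get("requestURI"), "label": label,
                             "off_network_sources": offnet})
    return {"findings": findings, "requests_per_user": dict(per_user), "malformed": malformed}


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES, ["127.0.0.0/8", "10.0.0.0/8"])["findings"]:
        print(f["timestamp"], f["user"], f["label"] or "-", f["off_network_sources"], f["requestURI"])
```

Run against the constructed sample with `127.0.0.0/8` and `10.0.0.0/8` trusted, it reports alice's config create, bob's secret listing and pod exec (both also from an off-network address), and the CI account's secret creation, while the plain pod list and the duplicate stage record produce nothing. The same loop works over a file of persisted entries one line at a time.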
30. Access Detailed Audit Logs for the Registry
FEATURE
• Audit registry events (e.g. Push/Pull/Scan/etc.) to see what is happening inside of a repository
BENEFITS
• Track and investigate all security-relevant user activity in the registry
• Provide a full audit trail for more complete troubleshooting and adherence to compliance requirements
31. Identify Vulnerabilities in Running Containers
Diagram: scan data from Docker Trusted Registry feeding the control plane
FEATURE
BENEFITS
• Create policies to manage service deployments using image vulnerability data
• Maintain compliant deployment of production services
• View vulnerability data of images deployed through the control plane
• Roll-up views for services & pods
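What such a deployment policy has to decide is shown below as an added example written for this page; it is not Docker Enterprise's policy engine and does not call any Docker API. The scan records, the `dtr.example.com` image references, the digests, the vulnerability IDs (`V-1`, `V-2`, `V-3`) and the thresholds in `VulnPolicy` are all constructed. Beyond the per-severity limits the slide implies, it covers the two cases that decide whether such a gate is worth anything: an image is looked up by digest rather than by its mutable tag, and an image with no scan, or a stale one, is denied rather than waved through.

```python
"""Gate a service deployment on image vulnerability scan data.

Added example, not Docker Enterprise's own policy engine. Scan records,
image references, digests, vulnerability IDs and thresholds are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SEVERITIES = ("critical", "high", "medium", "low")


@dataclass(frozen=True)
class VulnPolicy:
    max_by_severity: dict            # e.g. {"critical": 0, "high": 2}
    max_scan_age: timedelta          # a scan older than this is treated as missing
    require_scan: bool = True        # unscanned images are denied, not waved through


@dataclass
class Decision:
    image: str
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_image(image_ref, tag_to_digest, scans, policy, now):
    """Decide one image. Scan data is keyed by digest: tags move, digests do not."""
    digest = tag_to_digest.get(image_ref)
    if digest is None:
        return Decision(image_ref, False, ["no digest known for reference; refusing to gate on a mutable tag"])
    scan = scans.get(digest)
    if scan is None or now - scan["scanned_at"] > policy.max_scan_age:
        why = "never scanned" if scan is None else "scan older than %d days" % policy.max_scan_age.days
        return Decision(image_ref, not policy.require_scan, [why])
    counts = {}
    for v in scan["vulnerabilities"]:
        sev = v["severity"].lower()
        counts[sev] = counts.get(sev, 0) + 1
    reasons = ["%d %s (limit %d)" % (counts.get(s, 0), s, limit)
               for s, limit in policy.max_by_severity.items() if counts.get(s, 0) > limit]
    return Decision(image_ref, not reasons, reasons)


def gate_service(image_refs, tag_to_digest, scans, policy, now):
    """A service may be deployed only if every image it uses passes."""
    decisions = [evaluate_image(r, tag_to_digest, scans, policy, now) for r in image_refs]
    return all(d.allowed for d in decisions), decisions


# Constructed sample: four images of one service, resolved to digests at deploy time.
NOW = datetime(2018, 10, 1, tzinfo=timezone.utc)
SAMPLE_TAG_TO_DIGEST = {
    "dtr.example.com/shop/web:2.3": "sha256:web23",
    "dtr.example.com/shop/worker:2.3": "sha256:worker23",
    "dtr.example.com/shop/sidecar:1.0": "sha256:sidecar10",
    "dtr.example.com/shop/cache:5": "sha256:cache5",
}
SAMPLE_SCANS = {
    "sha256:web23": {"scanned_at": NOW - timedelta(days=1),
                     "vulnerabilities": [{"id": "V-1", "severity": "high"},
                                         {"id": "V-2", "severity": "low"}]},
    "sha256:worker23": {"scanned_at": NOW - timedelta(days=1),
                        "vulnerabilities": [{"id": "V-3", "severity": "critical"}]},
    "sha256:cache5": {"scanned_at": NOW - timedelta(days=30), "vulnerabilities": []},
    # sha256:sidecar10 has never been scanned
}
SAMPLE_POLICY = VulnPolicy(max_by_severity={"critical": 0, "high": 2},
                           max_scan_age=timedelta(days=7))


def demo():
    """Gate the constructed service under the constructed policy."""
    return gate_service(list(SAMPLE_TAG_TO_DIGEST), SAMPLE_TAG_TO_DIGEST,
                        SAMPLE_SCANS, SAMPLE_POLICY, NOW)


if __name__ == "__main__":
    ok, decisions = demo()
    print("deploy allowed:", ok)
    for d in decisions:
        print(" ", "ALLOW" if d.allowed else "DENY ", d.image, "; ".join(d.reasons))
```

Under the sample policy the web image passes (one high, within the limit of two), the worker is denied for its critical finding, the sidecar is denied because it was never scanned, and the cache image is denied because its clean scan is a month old, so the service as a whole is refused. Setting `require_scan=False` turns the last two into warnings, which is the weaker posture most teams start from and should move away from.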