Docker Desktop and Enterprise Edition now both include Kubernetes as an optional orchestration component. This talk will explain how to use Docker Desktop (Mac or Windows) to develop and debug a cloud native application, then how Docker Enterprise Edition helps you deploy it to Kubernetes in production.
3. Agenda
1. Intro: the Docker Platform
2. Modernizing Traditional Applications
3. Kubernetes in Docker
4. Demo: Kubernetes in Docker Desktop
5. General CE/EE Architectures
6. Demo: Kubernetes in Docker EE 2.0
7. EE: Topics on mixed workloads
8. Q&A
11. Docker Enterprise Edition
Docker Community Edition
containerd
1
2
3
4
The best container
development workflow
The best enterprise
container security and
management
Native Kubernetes
integration provides full
ecosystem
compatibility Industry-standard
container runtime
Docker with Swarm and Kubernetes
12. Docker Community Edition
Developers EnterpriseContainer Ecosystem
The Docker Innovation Model
Docker Enterprise Edition
9,149 Open Source Contributors 8800 PRs/Year
15. The Innovation Challenge
Average IT Spend By Type
INNOVATION
MAINTENANCE
20%
80%
20%
40%
60%
80%
100%
0%
1%
Windows Server 2008
Windows Server 2012
Windows Server 2000
Windows Server 2003
Red Hat, Other Linux, Other OS
Server OS Market Share
Sources: Bank of America, Spiceworks, SolarWinds
18%
45%
24%
12%
16. Source: RightScale 2017 State of the Cloud Report
Top Priority for Enterprise IT
2016
2017
39%
50%
27% 29%
23%
9% 10% 10%
Leverage
Hybrid Cloud
Use Public
Cloud
Build Private
Cloud
Use Hosted
Cloud
Enterprise Priority: Portability
17. 50+%
79%
Major Release Frequency
0
Weekly Monthly Quarterly Annually
5%
10%
15%
20%
25%
More than
2 years
Enterprise Priority: Agility
Source: Plutora, CIO Insight
Release 6x or
less per year
Set increasing release
velocity as top IT priority
19. The Docker Modernize Traditional
Apps POC Program
Partner
Consulting Services
Partner
Infrastructure
Docker
Enterprise
Edition
Portable
Agile
Secure Efficient
< 5 days
+ +
No
Code
Changes
App
Existing
Application
Convert to a
Docker EE
container
Modern
Infrastructure
20. Reducing total costs by 50%
MTA POC Impact
Hybrid
Cloud-Ready
Portability Agility
2x Faster
Security
Isolation & Integrity
22. 22
KEY CHALLENGES
• Accumulated thousands of apps, 400+ systems of record and
5 infrastructures over 150 years
• Difficult to innovate with majority of budget spent on
maintenance
SOLUTION
• Leverage Docker MTA program to modernize the email opt-
out app with Docker EE to drive down total costs
Docker EE and MTA create self funding model
for container adoption
-70%
VMs
-67%
Cores
10x
Average CPU
utilization
+ +
-66%
Total Cost of
Ownership
593
Applications
RESULTS
• Modernization of single app completed in 1 day
• Applying model to other apps built with same technology
• Business case forecasts a 66% cost reduction
23. 23
KEY CHALLENGES
• Maintenance costs of managing traditional apps on prem
• Code quality was increasingly difficult with outsource
software house
• App delivery process was too slow for the pace of the
business
SOLUTION
• Leverage Docker MTA program jointly with their trusted
partner Accenture
App Visibility and Consistency at 50% the Cost
RESULTS
• 50% savings across all applications
• Unified architecture for the first time
• New visibility into their outsourced applications
25. What is a container orchestrator?
Management of containers running in one or more container runtimes
26.
27. Docker Enterprise Edition
Docker Community Edition
containerd
The best container
development workflow
The best enterprise
container security and
management
Docker: Now Powered by Swarm and Kubernetes
Native Kubernetes
integration provides full
ecosystem
compatibility Industry-standard
container runtime
28. Lifecycle of a Kubernetes API Request
Kubernetes API Server
Authentication Authorization
Admission
Control
etcd
29. Orchestrator: Docker Engine with Swarm-Mode Enabled
● github.com/docker/swarmkit
● Declarative State through the “Service” construct
● Built-in Routing Mesh & Overlay networking
● In-memory Raft Store for all state (persisted to disk)
● Built-in CA, per-node cryptographic node identity, mTLS between all endpoints
30. Orchestrator: Kubernetes
● github.com/kubernetes/kubernetes
● Scheduling Unit: Pods
● Declarative State through “Controllers”: Deployment, ReplicaSet, DaemonSet …
● Load balancing via Services and Ingresses
● Flat Networking model delegated to plugins
32. Test locally on Swarm
and Kubernetes
Develop with Docker
Community Edition on
your workstation
Deploy to production in
Swarm
Deploy to production in
Kubernetes
Docker Community Edition
All in one development for Swarm and Kubernetes
36. Linuxkit VM
Kubernetes CLI
Swarm Mode
Kubernetes
etcd
Docker CLI
kubeadm
Kubernetes in Docker CE (Windows and Mac)
Compose
CRD
Single Docker Engine
vpnkitHost fs mounts hyperkit / hyperv
37. Docker EE now includes Kubernetes
Docker Enterprise Edition
Production Ready Windows and IBM P/Z Support
Pods, batch jobs, blue-green deployments,
horizontal pod auto-scaling
Docker Swarm Swarm-Mode Kubernetes
Private Image Registry
Secure Access and User
Management
App and Cluster Management
Image Security Scanning Content Trust and Verification
Policy Management
38. GUI
Universal Control Plane
Trusted Registry Kubernetes CLI
Docker Engine
Swarm-Mode
Docker Swarm Kubernetes
etcd
CA OIDC Provider
Docker CLI
Node Agent Reconciler
Kubernetes in Docker EE
39. Docker EE Architectural Highlights
● Conformant Kubernetes components ran as Docker containers
● Swarm Managers are Kubernetes Masters
● Swarmkit node inventory is source of truth
● Cryptographic Node Identity and mTLS used throughout
40. - Easy High Availability provisioning
- Cryptographic node identity
Features Swarm Support
- Registry
- Content Trust
- Secure
Scanning
- Clean upstream integration
- Full ecosystem compatibility
- Role Based Access Control
- Authorization, Authentication
- Node Segmentation
Secure Cluster Lifecycle
Secure Supply Chain
100% Interoperability
Secure Multi-tenancy
Management Dashboard
Supported and Certified on Windows Server and Major Linux Distributions
Kubernetes Support
Docker Enterprise Edition
Management for Swarm and Kubernetes
43. Authentication
● X509 Client Certificates
○ Used for authentication of kubectl and the docker CLI via the “client bundle” feature
● OpenID Connect Identity Provider
○ GUI sessions use a custom identity provider and a token exchange service to authenticate with
the OIDC authentication plugin
44. Authorization
● All requests authorized via the Authorization Webhook plugin
● Custom RBAC system shared between Swarm and Kubernetes:
○ Users, Teams, Organizations, Service Accounts
○ Custom Roles
○ Hierarchical “Grants”
● No support for the rbac.authorization.k8s.io API, future plans for API translation
45. Admission Control
● Allows plugins to inspect, mutate or reject API requests after authorization
● Used for:
○ Orchestrator Selection
○ Linking nodes to namespaces
○ User Impersonation for Stacks
○ Image Signing policy enforcement
46. Orchestrator Selection
● Each node is running both kubernetes and swarm system components
● Administrators can toggle between (kubernetes, swarm or mixed) for any given node
● When toggling orchestrators, workloads of the previous orchestrator will be evicted
● An admission controller ensures that kubernetes workloads can only be scheduled on nodes
labelled as “kubernetes” nodes.
● Workloads of multiple orchestrators on the same node can lead to resource contention
Manager Node
(K8s, Swarm)
Worker Node
(Swarm)
Worker Node
(Kubernetes)
Worker Node
(Kubernetes)
Kubelet
Swarm Agents
Kubelet Kubelet Kubelet
Swarm Agents Swarm Agents Swarm Agents
47. Linking Nodes to Namespaces
● Allows users to uniquely assign nodes to namespaces.
● Variation of the PodNodeSelector admission controller integrated with UCP’s RBAC system
48. Image Signing Policy Enforcement
● Enforces that all workloads deployed in the cluster have a fully qualified image reference
● Resolves image references to always include a digest
● Contacts the registry to ensure that the referenced image has been signed by an authorized
user.
56. 无为 Modernize traditional applications without
coding
The Docker 之道
自然 Create microservice applications with the
container platform that started the container
revolution
General Architecture:
Compose, DCT
Plugins,
Networking
HA, Reconciliation, Promotion
Installation/Upgrade ?? (optional, talk with vivek)
Storage
Mixed Workloads:
Interop, mixed “stacks”
Resource Contention
Windows containers are different
Runs on Docker EE engine
Swarm-mode Managers are Kubernetes Masters
Swarm-modet node inventory is source of truth
Cryptographic Node Identity and mTLS used throughout
Unmodified Kubernetes components run as Docker containers
UCP Agent/Reconciler manages component lifecycle
Manager / Worker states
Certificate validity
Patching and upgrades
Leverage Kubernetes extension model (webhooks, initializers, flexvolume, CNI, etc.)
We will submit the product and aim to pass the Certified Kubernetes Conformance program
Requests arriving to the UCP controller against the kubernetes API will have their session token exchanged for a long-lived identity token. The request is then forwarded to the kubernetes API server which is configured to trust UCP’s identity tokens.
A Grant is either a RoleBinding or a ClusterRoleBinding