Patrick Chanezon, @chanezon February 2018
Develop and deploy Kubernetes
applications with Docker

French
Polyglot
Platforms
Software Plumber
San Francisco
Developer Relations
@chanezon

Agenda
1. Intro: the Docker Platform
2. Modernizing Traditional Applications
3. Kubernetes in Docker
4. Demo: Kubernetes in Docker Desktop
5. General CE/EE Architectures
6. Demo: Kubernetes in Docker EE 2.0
7. EE: Topics on mixed workloads
8. Q&A

Introduction
The Docker Platform

Traditional
Micro
services
ISV / COTS IoT
Big Data
ML
AI
...Serverless
Cloud VM Bare
Metal
Edge
Device
Docker Platform

Docker Momentum
Docker
Hosts
21.0M
Growth in Docker
job listings
77K%
Container
downloads
24B
Industry
Standards

Enterprise Momentum
Portability Agility Security
50% total cost savings

The Docker Container Platform
Enabling the Software Supply Chain
• Diverse Applications
• Disparate Infrastructure
• Lifecycle Management
• Orchestrate Complex Systems
• Secure by Default
• Edge / IoT
• Serverless Anywhere

DEVELOPERS OPERATORS
Applications
Infrastructure
The Docker Platform in a nutshell

INDEPENDENCE
OPENNESS
SIMPLICITY
Core Principles of the Docker Platform

Docker Enterprise Edition
Docker Community Edition
containerd
1
2
3
4
The best container
development workflow
The best enterprise
container security and
management
Native Kubernetes
integration provides full
ecosystem
compatibility Industry-standard
container runtime
Docker with Swarm and Kubernetes

Docker Community Edition
Developers EnterpriseContainer Ecosystem
The Docker Innovation Model
Docker Enterprise Edition
9,149 Open Source Contributors 8800 PRs/Year

runc
Notary
Registry LibNetworkVPNKit
DataKit HyperKitCompose

Modernizing Traditional
Applications

The Innovation Challenge
Average IT Spend By Type
INNOVATION
MAINTENANCE
20%
80%
20%
40%
60%
80%
100%
0%
1%
Windows Server 2008
Windows Server 2012
Windows Server 2000
Windows Server 2003
Red Hat, Other Linux, Other OS
Server OS Market Share
Sources: Bank of America, Spiceworks, SolarWinds
18%
45%
24%
12%

Source: RightScale 2017 State of the Cloud Report
Top Priority for Enterprise IT
2016
2017
39%
50%
27% 29%
23%
9% 10% 10%
Leverage
Hybrid Cloud
Use Public
Cloud
Build Private
Cloud
Use Hosted
Cloud
Enterprise Priority: Portability

50+%
79%
Major Release Frequency
0
Weekly Monthly Quarterly Annually
5%
10%
15%
20%
25%
More than
2 years
Enterprise Priority: Agility
Source: Plutora, CIO Insight
Release 6x or
less per year
Set increasing release
velocity as top IT priority

Enterprise Priority: Security
60%
Source: Forbes 2017 State Of Cloud Adoption And Security
Report security concerns
slowing cloud adoption

The Docker Modernize Traditional
Apps POC Program
Partner
Consulting Services
Partner
Infrastructure
Docker
Enterprise
Edition
Portable
Agile
Secure Efficient
< 5 days
+ +
No
Code
Changes
App
Existing
Application
Convert to a
Docker EE
container
Modern
Infrastructure

Reducing total costs by 50%
MTA POC Impact
Hybrid
Cloud-Ready
Portability Agility
2x Faster
Security
Isolation & Integrity

The Modernization Journey
App
Existing
Application
Modern
Methodologies
Convert to a
Docker EE
Container
Modern
Infrastructure
Ongoing
Innovation

22
KEY CHALLENGES
• Accumulated thousands of apps, 400+ systems of record and
5 infrastructures over 150 years
• Difficult to innovate with majority of budget spent on
maintenance
SOLUTION
• Leverage Docker MTA program to modernize the email opt-
out app with Docker EE to drive down total costs
Docker EE and MTA create self funding model
for container adoption
-70%
VMs
-67%
Cores
10x
Average CPU
utilization
+ +
-66%
Total Cost of
Ownership
593
Applications
RESULTS
• Modernization of single app completed in 1 day
• Applying model to other apps built with same technology
• Business case forecasts a 66% cost reduction

23
KEY CHALLENGES
• Maintenance costs of managing traditional apps on prem
• Code quality was increasingly difficult with outsource
software house
• App delivery process was too slow for the pace of the
business
SOLUTION
• Leverage Docker MTA program jointly with their trusted
partner Accenture
App Visibility and Consistency at 50% the Cost
RESULTS
• 50% savings across all applications
• Unified architecture for the first time
• New visibility into their outsourced applications

Kubernetes in Docker

What is a container orchestrator?
Management of containers running in one or more container runtimes

Docker Enterprise Edition
Docker Community Edition
containerd
The best container
development workflow
The best enterprise
container security and
management
Docker: Now Powered by Swarm and Kubernetes
Native Kubernetes
integration provides full
ecosystem
compatibility Industry-standard
container runtime

Lifecycle of a Kubernetes API Request
Kubernetes API Server
Authentication Authorization
Admission
Control
etcd

Orchestrator: Docker Engine with Swarm-Mode Enabled
● github.com/docker/swarmkit
● Declarative State through the “Service” construct
● Built-in Routing Mesh & Overlay networking
● In-memory Raft Store for all state (persisted to disk)
● Built-in CA, per-node cryptographic node identity, mTLS between all endpoints

Orchestrator: Kubernetes
● github.com/kubernetes/kubernetes
● Scheduling Unit: Pods
● Declarative State through “Controllers”: Deployment, ReplicaSet, DaemonSet …
● Load balancing via Services and Ingresses
● Flat Networking model delegated to plugins

Docker EE 2.0: A conformant kubernetes distribution

Test locally on Swarm
and Kubernetes
Develop with Docker
Community Edition on
your workstation
Deploy to production in
Swarm
Deploy to production in
Kubernetes
Docker Community Edition
All in one development for Swarm and Kubernetes

Demo: Kubernetes in Docker Desktop

Kubernetes in Docker Desktop

General CE/EE Architecture

Linuxkit VM
Kubernetes CLI
Swarm Mode
Kubernetes
etcd
Docker CLI
kubeadm
Kubernetes in Docker CE (Windows and Mac)
Compose
CRD
Single Docker Engine
vpnkitHost fs mounts hyperkit / hyperv

Docker EE now includes Kubernetes
Docker Enterprise Edition
Production Ready Windows and IBM P/Z Support
Pods, batch jobs, blue-green deployments,
horizontal pod auto-scaling
Docker Swarm Swarm-Mode Kubernetes
Private Image Registry
Secure Access and User
Management
App and Cluster Management
Image Security Scanning Content Trust and Verification
Policy Management

GUI
Universal Control Plane
Trusted Registry Kubernetes CLI
Docker Engine
Swarm-Mode
Docker Swarm Kubernetes
etcd
CA OIDC Provider
Docker CLI
Node Agent Reconciler
Kubernetes in Docker EE

Docker EE Architectural Highlights
● Conformant Kubernetes components ran as Docker containers
● Swarm Managers are Kubernetes Masters
● Swarmkit node inventory is source of truth
● Cryptographic Node Identity and mTLS used throughout

- Easy High Availability provisioning
- Cryptographic node identity
Features Swarm Support
- Registry
- Content Trust
- Secure
Scanning
- Clean upstream integration
- Full ecosystem compatibility
- Role Based Access Control
- Authorization, Authentication
- Node Segmentation
Secure Cluster Lifecycle
Secure Supply Chain
100% Interoperability
Secure Multi-tenancy
Management Dashboard
Supported and Certified on Windows Server and Major Linux Distributions
Kubernetes Support
Docker Enterprise Edition
Management for Swarm and Kubernetes

Demo: Kubernetes in Docker EE 2.0

Uses of Kubernetes Plugin Interfaces

Authentication
● X509 Client Certificates
○ Used for authentication of kubectl and the docker CLI via the “client bundle” feature
● OpenID Connect Identity Provider
○ GUI sessions use a custom identity provider and a token exchange service to authenticate with
the OIDC authentication plugin

Authorization
● All requests authorized via the Authorization Webhook plugin
● Custom RBAC system shared between Swarm and Kubernetes:
○ Users, Teams, Organizations, Service Accounts
○ Custom Roles
○ Hierarchical “Grants”
● No support for the rbac.authorization.k8s.io API, future plans for API translation

Admission Control
● Allows plugins to inspect, mutate or reject API requests after authorization
● Used for:
○ Orchestrator Selection
○ Linking nodes to namespaces
○ User Impersonation for Stacks
○ Image Signing policy enforcement

Orchestrator Selection
● Each node is running both kubernetes and swarm system components
● Administrators can toggle between (kubernetes, swarm or mixed) for any given node
● When toggling orchestrators, workloads of the previous orchestrator will be evicted
● An admission controller ensures that kubernetes workloads can only be scheduled on nodes
labelled as “kubernetes” nodes.
● Workloads of multiple orchestrators on the same node can lead to resource contention
Manager Node
(K8s, Swarm)
Worker Node
(Swarm)
Worker Node
(Kubernetes)
Worker Node
(Kubernetes)
Kubelet
Swarm Agents
Kubelet Kubelet Kubelet
Swarm Agents Swarm Agents Swarm Agents

Linking Nodes to Namespaces
● Allows users to uniquely assign nodes to namespaces.
● Variation of the PodNodeSelector admission controller integrated with UCP’s RBAC system

Image Signing Policy Enforcement
● Enforces that all workloads deployed in the cluster have a fully qualified image reference
● Resolves image references to always include a digest
● Contacts the registry to ensure that the referenced image has been signed by an authorized
user.

The Tao of Docker

之道 Tao, The Way

之道 Tao

无为 Wu-wei, Effortless action

无为 Wu-wei, Effortless action

自然 Ziran, Naturalness

自然 Ziran, Naturalness
container
based
No state
No couplingbounded context

无为 Modernize traditional applications without
coding
The Docker 之道
自然 Create microservice applications with the
container platform that started the container
revolution

www.docker.com/kubernetes
Beta signup is open!
GENERALLY AVAILABLE
Q1 2018
Docker: Now powered by Swarm and Kubernetes

Thank You!
chanezon
@chanezon