DCEU 18: Docker Enterprise Platform and Architecture
1 like571 views
The document provides an architectural overview of Docker Enterprise Platform 2.1, highlighting new features such as extended Windows Server support, enhanced Kubernetes functionalities, and improved security and compliance measures. Key updates include native Kubernetes RBAC, operational insights through metrics, and comprehensive auditing capabilities. The platform is tailored for various use cases, including microservices and big data, and emphasizes automation, governance, and container security.
![Audit Logs for All Cluster-Wide Operations
{“audit”; {
"metadata": {...},
"level": "Metadata",
"timestamp": "2018-08-07T22:10:35Z",
"auditID": "7559d301-fa6b-4ad6-901c-
b587fab75277",
"stage": "RequestReceived",
"requestURI":
"/api/v1/namespaces/default/pods",
"verb": "list",
"user": {"username": "alice",...},
"sourceIPs": ["127.0.0.1"],
...,
"requestReceivedTimestamp": "2018-08-
07T22:10:35.428850Z"}}
orchestrator audit events
audit logs
user request
{“audit”; {
"metadata": {...},
"level": "Metadata",
"timestamp": "2018-08-07T22:10:35Z",
"auditID": "7559d301-94e7-4ad6-901c-
b587fab31512",
"stage": "RequestReceived",
"requestURI": "/v1.30/configs/create",
"verb": "post",
"user": {"username": "alice",...},
"sourceIPs": ["127.0.0.1"],
...,
"requestReceivedTimestamp": "2018-08-
07T22:10:35.428850Z"}}
kubernetes pod listing swarm config create
FEATURE
• Configurable audit logs for both
Swarm and Kubernetes
• Logs API calls tracking request,
time, user, and response
• Persistent storage of audit log
entries for historical recall
BENEFITS
• Track and investigate all
security-relevant user activity in
the cluster
• Provide a full audit trail for more
complete troubleshooting,
adherence to compliance
requirements](https://image.slidesharecdn.com/dceu18dockerenterpriseplatformandarchitecture-181214181828/85/DCEU-18-Docker-Enterprise-Platform-and-Architecture-29-320.jpg)
DCEU 18: Docker Enterprise Platform and Architecture
- 1. Docker Enterprise Platform 2.1: Architectural Overview and Use Cases
- 2. Product Manager, Docker @yongshinyu David Yu Senior Software Engineer, Docker Jean Rouge
- 3. Agenda 1.Docker Enterprise Overview & Architecture 2.Docker Enterprise 2.1 - What’s New with Demos 3.Next Steps
- 4. Docker Enterprise Use Cases Cloud VM Edge Device Bare Metal Mainframe Docker Enterprise Microservices Big Data ML & AITraditional ServerlessISVEdge & IoT Blockchain
- 5. Docker Enterprise Container Platform Support and Certification AutomationGovernanceSecurity • Threat Scanning • Controlled Code Deployment • Encryption • Secrets Mgmt • Image Mgmt • Support for 3rd party security • Role-based access control (RBAC) • Policy Mgmt • App Config Mgmt • Forensic Image History • Controlled Code Deployment • Orchestration • Built-in app reliability/High Avail. • Policy-based automation • Auto healing • Enterprise-grade support • Certified Plug-ins and Infrastructure • Certified ISV apps • Certified professionals Server OS App Docker Engine
- 6. Docker Enterprise leads the pack The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester's call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester’s Assessment: Docker “leads the pack with a robust container platform well-suited for the enterprise.”
- 7. Operating Systems Docker Platform Architecture Config Mgt Monitoring LoggingCI/CD ..more..Images Networking Volumes PhysicalVirtualizationPublic Cloud Platform Security Developer Services Registry Services Access Policies App Lifecycle Management Automation & Extensibility Networking Orchestration Storage Container Engine ENTERPRISE PLATFORM
- 8. Secure Supply Chain Docker Enterprise adds end-to-end security features TEST STAGING • Signature verification • Native encryption Scanning SigningAutomated PoliciesDocker Desktop (Mac or Windows) PRODUCTION
- 9. Cluster Architecture Node Node Node Docker Enterprise Cluster Node Manager Worker Node Worker Worker Worker Node Manager Node Manager Management Plane
- 10. Kubernetes in Docker Enterprise UCP Manager/Linux UCP Linux worker calico cni pods kubedns kube-proxy kubelet kube- controller- manager kube-manager kube-scheduler calico cni pods kube-proxy kubelet
- 11. What’s New in Docker Enterprise 2.1 Extended Windows Server Support Expanded Kubernetes Support Improved Operational Insight Stronger Security and Compliance 21 3 4
- 13. Windows Support ● Expanded Operating System Server Support ○ Windows Server 2016, 1709, 1803, and 2019* ○ Smaller image sizes ○ Ingress and VIP Networking for Docker Swarm *Swarm support for Win Server 2019 GA will be delivered in a patch release (due to the timing of Docker Enterprise 2.1 and Server 2019)
- 16. Upgraded to Kubernetes 1.11 Generally Available features: ● Kubernetes pod autoscaling ● Kubernetes RBAC including support for cluster roles ● Storage protection ● CRI-tools for improved debugging ● API aggregation ● Webhook authorization ● DaemonSet, Deployment, ReplicaSet, and StatefulSet APIs FEATURE BENEFITS • Access the most recent developments from the Kubernetes community • Stay on top of latest stable Kubernetes enhancements • Get an enterprise-ready experience with the latest Kubernetes release
- 17. Native Kubernetes RBAC FEATURE BENEFITS • Add native Kubernetes roles defined in yaml file • Distinct view of kubernetes roles from swarm role • Define grants in UCP similar to swarm • Deploy Helm charts • Use native kubernetes RBAC primitives
- 18. Kubernetes Network Encryption Use Case ● Apply default encryption without intervention or awareness from users ● Protect internal application traffic on untrusted or shared infrastructure by default Usage ● Deploy encryption daemonset to encrypt all host-to- host traffic between all pods within the Kubernetes cluster ● Key management and rotation managed centrally by add-on encryption module ● IPSec encryption Host Pod app Host Pod app
- 19. Kubernetes Demo
- 21. Improved Operational Insights FEATURE BENEFITS • Easier access to node metrics: ○ View containers within node ○ Healthchecks • Events from the last hour within Kubernetes resources • Up to 24 hour data retention, and viewable within Overview Dashboard • Detailed metadata for Swarm and Kubernetes Resources • Quickly identify and root-cause problems occuring at various levels of the environment (service, node, cluster) • Track and prevent emerging issues
- 23. New Options for Collecting Metrics Manager Node External Node GET https://ucp/metricsdiscovery UCP Controller External Prometheus Prometheus POST metrics Docker Enterprise UI FEATURE BENEFITS • Deploy Prometheus as Kubernetes Daemon Set • Allow additional Prometheus configurations: ○ Deploy Prometheus on worker nodes ○ Allow external Prometheus instances to scrape Docker Enterprise metrics • Remove CPU pressure on manager nodes • Gather more information about your environment and collect it locally
- 24. Image Management and Storage Optimization at Scale Docker Image File FEATURE BENEFITS • Online garbage collection • Policy-based image tag pruning • Preserve storage space by deleting unused image layers • Reduce clutter in your image registry using pre-defined policies, particularly when used in conjunction with CI/CD systems Image Layer Image Layer Image Layer Image Layer Image Layer
- 27. Integrate Identity Providers with SAML 2.0 FEATURE BENEFITS • Allow for SSO to Docker Enterprise through existing identity provider (IdP) ○ Support for Okta and ADFS, with more IdPs added in the future • Continue to use LDAP synch for client bundle access • Achieve 2FA through identity provider • Credentials stored in IdP only; no local hosting of passwords
- 28. FIPS 140-2 Compliance for Enterprise Engine FEATURE BENEFITS • Linux support included in 18.03 Engine, 18.09 now adds FIPS compliance for Windows • Automatically enable FIPS mode for Docker engine based upon host OS FIPS status • Use env variable to override O/S FIPS state • Meet regulatory requirements by deploying Docker Engines in a FIPS compliant mode • Prevent non-FIPS nodes from joining a FIPS compliant cluster DOCKER ENGINE containerd Docker API Networking Docker Build (BuildKit) Orchestration VolumesDistribution Docker CLI Plugins FIPS 140-2 Validated Encryption Module
- 29. Audit Logs for All Cluster-Wide Operations {“audit”; { "metadata": {...}, "level": "Metadata", "timestamp": "2018-08-07T22:10:35Z", "auditID": "7559d301-fa6b-4ad6-901c- b587fab75277", "stage": "RequestReceived", "requestURI": "/api/v1/namespaces/default/pods", "verb": "list", "user": {"username": "alice",...}, "sourceIPs": ["127.0.0.1"], ..., "requestReceivedTimestamp": "2018-08- 07T22:10:35.428850Z"}} orchestrator audit events audit logs user request {“audit”; { "metadata": {...}, "level": "Metadata", "timestamp": "2018-08-07T22:10:35Z", "auditID": "7559d301-94e7-4ad6-901c- b587fab31512", "stage": "RequestReceived", "requestURI": "/v1.30/configs/create", "verb": "post", "user": {"username": "alice",...}, "sourceIPs": ["127.0.0.1"], ..., "requestReceivedTimestamp": "2018-08- 07T22:10:35.428850Z"}} kubernetes pod listing swarm config create FEATURE • Configurable audit logs for both Swarm and Kubernetes • Logs API calls tracking request, time, user, and response • Persistent storage of audit log entries for historical recall BENEFITS • Track and investigate all security-relevant user activity in the cluster • Provide a full audit trail for more complete troubleshooting, adherence to compliance requirements
- 30. Access Detailed Audit Logs for the Registry FEATURE • Audit registry events (e.g. Push/Pull/Scan/etc.) to see what is happening inside of a repository BENEFITS • Track and investigate all security-relevant user activity in the registry • Provide a full audit trail for more complete troubleshooting, adherence to compliance requirements
- 31. Identify Vulnerabilities in Running Containers Docker Trusted Registry Scan Data FEATURE BENEFITS • Create policies to manage service deployments using image vulnerability data • Maintain compliant deployment of production services • View vulnerability data of images deployed through the control plane • Roll up views for services & pods
- 32. Security Demo
- 33. New Features for Docker Enterprise 2.1 Windows updates ● WS1709, WS1803, WS2019 support: ○ Smaller image sizes ○ Relaxed image compatibility requirements ○ Swarm-based routing mesh and VIP-based service discovery CHOICE: Updated Platform Support Kubernetes updates ● Kubernetes v1.11 support ● Native K8s RBAC support inc. cluster roles ● Kubernetes pod autoscaling ● Kubernetes network encryption ● Health status dashboards (service & platform metrics) ● Runtime visibility of known vulnerabilities ● Event activity streams AGILITY: Improved Operational Insight ● SAML 2.0 authentication ● FIPS compliance for Windows & Linux ● Audit logs & events SECURITY: Stronger Security & Compliance
- 34. Give Docker Enterprise a spin! trial.docker.com
- 35. Thank you!