Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
5 likes464 views
Tom Barlow discusses Docker's platform, focusing on Kubernetes integration for managing containerized applications. The presentation covers Kubernetes architecture, components, and the advantages of using Docker Enterprise Edition for enterprise container security and management. Key features include native Kubernetes support, authentication mechanisms, resource management, and a streamlined development workflow for both local and production environments.
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
- 1. Kubernetes in Docker Tom Barlow @tomwbarlow
- 2. About Me • Tom Barlow (@tomwbarlow) • Building enterprise products at Docker, Inc. for the last 2.5 years • Living and working in Galway
- 3. Agenda 1. Intro: the Docker Platform 2. Kubernetes in Docker 3. Demo: Kubernetes in Docker Desktop 4. General CE/EE Architectures 5. Demo: Kubernetes in Docker EE 2.0 6. EE: Topics on mixed workloads
- 5. Traditional Micro services ISV / COTS IoT Big Data ML AI ...Serverless Cloud VM Bare Metal Edge Device Docker Platform
- 6. Docker Momentum Docker Hosts 21.0M Growth in Docker job listings 77K% Container downloads 24B Industry Standards
- 7. Enterprise Momentum Portability Agility Security 50% total cost savings
- 8. DEVELOPERS OPERATORS Applications Infrastructure The Docker Platform in a nutshell
- 9. Docker Community Edition Developers EnterpriseContainer Ecosystem The Docker Innovation Model Docker Enterprise Edition 9,149 Open Source Contributors 8800 PRs/Year
- 12. What is a container orchestrator? Management of containers running in one or more container runtimes
- 13. Kubernetes ● Developed at Google ● Inspired by and resembles Borg & Omega ● The third container-management system built by Google ● v1.0 was released on July 21, 2015 (around since 2014) ● Commonly referred to as k8s or kube ● Greek for ‘Helmsman’ (pilot of a ship)
- 14. Kubernetes Primitives Pod: Consists of one or more containers that run together and share a process, network, filesystem namespace. Each Pod has its own unique IP address on the cluster. Controller: A reconciliation loop that ensures the system matches the desired state by managing pods. (e.g. a ReplicationController will ensure n pods of a given spec are running) Services: Targets a set of pods and provides a policy in which they can be accessed over the network (e.g. for external routing, load balancing etc.)
- 15. Kubernetes Components Master: ● API Server: Allows access to query/change the cluster state ● Controller Manager: Controller reconciliation loops ● Scheduler: Makes decisions where Pods should run ● etcd: Stores cluster state Worker: ● Kubelet: Manages Pod lifecycle running on a node ● Proxy: Routes incoming traffic to appropriate local container using IP/Port
- 17. Docker Enterprise Edition Docker Community Edition containerd 1 2 3 4 The best container development workflow The best enterprise container security and management Native Kubernetes integration provides full ecosystem compatibility Industry-standard container runtime Docker with Swarm and Kubernetes
- 19. Test locally on Swarm and Kubernetes Develop with Docker Community Edition on your workstation Deploy to production in Swarm Deploy to production in Kubernetes Docker Community Edition All in one development for Swarm and Kubernetes
- 20. Demo: Kubernetes in Docker Desktop
- 21. Linuxkit VM Kubernetes CLI Swarm Mode Kubernetes etcd Docker CLI kubeadm Kubernetes in Docker CE (Windows and Mac) Compose CRD Single Docker Engine vpnkitHost fs mounts hyperkit / hyperv
- 22. Docker EE 2.0: A conformant kubernetes distribution
- 23. Demo: Kubernetes in Docker EE 2.0
- 24. Docker EE to include Kubernetes Docker Enterprise Edition Production Ready Windows and IBM P/Z Support Pods, batch jobs, blue-green deployments, horizontal pod auto-scaling Docker Swarm Swarm-Mode Kubernetes Private Image Registry Secure Access and User Management App and Cluster Management Image Security Scanning Content Trust and Verification Policy Management
- 25. GUI Universal Control Plane Trusted Registry Kubernetes CLI Docker Engine Swarm-Mode Docker Swarm Kubernetes etcd CA OIDC Provider Docker CLI Node Agent Reconciler Kubernetes in Docker EE
- 26. Kubernetes Plugin Interfaces in Docker EE ● General: ○ Native API extensibility supported ○ Some apiserver/kubelet flags modifiable by users ● Networking: ○ Support for CNI plugin during install ○ Ingress ● Storage: Docker Volume Plugins supported via built-in flexvolume driver, CSI in future ● Metrics: Heapster Storage Backends or Prometheus
- 27. Docker EE Architectural Highlights ● Conformant Kubernetes components ran as Docker containers ● Swarm Managers are Kubernetes Masters ● Swarmkit node inventory is source of truth ● Cryptographic Node Identity and mTLS used throughout
- 28. - Easy High Availability provisioning - Cryptographic node identity Features Swarm Support - Registry - Content Trust - Secure Scanning - Clean upstream integration - Full ecosystem compatibility - Role Based Access Control - Authorization, Authentication - Node Segmentation Secure Cluster Lifecycle Secure Supply Chain 100% Interoperability Secure Multi-tenancy Management Dashboard Kubernetes Support Docker Enterprise Edition Management for Swarm and Kubernetes
- 29. Uses of Kubernetes Plugin Interfaces
- 30. Authentication ● X509 Client Certificates ○ Used for authentication of kubectl and the docker CLI via the “client bundle” feature ● OpenID Connect Identity Provider ○ GUI sessions use a custom identity provider and a token exchange service to authenticate with the OIDC authentication plugin
- 31. Authorization ● All requests authorized via the Authorization Webhook Mode ● Custom RBAC system shared between Swarm and Kubernetes: ○ Users, Teams, Organizations, Service Accounts ○ Custom Roles ○ Hierarchical “Grants” ● No support for RBAC Mode (rbac.authorization.k8s.io) currently, future plans for API translation
- 32. Resource Contention ● Allocatable Resources: The set of CPU and Memory resources available for scheduling by an orchestrator on a single node ● Multiple orchestrators = Different definitions of allocatable resources ○ Docker Swarm: Respectful of CPU/Memory limits, but container cache may be stale ○ Docker Engine with Swarm-Mode: Only aware of its own reservations ○ Kubernetes: Effective handling of out-of-resource situations, but only for kubernetes workloads ● When a node is at/near capacity: ○ All CPU shares throttled equally ○ The OS’s OOM killer kills processes ○ All orchestrators will reschedule on OOM, but potential workload interruption
- 33. Image Signing Policy Enforcement ● Enforces that all workloads deployed in the cluster have a fully qualified image reference ● Resolves image references to always include a digest ● Contacts the registry to ensure that the referenced image has been signed by an authorized user.
- 34. In Summary... ● Docker EE and CE will include a conformant Kubernetes distribution for Devs and Ops