Docker EE 2.0 Choice, Security & Agility
Download as PPTX, PDF2 likes369 views
Docker EE 2.0 provides choice, security, and agility for container deployments. It offers more than just containers and orchestration, including lifecycle management, governance, and security features. Docker EE can deploy applications on Linux and Windows across on-premises and cloud infrastructure. It supports both Docker Swarm and Kubernetes orchestrators. Security features include image scanning, role-based access control, and audit logging to secure the software supply chain. Docker EE aims to provide a unified platform for both traditional and microservices applications.
Docker EE 2.0 Choice, Security & Agility
- 1. Docker EE 2.0 Choice, Security & Agility Eric Tan Solutions Engineer
- 3. Containers are the “Fastest Growing Cloud Enabling Technology” By 2020, more than 50% of global organizations will be running containers in production. -Gartner Title source: 451 Research
- 4. Static Website ? ? ? ? ? ? ? ? Web Frontend ? ? ? ? ? ? ? ? Background Workers ? ? ? ? ? ? ? ? User DB ? ? ? ? ? ? ? ? Analytics DB ? ? ? ? ? ? ? ? Queue ? ? ? ? ? ? ? ? Desktop Test/QA Cluster Production Cluster Public Cloud Data Center Mainframe Windows Server Edge Device The “Matrix from Hell” Breeds Complexity
- 5. The “Matrix from Hell” Breeds Complexity Static Website ? ? ? ? ? ? ? Web Frontend ? ? ? ? ? ? ? Background Workers ? ? ? ? ? ? ? User DB ? ? ? ? ? ? ? Analytics DB ? ? ? ? ? ? ? Queue ? ? ? ? ? ? ? Desktop Test/QA Cluster Production Cluster Public Cloud Data Center Mainframe Windows Server Edge Device — Containers Cut Complexity
- 6. The Docker Enterprise Edition
- 7. Docker Enterprise Edition is More than Containers + Orchestration... CONTAINER ORCHESTRATION Container placement & schedulingDOCKER ENTERPRISE EDITION CONTAINER Image format & runtime Lifecycle Mgt Governance Security Automated, Open and Extensible Orchestration Organizations also require: Lifecycle Management + Governance + Security + Automation + Support
- 8. Only Docker Delivers All Three Core Enterprise Requirements • Hybrid and multi-clouds • Windows and Linux • Traditional apps and microservices • DevOps and existing ops processes Choice AgilitySecurity • Unified operations • Rapid delivery and response • Cost efficiency • Safer apps • Governance • Chain of custody • Threat mitigation Only Docker EE Gives Global 2000 Customers the Following:
- 9. 450+ Enterprise IT Customers Trust Docker Enterprise Edition Financial Services Healthcare & Science Tech Oil & Gas / Energy Insurance Public Sector
- 10. CHOICE
- 11. Docker Enterprise Edition is certified to run on CentOS, RHEL, Ubuntu, SUSE, Oracle Linux and Windows Server and can be deployed into all major public clouds while maintaining the same operating experience companies with 1,000+ employees have multiple clouds81% Source: https://w3techs.com/technologies/details/os-linux/all/all Source: Rightscale 2018 State of the Cloud Report CHOICE Only Container Platform that is Multi-Linux, Multi-OS and Multi- Cloud
- 12. Existing Application Modern Methodologies Integrate to CI/CD and automation system Convert to a container with Docker EE Modernize Traditional Applications Modern Infrastructure Built on premises, in the cloud, or as part of a hybrid environment. Modern Microservices Add new services or start peeling off services from monolith code base App CHOICE Only Container Platform Designed for both Microservices and Traditional Applications
- 13. Node Worker Node Worker Node Worker Node Worker Worker Nodes App-Net: 10.0.0.0/24 10.0.0.1 10.0.0.2 • Leverage best-in-class technologies across Windows and Linux • Connect Windows and Linux containers in the same cluster through a common overlay network • Build Compose files for hybrid applications • Leverage labels and constraints for intelligent placement and scheduling CHOICE Only Container Platform to Deliver First-Class Support and Interoperability across Linux and Windows
- 14. Choice of Swarm and Kubernetes: Only Solution That Lets You Run Swarm Today, Kubernetes Tomorrow and Vice Versa Docker EE is the only platform that allows you to run both Swarm and Kubernetes in the same cluster: ● Developers do not need to select orchestrators ● Freedom to change orchestrators as needs arise ● EE Manager Nodes are both Swarm and Kubernetes enabled ● Every worker node is both Kubernetes API- and Swarm API-ready Secure Cluster Management App Scheduler Swarm KubernetesOR Docker EE Cluster Docker EE Orchestration Node Node Node CHOICE
- 15. Deploy Applications with Either Compose or Kubernetes YAML Docker Compose Kubernetes YAML Node NodeNode Node • Simple Compose spec for developers, IT ops have multiple options for deployment • Migrate existing Docker apps to Kubernetes at your own pace KEY BENEFITS • Use existing Docker Compose files and choose at runtime to deploy on either Swarm or Kubernetes FEATURE / CAPABILITY CHOICE
- 16. Deploy Kubernetes Apps via UI or CLI • Docker EE uses standard Kube API and CLI • Use UCP UI to upload yaml files for deploying Kube workloads • Both methods enforce permissions and limit unauthorized access −Client bundle to connect local client to UCP controller with user certs CHOICE
- 17. AGILITY
- 18. Distributed Supply Chain Supports Global Development and Deployment • Enable “follow the sun” development with secure image promotion and image caching • Rapidly update software when new patches need to be distributed globally KEY BENEFITS • Image mirroring: Push and pull images from one registry to another based on pre- defined policies • Image caching: Extend the registry to a local cache while maintaining secure posture via encryption and access controls FEATURE / CAPABILITY Primary Registry Mirror Registry HQ Cache AGILITY
- 19. Swarm: Application (Layer 7) Ingress Routing 21 Upstream External LB Traffic via DNS (http port 80, https port 443, etc) Worker Node App2 Ingress LB Node Proxy Ingress LB Node Proxy Worker Node Worker Node acme.com/app1 acme.com/app2 App1 App1 App2 AGILITY • Intelligently route traffic to the appropriate nodes with performance and security • Integrate with preferred load balancing tools KEY BENEFITS • Hostname and Path-based routing • SSL termination • Included load balancing proxy with NGINX, swappable for others FEATURE / CAPABILITY
- 20. Docker EE Delivers Infrastructure Savings and Productivity Gains Financial Services Case Study Applications 500 VMs 5,300 Cores 22,000 $12 million CPU utilization 57% max Docker EE Cuts TCO by 41%, Saves $28M over 5yrs Applications 500 VMs 1,320 Cores 13,100 $7 millionCPU utilization ~90% max 75% reduction 40% reduction 41% reduction 2x improvement Annualized Cost AGILITY
- 21. Docker EE Makes Scaling Your Environment Easy Docker EE Management Console Docker EE Control Plane and Cluster Management Node Node Node • Single command to join new Swarm/Kubernetes nodes into a secure cluster • Automatically integrate new nodes into existing access controls and policies • No need to install separate services; all nodes come pre- installed with necessary services KEY BENEFITS Swarm-mode cluster with Kubernetes-ready Linux nodes Node Node AGILITY
- 22. Unified Operations Enable Your Existing Team to Operationalize Docker Containers in Production Docker EE simplifies and automates the day-to-day application delivery and operations of containers, increasing what your existing team can support With Docker Enterprise Edition Other Container Platforms SKILLS REQUIRED Unbudgeted new headcount for operational expertise and support Existing team AGILITY
- 23. SECURITY
- 24. > _ *** *** *** Build With Integrity • Verify, sign, & scan • Secure image storage • Secure sensitive data Trusted Automation (CI/CD) • Verifiable chain of custody • Policy-based automation Run Safe • Secure by default • Security Zones • Governance controls Docker EE Secures the End-to-End Software Supply ChainSECURITY
- 25. • Respond faster to changing organizational demands • Drive higher infrastructure and operational efficiencies and avoid cluster sprawl KEY BENEFITS • Secure Environment Zones −Logical and physical partitioning − Role-based permissions for delivery and operations FEATURE / CAPABILITY Operations Team TEST STAGING PRODUCTION DOCKER ENTERPRISE EDITION MANAGEMENT PLANE Single cluster, multiple divided zones SANDBOX Define Secure Environment Zones to Avoid Costly Cluster SprawlSECURITY
- 26. Node Worker Node Worker Node Worker Node Worker swarm mode cluster docker enterprise edition universal control plane trusted registry Node Worker Node Worker .NET Dev Team Using Swarm Java Dev Team using K8s Java Dev Team Using Swarm Ops Team Define Secure Application Zones to Enforce IT Governance • Easily define resource-based permissions to different teams and expose only the allotted resources to each team • Re-allocate resources as needed KEY BENEFITS • Integrate with LDAP/AD and create granular and flexible access controls • Combine Namespace isolation with node-based isolation for increased separation FEATURE / CAPABILITY SECURITY
- 27. Threat Mitigation: Scan Container Images for VulnerabilitiesSECURITY • Reduce risk by identifying security issues early • Stop automation workflows when security issues discovered • Ensure compliance with alerts for new vulnerabilities KEY BENEFITS • Integrated security scanning and vulnerability monitoring with customized alerts • Binary level scanning provides deep visibility into all components FEATURE / CAPABILITY
- 28. Threat Mitigation: Audit All Image Layers and ComponentsSECURITY • Ensure compliance with an audit log of all application dependencies • Track supporting library versions and licenses KEY BENEFITS • Get a full Bill of Materials for all of your Docker images that details all application and library dependencies • Detailed visibility of all Layers including those from Base Images FEATURE / CAPABILITY
- 29. Access Control: Image PromotionSECURITY FEATURE / CAPABILITY KEY BENEFITS • Restrict access to images to the right users. • Track and lock down on image versions. • Promotes “blessed” images from one repository to a different repository in the same DTR using a policy. • Repositories each have their own access control. • Images can be re-tagged automatically to a new flag.
- 30. Maintaining a Globally Consistent Supply Chain • Create a single source of truth for containerized applications no matter where they are deployed • Maintain a single supply chain for a globally-distributed enterprise footprint KEY BENEFITS • Connect multiple Docker EE clusters to a single private registry • Validate image signatures before deployment FEATURE / CAPABILITY Docker Trusted Registry Docker EE Cluster Docker EE Cluster Docker EE Cluster Docker EE Cluster SECURITY
- 31. Trusted Automation, With Verifiable Chain of Custody ● Image signing and scanning of applications to validate and verify content ● Content Trust: Only run applications that have the required signatures ● Automated policies for image promotions across the app development lifecycle dev/hello-world No ‘critical’ or ‘major’ vulnerabilities prod/hello-world App.go App.go SECURITY
- 32. THANK YOU :)