Containers Made secure and easy with Docker EE 2.0
Download as PPTX, PDF0 likes176 views
The document outlines the key features and benefits of Docker EE 2.0 for secure and efficient container deployment in enterprise environments. It emphasizes choices in orchestration, enhanced security, and simplified workflows, highlighting the ability to run both Swarm and Kubernetes. Additionally, it provides guidance on next steps for users, including trials and consultations.
Containers Made secure and easy with Docker EE 2.0
- 1. Containers Made secure and easy with Docker EE 2.0 How to make your Docker Deployment Successful!
- 2. It is no more “Why Docker?”
- 3. Enterprise Needs are Now Beyond “Containerization” • Your app in any cloud, including Hybrid • No lock-in • Risk mitigation • Use Docker native tools … or almost any you prefer Choice SecurityAgility • Safer applications • Governance • Chain of custody • Threat mitigation • Standardized and unified operations • Dev to Ops consistency • Rapid Delivery and response • Cost efficiency
- 4. Typical Challenges in Container Adoption
- 6. Orchestrator on Dev Platforms
- 7. Setup and Management of Orchestrator
- 8. Trade-offs - Complexity Or Security
- 9. Authenticity of Images Potential Downtime
- 10. Introducing Docker EE 2.0
- 11. New Features of Docker EE 2.0 ● Secure Supply Chain for Kubernetes ○ Default mutual TLS encryption ○ Signing/scanning enforcement ○ Automated image promotion ● Choice of Swarm or Kubernetes ○ Run Swarm & Kubernetes interchangeably in the same cluster ○ Deploy applications with either Compose or Kubernetes YAML ● Choice of Kubernetes Networking (CNI) Plugin ○ Calico integrated, but swappable ● Simplified Kubernetes Workflows ○ Cluster management ○ Secure application zones ● Registry Enhancements ○ Image mirroring and caching between registries ● Swarm Enhancements ○ Enhanced Layer 7 Routing Performance CHOICE AGILITY SECURITY
- 12. Run Swarm and Kubernetes Side by side
- 13. Demo – 1: Docker Container with UCP
- 14. Demo – 2: Kube Pod with UCP
- 15. Demo – 3: Kube Application with UCP
- 16. Demo – 4: On-premise Image Repository (push)
- 17. Demo – 4: On-premise Image Repository (pull) …contd
- 18. Demo – 5: DTR Image Management (Image hardening and certification)
- 19. Demo – 5: DTR Image Management (Promotion and Mirror) …contd
- 20. Demo – 6: Deploy Services with HRM
- 21. HRM Features • Based on interlock • Host name to service mapping • Path based routing • Application Name based redirect • SSL pass-through • SSL Off-loading • Flexibility – batteries included but replace-able
- 22. Demo – 7: Add New Worker Nodes to Cluster
- 23. What should you do next? • Get a trial version or try the hosted trial • Reach out to us for a customized demo • Do you have some questions? • Need training or consulting on Dockerizing your application? • Talk to Ashnik
Editor's Notes
- #14: docker run -d --name=nginx-docker nginx
- #15: ### Create a pod definition file cat ~/nginx-kube.yml apiVersion: v1 kind: Pod metadata: name: nginx-app spec: containers: - name: nginx-app image: nginx ### Now run the pod using kubectl kubectl create -f ~/nginx-kube.yml
- #16: kubectl delete -f /home/centos/kube-app/guestbook.yaml kubectl create -f /home/centos/kube-app/guestbook.yaml
- #17: Show DTR Portal #### Push ## Download your code (done) git clone https://github.com/sameerkasi200x/docker-ci-cd.git cd docker-ci-cd cd docker-ci-cd/code docker image build -t $dtr_url/development/tweet-to-us:b1 . docker push $dtr_url/development/tweet-to-us:b1
- #18: Kubenetes: ### Create a secret (already done, not to be demo) kubectl create secret docker-registry dtr --docker-server=dtr.ashnikdemo.com:12443 --docker-username=ashnik --docker-password=Ashnik123 --docker-email="[email protected]" #### Get the secret to confirm kubectl get secrets ### Create a deployment file apiVersion: v1 kind: Pod metadata: name: tweet-app spec: containers: - name: tweet-app image: dtr.ashnikdemo.com:12443/development/tweet-to-us:b1 imagePullSecrets: - name: dtr ### Swarm docker container run –d dtr.ashnikdemo.com:12443/development/tweet-to-us:b1
- #20: docker image build -t $dtr_url/development/tweet-to-us:b1 .
- #21: ### Cautionary Cleanup docker service rm tweet-using-context-root docker service rm tweet-using-context-root-app2 docker service rm tweet-to-us docker service rm tweet-to-us-v2 docker service rm default-interlock-app docker network rm default-app-network ### Setup a service docker service create --network ucp-interlock --name tweet-to-us --mode replicated \ --replicas 2 \ --label com.docker.lb.hosts="tweet.demoapps.ashnikdemo.com" \ --label com.docker.lb.network="ucp-interlock" \ --label com.docker.lb.port="80" \ --constraint 'node.platform.os==linux' \ --detach=true \ --env METADATA="tweet-hrm-v1" \ $dtr_url/development/tweet-to-us:b1 ### Setup a default (catch all) service docker network create -d overlay default-app-network docker service create --network default-app-network --name default-interlock-app --mode replicated \ --replicas 2 \ --label com.docker.lb.default_backend="true" \ --label com.docker.lb.network="default-app-network" \ --label com.docker.lb.port="80" \ --constraint 'node.platform.os==linux' \ --detach=true \ ehazlett/interlock-default-app ### Blue green deployment (v2 of a service) docker service create --network ucp-interlock --name tweet-to-us-v2 --mode replicated \ --replicas 2 \ --label com.docker.lb.hosts="tweet.demoapps.ashnikdemo.com" \ --label com.docker.lb.network="ucp-interlock" \ --label com.docker.lb.port="80" \ --constraint 'node.platform.os==linux' \ --detach=true \ --env METADATA="tweet-hrm-v2" \ --env VERSION="0.2" \ $dtr_url/development/tweet-to-us:b3 ### Route more traffic to v2 docker service update tweet-to-us --replicas=1 –detatch=true docker service update tweet-to-us-v2 --replicas=3 --detach=true ### deplicate v1 (it can still be rolled back by increasing replica, pretty much instantaneously) docker service update tweet-to-us --replicas=0 --detach=true docker service update tweet-to-us-v2 --replicas=4 --detach=true ### Drop v1 docker service rm tweet-to-us
- #22: docker service create --network ucp-interlock --name tweet-using-context-root --mode replicated \ --replicas 2 \ --label com.docker.lb.hosts="apps.demoapps.ashnikdemo.com" \ --label com.docker.lb.network="ucp-interlock" \ --label com.docker.lb.port="80" \ --label com.docker.lb.context_root="/tweet" \ --label com.docker.lb.context_root_rewrite="true" \ --constraint 'node.platform.os==linux' \ --detach=true \ $dtr_url/development/tweet-to-us:b4 docker service create --network ucp-interlock --name tweet-using-context-root-app2 --mode replicated \ --replicas 2 \ --label com.docker.lb.hosts="apps.demoapps.ashnikdemo.com" \ --label com.docker.lb.network="ucp-interlock" \ --label com.docker.lb.port="80" \ --label com.docker.lb.context_root="/tweet-v2" \ --label com.docker.lb.context_root_rewrite="true" \ --constraint 'node.platform.os==linux' \ --detach=true \ $dtr_url/development/tweet-to-us:b3