Docker, Inc., profile picture
Uploaded byDocker, Inc.
PDF, PPTX2,062 views

Networking in docker ee with kubernetes and swarm

The document discusses networking principles in Docker EE 2.0 with Kubernetes and Swarm, highlighting design objectives, security, multi-tenancy, and observability. It emphasizes the flexibility in choosing orchestrators and network configurations to ensure secure and efficient application deployment. Key takeaways include the importance of operator selection and the capabilities of Docker EE to adapt to various needs and environments.

Download as PDF, PPTX
v Networking in Docker EE 2.0 with Kubernetes and Swarm
SW Engineer, Docker Flavio Crisciani SW Engineer, Docker Abhinandan Prativadi
Objectives Design principles behind Docker EE Focus on operator deployment goals What’s the best fit for Kubernetes and Swarm Final takeaways SWARM KUBERNETES
Docker EE Design Principles Multiple orchestrators Multiple OSs Multiple infrastructure Choice SecurityAgility Safer apps Chain of custody Threat mitigation Unified operations Cost efficiency
Docker EE Architecture Secure Cluster Management App Scheduler Swarm KubernetesOR Docker EE Cluster Universal Control Plane (UCP) Node • Each node is K8s and Swarm ready • Operator chooses the production orchestrator • Freedom to choose orchestrator Node Node
Operator network design goals Network Security Multi-tenancy Observability Flexibility Data-path Migration
Network Security Practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information Control planeData plane Management Plane Information segregation
Manager Mgmt Plane: Node identities with mutual TLS Control Plane: Encrypted gossip based DB Data Plane: Optionally encrypted with IPSec Manager Manager Network Security WorkerWorker
Network Security ucp-bundle-john $docker network create -d overlay john-network Error response from daemon: access denied: no access to Network Create, on collection ucp-bundle-admin $source env.sh Cluster "ucp_10.1.1.1:6443_admin" set. User "ucp_10.1.1.1:6443_admin" set. Context "ucp_10.1.1.1:6443_admin" created. ucp-bundle-admin $docker network create --opt encrypted --driver overlay net1 l5vtb59oqk6r7fgzrjlou6llg Jun 11 21:13:57 ubuntu-1 dockerd[4721]: time="2018-06-11T21:13:57.200950113Z" level=debug msg="Initial encryption keys: [(key: dda14, tag: 0x1eb1) (key: b6b91, tag: 0x1eb0) (key: 0e8a0, tag: 0x1eb2)]" Jun 11 21:13:57 ubuntu-1 dockerd[4721]: time="2018-06-11T21:13:57.201251695Z" level=debug msg="Initial encryption keys: [(key: dda14, tag: 0x1eb1) (key: b6b91, tag: 0x1eb0) (key: 0e8a0, tag: 0x1eb2)]"
Manager Mgmt Plane: Secure etcd, api-server access control Control Plane: Calico BGP based Control plane Data Plane: App to app encryption with service mesh Manager Manager Network Security WorkerWorker
Network Security ucp-bundle-john $source env.sh Cluster "ucp_10.1.1.1:6443_john" set. User "ucp_10.1.1.1:6443_john" set. Context "ucp_10.1.1.1:6443_john" created. ucp-bundle-john $ ucp-bundle-john $kubectl get pods -n kube-system Error from server (Forbidden): pods is forbidden: User "john" cannot list pods in the namespace "kube-system": access denied
Multi-tenancy Concept that refers to the logical isolation of shared virtual compute, storage, and network resources. Application isolation Traffic isolation
Multi-tenancy Constraints allow to specify where a workload can be deployed Containers in different networks are isolated. Worker Worker Net1 Net2
Multi-tenancy $docker service create --name redis_2 --constraint 'node.labels.type == queue' redis:3.0.6 $docker service create --name prod-db --network net1 alpine sleep 9000 X8qnrfhhjrcis5nk6fx6mfc5w $docker service create --name prod-web --network net2 alpine sleep 9000 T5uwwccffj0qg0zeddfnd5ouu $docker exec -it prod-web.1.87aa93qtbg1dvxip9cpizjdls sh / # ping prod-db.1.87aa93qtbg1dvxip9cpizjdls ping: bad address 'prod-db.1.87aa93qtbg1dvxip9cpizjdls'
Multi-tenancy Node Affinity, Taints and Tolerations allow to specify where a workload can be scheduled and deployed Policies define network connectivity between pods Worker Worker
Multi-tenancy $kubectl taint nodes node1 Tenant=node.org1:NoSchedule ….. tolerations: - key: ”Tenant" operator: "Equal" value: ”node.org1" effect: "NoSchedule" apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: {} policyTypes: - Ingress
Observability Is a measure of how well internal states of a system can be inferred from knowledge of its external outputs. Control Plane Data Plane Metrics
Observability Mgmt Plane: Cluster key-value store based on raft Control Plane: Gossip based datastore Metrics through swarm events Data Plane • Linux: network namespaces, iptables, IPVS • Windows: Windows Host Network Service
Observability Mgmt Plane: etcd, kubectl Control Plane: BGP for route distribution Metrics through Prometheus Data Plane • Linux: L3 forwarding, iptables and ipsets, nsenter, iproute • Windows: WinCNI that configures windows HNS
Flexibility Ability of a system to adapt to different ecosystems Network Drivers Cluster Configuration
Flexibility Allows multiple drivers, most used in is overlay Abstraction on top of physical infrastructure Dynamic network creation ORIGINAL ETHERNET FRAME VXLAN FRAME Available Drivers: Overlay, MacVlan, IPVlan, external drivers
Flexibility Multiple CNI plugins available CNI integrated with the cloud provider Static network configuration ORIGINAL ETHERNET FRAME IPINIP FRAME Available Drivers: IPinIP, Native L3 routing
Data Path Data-path traffic ingress and egress out of the cluster and between workloads Concept of Service Service Discovery Cloud Provider Performance
Data Path Service is a group of containers sharing the same image Forwarding performance depends on the driver, but leverages Linux and Windows native data path Service discovery is built-in served by the docker daemon and extensible
Data Path Service is a logical set of pods determined by label selectors. Forwarding performance depends on the driver, but leverages Linux and Windows native data path Service discovery is swappable. kube-dns by default
Migration Process of transferring apps between different systems Docker EE nodes are Swarm and K8s enabled Both networking stacks work independently Node
What fits best ? App Getting started InnovationFirst Project Scale It depends…
Docker EE allows you to choose what fits best for your purpose. Leverage your current expertise or investment. Swarm is simpler with native Docker experience. Kubernetes brings the flexibility and native integration with cloud providers. Final Takeaways
Thank you! Questions??

More Related Content

PDF
A vision of persistence
byDocker, Inc.
 
PDF
Accessible hpc for everyone with docker and containers
byDocker, Inc.
 
PDF
Don’t have a Meltdown! Practical Steps for Defending Your Apps
byDocker, Inc.
 
PDF
Windows container security
byDocker, Inc.
 
PDF
5 patterns for success for application transformation
byDocker, Inc.
 
PDF
Docker in Production, Look No Hands! by Scott Coulton
byDocker, Inc.
 
PDF
Demystifying container connectivity with kubernetes in docker
byDocker, Inc.
 
PDF
Docker ee an architecture and operations overview
byDocker, Inc.
 
A vision of persistence
byDocker, Inc.
 
Accessible hpc for everyone with docker and containers
byDocker, Inc.
 
Don’t have a Meltdown! Practical Steps for Defending Your Apps
byDocker, Inc.
 
Windows container security
byDocker, Inc.
 
5 patterns for success for application transformation
byDocker, Inc.
 
Docker in Production, Look No Hands! by Scott Coulton
byDocker, Inc.
 
Demystifying container connectivity with kubernetes in docker
byDocker, Inc.
 
Docker ee an architecture and operations overview
byDocker, Inc.
 

What's hot

PPTX
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
byDocker, Inc.
 
PDF
How to accelerate docker adoption with a simple and powerful user experience
byDocker, Inc.
 
PDF
Building your production tech stack for docker container platform
byDocker, Inc.
 
PDF
Considerations for operating docker at scale
byDocker, Inc.
 
PDF
Docker for developers on mac and windows
byDocker, Inc.
 
PDF
Taking Docker from Local to Production at Intuit JanJaap Lahpor, Intuit and H...
byDocker, Inc.
 
PDF
Automated hardware testing using docker for space
byDocker, Inc.
 
PDF
DCEU 18: Docker Enterprise Platform and Architecture
byDocker, Inc.
 
PDF
Docker Meetup at Docker HQ: Docker Cloud
byDocker, Inc.
 
PPTX
DockerCon EU 2015: Docker Universal Control Plane (Gordon's Special Session)
byDocker, Inc.
 
PPTX
DockerCon EU 2015: Cultural Revolution - How to Mange the Change Docker Brings
byDocker, Inc.
 
PDF
Why I wish I'd Heard of Docker when I was 12 - Finnian Anderson
byDocker, Inc.
 
PPTX
DockerCon 16 General Session Day 1
byDocker, Inc.
 
PDF
Production sec ops with kubernetes in docker
byDocker, Inc.
 
PPTX
Oscon 2017: Build your own container-based system with the Moby project
byPatrick Chanezon
 
PDF
DCSF 19 Microservices API: Routing Across Any Infrastructure
byDocker, Inc.
 
PDF
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
byDocker, Inc.
 
PDF
Proactive ops for container orchestration environments
byDocker, Inc.
 
PDF
The Tale of Two Deployments: Greenfield and Monolith Apps with Docker Enterpr...
byDocker, Inc.
 
PDF
DockerCon 18 Cool Hacks: solo.io
byDocker, Inc.
 
Using the SDACK Architecture on Security Event Inspection by Yu-Lun Chen and ...
byDocker, Inc.
 
How to accelerate docker adoption with a simple and powerful user experience
byDocker, Inc.
 
Building your production tech stack for docker container platform
byDocker, Inc.
 
Considerations for operating docker at scale
byDocker, Inc.
 
Docker for developers on mac and windows
byDocker, Inc.
 
Taking Docker from Local to Production at Intuit JanJaap Lahpor, Intuit and H...
byDocker, Inc.
 
Automated hardware testing using docker for space
byDocker, Inc.
 
DCEU 18: Docker Enterprise Platform and Architecture
byDocker, Inc.
 
Docker Meetup at Docker HQ: Docker Cloud
byDocker, Inc.
 
DockerCon EU 2015: Docker Universal Control Plane (Gordon's Special Session)
byDocker, Inc.
 
DockerCon EU 2015: Cultural Revolution - How to Mange the Change Docker Brings
byDocker, Inc.
 
Why I wish I'd Heard of Docker when I was 12 - Finnian Anderson
byDocker, Inc.
 
DockerCon 16 General Session Day 1
byDocker, Inc.
 
Production sec ops with kubernetes in docker
byDocker, Inc.
 
Oscon 2017: Build your own container-based system with the Moby project
byPatrick Chanezon
 
DCSF 19 Microservices API: Routing Across Any Infrastructure
byDocker, Inc.
 
On-the-Fly Containerization of Enterprise Java & .NET Apps by Amjad Afanah
byDocker, Inc.
 
Proactive ops for container orchestration environments
byDocker, Inc.
 
The Tale of Two Deployments: Greenfield and Monolith Apps with Docker Enterpr...
byDocker, Inc.
 
DockerCon 18 Cool Hacks: solo.io
byDocker, Inc.
 

Similar to Networking in docker ee with kubernetes and swarm

PDF
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
byAjeet Singh Raina
 
PDF
Demystfying container-networking
byBalasundaram Natarajan
 
PDF
99cloud Docker Training module 2
byLiang Bo
 
PDF
Kubernetes
byLinjith Kunnon
 
PDF
Container Networking Deep Dive
byOpen Networking Summit
 
PPTX
Docker and kubernetes
byDongwon Kim
 
PPTX
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
byGuillaume Morini
 
PDF
Kubernetes Networking 101 kubecon EU 2022
byssuser1490e8
 
PDF
Building a sdn solution for the deployment of web application stacks in docker
byJorge Juan Mendoza
 
PDF
Kubernetes in Docker
bydocker-athens
 
PDF
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
byThomas Barlow
 
PDF
Practical Design Patterns in Docker Networking
byDocker, Inc.
 
PDF
Lessons learned and challenges faced while running Kubernetes at Scale
bySidhartha Mani
 
PPTX
Introduction to Kubernetes
byVishal Biyani
 
PPTX
Kubernetes on open stack
byNaveen Joy
 
PDF
DCSF 19 Docker Enterprise Platform and Architecture
byDocker, Inc.
 
PPTX
Develop and deploy Kubernetes applications with Docker - IBM Index 2018
byPatrick Chanezon
 
PPTX
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
byCynthia Thomas
 
PDF
Introduction to Kubernetes Workshop
byBob Killen
 
PPTX
Docker Networking Overview
bySreenivas Makam
 
Collabnix Online Webinar - Demystifying Docker & Kubernetes Networking by Bal...
byAjeet Singh Raina
 
Demystfying container-networking
byBalasundaram Natarajan
 
99cloud Docker Training module 2
byLiang Bo
 
Kubernetes
byLinjith Kunnon
 
Container Networking Deep Dive
byOpen Networking Summit
 
Docker and kubernetes
byDongwon Kim
 
DockerCon EU 2018 Workshop: Container Networking for Swarm and Kubernetes in ...
byGuillaume Morini
 
Kubernetes Networking 101 kubecon EU 2022
byssuser1490e8
 
Building a sdn solution for the deployment of web application stacks in docker
byJorge Juan Mendoza
 
Kubernetes in Docker
bydocker-athens
 
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
byThomas Barlow
 
Practical Design Patterns in Docker Networking
byDocker, Inc.
 
Lessons learned and challenges faced while running Kubernetes at Scale
bySidhartha Mani
 
Introduction to Kubernetes
byVishal Biyani
 
Kubernetes on open stack
byNaveen Joy
 
DCSF 19 Docker Enterprise Platform and Architecture
byDocker, Inc.
 
Develop and deploy Kubernetes applications with Docker - IBM Index 2018
byPatrick Chanezon
 
Secure Your Containers: What Network Admins Should Know When Moving Into Prod...
byCynthia Thomas
 
Introduction to Kubernetes Workshop
byBob Killen
 
Docker Networking Overview
bySreenivas Makam
 

More from Docker, Inc.

PDF
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
PDF
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
PDF
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
PDF
Hands-on Helm
byDocker, Inc.
 
PDF
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
PDF
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
PDF
Monitoring in a Microservices World
byDocker, Inc.
 
PDF
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
PDF
Predicting Space Weather with Docker
byDocker, Inc.
 
PDF
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
PDF
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
PDF
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
PDF
Kubernetes at Datadog Scale
byDocker, Inc.
 
PDF
Labels, Labels, Labels
byDocker, Inc.
 
PDF
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
PDF
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
PDF
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
PDF
Developing with Docker for the Arm Architecture
byDocker, Inc.
 
Containerize Your Game Server for the Best Multiplayer Experience
byDocker, Inc.
 
How to Improve Your Image Builds Using Advance Docker Build
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
Securing Your Containerized Applications with NGINX
byDocker, Inc.
 
How To Build and Run Node Apps with Docker and Compose
byDocker, Inc.
 
Hands-on Helm
byDocker, Inc.
 
Distributed Deep Learning with Docker at Salesforce
byDocker, Inc.
 
The First 10M Pulls: Building The Official Curl Image for Docker Hub
byDocker, Inc.
 
Monitoring in a Microservices World
byDocker, Inc.
 
COVID-19 in Italy: How Docker is Helping the Biggest Italian IT Company Conti...
byDocker, Inc.
 
Predicting Space Weather with Docker
byDocker, Inc.
 
Become a Docker Power User With Microsoft Visual Studio Code
byDocker, Inc.
 
How to Use Mirroring and Caching to Optimize your Container Registry
byDocker, Inc.
 
Monolithic to Microservices + Docker = SDLC on Steroids!
byDocker, Inc.
 
Kubernetes at Datadog Scale
byDocker, Inc.
 
Labels, Labels, Labels
byDocker, Inc.
 
Using Docker Hub at Scale to Support Micro Focus' Delivery and Deployment Model
byDocker, Inc.
 
Build & Deploy Multi-Container Applications to AWS
byDocker, Inc.
 
From Fortran on the Desktop to Kubernetes in the Cloud: A Windows Migration S...
byDocker, Inc.
 
Developing with Docker for the Arm Architecture
byDocker, Inc.
 

Recently uploaded

PDF
ptameetingppt-230914233943-0377432e (6).pdf
bytagolinomario20
 
PPTX
Eco Friendly Electric Energy PowerPoint Templates.pptx
byKenieta
 
PPTX
zxhksDHFlkjdsiofasdbgPrime Numbers Revisited
byjohnrosal0121
 
PDF
Leadership Skills for Kids in India - LearnifyU
byLearnifyU | Public Speaking & Spoken English Classes
 
PDF
Case Studies on X-ray Crystallographic Structures of Antibodies and Antibody-...
bySalam Al-Karadaghi
 
PDF
About Pearl Bipin Pulickal: A rigorous and seasoned mathematician dedicated t...
byPearlBipin20ECE1028
 
PPTX
2025-10-05-The-Mind-of-the-Lord-A-Prophetic-People-Part-1-Ashish-Raichur.pptx
bymailtrash3
 
PPTX
ANEMIA RELATED DISORDERS pptx.pptxxxxxxxx
bysheezujut
 
PDF
Media Systems, Structures & Trends of Nepal
byDepartmentofMediaBus
 
PPTX
nephritic syndrome ppt.ppt..... ############
bysheezujut
 
PPTX
Bob Stewart His Purpose 10 25 2025.pptx
byFamilyWorshipCenterD
 
PPT
Quality Analysis with Experts of Quality Members
byNayanGautam5
 
PPTX
Two pixels are connected if: – They are neighbors (i.e. adjacent in some sens...
byMilind580961
 
PPTX
Gevra CHP OCP Presentation 15.04.2024.pptx
bypradipkumar446774
 
PPTX
Cognitive Science and Communication for Reader Understanding
byCherylStephens10
 
PDF
Storytelling Classes for Kids in India - LearnifyU
byLearnifyU | Public Speaking & Spoken English Classes
 
PPTX
Basic technic presentation and guidance ppt
byRamaMulyadi1
 
PPTX
PRESENT PERFECT TENSE presentasi bahasa inggris
byNadiraei
 
PPTX
Present Perfect Continuous8.pptxPresent Perfect Continuous8.pptx
bybauenovas
 
PDF
Three Tips for a Great Medical Presentation
byDr. Om J Lakhani
 
ptameetingppt-230914233943-0377432e (6).pdf
bytagolinomario20
 
Eco Friendly Electric Energy PowerPoint Templates.pptx
byKenieta
 
zxhksDHFlkjdsiofasdbgPrime Numbers Revisited
byjohnrosal0121
 
Leadership Skills for Kids in India - LearnifyU
byLearnifyU | Public Speaking & Spoken English Classes
 
Case Studies on X-ray Crystallographic Structures of Antibodies and Antibody-...
bySalam Al-Karadaghi
 
About Pearl Bipin Pulickal: A rigorous and seasoned mathematician dedicated t...
byPearlBipin20ECE1028
 
2025-10-05-The-Mind-of-the-Lord-A-Prophetic-People-Part-1-Ashish-Raichur.pptx
bymailtrash3
 
ANEMIA RELATED DISORDERS pptx.pptxxxxxxxx
bysheezujut
 
Media Systems, Structures & Trends of Nepal
byDepartmentofMediaBus
 
nephritic syndrome ppt.ppt..... ############
bysheezujut
 
Bob Stewart His Purpose 10 25 2025.pptx
byFamilyWorshipCenterD
 
Quality Analysis with Experts of Quality Members
byNayanGautam5
 
Two pixels are connected if: – They are neighbors (i.e. adjacent in some sens...
byMilind580961
 
Gevra CHP OCP Presentation 15.04.2024.pptx
bypradipkumar446774
 
Cognitive Science and Communication for Reader Understanding
byCherylStephens10
 
Storytelling Classes for Kids in India - LearnifyU
byLearnifyU | Public Speaking & Spoken English Classes
 
Basic technic presentation and guidance ppt
byRamaMulyadi1
 
PRESENT PERFECT TENSE presentasi bahasa inggris
byNadiraei
 
Present Perfect Continuous8.pptxPresent Perfect Continuous8.pptx
bybauenovas
 
Three Tips for a Great Medical Presentation
byDr. Om J Lakhani
 

Networking in docker ee with kubernetes and swarm

  • 1.
    v Networking in DockerEE 2.0 with Kubernetes and Swarm
  • 2.
    SW Engineer, Docker FlavioCrisciani SW Engineer, Docker Abhinandan Prativadi
  • 3.
    Objectives Design principles behind Docker EE Focus on operator deployment goals What’sthe best fit for Kubernetes and Swarm Final takeaways SWARM KUBERNETES
  • 4.
    Docker EE DesignPrinciples Multiple orchestrators Multiple OSs Multiple infrastructure Choice SecurityAgility Safer apps Chain of custody Threat mitigation Unified operations Cost efficiency
  • 5.
    Docker EE Architecture SecureCluster Management App Scheduler Swarm KubernetesOR Docker EE Cluster Universal Control Plane (UCP) Node • Each node is K8s and Swarm ready • Operator chooses the production orchestrator • Freedom to choose orchestrator Node Node
  • 6.
    Operator network designgoals Network Security Multi-tenancy Observability Flexibility Data-path Migration
  • 7.
    Network Security Practice ofpreventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information Control planeData plane Management Plane Information segregation
  • 8.
    Manager Mgmt Plane: Nodeidentities with mutual TLS Control Plane: Encrypted gossip based DB Data Plane: Optionally encrypted with IPSec Manager Manager Network Security WorkerWorker
  • 9.
    Network Security ucp-bundle-john $dockernetwork create -d overlay john-network Error response from daemon: access denied: no access to Network Create, on collection ucp-bundle-admin $source env.sh Cluster "ucp_10.1.1.1:6443_admin" set. User "ucp_10.1.1.1:6443_admin" set. Context "ucp_10.1.1.1:6443_admin" created. ucp-bundle-admin $docker network create --opt encrypted --driver overlay net1 l5vtb59oqk6r7fgzrjlou6llg Jun 11 21:13:57 ubuntu-1 dockerd[4721]: time="2018-06-11T21:13:57.200950113Z" level=debug msg="Initial encryption keys: [(key: dda14, tag: 0x1eb1) (key: b6b91, tag: 0x1eb0) (key: 0e8a0, tag: 0x1eb2)]" Jun 11 21:13:57 ubuntu-1 dockerd[4721]: time="2018-06-11T21:13:57.201251695Z" level=debug msg="Initial encryption keys: [(key: dda14, tag: 0x1eb1) (key: b6b91, tag: 0x1eb0) (key: 0e8a0, tag: 0x1eb2)]"
  • 10.
    Manager Mgmt Plane: Secureetcd, api-server access control Control Plane: Calico BGP based Control plane Data Plane: App to app encryption with service mesh Manager Manager Network Security WorkerWorker
  • 11.
    Network Security ucp-bundle-john $sourceenv.sh Cluster "ucp_10.1.1.1:6443_john" set. User "ucp_10.1.1.1:6443_john" set. Context "ucp_10.1.1.1:6443_john" created. ucp-bundle-john $ ucp-bundle-john $kubectl get pods -n kube-system Error from server (Forbidden): pods is forbidden: User "john" cannot list pods in the namespace "kube-system": access denied
  • 12.
    Multi-tenancy Concept that refersto the logical isolation of shared virtual compute, storage, and network resources. Application isolation Traffic isolation
  • 13.
    Multi-tenancy Constraints allow tospecify where a workload can be deployed Containers in different networks are isolated. Worker Worker Net1 Net2
  • 14.
    Multi-tenancy $docker service create--name redis_2 --constraint 'node.labels.type == queue' redis:3.0.6 $docker service create --name prod-db --network net1 alpine sleep 9000 X8qnrfhhjrcis5nk6fx6mfc5w $docker service create --name prod-web --network net2 alpine sleep 9000 T5uwwccffj0qg0zeddfnd5ouu $docker exec -it prod-web.1.87aa93qtbg1dvxip9cpizjdls sh / # ping prod-db.1.87aa93qtbg1dvxip9cpizjdls ping: bad address 'prod-db.1.87aa93qtbg1dvxip9cpizjdls'
  • 15.
    Multi-tenancy Node Affinity, Taintsand Tolerations allow to specify where a workload can be scheduled and deployed Policies define network connectivity between pods Worker Worker
  • 16.
    Multi-tenancy $kubectl taint nodesnode1 Tenant=node.org1:NoSchedule ….. tolerations: - key: ”Tenant" operator: "Equal" value: ”node.org1" effect: "NoSchedule" apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-deny spec: podSelector: {} policyTypes: - Ingress
  • 17.
    Observability Is a measureof how well internal states of a system can be inferred from knowledge of its external outputs. Control Plane Data Plane Metrics
  • 18.
    Observability Mgmt Plane: Clusterkey-value store based on raft Control Plane: Gossip based datastore Metrics through swarm events Data Plane • Linux: network namespaces, iptables, IPVS • Windows: Windows Host Network Service
  • 19.
    Observability Mgmt Plane: etcd,kubectl Control Plane: BGP for route distribution Metrics through Prometheus Data Plane • Linux: L3 forwarding, iptables and ipsets, nsenter, iproute • Windows: WinCNI that configures windows HNS
  • 20.
    Flexibility Ability of asystem to adapt to different ecosystems Network Drivers Cluster Configuration
  • 21.
    Flexibility Allows multiple drivers, mostused in is overlay Abstraction on top of physical infrastructure Dynamic network creation ORIGINAL ETHERNET FRAME VXLAN FRAME Available Drivers: Overlay, MacVlan, IPVlan, external drivers
  • 22.
    Flexibility Multiple CNI plugins available CNIintegrated with the cloud provider Static network configuration ORIGINAL ETHERNET FRAME IPINIP FRAME Available Drivers: IPinIP, Native L3 routing
  • 23.
    Data Path Data-path trafficingress and egress out of the cluster and between workloads Concept of Service Service Discovery Cloud Provider Performance
  • 24.
    Data Path Service isa group of containers sharing the same image Forwarding performance depends on the driver, but leverages Linux and Windows native data path Service discovery is built-in served by the docker daemon and extensible
  • 25.
    Data Path Service isa logical set of pods determined by label selectors. Forwarding performance depends on the driver, but leverages Linux and Windows native data path Service discovery is swappable. kube-dns by default
  • 26.
    Migration Process of transferringapps between different systems Docker EE nodes are Swarm and K8s enabled Both networking stacks work independently Node
  • 27.
    What fits best? App Getting started InnovationFirst Project Scale It depends…
  • 28.
    Docker EE allows youto choose what fits best for your purpose. Leverage your current expertise or investment. Swarm is simpler with native Docker experience. Kubernetes brings the flexibility and native integration with cloud providers. Final Takeaways
  • 29.