Mark Church

Author Archives: Mark Church

Advancing Windows Containers with Docker and Kubernetes

Today, the Cloud Native Computing Foundation (CNCF) announced Kubernetes 1.14,  which includes support for Windows nodes. Kubernetes supporting Windows is a monumental step for the industry and it further confirms the work Docker has been doing with Microsoft to develop Windows containers over the past five years. It is evidence that containers are not just for Linux; Windows and .NET applications represent an important and sizeable footprint of applications that can benefit from both the Docker platform and Kubernetes.

Docker’s collaboration with Microsoft started five years ago. Today, every version of Windows Server 2016 and later ships with the Docker Engine – Enterprise. In addition, to facilitate a great user experience with Windows containers, Microsoft publishes more than 129 Windows container images of its popular software on Docker Hub. Many Docker Enterprise customers are already running mixed Windows and Linux containers with Swarm, and an upcoming release of Docker Enterprise will allow our customers to expand their Windows options to Kubernetes as well. Today both Docker Enterprise and Docker Desktop users have found that the easiest way to use and manage Kubernetes is with Docker and now these users will have the same benefits with Windows containers as well.

gMSA Continue reading

Sharing is Caring: Docker Enterprise Edition Access Control

Multi-tenancy has many benefits in organizations. Clearly it increases hardware utilization but it also allows IT roles to specialize more, and provides better separation of concerns. This leads to more manageable infrastructure. Multi-tenancy is a challenging practice though, as it requires strict security control over resources without becoming too cumbersome for application deployment.

This blog post is about the Role-based Access Control (RBAC) enhancements introduced in Docker Enterprise Edition (Docker EE) 17.06. These enhancements allow for much more granular control and also flexible policy modeling that is one giant building block of a multitenant container infrastructure. This post will help you  address questions like:

  • How do I prevent different teams from viewing or interacting with each other’s applications when using shared infrastructure?
  • How can I enforce scheduling on certain nodes in the cluster?
  • How can I manage all the access policies so it’s clearly understandable who has access to what?

Docker EE Access Control is a policy-based model that uses access control lists called grants to dictate access between users and cluster resources. A grant is a rule that ties together who, can do which actions, against what resource.

As shown below, a grant is made Continue reading

Understanding Docker Networking Drivers and their use cases

Applications requirements and networking environments are diverse and sometimes opposing forces. In between applications and the network sits Docker networking, affectionately called the Container Network Model or CNM. It’s CNM that brokers connectivity for your Docker containers and also what abstracts away the diversity and complexity so common in networking. The result is portability and it comes from CNM’s powerful network drivers. These are pluggable interfaces for the Docker Engine, Swarm, and UCP that provide special capabilities like multi-host networking, network layer encryption, and service discovery.

Naturally, the next question is which network driver should I use? Each driver offers tradeoffs and has different advantages depending on the use case. There are built-in network drivers that come included with Docker Engine and there are also plug-in network drivers offered by networking vendors and the community. The most commonly used built-in network drivers are bridge, overlay and macvlan. Together they cover a very broad list of networking use cases and environments. For a more in depth comparison and discussion of even more network drivers, check out the Docker Network Reference Architecture.

Bridge Network Driver

The bridge networking driver is the first driver on our list. It’s simple to understand, Continue reading