The addition of Kubernetes support to Docker Enterprise Platform presents deployments with interesting new abstractions for application connectivity. Users and operators are often challenged to rationalize how pod networking (with CNI plugins like Calico or Flannel), Services (via kube-proxy) and Ingress work in concert to enable application connectivity within and outside a cluster. Similarly, given the dynamic and transient nature of containerized microservice workloads, they must work out how to leverage scalable and declarative approaches like network policies to express segmentation and security primitives.
This session walks through these core concepts using common deployment architectures, offering design, operations, and scale considerations based on experience from numerous production deployments. The session will also showcase how to complement application and operations workflows with the policy-driven business, compliance and security controls typically required in enterprise production deployments.
15. Secure networking for the cloud-native era
TIGERA CALICO: WHY IT'S AWESOME
Open source, maintained by Tigera with hundreds of third party contributors
Batteries-included container networking for Docker EE Kubernetes
> Scalable, distributed control plane
> Policy-driven network security
> No overlay required
> Integrated with all major cloud platforms
> Widely deployed, proven at scale
23. Connectivity Concept / Out-of-the-Box Solution with Docker EE 2.0
Pod - Pod:            Calico CNI
Services:             ClusterIP, NodePort, LoadBalancer
Ingress:              NGINX Ingress Controller
DNS:                  kube-dns
K8s Network Policy:   Calico
Diverse Application Portfolio
* Tigera CNX builds on Calico with enterprise security features: Hierarchical Policies, Policy RBAC, DevSecOps tools (Audit, Alerting, Compliance), etc.
24. Zero-Trust Security
•Declarative policy-driven isolation
•Fine-grained access control
•Dynamic, in lock step with Kubernetes
Compliance
Stage/tier separation
Tenant/namespace isolation
Micro-segmentation
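As an added example (not from the deck), the namespace isolation and micro-segmentation listed above expressed as two standard Kubernetes NetworkPolicy objects, which Calico enforces as the network policy provider in Docker EE 2.0. The namespace name tenant-a, the tier labels and the ingress controller's namespace label are assumptions.

```yaml
# Added example, not from the deck. Namespace tenant-a, the tier labels and the
# ingress controller namespace label (name: ingress-nginx) are assumptions.
# Policy 1: tenant/namespace isolation. An empty podSelector selects every pod
# in the namespace, and listing no ingress rules means no inbound traffic is
# allowed until another policy permits it. Egress (e.g. kube-dns lookups) is
# untouched because only Ingress appears in policyTypes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Policy 2: micro-segmentation for the api tier. The two "from" entries are
# ORed: frontend pods in this namespace, or any pod in the namespace that
# carries the label name=ingress-nginx (the NGINX Ingress Controller).
# Only TCP 8080 is opened; everything else stays denied by Policy 1.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: api-allow-frontend-and-ingress
  namespace: tenant-a
spec:
  podSelector:
    matchLabels:
      tier: api
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          tier: frontend
    - namespaceSelector:
        matchLabels:
          name: ingress-nginx
    ports:
    - protocol: TCP
      port: 8080
```

Apply both with kubectl apply -f and verify with a pod in a third namespace that cannot reach the api tier; because policies are label-driven, newly scheduled pods inherit the rules without any change to the manifests.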
25. Takeaway
Docker Enterprise Edition 2.0 seamlessly integrates Calico as the default CNI, providing the choice of using native K8S connectivity abstractions on any infrastructure, all while enforcing dynamic policy-based microsegmentation.