In this talk, Scott Coulton will walk through how to build a container-as-a-service platform with Docker EE. Starting from scratch, he will help you figure out which orchestrator to choose by deep-diving into the technical differences between Swarm and Kubernetes on the EE platform, and will cover some of the practical considerations that could influence your decision. He will also share various automation solutions to deploy your cluster into production. Once the cluster is up and running, Scott will delve into SecOps and discuss security best practices, including signing images in DTR (Docker Trusted Registry) and CVE scanning, to provide a secure supply chain into production. You'll leave this talk with the knowledge needed to build your own container platform in production. And did I mention it will all be done live, step-by-step?
21. Secure Supply Chain
[Diagram: developer machine (Docker for Mac or Docker for Windows) → TEST → STAGING → PRODUCTION. Registry controls applied along the pipeline: Scanning, Signing, Automated Policies, Signature verification, Native encryption.]
23. Secure Supply Chain
[Diagram: Developer Machine (Docker for Mac / Docker for Windows) → Version Control → CI/CD → Docker Trusted Registry → Docker UCP. Non-Production Environments: Development, CI/CD, Operations. Production Environments: Datacenter 1 and Datacenter 2, each with its own Docker UCP and Docker Trusted Registry.]
24. CI Workflow
[Diagram: Version Control (src, Dockerfiles, docker-compose.yml files) feeds CI Agents; build artifacts go to a Repository Manager (binaries) and images to Docker Trusted Registry; the Test Environment runs on Docker UCP. Four numbered CI stages:]

Stage 1: the CI Agent starts a build container, which clones the source and publishes binaries to the Repository Manager.
  CI Agent:        $ docker run -it --rm builder build
  Build container: $ git clone
                   $ mvn deploy

Stage 2: the CI Agent builds the image and pushes it to Docker Trusted Registry.
  $ git clone
  $ docker build -t myapp
  $ docker push myapp

Stage 3: the CI Agent loads the UCP client bundle and runs the app in the Test Environment on Docker UCP.
  $ eval $(<env.sh)
  $ docker run | $ docker service | $ docker-compose up

Stage 4: the CI Agent loads the UCP client bundle, runs the tests, then pulls the tested image from DTR and pushes it back as the promoted tag.
  $ eval $(<env.sh)
  $ docker run -it --rm test uat
  $ docker pull myapp
  $ docker push myapp
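The stages above as one CI script, added here as an example; it is not code from the deck or from Docker. It assumes a DTR host dtr.example.com, a repository engineering/myapp, and the UCP client bundle's env.sh at ./env.sh (the deck's `eval $(<env.sh)`, sourced here instead). Two points the slide only implies are made explicit: pushes run with Docker Content Trust enabled so the tag is signed into DTR, and the promotion step pulls with Content Trust enabled so an unsigned or tampered tag fails before it can be re-tagged for production. The test deployment also shows the Swarm-side counterpart of a hardened Kubernetes securityContext (non-root user, read-only root filesystem).

```shell
#!/bin/sh
# Added example, not from Scott Coulton's deck: CI stages 2-4 against DTR/UCP.
# Assumed names: DTR host, repository path, and bundle location below.
set -eu

DTR="${DTR:-dtr.example.com}"
REPO="${REPO:-engineering/myapp}"
BUNDLE="${BUNDLE:-./env.sh}"   # UCP client bundle, exported from UCP's profile page

# Tags are the git commit SHA, so a tag is never silently rebuilt in place.
image_tag() {
  printf '%s/%s:%s\n' "$DTR" "$REPO" "$1"
}

# Stage 2: build and push. With DOCKER_CONTENT_TRUST=1, `docker push` signs the
# tag with the CI agent's delegation key and DTR stores the Notary metadata.
build_and_push() {
  tag=$(image_tag "$1")
  docker build -t "$tag" .
  DOCKER_CONTENT_TRUST=1 docker push "$tag"
  printf '%s\n' "$tag"
}

# Stage 3: deploy into the UCP test environment through the client bundle.
# --user and --read-only are the Swarm equivalents of runAsUser and
# readOnlyRootFilesystem in a Kubernetes securityContext.
deploy_test() {
  tag=$1
  # shellcheck disable=SC1090
  . "$BUNDLE"
  docker service create --name myapp-test --replicas 1 \
    --user 1000 --read-only "$tag"
}

# Stage 4: promote only after the tests pass. The pull with Content Trust
# enabled fails if the tag is unsigned or its signature does not verify, so an
# image that bypassed stage 2 cannot be re-tagged for production.
promote() {
  src=$1
  dst=$(image_tag "$2")
  DOCKER_CONTENT_TRUST=1 docker pull "$src"
  docker tag "$src" "$dst"
  DOCKER_CONTENT_TRUST=1 docker push "$dst"
  printf '%s\n' "$dst"
}

# Usage: ci.sh build <sha> | ci.sh test <image> | ci.sh promote <image> <tag>
case "${1:-}" in
  build)   build_and_push "$2" ;;
  test)    deploy_test "$2" ;;
  promote) promote "$2" "$3" ;;
esac
```

Signing on push only helps if the consumer checks it: UCP can be configured to run only images signed by chosen teams, and `docker pull` without DOCKER_CONTENT_TRUST set will happily pull an unsigned tag, so the promotion step must set it explicitly rather than rely on the agent's environment.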
33. You don't have to choose one
apiVersion: v1
kind: Pod
metadata:
  name: my-dockercon-app
spec:
  securityContext:
    runAsUser: 1000          # pod-level: applies to every container in the pod
  containers:
  - name: app
    image: myapp             # the image the CI workflow pushed to DTR
    securityContext:         # these two fields exist only at container level
      readOnlyRootFilesystem: true
      allowPrivilegeEscalation: false
35. A great blog post on this stuff
https://blog.jessfraz.com/post/containers-security-and-echo-chambers/