Scalable, Flexible Networking Included in Docker Enterprise Edition 2.0
Docker believes in making technology easy to use and accessible, and that approach also extends to our enterprise-ready container platform. That means providing out-of-the-box integrations to key extensions of the platform that enterprise organizations require, while also making it possible to swap these built-in solutions for other tools as desired.
Docker Enterprise Edition 2.0 integrates Kubernetes into our platform and delivers the only Kubernetes platform that can be deployed across multiple clouds and multiple operating systems. As part of this release, we have included Project Calico by Tigera as the “batteries included” Kubernetes CNI plug-in for a highly scalable, industry-leading networking and routing solution.
Why Project Calico?
While we support our customers using their preferred CNI plug-in, we chose to integrate Project Calico for our built-in solution because it aligns well with our design objectives for Docker EE 2.0:
- Choice & Flexibility for Different Deployment Models: Enterprise organizations are largely pursuing hybrid and multi-cloud strategies and we want to ensure that you have the flexibility to operate Docker EE in any environment. The Tigera team behind Project Calico has worked closely with all the major cloud providers to ensure that Calico works well with their native cloud networking solutions. Calico also offers the choice of overlay (IPIP), no overlay, and hybrid data-plane networking models to fit different architecture requirements.
- Highly Scalable and Battle-Hardened: Data center networks can now reach 10,000+ servers with hundreds of thousands of container endpoints. In terms of scale, the only network that is larger is the global internet. Built on the same routing protocols as the internet, Calico easily handles the networking needs for clusters of many thousands of nodes at near bare-metal performance. Calico also has a distributed control plane leveraging the Kubernetes key-value store (etcd) to scale horizontally, without the need for a centralized controller.
- Policy-Driven Security Model with Close Integration to Kubernetes: The team at Tigera helped introduce fine-grained, label-based network policies for container networking, shepherding this model through the Kubernetes Networking SIG. Calico implements the full set of CNI capabilities, including IPAM, and offers the most complete implementation of the Kubernetes network policy API. Calico also includes a number of key capabilities that extend the base Kubernetes network policy API, such as additional protocols, network sets, and host protection, that together form the basis of a zero trust approach to cloud-native networking.
Project Calico in Docker EE 2.0
Calico comes pre-installed and pre-configured out-of-the-box when you install or upgrade to Docker EE 2.0. You can, however, change its configuration post-installation by updating the associated Calico configuration file. In this release, the default setting for Calico is to create a full-mesh IPIP overlay network. This means that each node in the cluster establishes BGP peering with every other node in the cluster, creating a full mesh of interconnected routed nodes. IPIP tunnels are then created between these nodes to be used as the data plane for pod-to-pod communication. Docker EE allows you to change from the default overlay mode to the native flat routing option using the following instructions: https://docs.docker.com/ee/ucp/kubernetes/install-cni-plugin/#disable-ip-in-ip-overlay-tunneling
Calico has two key components: Calico Kube Controller and Calico Node. The Calico Kube Controller is deployed as a single-pod Kubernetes deployment and is responsible for interfacing between the Kubernetes API and the Calico control plane. The Calico Node is deployed as a daemonset that runs on each host, reads relevant policy and network configuration information from the key/value store, and implements it in the Linux kernel. The Calico Node is also responsible for establishing BGP peering with other nodes in the cluster and configuring the host routing table with the BGP routes.
Using Calico in Docker Enterprise Edition 2.0
When you launch your application as a Kubernetes deployment in Docker EE 2.0, the pods will automatically utilize the Calico CNI. Each pod will obtain an IP from the configured Calico IPAM. All pods within your Docker EE cluster will be able to communicate with each other, even across namespaces. The Kubernetes DNS Service (kube-dns) also registers and de-registers the pods' IP addresses as they come up and go down, allowing for seamless DNS resolution for pods and their corresponding services. In summary, deploying your Kubernetes application in Docker EE 2.0 automatically utilizes the powerful Calico CNI plugin for connecting and securing your applications.