Last week, we covered some of the questions about container infrastructure from our recent webinar “Demystifying VMs, Containers, and Kubernetes in the Hybrid Cloud Era.” This week, we’ll tackle the questions about Kubernetes, Docker and the software supply chain. One common misperception that we heard in the webinar — that Docker and Kubernetes are competitors. In fact, Kubernetes is better with Docker. And Docker is better with Kubernetes.
Docker And Kubernetes? I thought you were competitors?
We hear questions along this line all the time. Here are some quick answers:
Can I use Kubernetes with Docker?
- Yes, they go together. You need a container runtime like Docker Engine (based on open source containerd) to start and stop containers on a host.
- When you have a bunch of containers running across a bunch of hosts, you need an orchestrator to manage things like: Where will the next container start? How do you make a container highly available? How do you control which containers can communicate with other containers? That’s where an orchestrator such as Kubernetes comes in.
- The container runtime and the orchestrator are the two core atomic units that go together. You could just install Kubernetes and Docker Engines and have something that works, but enterprise organizations need security, monitoring and logging, enterprise storage and networking, and much more.
- This is where a container platform like Docker Enterprise comes in: Docker Enterprise is the easiest and fastest way to use containers and Kubernetes at scale and delivers the fastest time to production for modern applications, securely running them from hybrid cloud to the edge. It also ships with a CNCF-conformant version Kubernetes!
Does Kubernetes replace Docker Swarm?
- No, they can be used together. Kubernetes and Docker Swarm are both orchestrators, so they have the same end goals. New users find it much easier to understand Docker Swarm. However, Kubernetes has evolved to add a lot of functionality.
- The good news: you can use both side-by-side in Docker Enterprise. Enable your developers and operators to decide which route they want to go: you don’t have to tie yourself to one decision or the other.
You can learn more about this choice from the on-demand webinar, Swarm vs. Kubernetes, Presented by BoxBoat.
Container images, security, and CI/CD
A Secure Software Supply Chain is another big part of what makes up a container platform. After all, Docker Engine and Kubernetes wouldn’t have anything to do without container images! This was clearly another area with lots of interest.
We demonstrated vulnerability scanning and some questions came up about where scanning fits in the development lifecycle.
Do you scan containers in development? Test? QA? Production?
Vulnerability scanning is a feature of Docker Trusted Registry (DTR), which is part of Docker Enterprise. Scanning can happen any time a new image is pushed to the registry, when the vulnerability database is updated, or on demand.
- The answer is “Always be scanning.” Scanning can occur in both development and production. You want to scan the images when they are pushed to the registry and then continue to check them against the latest vulnerability discoveries. Vulnerabilities have a way of getting discovered months or even years after libraries are released. If you only scan the container when it’s originally created, you risk missing these new vulnerabilities in your existing applications.
- The Application Designer in Docker Desktop Enterprise (our locally installed tool for developers) has pre-configured Templates. In reality, those Templates are container images that “live” in DTR. With Desktop Enterprise, developers automatically pull scanned images to their machines. In addition, the templates can be customized to your organization’s particular standards and approved frameworks. You can build-in your coding standards, plug-ins or other artifacts directly into the templates as well.
- We automatically check existing images against the vulnerability database whenever it is updated. On the production side, you might have long-running containers in your environment. Those get scanned and we surface the results in the Universal Control Plane. From there, you can easily tell which of your running applications are affected and choose how to address the issues.
A lot of people had questions about how to get started with Kubernetes. Fortunately, they’re much easier questions to answer and many of the resources are free!
- If you want to get started with Docker and Kubernetes on your own and you have a Windows 10 (with Hyper-V features) or macOS machine, go get Docker Desktop. It’s free, incredibly easy to set up, and you’ll have both Docker and Kubernetes ready to go.
- If you have a Linux workstation you can get Docker Engine for free. Make sure you’re getting the actual Docker Engine and not a forked version by following the instructions here.
- If you can’t install software on your machine or you don’t have an OS that meets the requirements, you can use Play with Docker and Play with Kubernetes for free. . Both provide access to nodes directly from your browser. They also have lab content to guide you through introductory exercises.
- Read the excellent blog series from Bill Mills on our training team about designing your first application in Kubernetes.