ECI and Kubernetes Improvements (#21961)

<!--Delete sections as needed -->

## Description

* Added an image in the "Deploy on Kubernetes" section showing the
Docker Desktop Kubernetes settings.
* Updated the ECI FAQs regarding ECI protection for docker build and
Kubernetes.

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Technical review
- [X] Editorial review
- [ ] Product review

---------

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>
Cesar Talledo 2025-02-04 02:03:33 -08:00 committed by GitHub
parent 8b264bd54f
commit cb21bfc60f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 43 additions and 21 deletions


@ -12,10 +12,12 @@ weight: 60
Docker Desktop includes a standalone Kubernetes server and client, as well as Docker CLI integration, enabling local Kubernetes development and testing directly on your machine. Docker Desktop includes a standalone Kubernetes server and client, as well as Docker CLI integration, enabling local Kubernetes development and testing directly on your machine.
The Kubernetes server runs as a single or multi-node cluster within a Docker container. This lightweight setup helps you explore Kubernetes features, test workloads, and work with container orchestration in parallel with other Docker functionalities. The Kubernetes server runs as a single or multi-node cluster, within Docker container(s). This lightweight setup helps you explore Kubernetes features, test workloads, and work with container orchestration in parallel with other Docker functionalities.
Kubernetes on Docker Desktop runs alongside other workloads, including Swarm services and standalone containers. Kubernetes on Docker Desktop runs alongside other workloads, including Swarm services and standalone containers.
![k8s settings](../images/k8s-settings.png)
## What happens when I enable Kubernetes in Docker Desktop? ## What happens when I enable Kubernetes in Docker Desktop?
When you enable Kubernetes in Docker Desktop, the following actions are triggered in the Docker Desktop backend and VM: When you enable Kubernetes in Docker Desktop, the following actions are triggered in the Docker Desktop backend and VM:
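Review bot: the new image line `![k8s settings](../images/k8s-settings.png)` has alt text that only names the topic; for accessibility it should describe what the screenshot shows, for example `![Kubernetes settings page in Docker Desktop, showing the cluster provisioner and node options](../images/k8s-settings.png)`. Also, the reworded sentence "within Docker container(s)" reads awkwardly with the parenthetical plural; since the same sentence already says "single or multi-node cluster", plain "within Docker containers" or "in one or more Docker containers" is clearer.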

Binary file not shown.



@ -69,18 +69,38 @@ See [ECI Docker socket mount permissions](config.md#docker-socket-mount-permissi
Not yet. It protects all containers launched by users via `docker create` and Not yet. It protects all containers launched by users via `docker create` and
`docker run`. `docker run`.
Prior to Docker Desktop 4.30, it did not protect containers implicitly used by For containers implicitly created by `docker build` as well as Docker
`docker build` with the `docker` build driver (the default driver). Starting Desktop's integrated Kubernetes, protection varies depending on the Docker
with Docker Desktop 4.30, it protects such containers, except for Docker Desktop Desktop version (see the following two FAQs).
on WSL 2 (Windows hosts).
Note that ECI always protects containers used by `docker build`, when using the ECI does not yet protect Docker Desktop Extension containers and
[docker-container build driver](/manuals/build/builders/drivers/_index.md), since Docker [Dev Environments containers](/manuals/desktop/features/dev-environments/_index.md).
Desktop 4.19 and on all supported platforms (Windows with WSL 2 or Hyper-V, Mac,
and Linux).
ECI does not yet protect Docker Desktop Kubernetes pods, Extension containers, ### Does ECI protect containers implicitly used by `docker build`?
and [Dev Environments containers](/manuals/desktop/features/dev-environments/_index.md).
Prior to Docker Desktop 4.19, ECI did not protect containers used implicitly
by `docker build` during the build process.
Since Docker Desktop 4.19, ECI protects containers used by `docker build`
when using the [Docker container build driver](/manuals/build/builders/drivers/_index.md).
In addition, since Docker Desktop 4.30, ECI also protects containers used by
`docker build` when using the default "docker" build driver, on all
platforms supported by Docker Desktop except Windows with WSL 2.
### Does ECI protect Kubernetes in Docker Desktop?
Prior to Docker Desktop 4.38, ECI did not protect the Kubernetes cluster
integrated in Docker Desktop.
Since Docker Desktop 4.38, ECI protects the integreated Kubernetes cluster
when using the new **kind** provisioner (see [Deploy On Kubernetes](/manuals/desktop/features/kubernetes.md)).
In this case, each node in the multi-node Kubernetes cluster is actually an ECI
protected container. With ECI disabled, each node in the Kubernetes cluster is
a less-secure fully privileged container.
ECI does not protect the integrated Kubernetes cluster when using the
older **Kubeadm** single-node cluster provisioner.
### Does ECI protect containers launched prior to enabling ECI? ### Does ECI protect containers launched prior to enabling ECI?
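Review bot: typo in the new Kubernetes FAQ, "integreated" should be "integrated". In the same FAQ, "each node in the multi-node Kubernetes cluster is actually an ECI protected container" is narrower than the feature: the kind provisioner supports single- or multi-node clusters (the first hunk says "single or multi-node cluster"), so "each node in the cluster is an ECI-protected container" covers both cases. Also worth clarifying: the removed line spoke of "Kubernetes pods" not being protected, while the replacement only states that the node containers are protected; say explicitly whether pod containers running inside those nodes are also covered, since readers will ask. Minor: the link text "Deploy On Kubernetes" should match the page title casing used elsewhere ("Deploy on Kubernetes").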