docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

ECI and Kubernetes Improvements (#21961) 

<!--Delete sections as needed -->

## Description

* Added an image in the "Deploy on Kubernetes" section showing the
Docker Desktop Kubernetes settings.
* Updated the ECI FAQs regarding ECI protection for docker build and
Kubernetes.

## Reviews

<!-- Notes for reviewers here -->
<!-- List applicable reviews (optionally @tag reviewers) -->

- [ ] Technical review
- [X] Editorial review
- [ ] Product review

---------

Signed-off-by: Cesar Talledo <cesar.talledo@docker.com>
Co-authored-by: Allie Sadler <102604716+aevesdocker@users.noreply.github.com>
This commit is contained in:
Cesar Talledo 2025-02-04 02:03:33 -08:00 committed by GitHub
parent 8b264bd54f
commit cb21bfc60f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 43 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
content/manuals/desktop/features/kubernetes.md
View File

@ -10,12 +10,14 @@ aliases:
weight: 60 weight: 60
--- ---
Docker Desktop includes a standalone Kubernetes server and client, as well as Docker CLI integration, enabling local Kubernetes development and testing directly on your machine. Docker Desktop includes a standalone Kubernetes server and client, as well as Docker CLI integration, enabling local Kubernetes development and testing directly on your machine.
The Kubernetes server runs as a single or multi-node cluster within a Docker container. This lightweight setup helps you explore Kubernetes features, test workloads, and work with container orchestration in parallel with other Docker functionalities. The Kubernetes server runs as a single or multi-node cluster, within Docker container(s). This lightweight setup helps you explore Kubernetes features, test workloads, and work with container orchestration in parallel with other Docker functionalities.
Kubernetes on Docker Desktop runs alongside other workloads, including Swarm services and standalone containers. Kubernetes on Docker Desktop runs alongside other workloads, including Swarm services and standalone containers.
![k8s settings](../images/k8s-settings.png)
## What happens when I enable Kubernetes in Docker Desktop? ## What happens when I enable Kubernetes in Docker Desktop?
When you enable Kubernetes in Docker Desktop, the following actions are triggered in the Docker Desktop backend and VM: When you enable Kubernetes in Docker Desktop, the following actions are triggered in the Docker Desktop backend and VM:
@ -30,18 +32,18 @@ Turning the Kubernetes server on or off in Docker Desktop does not affect your o
## Install and turn on Kubernetes ## Install and turn on Kubernetes
1. Open the Docker Desktop Dashboard and navigate to **Settings**. 1. Open the Docker Desktop Dashboard and navigate to **Settings**.
2. Select the **Kubernetes** tab. 2. Select the **Kubernetes** tab.
3. Toggle on **Enable Kubernetes**. 3. Toggle on **Enable Kubernetes**.
4. Choose your cluster provisioning method. You can choose either **Kubeadm** or **kind** if you are signed in and are using Docker Desktop version 4.38 or later. 4. Choose your cluster provisioning method. You can choose either **Kubeadm** or **kind** if you are signed in and are using Docker Desktop version 4.38 or later.
If you select **kind** you can also choose the Kubernetes version and the number of nodes. If you select **kind** you can also choose the Kubernetes version and the number of nodes.
5. Select **Apply & Restart** to save the settings. This sets up the images required to run the Kubernetes server as containers, and installs the `kubectl` command-line tool on your system at `/usr/local/bin/kubectl` (Mac) or `C:\Program Files\Docker\Docker\Resources\bin\kubectl.exe` (Windows). 5. Select **Apply & Restart** to save the settings. This sets up the images required to run the Kubernetes server as containers, and installs the `kubectl` command-line tool on your system at `/usr/local/bin/kubectl` (Mac) or `C:\Program Files\Docker\Docker\Resources\bin\kubectl.exe` (Windows).
> [!NOTE] > [!NOTE]
> >
> Docker Desktop for Linux does not include `kubectl` by default. You can install it separately by following the [Kubernetes installation guide](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/). Ensure the `kubectl` binary is installed at `/usr/local/bin/kubectl`. > Docker Desktop for Linux does not include `kubectl` by default. You can install it separately by following the [Kubernetes installation guide](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/). Ensure the `kubectl` binary is installed at `/usr/local/bin/kubectl`.
When Kubernetes is enabled, its status is displayed in the Docker Desktop Dashboard footer and the Docker menu. When Kubernetes is enabled, its status is displayed in the Docker Desktop Dashboard footer and the Docker menu.
You can check which version of Kubernetes you're on with: You can check which version of Kubernetes you're on with:
@ -53,7 +55,7 @@ $ kubectl version
#### Kubernetes dashboard #### Kubernetes dashboard
Once Kubernetes is installed and set up, you can select the **Deploy the Kubernetes Dashboard into cluster** setting so you can manage and monitor your Kubernetes clusters and applications more easily. Once Kubernetes is installed and set up, you can select the **Deploy the Kubernetes Dashboard into cluster** setting so you can manage and monitor your Kubernetes clusters and applications more easily.
#### Viewing system containers #### Viewing system containers
@ -79,7 +81,7 @@ $ kubectl config use-context docker-desktop
> [!TIP] > [!TIP]
> >
> If the `kubectl` config get-contexts command returns an empty result, try: > If the `kubectl` config get-contexts command returns an empty result, try:
> >
> - Running the command in the Command Prompt or PowerShell. > - Running the command in the Command Prompt or PowerShell.
> - Setting the `KUBECONFIG` environment variable to point to your `.kube/config` file. > - Setting the `KUBECONFIG` environment variable to point to your `.kube/config` file.
@ -111,13 +113,13 @@ Kubernetes clusters are not automatically upgraded with Docker Desktop updates.
$ kubectl config use-context docker-desktop $ kubectl config use-context docker-desktop
``` ```
You can then try checking the logs of the [Kubernetes system containers](#viewing-system-containers) if you have enabled that setting. You can then try checking the logs of the [Kubernetes system containers](#viewing-system-containers) if you have enabled that setting.
- If you're experiencing cluster issues after updating, reset your Kubernetes cluster. Resetting a Kubernetes cluster can help resolve issues by essentially reverting the cluster to a clean state, and clearing out misconfigurations, corrupted data, or stuck resources that may be causing problems. If the issue still persists, you may need to clean and purge data, and then restart Docker Desktop. - If you're experiencing cluster issues after updating, reset your Kubernetes cluster. Resetting a Kubernetes cluster can help resolve issues by essentially reverting the cluster to a clean state, and clearing out misconfigurations, corrupted data, or stuck resources that may be causing problems. If the issue still persists, you may need to clean and purge data, and then restart Docker Desktop.
## Turn off and uninstall Kubernetes ## Turn off and uninstall Kubernetes
To turn off Kubernetes in Docker Desktop: To turn off Kubernetes in Docker Desktop:
1. From the Docker Desktop Dashboard, select the **Settings** icon. 1. From the Docker Desktop Dashboard, select the **Settings** icon.
2. Select the **Kubernetes** tab. 2. Select the **Kubernetes** tab.
3. Deselect the **Enable Kubernetes** checkbox. 3. Deselect the **Enable Kubernetes** checkbox.
4. Select **Apply & Restart** to save the settings. This stops and removes Kubernetes containers, and also removes the `/usr/local/bin/kubectl` command. 4. Select **Apply & Restart** to save the settings. This stops and removes Kubernetes containers, and also removes the `/usr/local/bin/kubectl` command.

BIN
content/manuals/desktop/images/k8s-settings.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 135 KiB

42
content/manuals/security/for-admins/hardened-desktop/enhanced-container-isolation/faq.md
View File

@ -69,22 +69,42 @@ See [ECI Docker socket mount permissions](config.md#docker-socket-mount-permissi
Not yet. It protects all containers launched by users via `docker create` and Not yet. It protects all containers launched by users via `docker create` and
`docker run`. `docker run`.
Prior to Docker Desktop 4.30, it did not protect containers implicitly used by For containers implicitly created by `docker build` as well as Docker
`docker build` with the `docker` build driver (the default driver). Starting Desktop's integrated Kubernetes, protection varies depending on the Docker
with Docker Desktop 4.30, it protects such containers, except for Docker Desktop Desktop version (see the following two FAQs).
on WSL 2 (Windows hosts).
Note that ECI always protects containers used by `docker build`, when using the ECI does not yet protect Docker Desktop Extension containers and
[docker-container build driver](/manuals/build/builders/drivers/_index.md), since Docker [Dev Environments containers](/manuals/desktop/features/dev-environments/_index.md).
Desktop 4.19 and on all supported platforms (Windows with WSL 2 or Hyper-V, Mac,
and Linux).
ECI does not yet protect Docker Desktop Kubernetes pods, Extension containers, ### Does ECI protect containers implicitly used by `docker build`?
and [Dev Environments containers](/manuals/desktop/features/dev-environments/_index.md).
Prior to Docker Desktop 4.19, ECI did not protect containers used implicitly
by `docker build` during the build process.
Since Docker Desktop 4.19, ECI protects containers used by `docker build`
when using the [Docker container build driver](/manuals/build/builders/drivers/_index.md).
In addition, since Docker Desktop 4.30, ECI also protects containers used by
`docker build` when using the default "docker" build driver, on all
platforms supported by Docker Desktop except Windows with WSL 2.
### Does ECI protect Kubernetes in Docker Desktop?
Prior to Docker Desktop 4.38, ECI did not protect the Kubernetes cluster
integrated in Docker Desktop.
Since Docker Desktop 4.38, ECI protects the integreated Kubernetes cluster
when using the new **kind** provisioner (see [Deploy On Kubernetes](/manuals/desktop/features/kubernetes.md)).
In this case, each node in the multi-node Kubernetes cluster is actually an ECI
protected container. With ECI disabled, each node in the Kubernetes cluster is
a less-secure fully privileged container.
ECI does not protect the integrated Kubernetes cluster when using the
older **Kubeadm** single-node cluster provisioner.
### Does ECI protect containers launched prior to enabling ECI? ### Does ECI protect containers launched prior to enabling ECI?
No. Containers created prior to switching on ECI are not protected. Therefore, it is No. Containers created prior to switching on ECI are not protected. Therefore, it is
recommended you remove all containers prior to switching on ECI. recommended you remove all containers prior to switching on ECI.
### Does ECI affect the performance of containers? ### Does ECI affect the performance of containers?