Add info on Kube secrets

Traci Morrison 2019-11-20 11:47:31 -05:00
parent e50d65b5d9
commit d84a422989
1 changed files with 75 additions and 77 deletions


@ -4,16 +4,16 @@ description: Learn about the architecture of Docker Universal Control Plane.
keywords: ucp, architecture
---
Universal Control Plane is a containerized application that runs on
Docker Universal Control Plane (UCP) is a containerized application that runs on
[Docker Enterprise Edition](/ee/index.md), extending its functionality
to simplify the deployment, configuration, and monitoring of your applications at scale.
UCP also secures Docker with role-based access control so that only authorized
UCP also secures Docker with role-based access control (RBAC) so that only authorized
users can make changes and deploy applications to your Docker cluster.
![](images/ucp-architecture-1.svg){: .with-border}
Once Universal Control Plane (UCP) instance is deployed, developers and IT
Once the UCP instance is deployed, developers and IT
operations no longer interact with Docker Engine directly, but interact with
UCP instead. Since UCP exposes the standard Docker API, this is all done
transparently, so that you can use the tools you already know and love, like
@ -22,14 +22,14 @@ the Docker CLI client and Docker Compose.
## Under the hood
Docker UCP leverages the clustering and orchestration functionality provided
UCP leverages the clustering and orchestration functionality provided
by Docker.
![](images/ucp-architecture-2.svg){: .with-border}
A swarm is a collection of nodes that are in the same Docker cluster.
[Nodes](/engine/swarm/key-concepts.md) in a Docker swarm operate in one of two
modes: Manager or Worker. If nodes are not already running in a swarm when
modes: manager or worker. If nodes are not already running in a swarm when
installing UCP, nodes will be configured to run in swarm mode.
When you deploy UCP, it starts running a globally scheduled service called
@ -60,70 +60,68 @@ Once this service is running, it deploys containers with other UCP components,
and it ensures they keep running. The UCP components that are deployed
on a node depend on whether the node is a manager or a worker.
> OS-specific component names
> Note
>
> Some UCP component names depend on the node's operating system. For example,
> on Windows, the `ucp-agent` component is named `ucp-agent-win`.
> [Learn about architecture-specific images](admin/install/architecture-specific-images.md).
> Regarding OS-specific component names, some UCP component names depend on the node's operating system. For example, on Windows, the `ucp-agent` component is named `ucp-agent-win`. [Learn about architecture-specific images](admin/install/architecture-specific-images.md).
### UCP components in manager nodes
Manager nodes run all UCP services, including the web UI and data stores that
persist the state of UCP. These are the UCP services running on manager nodes:
persist the state of UCP. The following table shows the UCP services running on manager nodes.
| UCP component | Description |
|:--------------------------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| k8s_calico-kube-controllers | A cluster-scoped Kubernetes controller used to coordinate Calico networking. Runs on one manager node only. |
| k8s_calico-node | The Calico node agent, which coordinates networking fabric according to the cluster-wide Calico configuration. Part of the `calico-node` daemonset. Runs on all nodes. Configure the container network interface (CNI) plugin by using the `--cni-installer-url` flag. If this flag isn't set, UCP uses Calico as the default CNI plugin. |
| k8s_install-cni_calico-node | A container that's responsible for installing the Calico CNI plugin binaries and configuration on each host. Part of the `calico-node` daemonset. Runs on all nodes. |
| k8s_POD_calico-node | Pause container for the `calico-node` pod. |
| k8s_POD_calico-kube-controllers | Pause container for the `calico-kube-controllers` pod. |
| k8s_POD_compose | Pause container for the `compose` pod. |
| k8s_POD_kube-dns | Pause container for the `kube-dns` pod. |
| k8s_ucp-dnsmasq-nanny | A dnsmasq instance used in the Kubernetes DNS Service. Part of the `kube-dns` deployment. Runs on one manager node only. |
| k8s_ucp-kube-compose | A custom Kubernetes resource component that's responsible for translating Compose files into Kubernetes constructs. Part of the `compose` deployment. Runs on one manager node only. |
| k8s_ucp-kube-dns | The main Kubernetes DNS Service, used by pods to [resolve service names](https://v1-11.docs.kubernetes.io/docs/concepts/services-networking/dns-pod-service/). Part of the `kube-dns` deployment. Runs on one manager node only. Provides service discovery for Kubernetes services and pods. A set of three containers deployed via Kubernetes as a single pod. |
| k8s_ucp-kubedns-sidecar | Health checking and metrics daemon of the Kubernetes DNS Service. Part of the `kube-dns` deployment. Runs on one manager node only. |
| ucp-agent | Monitors the node and ensures the right UCP services are running. |
| ucp-auth-api | The centralized service for identity and authentication used by UCP and DTR. |
| ucp-auth-store | Stores authentication configurations and data for users, organizations, and teams. |
| ucp-auth-worker | Performs scheduled LDAP synchronizations and cleans authentication and authorization data. |
| ucp-client-root-ca | A certificate authority to sign client bundles. |
| ucp-cluster-root-ca | A certificate authority used for TLS communication between UCP components. |
| ucp-controller | The UCP web server. |
| ucp-dsinfo | Docker system information collection script to assist with troubleshooting. |
| ucp-interlock | Monitors swarm workloads configured to use Layer 7 routing. Only runs when you enable Layer 7 routing. |
| ucp-interlock-proxy | A service that provides load balancing and proxying for swarm workloads. Only runs when you enable Layer 7 routing. |
| ucp-kube-apiserver | A master component that serves the Kubernetes API. It persists its state in `etcd` directly, and all other components communicate with API server directly. |
| ucp-kube-controller-manager | A master component that manages the desired state of controllers and other Kubernetes objects. It monitors the API server and performs background tasks when needed. |
| ucp-kubelet | The Kubernetes node agent running on every node, which is responsible for running Kubernetes pods, reporting the health of the node, and monitoring resource usage. |
| ucp-kube-proxy | The networking proxy running on every node, which enables pods to contact Kubernetes services and other pods, via cluster IP addresses. |
| ucp-kube-scheduler | A master component that handles scheduling of pods. It communicates with the API server only to obtain workloads that need to be scheduled. |
| ucp-kv | Used to store the UCP configurations. Don't use it in your applications, since it's for internal use only. Also used by Kubernetes components. |
| ucp-metrics | Used to collect and process metrics for a node, like the disk space available. |
| ucp-proxy | A TLS proxy. It allows secure access to the local Docker Engine to UCP components. |
| ucp-reconcile | When ucp-agent detects that the node is not running the right UCP components, it starts the ucp-reconcile container to converge the node to its desired state. It is expected for the ucp-reconcile container to remain in an exited state when the node is healthy. |
| ucp-swarm-manager | Used to provide backwards-compatibility with Docker Swarm. |
| `k8s_calico-kube-controllers` | A cluster-scoped Kubernetes controller used to coordinate Calico networking. Runs on one manager node only. |
| `k8s_calico-node` | The Calico node agent, which coordinates networking fabric according to the cluster-wide Calico configuration. Part of the `calico-node` daemonset. Runs on all nodes. Configure the container network interface (CNI) plugin by using the `--cni-installer-url` flag. If this flag isn't set, UCP uses Calico as the default CNI plugin. |
| `k8s_install-cni_calico-node` | A container that's responsible for installing the Calico CNI plugin binaries and configuration on each host. Part of the `calico-node` daemonset. Runs on all nodes. |
| `k8s_POD_calico-node` | Pause container for the `calico-node` pod. |
| `k8s_POD_calico-kube-controllers` | Pause container for the `calico-kube-controllers` pod. |
| `k8s_POD_compose` | Pause container for the `compose` pod. |
| `k8s_POD_kube-dns` | Pause container for the `kube-dns` pod. |
| `k8s_ucp-dnsmasq-nanny` | A dnsmasq instance used in the Kubernetes DNS Service. Part of the `kube-dns` deployment. Runs on one manager node only. |
| `k8s_ucp-kube-compose` | A custom Kubernetes resource component that's responsible for translating Compose files into Kubernetes constructs. Part of the `compose` deployment. Runs on one manager node only. |
| `k8s_ucp-kube-dns` | The main Kubernetes DNS Service, used by pods to [resolve service names](https://v1-11.docs.kubernetes.io/docs/concepts/services-networking/dns-pod-service/). Part of the `kube-dns` deployment. Runs on one manager node only. Provides service discovery for Kubernetes services and pods. A set of three containers deployed via Kubernetes as a single pod. |
| `k8s_ucp-kubedns-sidecar` | Health checking and metrics daemon of the Kubernetes DNS Service. Part of the `kube-dns` deployment. Runs on one manager node only. |
| `ucp-agent` | Monitors the node and ensures the right UCP services are running. |
| `ucp-auth-api` | The centralized service for identity and authentication used by UCP and DTR. |
| `ucp-auth-store` | Stores authentication configurations and data for users, organizations, and teams. |
| `ucp-auth-worker` | Performs scheduled LDAP synchronizations and cleans authentication and authorization data. |
| `ucp-client-root-ca` | A certificate authority to sign client bundles. |
| `ucp-cluster-root-ca` | A certificate authority used for TLS communication between UCP components. |
| `ucp-controller` | The UCP web server. |
| `ucp-dsinfo` | Docker system information collection script to assist with troubleshooting. |
| `ucp-interlock` | Monitors swarm workloads configured to use Layer 7 routing. Only runs when you enable Layer 7 routing. |
| `ucp-interlock-proxy` | A service that provides load balancing and proxying for swarm workloads. Only runs when you enable Layer 7 routing. |
| `ucp-kube-apiserver` | A master component that serves the Kubernetes API. It persists its state in `etcd` directly, and all other components communicate with the API server directly. The Kubernetes API server is configured to encrypt Secrets using AES-CBC with a 256-bit key.[^1] |
| `ucp-kube-controller-manager` | A master component that manages the desired state of controllers and other Kubernetes objects. It monitors the API server and performs background tasks when needed. |
| `ucp-kubelet` | The Kubernetes node agent running on every node, which is responsible for running Kubernetes pods, reporting the health of the node, and monitoring resource usage. |
| `ucp-kube-proxy` | The networking proxy running on every node, which enables pods to contact Kubernetes services and other pods, via cluster IP addresses. |
| `ucp-kube-scheduler` | A master component that handles scheduling of pods. It communicates with the API server only to obtain workloads that need to be scheduled. |
| `ucp-kv` | Used to store the UCP configurations. Don't use it in your applications, since it's for internal use only. Also used by Kubernetes components. |
| `ucp-metrics` | Used to collect and process metrics for a node, like the disk space available. |
| `ucp-proxy` | A TLS proxy. It allows secure access to the local Docker Engine to UCP components. |
| `ucp-reconcile` | When `ucp-agent` detects that the node is not running the right UCP components, it starts the ucp-reconcile container to converge the node to its desired state. It is expected for the ucp-reconcile container to remain in an exited state when the node is healthy. |
| `ucp-swarm-manager` | Used to provide backwards-compatibility with Docker Swarm. |
[^1]: Known limitations: the encryption key is never rotated, and the encryption key is stored in a file on disk on manager nodes.
### UCP components in worker nodes
Worker nodes are the ones where you run your applications. These are the UCP
services running on worker nodes:
Applications run on worker nodes. The following table shows the UCP services running on worker nodes.
| UCP component | Description |
|:----------------------------|:---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| k8s_calico-node | The Calico node agent, which coordinates networking fabric according to the cluster-wide Calico configuration. Part of the `calico-node` daemonset. Runs on all nodes. |
| k8s_install-cni_calico-node | A container that's responsible for installing the Calico CNI plugin binaries and configuration on each host. Part of the `calico-node` daemonset. Runs on all nodes. |
| k8s_POD_calico-node | Pause container for the Calico-node pod. By default, this container is hidden, but you can see it by running `docker ps -a`. |
| ucp-agent | Monitors the node and ensures the right UCP services are running |
| ucp-interlock-extension | Helper service that reconfigures the ucp-interlock-proxy service based on the swarm workloads that are running. |
| ucp-interlock-proxy | A service that provides load balancing and proxying for swarm workloads. Only runs when you enable Layer 7 routing. |
| ucp-dsinfo | Docker system information collection script to assist with troubleshooting |
| ucp-kubelet | The kubernetes node agent running on every node, which is responsible for running Kubernetes pods, reporting the health of the node, and monitoring resource usage |
| ucp-kube-proxy | The networking proxy running on every node, which enables pods to contact Kubernetes services and other pods, via cluster IP addresses |
| ucp-reconcile | When ucp-agent detects that the node is not running the right UCP components, it starts the ucp-reconcile container to converge the node to its desired state. It is expected for the ucp-reconcile container to remain in an exited state when the node is healthy. |
| ucp-proxy | A TLS proxy. It allows secure access to the local Docker Engine to UCP components |
| `k8s_calico-node` | The Calico node agent, which coordinates networking fabric according to the cluster-wide Calico configuration. Part of the `calico-node` daemonset. Runs on all nodes. |
| `k8s_install-cni_calico-node` | A container that's responsible for installing the Calico CNI plugin binaries and configuration on each host. Part of the `calico-node` daemonset. Runs on all nodes. |
| `k8s_POD_calico-node` | Pause container for the Calico-node pod. By default, this container is hidden, but you can see it by running `docker ps -a`. |
| `ucp-agent` | Monitors the node and ensures the right UCP services are running |
| `ucp-interlock-extension` | Helper service that reconfigures the ucp-interlock-proxy service based on the swarm workloads that are running. |
| `ucp-interlock-proxy` | A service that provides load balancing and proxying for swarm workloads. Only runs when you enable Layer 7 routing. |
| `ucp-dsinfo` | Docker system information collection script to assist with troubleshooting. |
| `ucp-kubelet` | The kubernetes node agent running on every node, which is responsible for running Kubernetes pods, reporting the health of the node, and monitoring resource usage. |
| `ucp-kube-proxy` | The networking proxy running on every node, which enables pods to contact Kubernetes services and other pods, via cluster IP addresses. |
| `ucp-reconcile` | When `ucp-agent` detects that the node is not running the right UCP components, it starts the `ucp-reconcile` container to converge the node to its desired state. It is expected for the `ucp-reconcile` container to remain in an exited state when the node is healthy. |
| `ucp-proxy` | A TLS proxy. It allows secure access to the local Docker Engine to UCP components. |
## Pause containers
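Review bot: the security-relevant part of this hunk is the footnote on the `ucp-kube-apiserver` row, and a footnote under a component table is easy to miss; the two "known limitations" deserve a sentence that states what they mean for operators. Because the key is never rotated and lives in a file on the same manager nodes that run the data stores (`ucp-kv`, which the table says is also used by Kubernetes components), encryption of Secrets at rest protects a copy of the store taken on its own (a volume backup, an exported snapshot) but not anyone with filesystem access on a manager node, who has both the ciphertext and the key. Suggest saying that directly, for example "Treat manager-node disks and any backup that includes them as containing Secret key material, and restrict and audit access accordingly," rather than leaving readers to infer it. Two smaller points: the "Note" block now reads "Regarding OS-specific component names, some UCP component names depend on ...", which repeats itself; dropping the leading clause ("Some UCP component names depend on the node's operating system ...") keeps the meaning and reads cleaner. And the `ucp-reconcile` row in this table still says "the ucp-reconcile container" without backticks, while the same row in the worker table below backticks it; worth making the two rows identical.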
@ -147,25 +145,24 @@ docker ps -a | grep -I pause
## Volumes used by UCP
Docker UCP uses these named volumes to persist data in all nodes where it runs:
UCP uses the following named volumes to persist data in all nodes where it runs.
| Volume name | Description |
|:----------------------------|:-----------------------------------------------------------------------------------------|
| ucp-auth-api-certs | Certificate and keys for the authentication and authorization service |
| ucp-auth-store-certs | Certificate and keys for the authentication and authorization store |
| ucp-auth-store-data | Data of the authentication and authorization store, replicated across managers |
| ucp-auth-worker-certs | Certificate and keys for authentication worker |
| ucp-auth-worker-data | Data of the authentication worker |
| ucp-client-root-ca | Root key material for the UCP root CA that issues client certificates |
| ucp-cluster-root-ca | Root key material for the UCP root CA that issues certificates for swarm members |
| ucp-controller-client-certs | Certificate and keys used by the UCP web server to communicate with other UCP components |
| ucp-controller-server-certs | Certificate and keys for the UCP web server running in the node |
| ucp-kv | UCP configuration data, replicated across managers |
| ucp-kv-certs | Certificates and keys for the key-value store |
| ucp-metrics-data | Monitoring data gathered by UCP |
| ucp-metrics-inventory | Configuration file used by the ucp-metrics service |
| ucp-node-certs | Certificate and keys for node communication |
| `ucp-auth-api-certs` | Certificate and keys for the authentication and authorization service |
| `ucp-auth-store-certs` | Certificate and keys for the authentication and authorization store |
| `ucp-auth-store-data` | Data of the authentication and authorization store, replicated across managers |
| `ucp-auth-worker-certs` | Certificate and keys for authentication worker |
| `ucp-auth-worker-data` | Data of the authentication worker |
| `ucp-client-root-ca` | Root key material for the UCP root CA that issues client certificates |
| `ucp-cluster-root-ca` | Root key material for the UCP root CA that issues certificates for swarm members |
| `ucp-controller-client-certs` | Certificate and keys used by the UCP web server to communicate with other UCP components |
| `ucp-controller-server-certs` | Certificate and keys for the UCP web server running in the node |
| `ucp-kv` | UCP configuration data, replicated across managers |
| `ucp-kv-certs` | Certificates and keys for the key-value store |
| `ucp-metrics-data` | Monitoring data gathered by UCP |
| `ucp-metrics-inventory` | Configuration file used by the ucp-metrics service |
| `ucp-node-certs` | Certificate and keys for node communication |
You can customize the volume driver used for these volumes, by creating
the volumes before installing UCP. During the installation, UCP checks which
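Review bot: this table now tells readers which volumes hold private key material (`ucp-client-root-ca`, `ucp-cluster-root-ca`, the `*-certs` volumes), but the Secrets encryption key that the new footnote says is "stored in a file on disk on manager nodes" is not attributed to any of these rows, so an operator planning backups cannot tell whether a backup of these volumes includes that key or whether the key lives outside them. Suggest either adding a row for the volume that holds it or stating in the footnote that the key is not in any of the named volumes. Minor style point: the `ucp-metrics-inventory` description still refers to "the ucp-metrics service" without backticks while the component names in the first column are now backticked.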
@ -177,12 +174,14 @@ By default, the data for these volumes can be found at
## Configurations used by UCP
The following table shows the configurations used by UCP.
| Configuration name | Description |
|:-------------------------------|:-------------------------------------------------------------------------------------------------|
| com.docker.interlock.extension | Configuration for the Interlock extension service that monitors and configures the proxy service |
| com.docker.interlock.proxy | Configuration for the service responsible for handling user requests and routing them |
| com.docker.license | The Docker EE license |
| com.docker.ucp.interlock.conf | Configuration for the core Interlock service |
| `com.docker.interlock.extension` | Configuration for the Interlock extension service that monitors and configures the proxy service |
| `com.docker.interlock.proxy` | Configuration for the service responsible for handling user requests and routing them |
| `com.docker.license` | The Docker EE license |
| `com.docker.ucp.interlock.conf` | Configuration for the core Interlock service |
## How you interact with UCP
@ -194,8 +193,7 @@ permissions, deploy, configure, manage, and monitor your applications.
![](images/ucp-architecture-3.svg){: .with-border}
UCP also exposes the standard Docker API, so you can continue using existing
tools like the Docker CLI client. Since UCP secures your cluster with role-based
access control, you need to configure your Docker CLI client and other client
tools like the Docker CLI client. Since UCP secures your cluster with RBAC, you need to configure your Docker CLI client and other client
tools to authenticate your requests using
[client certificates](user-access/index.md) that you can download
from your UCP profile page.
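Review bot: the line "tools like the Docker CLI client. Since UCP secures your cluster with RBAC, you need to configure your Docker CLI client and other client" is now much longer than the surrounding lines, which are wrapped at roughly 80 characters; re-wrap it so the paragraph keeps the file's existing line width. The substitution itself is safe, since "role-based access control (RBAC)" is expanded in the first hunk before this section uses the acronym.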