Setting up DTR in Docker EE (Recommended Topology)

(Manglu) #1

I am trying to understand the setup for DTR vis-a-vis multiple UCP clusters. I will have two UCP Clusters - one for Non-PROD and another for PROD.

I would ideally like to have only one DTR (this makes sense to me with adequate RBAC roles configured; I don't see a need for multiple DTRs).

Info from Docker Inc’s best practice

DTR Clusters

Unlike the separate production and non-production UCP clusters, enterprises commonly have a single master DTR cluster. This allows enforcement of enterprise processes such as Security Scanning in a centralized place. If pulling images from globally distributed locations takes too long then you can use the DTR Content Cache feature to create local caches.

Note: Policy enforcement on image signing will not currently work if you have your DTR in a separate cluster from UCP.

End of Info from the website

I am unclear whether it states that running DTR as a separate third cluster (with the other two being the PROD and NON-PROD UCP clusters) is the best practice. If yes, does this setup prevent us from using capabilities such as image signing? What are the trade-offs?

I am looking for clear recommendations in this space.

I have posted this query on Stack Overflow.