Scaling a Multi-Tenant k8s Cluster in a Telco Pablo Moncada October 28, 2020 About MasMovil group ● 4th telecom company in Spain ● Provides voice and broadband services to +12M customers ● Several Services +3k CPU +2k Mem +5TB Nodes +300 kube-proxy replacement NetworkPolicy logging Multi-cluster DNS Aware NetworkPolicy Increased Istio security External Services TLS visibility Performance

Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Troubleshooting Component & Cluster Health Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy Troubleshooting etcd (kvstore) Cluster Mesh Troubleshooting Symptom Guarantees API Reference Internals Hubble internals Hubble Architecture Cilium Operator Highly Available Cilium Operator CRD Registration IPAM KVStore operations Identity garbage collection CiliumEndpoint

Advanced Networking Cluster Mesh Operations Istio Concepts Component Overview Terminology Networking Network Security eBPF Datapath Observability Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Troubleshooting Component & Cluster Health Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy Troubleshooting etcd (kvstore) Cluster Mesh Troubleshooting Symptom Guarantees API Reference Internals Hubble internals Hubble Architecture Cilium Operator Highly Available Cilium Operator CRD Registration IPAM KVStore operations Identity garbage collection CiliumEndpoint

Terminology Networking Network Security eBPF Datapath Observability Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Training Enterprise support Security Bugs Operations Scalability report Performance Evaluation Setup Evaluation Results Tuning Troubleshooting Component & Cluster Health Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy examples: Command Reference cilium-agent cilium cilium-health cilium-operator cilium-operator-aws cilium-operator-azure cilium-operator-generic Key-Value Store Key-Value Store Layout Leases Debugging

Overview Terminology Networking Network Security eBPF Datapath Kubernetes Integration Multi-Cluster (Cluster Mesh) Getting Help FAQ Slack GitHub Security Bugs Operations System Requirements Summary Scalability report Performance Evaluation Setup Evaluation Results Tuning Troubleshooting Component & Cluster Health Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy examples: Command Reference cilium-agent cilium cilium-health cilium-operator cilium-operator-aws cilium-operator-azure cilium-operator-generic Key-Value Store Key-Value Store Layout Leases Debugging

Configuration Core Agent Monitoring & Metrics Installation cilium-agent cilium-operator Troubleshooting Component & Cluster Health Connectivity Problems Policy Troubleshooting Symptom Library Useful Scripts Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator Key-Value Store Key-Value Store Layout Leases Debugging Further Reading Related Material Presentations requires the firewalls on all servers to be manipulated whenever a container is started anywhere in the cluster. In order to avoid this situation which limits scale, Cilium assigns a security identity to groups

Lifecycle Troubleshooting Monitoring & Metrics Installation cilium-agent cilium-operator Troubleshooting Component & Cluster Health Connectivity Problems Policy Troubleshooting Symptom Library Useful Scripts Command examples: Kubernetes examples: Command Reference cilium-agent cilium cilium-health cilium-operator Key-Value Store Key-Value Store Layout Leases Debugging Further Reading Related Material Presentations requires the firewalls on all servers to be manipulated whenever a container is started anywhere in the cluster. In order to avoid this situation which limits scale, Cilium assigns a security identity to groups

Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshoo�ng Component & Cluster Health Connec�vity Problems Policy Troubleshoo�ng Automa�c Diagnosis Symptom Library Useful Scripts requires the firewalls on all servers to be manipulated whenever a container is started anywhere in the cluster. In order to avoid this situa�on which limits scale, Cilium assigns a security iden�ty to groups store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services, tradi�onal CIDR

Maximized node performance Application cluster Storage cluster (multi-node/multi-controller) /A /A /B /C /D /E /F Multipath NFS/RDMA or NFS/TCP Maximized cluster performance in client-server model improving the application performance. Repositories https://gitee.com/openeuler/wayca-scheduler • Cluster and NUMA scheduling domains are established based on the hardware topology, and the scheduler supports HybridSched is a full-stack solution for hybrid deployment of VMs, covering enhanced OpenStack cluster scheduling, new single-node QoS management component Skylark, and kernel-mode basic resource isolation

can be installed with one click for ARM and x86 hybrid clusters, while deployment of a 100-node cluster is possible within just 15 minutes. Scenario-specific innovations: • Edge computing: openEuler To adapt to this trend, openEuler has launched KubeOS, an OS that centrally manages cloud-native cluster OSs in containers. KubeOS has the following features: • OS containerization and Kubernetes interconnection Kubernetes cluster deployment and management project initiated by the openEuler SIG sig-CloudNative. It provides efficient and stable cluster deployment (online and offline) for a single cluster over multiple