Scaling a Multi-Tenant k8s Cluster in a Telco Pablo Moncada October 28, 2020 About MasMovil group ● 4th telecom company in Spain ● Provides voice and broadband services to +12M customers ● Several Services +3k CPU +2k Mem +5TB Nodes +300 kube-proxy replacement NetworkPolicy logging Multi-cluster DNS Aware NetworkPolicy Increased Istio security External Services TLS visibility Performance

your datacentre, public or private. Whether you want to deploy an OpenStack cloud, a Kubernetes cluster or a 50,000-node render farm, Ubuntu Server delivers the best value scale-out performance available HA - Migrate from crmsh to pcs 2 Databases 3 databases-introduction Introduction 3 databases-mysql MySQL 3 databases-postgresql PostgreSQL 2 Monitoring 3 logging-monitoring-alerting Logging, Monitoring create -f qcow2 disk-image.qcow2 10G Formatting 'disk-image.qcow2', fmt=qcow2 size=10737418240 cluster_size=65536 lazy_refcounts=off refcount_bits=16 qemu-img info disk-image.qcow2 image: disk-image

Maximized node performance Application cluster Storage cluster (multi-node/multi-controller) /A /A /B /C /D /E /F Multipath NFS/RDMA or NFS/TCP Maximized cluster performance in client-server model improving the application performance. Repositories https://gitee.com/openeuler/wayca-scheduler • Cluster and NUMA scheduling domains are established based on the hardware topology, and the scheduler supports HybridSched is a full-stack solution for hybrid deployment of VMs, covering enhanced OpenStack cluster scheduling, new single-node QoS management component Skylark, and kernel-mode basic resource isolation

scheduling and management software to build a solid cloud base. • High availability (HA) cluster solution: The HA cluster solution implemented by KylinSoft enables failover within seconds. Flourishing community IDE Auto-tuning tool A-Tune Test platform Compass-CI Toolchain OpenStack Kubernetes Kylin HA Cluster scheduling and management CPU: x86, ARM, RISC-V GPU NPU Chips Apps Virtualization Containers Scenarios Application scenario 1: kernel CVE fixes Typical applications, such as Nginx, Redis, and MySQL, run on a physical or virtual machine. They generate many keep-alive connections and occupy a large

can be installed with one click for ARM and x86 hybrid clusters, while deployment of a 100-node cluster is possible within just 15 minutes. Scenario-specific innovations: • Edge computing: openEuler do not access the memory frequently. Tests show that etMem delivers 40% higher performance for MySQL than counterparts. The user-mode memory swapping mechanism is added for the user-mode storage framework applications that use a large amount of memory but do not access the memory frequently, such as MySQL, Redis, and Nginx. All memory expansion operations are performed internally, that is within a node

......................................................................................... 232 1. MySQL ................................................................................................. Selects the BIND DNS server and its documentation. • LAMP server: Selects a ready-made Linux/Apache/MySQL/PHP server. • Mail server: This task selects a variety of packages useful for a general purpose mail org, home of the Network Time Protocol project16 • The pool.ntp.org projecti, being a big virtual cluster of timeservers.17 • Freedesktop.org info on timedatectl18 • Freedesktop.org info on systemd-timesyncd

Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshoo�ng Component & Cluster Health Connec�vity Problems Policy Troubleshoo�ng Automa�c Diagnosis Symptom Library Useful Scripts requires the firewalls on all servers to be manipulated whenever a container is started anywhere in the cluster. In order to avoid this situa�on which limits scale, Cilium assigns a security iden�ty to groups store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services, tradi�onal CIDR

33 - 本文档使用 书栈(BookStack.CN) 构建 较好一点！因此，对于主机的安全要求就需要严格的要求啦！就鸟哥的观点来看， 如果你的主机是用来替你赚钱的， 例如某些研究单位的大型 Cluster 运算主机， 那么即使架设一个甚至让你觉得很不方便的防火墙系统，都是合理 的手段！因为主机被入侵就算了，若数据被窃取，呵呵！ 那可不是闹着玩的！ 由上面的整个架站流程来看，由规划到安装、主机 会主动的帮你重组而进行传送，差一点的可能就直接回报这个封包无效而丢弃了～这个时候可 就糗大啰～ 所以， MTU 设定为 9000 这种事情，大概仅能在内部网络的环境中作～举例来说，很多的内部丛集系 统 (cluster) 就将他们的内部网络环境 MTU 设定为 9000，但是对外的适配卡可还是原本的标准 1500 喔！ ^_^ 2.2.5 MTU 最大传输单位 4.2. 2.2 TCP/IP 的链结层相关协议 switch 啦！因为 10/100/1000Mbps 的 switch 要比 10/100Mbps 的设备快上十倍，速度可是差很多的啊！如果你的 设备还需要更快时， 例如鸟哥之前服务的实验室内部的 cluster (丛集式计算机群) ，则购买的 switch 甚至需 要支持 Jumbo frame 这种支持大讯框的硬件架构才行，否则速度上不来啊！ 网络线：考虑与速度相配的等级、线材形状、施工配线等

Troubleshooting Monitoring & Metrics Installation cilium-agent cilium-operator Troubleshooting Component & Cluster Health Connectivity Problems Policy Troubleshooting Symptom Library Useful Scripts Reporting a problem requires the firewalls on all servers to be manipulated whenever a container is started anywhere in the cluster. In order to avoid this situation which limits scale, Cilium assigns a security identity to groups store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services, traditional CIDR

Agent Monitoring & Metrics Installation cilium-agent cilium-operator Troubleshooting Component & Cluster Health Connectivity Problems Policy Troubleshooting Symptom Library Useful Scripts Reporting a problem requires the firewalls on all servers to be manipulated whenever a container is started anywhere in the cluster. In order to avoid this situation which limits scale, Cilium assigns a security identity to groups store. Secure access to and from external services Label based security is the tool of choice for cluster internal access control. In order to secure access to and from external services, traditional CIDR