之间相差一个 c/u/d 操作，我们用 c-lag, u-lag 和 d-lag 来表示。 当本地 cache 为 latest 时，Plan Action 都能达到预期目的。 当 c-lag 时，API Server 中有该对象，cache 中无该对象。此时 Plan 只应该是 Update 或 Delete 两种 Action，但 因本地无 cache，所以 Update 实际变成了 Creat 实际不会生成，意味着操作丢失，与预期不符。 当 u-lag 时，API Server 与 cache 中都有该对象，但版本不同。此时 Plan 只应该是 Update 或 Delete 两种 Action，结果与预期相符。 当 d-lag 时，API Server 中无该对象，cache 中有该对象。此时 Plan 只应该是 Create 一种 Action，但因 cache 中有该对象，所以 Create 变成了 U Update，执行时会报“StatusReasonNotFound”错误；当新 Spec 中无该对象时， Plan 会错误生成 Delete Action，执行时同样会报对象不存在错。 根据上述分析，stale cache 确实会有问题，如何补救？先看一个 stale 对象。 如下图所示，某个版本为3（gen=3）的集群（Cluster）中有一个 stale 对象，即 StatefulSet (gen=2)。

TEE-based K8s Secrets Protection: Solution • Production Experience @ Ant Group • Demo • Summary & Plan K8s Secrets: Overview Background: K8s Secrets Cluster • What they are? • Sensitive information TEE Transparency • Motivation • Leverage the same code base, thus the same • APIs, logic, iteration plan for developers • Experience for users/operators • TEE as an option, en/disable based on • Hardware w/ Occlum’s Golang support • Showcase the confidentiality guaranteed by TEE Demo Demo Summary & Plan Summary & Next Steps • Summary • A TEE-based E2E solution aiming to guard K8s secrets while in use

monitoring, autoscaling, high availability • Extensibility / Integration • CI/CD examples • Future plan Our DevOps Expectations • Build a platform and easy to integrate with other DevOps/third-party tools monitoring, autoscaling, high availability • Extensibility/Integration • CI/CD examples • Future plan Overall Architecture Kubernetes Cluster Kubernetes Cluster Node Node Node Node Job Job Job Job autoscaling, high availability • Extensibility/Integration • CI/CD examples • Future plan Our Future Plan • More task templates to be added, integrate more CI/CD and project management tools •

then, when designing the SmartEdge infrastruc- ture, containers and Kubernetes were part of the plan from the start. The team began experimenting with Ku- bernetes and early versions of Docker in