Kubernetes Security Survival Guide
How to implement • Authenticate PKS API calls through the User Account & Authentication (UAA) service • Securely automate the generation and storage of account permissions through the CredHub service • These services can assign authorization individually to multiple Kubernetes clusters Centralized Authentication with RBAC Operator admin d. Process Security e. Minimization of Attack Surface f. Network Security g. Auditing h. Authentication and Authorization i. Compliance j. File System Permissions k. User Account Management
0 credits | 23 pages | 2.14 MB | 1 year ago

Kubernetes Open Source Book - Zhou Li
updates Monitoring resources Accessing and ingesting logs Debugging applications Providing authentication and authorization This provides the simplicity of PaaS with the flexibility of IaaS, and facilitates portability across infrastructure providers. What kind of platform is Kubernetes? Although Kuber All communication paths from the cluster to the Master terminate at the apiserver (none of the other Master components are designed to expose remote services). In a typical deployment, the apiserver is configured to listen on a secure HTTPS port (443) with one or more forms of client authentication enabled. One or more forms of authorization should be enabled, especially when anonymous requests or service account tokens are allowed ... If this is not possible, use SSH tunneling between the apiserver and kubelet if required, to avoid connecting over an untrusted or public network. Finally, Kubelet authentication and/or authorization should be enabled to protect the kubelet API. 12 - Master-Node Communication 34 apiserver -> nodes, pods, and services
0 credits | 135 pages | 21.02 MB | 1 year ago

01. K8s Extension Features Explained
resource • Natural Kubernetes experience for operating your own resource with Kubernetes RBAC and authentication. • What it comes from • From ThirdPartyResource in Kubernetes 1.6 • Create CRD with spec in
0 credits | 12 pages | 1.08 MB | 1 year ago

Methods to Achieve High SLOs on a Large-Scale Kubernetes Cluster
Methods to achieve high SLOs on a large scale Kubernetes cluster Kang FAN, Jinghua YAO Why SLO? SLO (Service-Level Objective). Within service-level agreements (SLAs), SLOs are the objectives that must slo metrics csi metrics dirty data With huge amount of metrics data collected, statistical methods can be used to check whether the node is healthy or not. Besides, node delivery capacity can also
0 credits | 11 pages | 4.01 MB | 1 year ago

QCon Beijing 2018/QCon Beijing 2018 - "Kubernetes + Future-Oriented Development and Deployment" - Michael Chen
to organize items in a cluster Labels, Annotations & Selectors Tags for component grouping and methods to access them Service Discovery An object associated to a label selector to provide a LB and Service
0 credits | 42 pages | 10.97 MB | 1 year ago

Advancing the Tactical Edge with K3s and SUSE RGS
scanning, detecting and acting on this insight instantly. This is in sharp contrast to earlier methods in which data was passed via an operations center, by which time the target may have moved or
0 credits | 8 pages | 888.26 KB | 1 year ago

6 results in total