Kubernetes Native DevOps Practice
and Features • CRD and operator design • Pipeline/Stage/Task/Task Template/Version Control/UI generation/Volume... • Logging, monitoring, autoscaling, high availability • Extensibility/Integration ConfigMap Job - pod template - volumes user build task • build the docker images init task • prepare code repository - volumes DevOps Operator Manage the Job environment variables image information completes - volumes Storage APIs user build task • build the application package init task • prepare code repository sidecar build task lifecycle - preStop - volumes storage config using secret Query
0 credits | 21 pages | 6.39 MB | 1 year ago
A First Look at Amazon Elastic Kubernetes Service (EKS)
of Amazon EKS private endpoints - New Amazon EKS Regions: Sao Paulo, Canada Central - Next-generation CNI plugin © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential unnecessary privileged users, no scans, trust • code analysis • source available? • gotchas: big surface, many languages • sanitizing user input • static code analysis • gotchas: log-leaking • sensitive Identifiable Information (PII) • gotchas: leaks, GDPR (in Europe) host container dependencies code config user data
0 credits | 39 pages | 1.83 MB | 1 year ago
Bypassing conntrack: Using eBPF to Enhance IPVS and Optimize K8s Network Performance
use a pure eBPF service? • Not mature enough eBPF brief • Write C • Compile into eBPF assembly code • Inject to kernel • Attach to network tc hooks • Triggered by ingress/egress packets IPVS bypass Support more Linux distributions • Build IPVS kernel modules in Ubuntu, CentOS • IPVS-eBPF next generation on the way • Implement IPVS SNAT with eBPF without modification to kernel. Thanks! • Learn more Udp for A Srcport=x Udp for AAAA Srcport=x Udp for A Srcport=x DROP • Solution • In eBPF code, add a loop to wrap port alloc and insert. • If insert fails, it will retry alloc.
0 credits | 24 pages | 1.90 MB | 1 year ago
Putting an Invisible Shield on Kubernetes Secrets
Workflow • Encryption • Decryption • Engineering decisions • apiserver is responsible for • DEK generation • Secret en/decryption • kms-plugin • keeps KEK cache • only en/decrypts DEK, not secrets Encryption kubeconfig for multiple clusters One binary: TEE Transparency • Motivation • Leverage the same code base, thus the same • APIs, logic, iteration plan for developers • Experience for users/operators
0 credits | 33 pages | 20.81 MB | 1 year ago
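Technology Radar, Volume 29, September 2023
examples include Kratix and Humanitec Platform Orchestrator. We recommend that platform teams consider these tools as an alternative to their own unique collection of scripts, native tools and infrastructure as code (IaC). We also note similarities with the Open Application Model (OAM) and its reference orchestrator KubeVela, although OAM claims to be more application-centric than workload-centric. 21. Self-hosted LLMs (Assess) Llama 2 is a powerful language model from Meta, free for research and commercial use. It provides both the raw pretrained models and the fine-tuned Llama-2-chat for conversation and Code Llama for code completion. Llama 2 comes in several model sizes (7B, 13B and 70B), so if you want to control your own data, Llama 2 is a good choice for a self-hosted large language model. Meta claims Llama [...] very useful. Based on our experiments, we found that both models can perform in-context learning using few-shot examples in the prompt. Nevertheless, for specific downstream tasks (such as generating SQL for a particular database like Postgres), the models still need fine-tuning. Recently, Meta launched Code Llama, a Llama 2 specialized for programming. Be careful when using these open-source models. Before choosing any of these coding LLMs for your organization, consider their licensing, including the license of the code and the license of the datasets used to train the model, and evaluate these aspects carefully before
0 credits | 43 pages | 2.76 MB | 1 year ago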
QCon Beijing 2018/QCon Beijing 2018 - "Kubernetes + Future-Oriented Development and Deployment" - Michael Chen
vSphere or GCP Container Service for Cloud-Native Apps Rapidly deliver and operationalize next generation apps End User Experience • Installation and clusters creation Deploy OpsMgr OVA Upload PKS K8s release Container Service for Cloud-Native Apps Rapidly deliver and operationalize next generation apps Containers: Package applications VMs: Run & Move Containers Kubernetes: Manage Container
0 credits | 42 pages | 10.97 MB | 1 year ago
Operator Pattern: Best Practices for Extending Kubernetes with Go
Object, eventhandler handler.EventHandler, opts ...WatchesOption) *Builder Reconcile Loop(Objects Generation) // SetControllerReference sets owner as a Controller OwnerReference on controlled. // This is
0 credits | 21 pages | 3.06 MB | 9 months ago
Jib Kubecon 2018 Talk
b Compiler + Containerizer github.com/GoogleContainerTools/jib Code Executable Compile github.com/GoogleContainerTools/jib Code Executable Compile Java Container Containerize github.com/G facilitates continuous development for Kubernetes applications. You can iterate on your application source code locally then deploy to local or remote Kubernetes clusters. Skaffold handles the workflow for building github.com/GoogleContainerTools/skaffold official website code Development Process application k8s config build push deploy connect update code Development Process application k8s config skaffold
0 credits | 90 pages | 2.84 MB | 1 year ago
VMware Group: Kubernetes on vSphere Deep Dive KubeCon China VMware SIG
Decision Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 7 Kubernetes scheduling What does the scheduler do: As pod are created, they Decision Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 2. Rank remaining nodes a. ranking is driven by priorities - this is extensible
0 credits | 25 pages | 2.22 MB | 1 year ago
VMware SIG Deep Dive into Kubernetes Scheduling
Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 7 Kubernetes scheduling What does the scheduler do: As pod are created, they Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 2. Rank remaining nodes a. ranking is driven by priorities - this is extensible
0 credits | 28 pages | 1.85 MB | 1 year ago













