Performance measurement Test topology Test result Service type Short connection cps Short connection P99 latency Long connection pps ClusterIP +40% -31% not available NodePort +64% -47% +22% Test IPVS-BPF IPVS 0 20000 40000 60000 80000 100000 120000 140000 160000 180000 Nodeport short connection Instructions/req Lessons from eBPF • No loop support in eBPF verifier (Linux 4.14) • #param

with Google Cloud Console On-Prem/Public Cloud Provider Any K8s Cluster GCP Connection Proxy K8s API Server Connection Agent End-User Single-Pane of Glass Market- place & Service- Catalog & Builder Stackdriver GCP Services Securing Your Connection to GCP ● GKE Connect Agent installs in your cluster ● Encrypted connection from the K8s cluster to GCP ● No public IP required

kubectl delete deployment hello-node 服务停⽤ minikube stop 遇到问题处理 1. kubectl get nodes 报错 The connection to the server 127.0.0.1:55000 was refused - did you specify the right host or port? 解决⽅法：

UDP�SCTP���IPV4�IPV6 • ���������� Ø rr, wrr, lc, wlc, sh, dh, lblc… • ������ Ø persistent connection���� IPVS��� IPVS������ • ����LB��: Direct Routing(DR), Tunneling, NAT Ø DR�����L2������������

sgx-device- plugin daemonset [1] • kms-plugins deployed as deployment • Interfaces • https + connection reuse • certificate: similar to apiserver ó etcd (X.509) • Version-based key synchronization

Server Resolver • DNS resolver is builtin in gRPC framework and its out-of-box for users • When connection fail DNS Resolver can resolve name immediately • In scale-up scenario, DNS Resolver will not resolve