Advancing the Tactical Edge with K3s and SUSE RGS
With edge computing and processing at the point of data collection, we will give warfighters access to real-time, data-driven insights so they can act at the speed of the mission. SmartEdge makes Kubernetes were part of the plan from the start. The team began experimenting with Kubernetes and early versions of Docker in 2015. They soon became familiar with Kubernetes’ value as a mechanism to of that object. Connected sensors will not only alert the individual but the entire group. This early consolidation of information allows entire battalions to strategize on-the-fly—all that processing
0 points | 8 pages | 888.26 KB | 1 year ago
k8s Operations Manual 2.3
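# First check the k8s version kubeadm version: &version.Info{Major:"1", Minor:"28", GitVersion:"v1.28.2", GitCommit:"89a4ea3e1e4ddd7f7572286090359983e0387b2f", GitTreeState:"clean", BuildDate:"2023-09-13T09:34:32Z", GoVersion:"go1 This Secret resource is an imagePullSecret of type docker-registry EOF ③ RBAC: role-based access control. RBAC (Role-Based Access Control) grants permissions to a Role and then binds the role to a user or user group, so that the user has the permissions of the bound role. k8s RBAC has 2 kinds of roles. Role: a Role applies to a namespace and is scoped per namespace
0 points | 126 pages | 4.33 MB | 1 year ago
Global Architect Summit 2019 Beijing / Big Data / Exploration and Practice of Running Big Data Workloads on Kubernetes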
“12093805” selfLink: /api/v1/namespaces/default/pods/job-1574739729783-driver uid: f26a81f3-10f8-11ea-938f-fa163eddd2ce Spec: containers: … Create podgroup Create driver pod Request create executor
0 points | 25 pages | 3.84 MB | 1 year ago
Kubernetes Native DevOps Practice
be passed to build task if needed gitlab new merge request event git log --pretty=oneline c5eff7ea..3211901e 3211901e9b877c92ab059a6f25180469dcbf1629 Merge branch 'dev-branch' into 'dev-branch'
50 points | 21 pages | 6.39 MB | 1 year ago
Using Kubernetes for handling second screen experience of european tv show
e-mailed to users Challenge: Timing! Weekly show - 9 weeks in a row Attempt to get people to sign up early - unsuccessful Hundreds of thousands users signing up during commercial break. Show-time !! First
0 points | 28 pages | 3.86 MB | 1 year ago
Keys Managing Keys: Turtles all the way down - Securely managing Kubernetes Secrets
secrets? ● Attractive target ○ Controls access or use of sensitive resources ● Common attack vector ○ Checked into GitHub ○ Accessible by users who shouldn’t have access, e.g., CEO ○ Stored in public storage key is compromised ○ Time available for attempts to penetrate physical, procedural, and logical access ○ Time available for computationally intensive cryptanalytic attacks ● A cryptoperiod is the time practices Managing DEKs: ● Generate DEKs locally ● Use a strong cryptographic algorithm ● For easy access, store the DEK near the data that it encrypts ● Ensure DEKs are encrypted at rest ● Don’t use
0 points | 52 pages | 2.84 MB | 1 year ago
QCon Beijing 2018 / QCon Beijing 2018 - "Kubernetes - Future-Oriented Development and Deployment" - Michael Chen
for Pods • Creates virtual IP for external access • Interfaces with local iptables • Load-balance interface for Pods • Creates virtual IP for external access • Interfaces with local iptables The Kubernetes organize items in a cluster Labels, Annotations & Selectors Tags for component grouping and methods to access them Service Discovery An object associated to a label selector to provide a LB and Service DNS
0 points | 42 pages | 10.97 MB | 1 year ago
Kubernetes Security Survival Guide
Security Best Practices ©2019 VMware, Inc. 7 Disable public access Implement role-based access control Encrypt Kubernetes secrets (Encrypt secrets at rest) Set up Kubernetes admission controllers Ci/CD Application DevOPS Owner Consumes PKS API/CLI Day 1 & Day 2 for k8s clusters Manages access to k8s API for developers IT Operator IaaS Management Internet User Application User Trust
0 points | 23 pages | 2.14 MB | 1 year ago
Apache OpenWhisk + Kubernetes: A Perfect Match for Your Serverless Platform
Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them. • Service provides a way for applications to communicate with each other on K8s platform objects used in OW charts • ConfigMap: like nginx deployment configuration • Secrets: like DB access credentials • Ingress Component Launch Sequence • In Kubernetes, we can use the following
0 points | 24 pages | 3.53 MB | 1 year ago
Bypassing conntrack: Using eBPF to Enhance IPVS and Optimize K8s Network Performance
VIP using a load balancer • Two types • ClusterIP provides in-cluster access • NodePort provides out-of-cluster access • Major modes • Iptables • IPVS Iptables mode • How it works • DNAT at
0 points | 24 pages | 1.90 MB | 1 year ago