systemctl start chronyd # cat > /etc/chrony.conf <file /var/lib/chrony/dri� makestep 1.0 3 rtcsync keyfile /etc/chrony.keys leapsectz right/UTC logdir /var/log/chrony cgroupdriver=systemd" ] } # mkdir -p /etc/systemd/system/docker.service.d # docker info ★docker会修改防火墙规则，导致pod网络不通 # vi /usr/lib/systemd/system/docker.service #在[Service]下的ExecStart=/usr/bin/dockerd 置文件并编辑 # vi /etc/kubeadm-init.yaml apiVersion: kubeadm.k8s.io/v1beta2 bootstrapTokens: - groups: - system:bootstrappers:kubeadm:default-node-token token: abcdef.0123456789abcdef �l: 24h0m0s usages:

Scalable Kubernetes Applications • Scalable Infrastructure for Applications Application Operating System Physical Infrastructure Platform Containers as Enabler Fast Boot Environments Rapidly Portable Needed Application Operating System Physical Infrastructure Containers and VMs - A Practical Comparison Containers Containers virtualize the operating system limiting the the number of application applications on the same OS Allows you to run multiple OS on the same hardware Application Operating System Physical Infrastructure Containers VMware Hypervisor VMs Docker Containers User Cases 9

Dashboard 执⾏： kubectl proxy 02-安装单机版Kubernetes 8 访问： http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/overview? namespace=default 参考： https://kubernetes y⽂件 ~]# declare -a IPS=(172.20.0.88 172.20.0.89 172.20.0.90 172.20.0.91 172.20.0.92) ~]# CONFIG_FILE=inventory/mycluster/hosts.ini python36 contrib/inventory_builder/inventory.py ${IPS[@]} 此时，会看到 i addons（插件） Addon是实现集群功能的Pod和Service。Pod可由Deployment、ReplicationController等进⾏管理。Namespace的插件 对象则是在 kube-system 这个namespace中被创建的。 Addon manager创建并维护addon的资源。详⻅这⾥： here 。 DNS 虽然其他Addon不是严格要求的，但所有Kubernetes集群都应该有

container orchestration and management project created by Google • Successor of Google Borg/Omega system • One of the most popular open source projects in this world • Written by, and heavily depends I am stateful Job I only run for once CronJob I run periodically ConfigMap I read configure file Secret I need confidential data HPA I need auto-scaling Understand Kubernetes in 2 min • kubectl I am stateful Job I only run for once CronJob I run periodically ConfigMap I read configure file Secret I need confidential data HPA I need auto-scaling My Awesome Object I have my own special

b. File System Hardening c. Boot Security d. Process Security e. Minimization of Attack Surface f. Network Security g. Auditing h. Authentication and Authorization i. Compliance j. File System

Separate where secrets are used vs managed Encryption at different layers (or turtles) disks file system etcd Recommendation: Use two-layers of encryption, e.g., full-disk & application-layer … then

ster>:/ui 該 URL 將會被重導向到： https://:/api/v1/proxy/namespaces/kube-system/services/ kube-ui/#/dashboard/ 圖 4.6 顯示了 kube-ui 的主頁，展示所有 Node 的資訊，並且每秒更新顯示每個 Node 的 CPU 使用率、記憶體使用情況和檔案系統的使用情況。 的建立。如果不使用 Secret，則 Heapster 啟 動時將會出現錯誤： /var/run/secret/kubernetes.io/serviceaccount/token no such file or directory 然後 Heapster 容器會被 ReplicationController 反覆銷毀、建立，無法正常運作。

failure reason Unhealth node is healed or removed. Reason classification: Source Feature Example System Failure caused by cluster itself RuntimeError, ImageFailed, Unscheduled, KubeletDelay... End Users Users Failure caused by end users ContainerCrashLoopBackOff, FailedPostStartHook, Unhealthy… Trace system Increase of SLO Data Collect Audit log Event The unhealthy node Monitoring Isolation Recover Weekly Report SLO： Indicate the cluster is healthy or there is something unexpected happened. Trace system： Collect and analyze logs in cluster. So we can known what happened about the cluster. Increase

Farabi KubeCon + CloudNativeCon China 2018 Hello! Giri Kuncoro System Engineer Go-Jek Indonesia @girikuncoro Iqbal Farabi System Engineer Go-Jek Indonesia @iqbal_farabi We’re from Jakarta, Indonesia International Expansion Projects • High availability DBs lead to fewer outage Higher Uptime • System resources like CPU, memory, etc. are more effectively utilized in container world than in VMs. https://github.com/gojektech/charts/tree/master/incubator/stolon Credits Vijay Dhama – Go-Jek System Team Prashant Mittal – Go-Jek Lambda Team Irfan Shah – Go-Jek Atlas Team Sumit Gupta – Go-Jek

Horowitz投资，公司在2015年在 旧金山湾区成立，致力于推动开源项目和社区以及商业化 8 面向大数据和AI应用的内存级数据编排系统 数据编排层(Data Orchestration) Java File API HDFS Interface S3 Interface REST API POSIX Interface Alluxio是什么 HDFS Driver S3 Driver OSS Driver Alluxio 服务器 Alluxio 服务器 大数据查询 大数据ETL 模型训练 Alluxio核心功能一：分布式数据缓存 Alluxio 服务器 A B /path1/file1 /path2/file2 C A B C A Alluxio 服务器 Alluxio 服务器 大数据查询 大数据ETL 模型训练 Alluxio核心功能二：灵活多样的数据访问API Alluxio 当本地节点的空间少于1056MB时，数据缓存的调度器不会选择该 节点；转而选择其他节点。 alluxio.user.file.passive.cache.enabled false 当从Alluxio远程worker读文件时，是否缓存文件到Alluxio的本 地worker。 alluxio.user.file.readtype.default CACHE 默认的CACHE_PROMOTE会带来显著的性能开销