com/GoogleContainerTools/jib ... <plugin> com.spotify dockerfile-maven-plugin 1.4.8 io/petclinic-app ${project.version} plugin> ... github.com/GoogleContainerTools/jib What did we do? 1. Write first better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use a Maven plugin github.com/GoogleContainerTools/jib What did we do? 1. Write first Dockerfile 2. Reduce image

Operators Kubernetes + OAM K8s Plugin HPA Deployment scale-to-0 Function Unified Model Layer Platform Capability Pool 统一的模型层 平台统一“能力池” 模块化的交付系统 - GitOps “应用”配置 Git (as source of truth) 持续集成 ● KubeVela Git (as source of truth) 持续集成 ● Build ● Run Unit Tests ● Build Docker Image ● Push Docker Image Image Registry AutoScaling Controller Rollout Controller GitOps OAM K8s Plugin + CUE Abstraction

系统总体架构 系统原型 持续集成 测试报告 版本发布 评审 产品立项 评审 迭代启动 评审 产品立项报告 实践 相关规范：《敏捷开发过程指南》 规范指南设计 规范与指南 GIT分⽀管理规范 4+1共5个分⽀，每个 分⽀具体的⽤途 版本发布规范 版本发布评审流程， ⽣产环境上线流程 缺陷管理规范 缺陷的定义，缺陷报 告，缺陷跟踪，缺陷 分析 ⽤户需求分解指南 开发任务关联需求 ü 事务管理⼯具对任务进⾏ 细粒度拆解 ü 设置合理的任务⼤⼩， 跟 踪开发状态 ü IDE 与DevOps⼯具紧密 集成 ü 代码变更管理任务 ü 本地代码扫描保证质量 ü 推荐Git 分⽀管理模型 ü 代码提交触发流⽔线 ü 流⽔线⾃动进⾏单元测 试 ü 流⽔线⾃动进⾏编译打 包 ü 流⽔线⾃动⽣成镜像 ü 流⽔线⾃动部署更新服 务 ü 事务管理⼯具跟踪状态 ü 跟踪团队开发进度 14. 06-14-⽤户体验设计指南V1.0 15. 06-15-质量标准指南-⾮功能性V1.0 16. 06-16-微服务模块分析指南1.0 操作⼿册(16) 1. 08-01-Eclipse-Git-Plug-in 2. 08-02-Eclipse-Jenkins-Plug-in 3. 08-03-Eclipse-Jira-Plug-in 4. 06-04-代码审查指南V1.0 5.

Integration Event payload can be passed to build task if needed gitlab new merge request event git log --pretty=oneline c5eff7ea..3211901e 3211901e9b877c92ab059a6f25180469dcbf1629 Merge branch 'dev-branch' [LOT-3213] Fix xxx 96ce85fdecd50aafafca2eae6a2a1fe4b1aef72d Merge branch 'LOT-3033' into 'dev-branch' git commit should have naming convention • Get the commits between two builds • Invoke Jira API to mark management tools • Optimize UI generation methodology • Improve development experience, such as CLI, plugin for IDE, dev on Cloud • Move forward to better DevOps under micro-service architecture • Consolidate

EncryptionConfig uses aescbc with a KMS provider ● Sidecar pod for the KMS plugin Master kube-apiserver etcd kms-plugin SECRETDEK DEKKEK KEK Terminology and Notation DEK Data encryption key KEK kube-apiserver etcd kms-plugin SECRET KMS 1.10 Kube-ApiServer Generates a DEK Master kube-apiserver etcd kms-plugin SECRET KMS 1.10 Kube-ApiServer Sends DEK to Plugin Master kube-apiserver kube-apiserver etcd kms-plugin Encrypt(DEK) SECRET KMS 1.10 Plugin Forwards to KMS Master kube-apiserver etcd kms-plugin Encrypt(DEK) SECRET Encrypt(DEK) KMS 1.10 KMS Encrypts a DEK Master kube-apiserver

KMS Plugin [1] • Address performance & latency concerns • Reduce / minimize remote KMS interactions w/o compromising security • Address security threats • etcd compromise • Host (KMS plugin) compromise compromise Ø leak DEKs Ø leak KEKs [1] KubeCon NA 2019: "TEE-based KMS Plugin for encryption of Kubernetes Secrets”, by Raghu Yeluri & Haidong Xia, Intel Corp. TEE-based KMS Provider • Address security Experience @ Ant Group KMS Plugin • Workflow • Encryption • Decryption • Engineering decisions • apiserver is responsible for • DEK generation • Secret en/decryption • kms-plugin • keeps KEK cache • only

vSphere NSX Manager NSX Controllers T1 NSX Edge Cluster Architecture NSX-T • NSX Container Plugin: NCP is a software component provided by VMware in form of a container image, runs in K8s as a standardized interface to the NSX API Network Container Plugin (NCP) NSX Manager Kubernetes Master etcd API-Server Scheduler NSX Container Plugin (NCP) NSX Infra NSX Manager API Client Kubernetes Creation Workflow NSX Manager NS: foo NS: bar NSX / Kubernetes Topology C C C C NSX Container Plugin (NCP) NSX Infra NSX Manager API Client Kubernetes Adapter 1. NCP creates a ‘watch’ on K8s

EKS private endpoints - New Amazon EKS Regions: Sao Paulo, Canada Central - Next-generation CNI plugin © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential © All rights reserved. Amazon Confidential 开源与 Amazon EKS Amazon EKS 的主要模块已经开源 • Amazon VPC CNI plugin • AWS IAM authenticator • Amazon EKS AMI AWS团队贡献或管理着超过20个与Kubernetes相关的开源项目 • /kubernetes • 简单安全 GitHub开源 … { } Amazon VPC CNI Plugin 支持 © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Amazon VPC CNI plugin Elastic network interface Secondary

Deamonset Node should be tainted when critical Daemonset is unhealthy. Case 4: Plugin registry Registration of plugin such as CSI plugin should be checked. Case 5: Capacity The QPS Limit and Capacity Limit should

要求docker<=20.10 k8s 1.24及之后版本： kubelet→cri-containerd→containerd→runC 后来cri-containerd重构进containerd中（CRI Plugin），合为一个containerd进程 默认调用的cri-socket： unix:///var/run/containerd/containerd.sock 本小节讲解k8s v1 sandbox_image = "cof-lee.com:5443/k8s/pause:3.9" #和k8s需要的pause镜 像版本保持一致 #如果要启用CRI-Plugin，注释掉其中的 disabled_plugins = ["cri"] #再重启containerd即可有 unix:///run/containerd/containerd.sock 接口 #信 Oct 19 16:53 test-chart-1.0.2.tgz ★上传chart包到harbor（未测试成功） 首先要安装helm-push插件，在线安装方式： helm plugin install h�ps://github.com/chartmuseum/helm-push 离线安装方式： # helm env | grep HELM_PLUGINS