Multi-Cloud as One Is Now: Google Cloud's Kubernetes Hybrid Cloud Strategy
安玟宇 Wayne An, Customer Engineer, Google Cloud, WayneAn@google.com. Multi-Cloud as One Is Now: Google Cloud Portable Elastic Transform Efficient Secure Pay for use Out ● ● Migrate Move up, out or both? Google is a recognized leader in Open Source Cloud Kubernetes Istio Apache Beam TensorFlow Service Machine Intelligence Kubernetes Contributors opensource.google.com A strong community with corporate and independent support. Independent Google Red Hat Huawei ZTE Corp FathomDB IBM Microsoft
0 points | 32 pages | 2.77 MB | 1 year ago

Tags: key management, key
Turtles all the way down - Securely managing Kubernetes Secrets
Tcherniakhovski, Google Cloud Maya Kaczorowski, Google Cloud Nov 14 2018 Turtles all the way down Alex Tcherniakhovski Security Engineer, Google Cloud Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Protecting secrets What’s a secret? Credentials, configurations, API keys, and other small bits of information needed by applications at build or EncryptionConfig uses aescbc with a KMS provider ● Sidecar pod for the KMS plugin Master kube-apiserver etcd kms-plugin SECRETDEK DEKKEK KEK Terminology and Notation DEK Data encryption key KEK
0 points | 52 pages | 2.84 MB | 1 year ago

QCon Beijing 2018/QCon Beijing 2018 - "Kubernetes + Future-Oriented Development and Deployment" - Michael Chen
resource management of multiple containers – Docker, Mesos → Kubernetes Support – AWS, Azure, Google → Kubernetes Services $docker run container1 $docker run container2 $docker run container3 $docker Clusters Desired state of Application The difference between PKS and Kubernetes Open Source Project – Google/Pivotal/VMware 21 Container scheduling, scale, resiliency, and Day 2 Desired state of Kubernetes vSphere NSX Manager NSX Controllers T1 NSX Edge Cluster Architecture NSX-T • NSX Container Plugin: NCP is a software component provided by VMware in form of a container image, runs in K8s as a
0 points | 42 pages | 10.97 MB | 1 year ago

k8s Operations Manual 2.3
Requires docker<=20.10. k8s 1.24 and later: kubelet→cri-containerd→containerd→runC. Later, cri-containerd was refactored into containerd (as the CRI Plugin), merging into a single containerd process. Default cri-socket called: unix:///var/run/containerd/containerd.sock This subsection covers k8s v1 x86_64/ enabled=1 gpgcheck=0 EOF #Or use Google's repository: # cat >> /etc/yum.repos.d/k8s-google.repo <google] name=k8s-google baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-x86_64 enabled=1 sandbox_image = "cof-lee.com:5443/k8s/pause:3.9" #keep this consistent with the pause image version k8s requires #to enable the CRI Plugin, comment out the line disabled_plugins = ["cri"] #then restart containerd to get the unix:///run/containerd/containerd.sock interface
0 points | 126 pages | 4.33 MB | 1 year ago

VMware SIG Intro to the vSphere Cloud Provider
Charter Link to join group: https://groups.google.com/forum/#!forum/kubernetes-sig-vmware (This will give you write access to all the SIG VMware shared google documents) Link to join Slack: https://kubernetes Container Storage Interface (CSI) is a standard API allowing a storage provider to write just one plugin that will work for all major container orchestration systems: Kubernetes, Mesos, Docker and Cloud
0 points | 12 pages | 425.38 KB | 1 year ago

A First Look at Amazon Elastic Kubernetes Service (EKS)
Container Service for Kubernetes Hosts: where containers run: Amazon EC2, AWS Fargate. Service registration and discovery: the yellow pages of cloud services: AWS Cloud Map. Service mesh: the infrastructure layer for inter-service communication. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon EKS private endpoints - New Amazon EKS Regions: Sao Paulo, Canada Central - Next-generation CNI plugin Open source and Amazon EKS: the main modules of Amazon EKS are open source • Amazon VPC CNI plugin • AWS IAM authenticator • Amazon EKS AMI The AWS team contributes to or manages more than 20 Kubernetes-related open-source projects • /kubernetes •
0 points | 39 pages | 1.83 MB | 1 year ago

Kubernetes Open Source Book - 周立
Kubernetes is: Portable: public, private, hybrid, multi-cloud. Extensible: modular, pluggable, hookable, composable. Self-healing: auto-placement, auto-restart, auto-replication, auto-scaling. Google started the Kubernetes project in 2014. Kubernetes builds on Google's more than ten years of experience running production workloads at scale, combined with the best ideas and practices from the community. Why use containers: looking for reasons why you should use containers? 01-What is Kubernetes: create images at build/release time rather than at deployment time, decoupling applications from infrastructure. Consistency across development, testing and production environments: runs the same on a laptop as in the cloud. Cloud and OS portability: runs on Ubuntu, RHEL, CoreOS, on-premises, Google Container Engine and anywhere else. Application-centric management: raises the level of abstraction from running an OS on virtual hardware to running an application on an OS using logical resources. Loosely coupled, distributed, Use a Label selector to define the set of Pods that a service points to. Similarly, the total number of Pods managed by a replicationcontroller can also be defined with a Label selector. The Label selectors of both objects are defined using a map in a json or yaml file, and only equality-based requirement selectors are supported: "selector": { "component" : "redis",
0 points | 135 pages | 21.02 MB | 1 year ago

Kubernetes Native DevOps Practice
status to buildjob Submit buildjob List/Watch buildjob Pod Pod Pod Pod Build task configuration - map to k8s Job, can also be a raw k8s job Job / Pod / Node info BuildJob / Job status Pipeline / Stage management tools • Optimize UI generation methodology • Improve development experience, such as CLI, plugin for IDE, dev on Cloud • Move forward to better DevOps under micro-service architecture • Consolidate
0 points | 21 pages | 6.39 MB | 1 year ago

Tags: vmware group
Kubernetes on vSphere Deep Dive KubeCon China VMware SIG
enable GPU on Kubernetes with vSphere. Also actively contributing to kubelet, device manager, device plugin area. GitHub: @figo Steve Wong Hui Luo Presenter Bios 3 Abstract Kubernetes allows using topology manages desired policy. Enforcement passes Pod -> container runtime -> Linux OS Cgroups are used to map Pod CPU and Memory Resources • Note: Two Cgroups Drivers exist (cgroupfs [default], systemd) 20
0 points | 25 pages | 2.22 MB | 1 year ago

VMware SIG Deep Dive into Kubernetes Scheduling
manages desired policy. Enforcement passes Pod -> container runtime -> Linux OS Cgroups are used to map Pod CPU and Memory Resources • Note: Two Cgroups Drivers exist (cgroupfs [default], systemd) 20 first, and Prodsystems before others 27 The VMware SIG Charter Link to join group: https://groups.google.com/forum/#!forum/kubernetes-sig-vmware Link to join Slack: https://kubernetes.slack.com/messages/sig-vmware
0 points | 28 pages | 1.85 MB | 1 year ago