VMware SIG Intro to the vSphere Cloud Provider
VMware SIG Purpose, Projects managed, How to join The Roadmap Moving “Out of Tree” : vSphere cloud provider + storage (CSI) How to Get Information on an ongoing basis The VMware SIG How to Contribute Join 6 SIG Sponsored projects vSphere cloud provider (In-tree and Out-of-tree) • A cloud provider is a Kubernetes controller that runs cloud provider-specific loops required for the functioning of kube-controller-manager to cloud-provider specific code. In order to free the Kubernetes project of this dependency, the cloud-controller-manager was introduced. CSI provider for vSphere • Container Storage
12 pages | 425.38 KB | 1 year ago

A First Look at Amazon Elastic Kubernetes Service (EKS)
Confidential The AWS China (Ningxia) Region is operated by NWCD The AWS China (Beijing) Region is operated by Sinnet Zhou Qi, AWS Solutions Architect A First Look at Amazon Elastic Kubernetes Service (EKS) © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Elastic Container Registry Management: deployment, scheduling, scaling and management of containerized applications Amazon Elastic Container Service Amazon Elastic Container Service for Kubernetes Hosts: where containers run Amazon EC2 AWS Fargate Service registration and discovery: a yellow pages for cloud services AWS Cloud New Amazon EKS Region: Paris, London, Mumbai - CNI v1.5.0 - New Regions: Hong Kong Coming soon - Service linked role for Amazon EKS - EKS Support for K8s version 1.13 + ECR AWS PrivateLink - EKS-optimized
39 pages | 1.83 MB | 1 year ago

Ops Shanghai 2017 - Kubernetes Service Performance Optimization in Practice at Large Scale - Du Jun
Kubernetes Service … Cloud BU - PaaS … Github: @m1093782566 Kubernetes Service … Iptables … Service … Iptables … IPVS … Service … Iptables vs. IPVS Kubernetes Service … Kubernetes Service Endpoints Label Selector Label: app=backend IP: 172.17.10.1 Port: 80 Label: app=MyApp Container 80 Label: app=MyApp Container Container Replication Controller Label: app=MyApp Replicas: 2 Service <10.0.0.11>:<9376> Label: app=MyApp Endpoints: track backend pod changes <172.17.10.1>:<80> <172
38 pages | 3.39 MB | 1 year ago

Zhang Haining: Deploying Hyperledger Fabric with Kubernetes
LoadBalancer • Service discovery – DNS – Environment variables 25 Worker Node Service Pod 1 Pod 2 Pod N Node IP: 192.168.10.10 IP: 10.2.3.14 DNS: service1.cluster.local Port: 9443 NodePort: 31233 Protocol: TCP Use namespaces to separate each organization's Pods Container Peer0 CouchDB Pod PVC service CA Pod PVC service … … Namespace: org1 PeerN CouchDB Pod PVC service CLI Pod PVC NFS Namespace: orgN SACC2017 orgorderer1 service …. ordererM Pod PVC service PVC NFS Namespace: Kafka …. …. Kafka 0 Pod service Kafka N Pod service zookeeper0 Pod service ZookeeperN Pod service SACC2017
45 pages | 2.70 MB | 1 year ago

Putting an Invisible Shield on Kubernetes Secrets
encoded) • > K8s 1.7+ • at-rest encryption for etcd (local + remote) Local Encryption Provider KMS Encryption Provider Background: K8s Secrets • Encryption Keys stored on API Server • Secrets encrypted Kubernetes Secrets”, by Raghu Yeluri & Haidong Xia, Intel Corp. TEE-based KMS Provider • Address security threats • Host (KMS provider) compromise – leak DEKs – leak Secrets • Fraudsters calling DEK decryption failure times of en/decryption • KMS health check • Ops tooling • kms-plugin-tools KMS Plugin as a Service • Motivation • SGX physical servers do not meet API servers’ performance requirements • Solution
33 pages | 20.81 MB | 1 year ago

VMware SIG Deep Dive into Kubernetes Scheduling
Utilizing Zones to improve scheduling Using vSphere tags to define regions and zones – add cloud provider What is NUMA? How to solve potential issues with CPU and memory intensive workloads Kubernetes Restrictions are engaged when this is exceeded • Unmanaged by default • Mechanisms exist to allow a cloud provider or admin to supply a default and over-ride container specification outside an allowed range • is a load balancer for VMs deployed on a hypervisor cluster. It has advanced features that can provide actual guaranteed resource reservations, not just shares. It also incorporates health monitoring
28 pages | 1.85 MB | 1 year ago

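Kubernetes Open Source Book - Zhou Li
19-Configuration Best Practices 20-Managing Compute Resources for Containers 21-Kubernetes Resource Allocation 22-Assigning Pods to Nodes 23-Tolerations and Taints 24-Secret 25-Pod Priority and Preemption 26-Service 27-Ingress Resources 28-Dynamic Horizontal Scaling 29-Hands-on: Orchestrating a WordPress Blog with K8s 2 Introduction Kubernetes Open Source Book. Enough talk, JUST READ IT Controller: responsible for ensuring that every replication controller object in the system has the correct number of Pods. Endpoints Controller: populates Endpoint objects (that is, joins Services & Pods). Service Account & Token Controllers: create default accounts and API access tokens for new namespaces. cloud-controller-manager ntroller loops. You must disable these controller loops in kube-controller-manager. You can disable the controller loops by setting the --cloud-provider flag to external when starting kube-controller-manager. cloud-controller-manager allows cloud vendor code and the Kubernetes core to evolve independently. In previous versions, the core Kubernetes code depended
135 pages | 21.02 MB | 1 year ago
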
Keys Managing Keys: Turtles all the way down - Securely managing Kubernetes Secrets
EncryptionConfig ● Encrypt secrets with a locally managed key ● EncryptionConfig for secrets ● Multiple provider options ○ aesgcm ○ aescbc ○ secretbox Master kube-apiserver etcd SECRET DEK DEK Kubernetes which is then encrypted with a centrally managed key ● EncryptionConfig uses aescbc with a KMS provider ● Sidecar pod for the KMS plugin Master kube-apiserver etcd kms-plugin SECRET DEK DEK KEK KEK HashiCorp Vault ● Authenticate to Vault using a K8s service account Kubernetes secrets: requirements Kubernetes default Identity External secrets provider 1.7 EncryptionConfig 1.10 KMS plugin Auditing
52 pages | 2.84 MB | 1 year ago

VMware Group: Kubernetes on vSphere Deep Dive KubeCon China VMware SIG
Utilizing Zones to improve scheduling Using vSphere tags to define regions and zones – add cloud provider What is NUMA? How to solve potential issues with CPU and memory intensive workloads Kubernetes Restrictions are engaged when this is exceeded • Unmanaged by default • Mechanisms exist to allow a cloud provider or admin to supply a default and over-ride container specification outside an allowed range • is a load balancer for VMs deployed on a hypervisor cluster. It has advanced features that can provide actual guaranteed resource reservations, not just shares. It also incorporates health monitoring
25 pages | 2.22 MB | 1 year ago

Kubernetes Native DevOps Practice
consistent user experience and data, leverage with PaaS capability • Facilitate our PaaS and micro-service product Kubernetes Capabilities/Advantages to Build DevOps Solution Pod Job CronJob • k8s itself Pod Pod Pod Pod ElasticSearch ElasticSearch Logging Service agent to collecting log data ElasticSearch ElasticSearch Monitor/Alert Service CronJob Node Pod Node Pod Unified logging, monitoring, alert customization Cluster Resource Auto Scaling kubelet can do image GC DevOps Service DevOps Operator DevOps Operator DevOps Service DevOps Manager CronJob k8s API MySQL k8s API MySQL MySQL • Pipeline
21 pages | 6.39 MB | 1 year ago