VMware SIG Intro to the vSphere Cloud Provider
Extract: VMware SIG: purpose, projects managed, how to join. The roadmap: moving "out of tree" (vSphere cloud provider + storage (CSI)). How to get information on an ongoing basis. The VMware SIG: how to contribute, how to join. SIG-sponsored projects (6): vSphere cloud provider (in-tree and out-of-tree). A cloud provider is a Kubernetes controller that runs the cloud-provider-specific control loops the cluster needs; historically that code lived inside kube-controller-manager. To free the Kubernetes project of this dependency, the cloud-controller-manager was introduced. CSI provider for vSphere: Container Storage…
12 pages, 425.38 KB, 1 year ago

VMware SIG Deep Dive into Kubernetes Scheduling
Extract: Utilizing zones to improve scheduling; using vSphere tags to define regions and zones (add cloud provider). What is NUMA? How to solve potential issues with CPU- and memory-intensive workloads. Resource restrictions: Kubernetes engages them when a limit is exceeded; unmanaged by default; mechanisms exist to allow a cloud provider or admin to supply a default and to override container specifications that fall outside an allowed range. […] is a load balancer for VMs deployed on a hypervisor cluster. It has advanced features that can provide actual guaranteed resource reservations, not just shares. It also incorporates health monitoring…
28 pages, 1.85 MB, 1 year ago

Key management: Turtles all the way down - Securely managing Kubernetes Secrets
Extract: EncryptionConfig: encrypt secrets with a locally managed key; EncryptionConfig for secrets; multiple provider options (aesgcm, aescbc, secretbox). [Diagram: master, kube-apiserver, etcd; SECRET encrypted under a DEK.] A locally managed DEK that is in turn encrypted with a centrally managed key (KEK): EncryptionConfig uses aescbc with a KMS provider; a sidecar pod runs the KMS plugin. [Diagram: master, kube-apiserver, etcd, kms-plugin, service account; SECRET under DEK, DEK under KEK.] Kubernetes secrets, requirements matrix: the options compared are the Kubernetes default, Identity, an external secrets provider, 1.7 EncryptionConfig, 1.10 KMS plugin and the Node authorizer; the requirements are auditing, encryption, rotation and isolation.
52 pages, 2.84 MB, 1 year ago

Putting an Invisible Shield on Kubernetes Secrets
Extract: …encoded). K8s 1.7+: at-rest encryption for etcd (local + remote): local encryption provider, KMS encryption provider. Background, K8s Secrets: encryption keys stored on the API server; secrets encrypted. ["… Kubernetes Secrets", by Raghu Yeluri & Haidong Xia, Intel Corp.] TEE-based KMS provider, addressing these threats: compromise of the host running the KMS provider, which leaks the DEKs and therefore the secrets; fraudsters calling DEK decryption. Similar to apiserver <-> etcd (X.509). Version-based key synchronization. Adaptation: the apiserver KMS provider endpoint to support an https endpoint; the KMS plugin to support https. [1] https://github.com/Aliy…
33 pages, 20.81 MB, 1 year ago

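The two entries above describe the same progression: secrets stored in etcd as plain base64 (the Kubernetes default), then encrypted under a locally managed DEK (the 1.7 EncryptionConfig), then envelope-encrypted with a per-object DEK that is wrapped by a KEK held in a KMS or a TEE (the 1.10 KMS plugin). As an added illustration that is not taken from either deck, the EncryptionConfiguration below puts the three stages side by side in one file so the difference is visible in the configuration itself. The provider name `tee-kms`, the socket path and the base64 key value are placeholders chosen for this example.

```yaml
# Added example (not from either deck). kube-apiserver loads this file with
#   --encryption-provider-config=/etc/kubernetes/enc/enc.yaml
# Rule that makes the ordering security-relevant: the FIRST provider in the
# list encrypts every new write; ALL listed providers are tried, in order,
# when reading. Putting identity first therefore means "no encryption".
#
# Stage 1, the Kubernetes default: identity only. Secrets sit in etcd as
# plain base64, so an etcd snapshot or a compromised etcd peer yields them.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - identity: {}
---
# Stage 2, 1.7+ EncryptionConfig: a locally managed DEK. etcd now holds
# ciphertext, but the key lives in this file on the control-plane host, so
# the "host compromise" threat from the TEE deck still leaks everything.
# "secret" must be 32 random bytes, base64-encoded
# (head -c 32 /dev/urandom | base64). The value below is a placeholder.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - aescbc:
          keys:
            - name: key1
              secret: UExBQ0VIT0xERVIta2V5LW5vdC1mb3ItcmVhbC11c2U=
      - identity: {}   # read-only fallback while old plaintext objects migrate
---
# Stage 3, 1.10+ KMS plugin: envelope encryption. kube-apiserver generates a
# DEK per object and asks the plugin, over the Unix socket, to wrap it with a
# KEK that never leaves the KMS / TEE. Name and socket path are assumptions.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      - kms:
          name: tee-kms        # shows up in etcd as the prefix k8s:enc:kms:v1:tee-kms:
          endpoint: unix:///var/run/kmsplugin/socket.sock
          cachesize: 1000
          timeout: 3s
      - aescbc:                # kept only to read objects written under stage 2
          keys:
            - name: key1
              secret: UExBQ0VIT0xERVIta2V5LW5vdC1mb3ItcmVhbC11c2U=
      - identity: {}           # remove once every secret has been rewritten
```

Switching providers does not touch objects already in etcd; after each stage, rewrite them so the first provider re-encrypts everything (`kubectl get secrets --all-namespaces -o json | kubectl replace -f -`), then read one key straight from etcd with etcdctl and confirm the value begins with `k8s:enc:kms:v1:tee-kms:` (or `k8s:enc:aescbc:v1:key1:` at stage 2) rather than the bare protobuf of an unencrypted object. Only then is it safe to drop the trailing `identity` and `aescbc` entries, which otherwise remain valid decryption paths for anyone who obtains this file. The `kms` block above is the v1 shape these decks discuss; current clusters should add `apiVersion: v2` under `kms`, since KMS v1 is deprecated and v2 is the supported form.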
VMware group: Kubernetes on vSphere Deep Dive, KubeCon China, VMware SIG
Extract: same text as the "Deep Dive into Kubernetes Scheduling" entry above (zones and vSphere tags for regions/zones, NUMA, resource restrictions, and the hypervisor-cluster VM load balancer with guaranteed reservations and health monitoring).
25 pages, 2.22 MB, 1 year ago

Kubernetes Open-Source Book - Zhou Li
Extract: …controller loops. You must disable these controller loops in kube-controller-manager; do so by setting the --cloud-provider flag to external when starting kube-controller-manager. cloud-controller-manager lets cloud-vendor code and the Kubernetes core evolve independently. In earlier versions, core Kubernetes code depended … the preferred mode. For self-registration, kubelet is started with the following options: --kubeconfig: path to the credentials used to authenticate to the apiserver. --cloud-provider: how to talk to the cloud provider to read the node's own metadata. --register-node: register automatically with the API server. --register-with-taints: register the Node with the given list of taints (comma-separated … io/network-unavailable: the Node's network is unavailable. node.cloudprovider.kubernetes.io/uninitialized: when kubelet is started with an external cloud provider it sets this taint on the Node to mark it as unusable; when the controller from cloud-controller-manager initializes the Node, kubelet removes the taint.
135 pages, 21.02 MB, 1 year ago

A Container + AI Platform Based on Kubernetes
Extract: Feature diversity and the go-live process. How it is built: K8s, a single "control cluster" and multiple "user clusters"; image registry, a single "default registry" with integration of multiple registries. Managing clusters and nodes, technology overview: cloud provider, custom resource, ansible. Managing image registries: Cargo (internal project), a production-grade image registry solution based on …; one-click highly-available deployment and maintenance; …
19 pages, 3.55 MB, 1 year ago

Serverless Kubernetes - KubeCon
Extract: [Diagram: Elastic Container Instance (ECI); Node-1, Node-2 … Node-N each running pods; ECI Provider as a virtual node.] Unlimited elasticity and rapid scale-out; pods can reach one another; no servers to manage (without managing servers); users only need to care about their container applications; zero server…
16 pages, 4.25 MB, 1 year ago

Kubernetes Native DevOps Practice
Extract: …controller and cluster autoscaler; container probes can also be used if needed. Infrastructure layer: cloud provider; on insufficient resources, remove/add nodes (vCenter, OpenStack). Extensibility / integration: …
21 pages, 6.39 MB, 1 year ago

Multi-Cloud as One, Now: Google Cloud's Kubernetes Hybrid-Cloud Strategy
Extract: …io/k8s-cluster-api]: CLI (installation); register with Google Cloud Console. [Diagram: on-prem / public cloud provider, any K8s cluster, GCP Connection Proxy, K8s API server, Connection Agent, end user, single pane…]
32 pages, 2.77 MB, 1 year ago

14 results in total.