Utility/Public subnet # - 1 NGW for the private subnet to NAT to # - 1 Route Table Association to the Main Route Table # - 1 Private subnet (to hold the instances) # ---------------------- --------------------------- # Utility Subnet # # This is the public subnet that will hold the route to the # gateway, the NAT gateway # --------------------------------------------------------------- Utility/Public subnet # - 1 NGW for the private subnet to NAT to # - 1 Route Table Association to the Main Route Table # - 1 Private subnet (to hold the instances) # ----------------------

Skb’s pointer to route is NULL during PREROUTING • No de-fragment is done during PREROUTING IPVS bypass conntrack (con.) • Egress • Original way • Nf local-out -> ip_output nf post-route -> ip_finish_output The new way • Call ip_finish_output directly Pre-route Conntrack Pre-route route IPVS entry Post-route Iptables snat Conntrack Post-route Pre-route IPVS entry BPF SNAT IPVS mode data path IPVS-eBPF

PodTemplate Configuration Revision Route $ heroku apps $ heroku domains $ heroku releases $ heroku pipeline $ rio run $ rio scale $ rio weight/promote $ rio route $ rio up riofile 抽象程度 vs 可扩展性 • 随 Service Manual Scaling App CRD HPA Knative Service Cert Canary AutoScaler AutoScaling Route Job Deployment 缺乏交互、复用、可移植能 力。不同重复造轮子只是适 配不同 API 如何基于 K8s ，构建出一个既用户友好，又高可扩展，还 统一、标准化的应用管理平台？ 定义“以应用为中心”的原语 • 打破“谷仓”! Common Traits Function Deployment K8s Operator Virtual Machine Gateway Route Traffic Alert Monitor Service Binding Rollout Ingress interoperability Application Application

TO CONFLICTS WITH traffic virtualservices.networking.istio.io apps.k8s.io services.k8s.io route route.core.oam.dev apps.k8s.io tls tls.core.oam.dev apps.k8s.io Workload 与 Trait 注册与发现机制 # 示例：将 Gateway Route Traffic Monitor Alert Deployme nt App Instance HPA Function • 碎片化： 大约 11 个内部 PaaS/Serverless • 烟囱化：互相之间完全独立， 没有可互操作性 • 用户不友好：大量基础设施层 语义泄露 • 封闭：不能利用 K8s 生态能力 Gateway Route Traffic Traffic Rollout Job Infra Ops Developers Operators Deployme nt Route Service Job PaaS A PaaS B Serverless C 案例：过去的阿里巴巴应用管理平台 Traits/Scopes Scale: - 10,000 nodes/cluster - 100,000 apps/cluster

Tencent’s business by using kubernetes native approach. • Adapt to various internal systems like Route System, CMDB, CI, Security Platform, etc. • Declarative application lifecycle management. • Support Kubeflow Hybrid Deploy StatefulSetPlus-Operator Tencent Cloud Mesh MultiCluster-Route-Manager Application & Route Management VWA Controller (Vertical Workload Autoscaler) HPAPlus Controller HNA

powerdns (dns-proxy):53 L2网络 route-HA 172.16.0.2 172.16.0.3 k8s-core-dns SVC:10.16.0.2 L3路由 route add -net 10.12.0.0 netmask 255.252.0.0 gw 172.16.0.2 && 172.16.0.3 route add -net 10.16.0.0 netmask 255

use: failed to get default interface: Unable to find default route 原因是没有找到有效的网卡，因为默认没有在kube-flannel.yml指定vxlan使用的 底层网络接口，所以它根据ip route show去查找default via这行的网卡（有默认 路由的网络接口），但我们测试环境的服务器没有配置网关，所以它找不到默 务器上的所有pod的网卡都连通到这个网桥里，即同一台k8s服务器上的所有pod 容器处于同一个二层广播域 ★k8s服务器上的各网卡关系图 [root@k8s-node01 ~]# ip route #查看k8s node结点上的路由表 default via 10.99.1.1 dev ens33 proto sta�c metric 100

install kops and kubectl + Configure AWS cli + Create S3 Bucket + Export KOPS variables + Setup Route53 KOPS: Create cluster KOPS: Edit ig nodes KOPS: Edit ig nodes KOPS: Validate cluster Monitoring

dummy�G # ip link add dev dummy0 type dummy # ip addr add 192.168.2.2/32 dev dummy0 ü �P��� # ip route add to local 192.168.2.2/32 dev eth0 proto kernel ü �GCK # ifconfig eth0:1 192.168.2.2 netmask 255

com/blogs/opensource/ centralized-container-logging-fluent-bit/ • 新增 AWS FluentBit 容器插件 • 优化成本. Route logs from Amazon EKS 和 Amazon ECS 集群的日志会直接发送到S3， 并且通过 Amazon Athena 进行 即席查询 • 开源工具 • 比 Fluentd效率更高，测试显示