leak ALL DEKs ü leak ALL secrets ü trust collapse! • DEK decryption interfaces invoked by fake users Motivation: K8s Secrets Protection • Kube-on-Kube [1] ü Components => too many! ü Interactions kubeconfig maliciously reused by attackers Ø kubeconfig in the clear in clients’ memory Ø leak users’ secrets • Sending to / receiving from malicious software entity (logic) TEE-based Kubelet • Address com/AliyunContainerService/sgx-device-plugin Secure Kubectl • Design goal • kubconfig transparent to kubectl users • kubeconfig credentials binding w/ identity • kubeconfig only in memory • TEE as an option •

|--- ca | |--- tlsca | |--- users | |--- orderers | |--- orderer0.orgorderer1 |--- ca |--- tlsca |--- users |--- peers |--- peer0.org1 40 部署 – 生成Pod、namespace配置 |--- org1 |--- msp |--- ca |--- tlsca |--- users |--- peers |--- peer0.org1 |--- org1-ca.yaml |--- org1-cli.yaml |---

should be able to scale quickly but keep lowest cost possible ● Users must identify themselves (log in) ● Gametickets must be e-mailed to users Challenge: Timing! Weekly show - 9 weeks in a row Attempt Attempt to get people to sign up early - unsuccessful Hundreds of thousands users signing up during commercial break. Show-time !! First row winner Second row winner Final winner Tease before commercial

What happened about the cluster 1 Is there something unexpected happened in the cluster 2 What end users did in the cluster How to locate failure 1 Which component is going wrong 2 Which component that caused by cluster itself RuntimeError, ImageFailed, Unscheduled, KubeletDelay... End Users Failure caused by end users ContainerCrashLoopBackOff, FailedPostStartHook, Unhealthy… Trace system Increase of

troubleshooting ● Sharing with non-technical stakeholders ● Infrequent tasks ● Onboarding new K8s users / learning Kubectl Strengths: ● In-Terminal workflows ● Frequently-repeated tasks ● Scripting Scripting & automation ● Sharing workflows / reproducibility ● Customization Onboarding new K8s users https://unsplash.com/ Over 50% of survey takers said that Dashboard is very useful or extremely

to a YAML file. Please enter the path of a directory where this configuration will be saved? [/Users/karangoel/my-test-cluster/]: Where do you want to install your cluster? [1] vSphere v6.5 Please numeric choice [2]: 2 Enter the path to the SSH private key to use (leave empty to generate): /Users/karangoel/.ssh/vsphere Enter proxy without "http://" or "https://" (leave blank if none): username:password@1

access or use of sensitive resources ● Common attack vector ○ Checked into Github ○ Accessible by users who shouldn’t have access, e.g., CEO ○ Stored in public storage buckets Secret management requirements Ensure DEKs are encrypted at rest ● Don’t use the same DEK to encrypt data from two different apps/users ● Generate a new DEK every time you write the data. This means you don't need to rotate the DEKs

Kubernetes locally. Minikube runs a single-node Kubernetes cluster inside a VM on your laptop for users looking to try out Kubernetes or develop with it day-to-day. 7 Out of tree components, what changes

altinity.com/v1" kind: "ClickHouseInstallation" metadata: name: "demo-01" spec: configuration: users: demo/password: secret demo/profile: default demo/networks/ip: "::/0" clusters:

own Controller • gPRC based interface design in Kubernetes (CRI as example) • For Kubernetes users: • Effective pattern of programming based on Kubernetes • ⼴广告（Don’t worry, it’s not that kind