Velocity: - 100,000 deploys/day - 500~1000 replicas/app Gateway Route Traffic Monitor Alert Deployme nt App Instance HPA Function • 碎片化： 大约 11 个内部 PaaS/Serverless • 烟囱化：互相之间完全独立， 没有可互操作性 • 用户不友好：大量基础设施层 封闭：不能利用 K8s 生态能力 Gateway Route Traffic Rollout Job Infra Ops Developers Operators Deployme nt Route Service Job PaaS A PaaS B Serverless C 案例：过去的阿里巴巴应用管理平台 Traits/Scopes Scale: - 10,000

jc6mIQ3V06ElNBnk7xfhU GVXgTgnofyPrOND4k05MVTJ9YIl6L1QZMjvYySiZdHU6eJesJp5gBdgWJhR2VJ1+ NT15qCrwXZEKiTiqHuHy7+syoGgaA1sQ40mkkTcVrAHuqHCZscZKFtoBLDJLFrsn 4k7rGxWNtWhVEwjlhmgu1vUQ6v0UqD

安装Kubernetes（单机） 对于Mac/Windows 10 前提：保持⽹络畅通 系统版本满⾜要求 对于macOS或者Windows 10，Docker已经原⽣⽀持了Kubernetes。你所要做的只是启⽤Kubernetes即可，如下图： Minikube ⼀些场景下，安装Minikube是个不错的选择。该⽅式适⽤于Windows 10、Linux、macOS 官⽅安装说明⽂档：https://github 官⽅安装说明⽂档：https://github.com/kubernetes/minikube 如何在Windows 10上运⾏Docker和Kubernetes？：http://dockone.io/article/8136 启⽤Kubernetes Dashboard 执⾏： kubectl proxy 02-安装单机版Kubernetes 8 访问： http://localhost:80 created by the secret volume mount will have permission 0400 . Note that the JSON spec doesn’t support octal notation, so use the value 256 for 0400 permissions. If you use yaml instead of json for the

程占用的内存减少10%。 11 国内首发Windows容器服务：帮助企业实现海量Windows应用轻松容器 化上云 根据第三方咨询公司统计，大约有80%以上的企业现有系统仍是通 过Windows Server部署运维在服务器上，统计显示Windows Server在x86伺服器中的市占率高达6成。 CCE推出基于Kubernetes的Windows Server容器管理服务 • 完美兼 完美兼容Kubernetes能力，支持容器CPU/内存资源编排，无状态/ 有状态应用模型等能力； • 可纳管最新的Windows 1709系统，支持启动Windows Native容 器。 12 CCE支持GPU异构计算能力，帮助企业高效灵活应用深度学习服务 • 将旧的加速计算应用程序容器化，并部署 在较新的系统或者云环境中。 • 将特定的 GPU 资源分配给容器，以获得 更好的隔离效果和性能。 华为CCE在裸金属容器集群、windows容器、集群高可用、自动化运维、容器网络/存储、异构计算（ARM、GPU、FPGA）能力方面具有差 异化竞争力优势。 国内首发裸金属容器应对游戏高性能场景；独家提供ARM容器服务支撑低成本APP测试场景 全球首发云容器实例服务CCI ：更快的弹性，更高的资源利用率；国内首发windows容器、帮助企业实现海量Windows应用轻松容器化上云 自研iC

qingyuanos 王昕 2016-4-21 提供虚拟机服务的意义 Ø 客户的需求不仅仅是更多的计算能力 Ø 安全性：更小的Attack Surface Ø 易于提供有状态服务 Ø 传统应用容易迁移 Ø Windows应用容易迁移 Ø 易于部署单体应用 Ø 用于桌面云 Ø 多服务单服务器部署 云平台技术的选择 云平台技术选型 容器编排系统的选择 ——Kubernetes的优势 Size 问题 Ø 问题 Ø Neutron网络做隧道封装时，占用了包头， 导致上层网络的最大允许MTU比默认要小， 造成虚拟机网络时通时不通 Ø 给Linux虚拟机造成问题 Ø 给Windows虚拟机造成问题 Ø 给虚拟机内的Docker造成问题 Ø 解决方案 Ø 手动改小虚拟机MTU Ø 用CloudInit脚本更改MTU，集成到云平 台中 HTTPS的负载均衡 Ø 问题

Spark on Kubernetes Kubernetes extends beyond container orchestration, it has been expanded to support for data-intensive and stateful apps. Benefit: l Autoscaling in Cloud l Consolidate online service goal is to bring native support for Spark to use Kubernetes as a cluster manager like YARN, or Mesos. l Spark 2.3 added native support for Kubernetes. l Spark 2.4 added support for client mode, R, python python etc. l Spark 3.0 will add support for dynamic resource allocation, external shuffle service, Kerberos etc. How it works Spark on Kubernetes Spark-operator Gaps for spark Ø Dynamic Resource

conntrack/iptables SNAT • Pros • O(1) time complexity in control/data plane • Stably runs for two decades • Support rich scheduling algorithm • Cons • Performance cost caused by conntrack • Some bugs How to • No loop support in eBPF verifier (Linux 4.14) • #param unroll • Size limitation of BPF program <= 4096 • Move SNAT allocate port loop into IPVS kernel module • Bounded loop support in Linux 5.3 • https://github.com/Tencent/TencentOS-kernel/ • More components will be open source later • Support more Linux distributions • Build IPVS kernel modules in Ubuntu, Centos • IPVS-eBPF next generation

is not a shared VPC # (There is more than one availability zone for this cluster) # # Also add support for us-east-1 # --------------------------------------------------------------- {{ if not SharedVPC is not a shared VPC # (There is more than one availability zone for this cluster) # # Also add support for us-east-1 # --------------------------------------------------------------- {{ if not SharedVPC is not a shared VPC # (There is more than one availability zone for this cluster) # # Also add support for us-east-1 # --------------------------------------------------------------- {{ if not SharedVPC

KMS • API server & kms-plugin • Cron job backup for KEKs (from KMS) • Static key configuration support in kms-plugin • One click decryption • Key force update • Liveness probe • Monitoring • Integration Version-based key synchronization • Adaption • apiserver KMS provider endpoint to support https endpoint • KMS plugin to support https [1] https://github.com/AliyunContainerService/sgx-device-plugin Secure Interface Demo • The purpose of this demo is to • Demonstrate TEE Transparency w/ Occlum’s Golang support • Showcase the confidentiality guaranteed by TEE Demo Demo Summary & Plan Summary & Next Steps

since 2016 KubeCon update ● Exec into pod ● Global search ● Login mechanism ● Settings page ● Support for Cron Jobs ● Redesigned resource creation ● ...and much much more. github.com/kubernetes/dashboard/releases running Kubernetes in GCP and on-prem ● Custom Resource Definitions support ● Service topology view ● Mobile device support ● Cost estimates ● CI/CD pipelines ● ...and more! Additional feature