Putting an Invisible Shield on Kubernetes Secrets
contents not encrypted (only base64 encoded) • > K8s 1.7+ • at-rest encryption for etcd (local + remote) Local Encryption Provider KMS Encryption Provider Background: K8s Secrets • Encryption Keys to storage in etcd • Secrets decrypted on API Server prior to use • Encryption keys stored in a remote KMS • Use envelope encryption scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance prevented TEE-based KMS Plugin [1] • Address performance & latency concerns • Reduce / minimize remote KMS interactions w/o compromising security • Address security threats • etcd compromise • Host
0 points | 33 pages | 20.81 MB | 1 year ago | 3
Advancing the Tactical Edge with K3s and SUSE RGS
information edge on the battlefield. Booz Allen is transforming military operations in complex and remote locations with the use of groundbreaking technologies, to enable decision-making at the point of Kubernetes distribution, designed for production workloads in unattended, resource constrained, remote environments. This is the story of how, alongside the team at SUSE RGS, Booz Allen is delivering accustomed to thinking about the edge as an enterprise IT term— the edge of the data center, or remote access capabilities. For Booz Allen, the edge means the far, tactical edge—in the thick of the
0 points | 8 pages | 888.26 KB | 1 year ago | 3
Go Programming Pattern in Kubernetes Philosophy
Scheduling api-server Etcd bind pod, node list pod GenericRuntime SyncPod CRI grpc dockershim remote (no-op) Sandbox Create Delete List Container Create Start Exec Image Pull List shim client -y kubelet kubeadm kubectl • sed -i '2 i\Environment="KUBELET_EXTRA_ARGS=--container-runtime=remote --container-runtime-endpoint=/var/run/xxx.sock --feature-gates=AllAlpha=true"' /etc/systemd/system/kubelet
0 points | 29 pages | 2.12 MB | 1 year ago | 3
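Alluxio Empowers Kubernetes, Accelerating Deep Learning in the Cloud
• Supports large-scale data caching • Local memory acceleration • Supports data warm-up • LRU cache management Object storage (Fuse) Worker (local) Worker (remote) Master Training POD Tier0: 1-2GB/S Short Circuit: 1-6GB/S Network: 300M/S Architecture of Alluxio on Kubernetes
0 points | 22 pages | 11.79 MB | 1 year ago | 3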
Tu Xiaogang - Microservice Practice Based on k8s
monitoring interface Option 1 Option 2 kube-apiserver Metrics-Server metrics-server caches monitoring data into memory via API redirection pull opentsdb remote_storage_adapter test-1 test-2 test-3 dev-1 dev-2 dev-3 dev-mysql-1 Middleware dev-redis-1 test-mq-1
0 points | 19 pages | 1.34 MB | 1 year ago | 3
Jib Kubecon 2018 Talk
Kubernetes applications. You can iterate on your application source code locally then deploy to local or remote Kubernetes clusters. Skaffold handles the workflow for building, pushing and deploying your application
0 points | 90 pages | 2.84 MB | 1 year ago | 3
6 results in total