apiVersion: apps/v1beta1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 3 template: metadata: labels: app: nginx spec: 06-理解K8s对象 21 containers: "key1" : "value1", "key2" : "value2" } 类似以下信息可记录到Annotation中： 由declarative configuration layer管理的字段。将这些字段附加为Annotation，可将它们与客户端或服务器设置的默 认值、⾃动⽣成的字段或以及auto-sizing或auto-scaling的系统所设置的字段区分开。 构建信 mysql # RC的POD标签选择器，即：监控和管理拥有这些标签的POD实例，确保当前集群中有且只有repli cas个POD实例在运⾏ template: metadata: labels: # 指定该POD的标签 app: mysql

Solution • Architecture and Features • CRD and operator design • Pipeline / Stage/ Task / Task Template / Version Control • Logging, monitoring, autoscaling, high availability • Extensibility / Integration Capabilities/Advantages to Build DevOps Solution parallelism Job Spec activeDeadlineSeconds completions Pod Template Expected maximum number of parallel build tasks Expected number of completed build tasks The after if finishes CronJob Spec schedule Cron style scheduler configuration concurrencyPolicy Job Template Concurrency policy of CronJob suspend Whether suspend latter jobs if the previous job is still

build 100MB layer 50MB layer registry send github.com/GoogleContainerTools/jib Docker registry Set of layers, container configurations, and manifests build 100MB layer 50MB layer registry cached 100MB layer 40MB layer registry 9MB layer 1MB layer github.com/GoogleContainerTools/jib 1MB layer Docker registry Set of layers, container configurations, and manifests build 100MB layer 40MB 40MB layer registry 9MB layer send github.com/GoogleContainerTools/jib Jib does an optimized build like FROM gcr.io/distroless/java COPY target/dependencies /app/dependencies COPY target/resources

成本优化：按需创建，支持spot和预留实例劵 • Kubernetes兼容性： deployment/statfulset/job/service/ingress/CRD • ALB Ingress: 基于SLB 7 layer • Knative serving on ASK：automatic scaling in knative • 集成ARMS, SLS Elastic Container Instance ASK-Scheduler K8S API Server • 基于云产品控制器降低Kubernetes集群的复杂度 • 使用PrivateZone代替coredns服务发现 • 使用SLB layer-7（ALB）作为默认Ingress Private Zone ALB Serverless容器基础设施 - ECI • 更低的计算成本：弹性成本要低于ECS，long run应用成本要接近ECS包年包月

Scaler K8s Operators Kubernetes + OAM K8s Plugin HPA Deployment scale-to-0 Function Unified Model Layer Platform Capability Pool 统一的模型层 平台统一“能力池” 模块化的交付系统 - GitOps “应用”配置 Git (as source of truth) KubeVela = OAM Kubernetes Runtime + Capability Center + UI (Cli + Dashboard) KubeVela Ø User interface layer - CLI/Dashboard/Appfile Ø KubeVela core - OAM Kubernetes Runtime to provide application level

file system etcd Recommendation: Use two-layers of encryption, e.g., full-disk & application-layer … then tries to decrypt it https://xkcd.com/538/, https://xkcd.com/license.html Key rotation summary ● Use encryption based on your threat model, e.g., two layers, like full-disk + application-layer ● Rotate keys regularly to limit the impact of a potential key compromise ● Use envelope encryption

different CaaS and PaaS systems • NSX Infra layer: Implements the logic that creates topologies, attaches logical ports, etc. based on triggers from the Adapter layer • NSX API Client: Implements a standardized

provides • Extended with additional APIs • Build your own API server • Requirements of aggregation layer • Running Kubernetes 1.7 Cluster • Enable apiserver flags © 2017 Rancher Labs, Inc. Setup an Extension

check … • Service: LoadBalancer, Headless, Service Discovery(PrivateZone) • Ingress: Aliyun 7-Layer LoadBalancer • Volumes: emptyDir, NFS, SecretVolume, ConfigMapVolume • Secret, ConfigMap • ServiceAccount

labels: app: traefik spec: selector: matchLabels: app: traefik template: metadata: name: traefik labels: app: traefik spec: vi influxdb2/templates/service.yaml apiVersion: v1 kind: Service metadata: name: {{ template "influxdb.fullname" . }} labels: {{- include "influxdb.labels" . | nindent 4 }} selectorLabels" . | nindent 4 }} --- apiVersion: v1 kind: Service metadata: name: {{ template "influxdb.fullname" . }}-headless labels: {{- include "influxdb.labels" . | nindent 4