Kubernetes: Use it, Contribute to it, and Enjoy it! Xiangpeng Zhao, Software Engineer, ZTE Corporation Github: @xiangpengzhao Agenda 1. The community 2. How to contribute 3. Versioning 4. The easy easy way to use it 5. Demo 6. Q & A The community Orgs/Repos SIGs/WGs Communication Resources Ecosystem Orgs/Repos Kubernetes Kubernetes SIGs Kubernetes Incubator Orgs kubernetes- retired verview/ More: Agenda 1. The community 2. How to contribute 3. Versioning 4. The easy way to use it 5. Demo 6. Q & A Where to all repos docs bug report code code review PR workflow git

Dockerfile 2. Reduce image size 3. Don’t run installs 4. Use better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use a Maven plugin github.com/GoogleContainerTools/jib What Dockerfile 2. Reduce image size 3. Don’t run installs 4. Use better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use a Maven plugin Download and install Docker github.c Dockerfile 2. Reduce image size 3. Don’t run installs 4. Use better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use a Maven plugin Download and install Docker Order of

default interface E0430 11:16:34.506062 1 main.go:204] Failed to find any valid interface to use: failed to get default interface: Unable to find default route 原因是没有找到有效的网卡，因为默认没有在kube-flannel 在创建pod时直接指定volumes为hostPath（node结点上的本地目录） # vi pod-nginx-use-volume.yml #内容如下 apiVersion: v1 kind: Pod metadata: name: pod-nginx-use-volume #pod名，这个名称可带小数点 labels: #给pod打标签，便于其他资源对它的选择 lbname: lbvalue-nginx-use-volume spec: containers: #在spec次级，定义一组容器，-表示数组 - name: nginx-v1-19-5 #容器名，小写字母开头，后可接数字-减号，不可

applications at build or run time Why protect secrets? ● Attractive target ○ Controls access or use of sensitive resources ● Common attack vector ○ Checked into Github ○ Accessible by users who shouldn’t management requirements Identity Require strong identities and least privilege Auditing Verify the use of individual secrets Encryption Always encrypt before writing to disk Rotation Change a secret managed Encryption at different layers (or turtles) disks file system etcd Recommendation: Use two-layers of encryption, e.g., full-disk & application-layer … then tries to decrypt it https://xkcd

devices: # specific devices to use for storage can be specified for each node - name: "sdc" - name: "k8s-node3" devices: # specific devices to use for storage can be specified for for each node - name: "sdc" - name: "k8s-node4" devices: # specific devices to use for storage can be specified for each node - name: "sdc" kubectl apply -f cluster.yaml mongo --host mongodb-replicaset rs0:PRIMARY> rs.secondaryOk() rs0:PRIMARY> show dbs rs0:PRIMARY> use admin rs0:PRIMARY> db.device.find() O.Helm 安装 influxdb Step1. 下载 influxdb helm chart helm

caSet对象：使⽤Deployment替代，并在spec部分中定义应⽤程序。 示例 apiVersion: apps/v1beta2 # for versions before 1.6.0 use extensions/v1beta1 kind: ReplicaSet metadata: name: frontend labels: app: guestbook （扩展Deployment，以便更多的负载） Pause the Deployment （暂停Deployment），从⽽将多个补丁应⽤于其PodTemplateSpec，然后恢复它，开始新 的升级。 Use the status of the Deployment （使⽤Deployment的状态）作为升级卡住的指示器。 清理您不再需要的 Clean up older ReplicaSets （清理旧的ReplicaSet） gExecution affinity以及anti-affinity相关联的 matchExpressions 必须满⾜， 才会将Pod调度到Node上。 More Practical Use-cases（更多实⽤的⽤例） Interpod Affinity和AnitAffinity在与更⾼级别的集合（例如ReplicaSets、Statefulsets、Deployments等）⼀起使⽤时可能

● ● Cloud Native Hybrid ● ● ● Up Agile Portable Elastic Transform Efficient Secure Pay for use Out ● ● Migrate Move up, out or both? Google is a recognized leader in Open Source Cloud Kubernetes like to use existing CA? [1] I'll provide CA certificate and key [2] Generate CA certificate and key Please enter your numeric choice [2]: 2 Enter the path to the SSH private key to use (leave empty "http://" or "https://" (leave blank if none): username:password@1.1.1.1:5413/ Enter Docker registry to use [gcr.io/k8s-cluster-api]: CLI (Installation) Register with Google Cloud Console On-Prem/Public

encrypted prior to storage in etcd • Secrets decrypted on API Server prior to use • Encryption keys stored in a remote KMS • Use envelope encryption scheme • DEK & KEK Motivation: K8s Secrets Protection Plugin (cont.) • Deployment Modes • One kms-plugin container per Master Node: sidecar to apiserver • Use Annotation to enable encrypted secret read / write • LivenessProbe for health check • Configurations Plan Summary & Next Steps • Summary • A TEE-based E2E solution aiming to guard K8s secrets while in use, at rest, and in transit • TEE transparency empowered by LibOS (e.g. Occlum) • Where we are? • TEE-based

l https://github.com/apache-spark-on-k8s/spark l The goal is to bring native support for Spark to use Kubernetes as a cluster manager like YARN, or Mesos. l Spark 2.3 added native support for Kubernetes Volcano batch system l Use delay pod creation feature to deal with high concurrent job submission l Use queue proportion/namespace fair-share, job fair-share to share resource l Use task-topology to improve

battlefield. Booz Allen is transforming military opera- tions in complex and remote locations with the use of groundbreaking technologies, to enable decision-making at the point of data collection. Fast Allen Hamilton KubeEdge and K3s seemed the most natural starting point, given the device-centric use case. After assessing other leading Kuber- netes distributions, it was clear that many stayed focused SmartEdge on the evolution of the device landscape. According to the team, Booz Allen’s clients can use a range of devices as the software knows how to talk to an array of sensors. If users want to lift