Operating System Physical Infrastructure Containers VMware Hypervisor VMs Docker Containers User Cases 9 •Ready-to-go development •Self-service portal Developer Sandbox • New application development Contains all state known about cluster • Kubernetes Front-end Control Plane • Provides RESTful interface • Returns state objects as JSON • Provides core control loops for platform • Watches shared state Kubeproxy Kubelet • Container Runtime Interface • Responsible for downloading images • Runs containers • Can use other runtimes such as rkt • Load-balance interface for Pods • Creates virtual IP for external

/iptables -P FORWARD ACCEPT # systemctl daemon-reload # systemctl restart docker ★默认还加了DOCKER-USER这个forward链，默认全部return，导致不通，也得 放开，具体得看下iptables规则），以下操作目的为 在系统启动后等待60秒待 k8s把iptables规则设置完毕再在以下几个chain里放通所有流量，如果对防火墙 sleep 60 /usr/sbin/iptables -I DOCKER 1 -s 0.0.0.0/0 -j ACCEPT /usr/sbin/iptables -I DOCKER-USER 1 -s 0.0.0.0/0 -j ACCEPT /usr/sbin/iptables -I DOCKER-ISOLATION-STAGE-1 1 -s 0.0.0.0/0 -j go:518] Determining IP address of default interface E0430 11:16:34.506062 1 main.go:204] Failed to find any valid interface to use: failed to get default interface: Unable to find default route 原因是

商业化 8 面向大数据和AI应用的内存级数据编排系统 数据编排层(Data Orchestration) Java File API HDFS Interface S3 Interface REST API POSIX Interface Alluxio是什么 HDFS Driver S3 Driver OSS Driver Web Driver Alibaba Cloud OSS Client Master Meta Cache First Access LRU listStatus() 2. Alluxio缓存行为控制 参数 取值 含义 alluxio.user.ufs.block.read.location.policy LocalFirstAvoidEvictionPolicy Alluxio读取的数据块优先保存到本地，但是当本地空间不足时， 不会驱 后台驱逐任务启动条件，本例子中条件本地空间超过100 x 0.99=99GiB触发驱逐 alluxio.user.block.avoid.eviction.policy.reserved.size .bytes 1056MB 当本地节点的空间少于1056MB时，数据缓存的调度器不会选择该 节点；转而选择其他节点。 alluxio.user.file.passive.cache.enabled false 当从Allu

Confidential Amazon VPC CNI plugin Elastic network interface Secondary IPs: 10.0.0.1 10.0.0.2 10.0.0.1 10.0.0.2 Elastic network interface 10.0.0.20 10.0.0.22 Secondary IPs: 10.0.0.20 10.0 Outbound Traffic SNAT EKS worker node Primary elastic network interface Pod Secondary elastic network interface Pod – 100.64. 0.200 © 2019, Amazon Web Services, Inc. or its Affiliates code analysis • source available? • gotchas: big surface, many languages { } } • sanitizing user input • static code analysis • gotchas: log-leaking} • sensitive config (passwords, API keys,

Rancher 与 Kubernetes User Interface | Application Catalog | Monitoring | Logging Management Plane Infrastructure Services - Policy Management - Cluster Operations - User Management - Lifecycle • Support for extensible admission controllers • Pluggable cloud providers • Container runtime interface (CRI) enhancements © 2017 Rancher Labs, Inc. CustomResourceDefinition(CRD) • What CRD provides

patterns of Kubernetes (Controller, codegen etc) • Write your own Controller • gPRC based interface design in Kubernetes (CRI as example) • For Kubernetes users: • Effective pattern of programming register AstaXie Controller astaxie1 OnDelete OnUpdate OnAdd Kubernetes Custom Controller User operation A Real World Example • I want to have a Network object into k8s API • I want a controller com/kubernetes/gengo • github.com/kubernetes/kubernetes/tree/master/cmd/libs/go2idl Pattern 3: gRPC based Interface • Decouple Kubernetes from external dependencies • kubelet -> gRPC -> dockershim -> dockerd

DATASTORE_TYPE value: kubernetes - name: IP_AUTODETECTION_METHOD #DaemonSet 中添加该环境变量 value: interface=ens160 #指定内网网卡 - name: WAIT_FOR_DATASTORE value: "true" ...... kubectl apply -f calico ClientUsername: drop headers: defaultMode: keep names: User-Agent: redact Authorization: drop Content-Type: keep kubectl apply -n kubernetes-dashboard describe secret $(kubectl -n kubernetes-dashboard get secret | grep admin-user | awk '{print $1}') Step4: 浏览器上访问: https://k8s-master:30000/ 输入 step3 上获得的 token Step5:

。在内核层，通过 cgroup 来提供硬件环境的隔离（例如 CPU，Memory， Block I/O，网络等等 和通过 namespace 来提供软件层面 的隔离（例如 process tree，网络，user IDs 和挂载的文件 系统 。 Container 框架 通过在 Kernel 层面提供的 API 来达到上层可以容器化应 用程序。 Container VS VM (Virtual Container 行 业的领导人推出。 • OCI目前包含两个规范： • 运行时规范（runtime-spec • Image 规范（image-spec Container 管理工具 (User Space) 如何通过 Docker 启动 Container 并与硬件绑定 官方文档参考： https://docs.docker.com/engine/admin/resource_constraints/ kube-apiserver • kube-scheduler Kubernetes 与 Container 通信框架 Kubernetes 通过 CRI (Container Runtime Interface) 层将 Kuernetes 与具体的 Container 管理工具隔离，并且可以进行 Container 的操作。 在 Node 上的层次关系 通过 Label 的方式将 Node

broadcaster TV2 asked us ● To create an application which works on all devices ● To create an admin interface to run the show ● The application should be able to scale quickly but keep lowest cost possible Kubernetes Take control Easy to manage and scale Experience KOPS: Installation + Create AWS user + Make a CI host + wget and install kops and kubectl + Configure AWS cli + Create S3 Bucket +

Secrets Protection • Kube-on-Kube [1] ü Components => too many! ü Interactions => complicated! ü User access management => raw and extensive! ü Secrets management => crucial! • Financial-grade security com/occlum/occlum Occlum: SGX Dev Made Easy Occlum: Major Features Occlum: Container-Inspired Interface Demo • The purpose of this demo is to • Demonstrate TEE Transparency w/ Occlum’s Golang support