Invisible Shield on Kubernetes Secrets Agenda • K8s Secrets: Overview • TEE-based K8s Secrets Protection: Solution • Production Experience @ Ant Group • Demo • Summary & Plan K8s Secrets: Overview Background: Background: K8s Secrets Cluster • What they are? • Sensitive information • Passwords • OAuth tokens • ssh keys etc. • Stored in etcd • distributed Key-Value data store • How about their security? Provider KMS Encryption Provider Background: K8s Secrets • Encryption Keys stored on API Server • Secrets encrypted prior to storage in etcd • Secrets decrypted on API Server prior to use • Encryption

Turtles all the way down: securely managing Kubernetes secrets with secrets Alexandr Tcherniakhovski, Google Cloud Maya Kaczorowski, Google Cloud Nov 14 2018 Turtles all the way down Turtles @MayaKaczorowski Protecting secrets What’s a secret? Credentials, configurations, API keys, and other small bits of information needed by applications at build or run time Why protect secrets? ● Attractive target the use of individual secrets Encryption Always encrypt before writing to disk Rotation Change a secret regularly in case of compromise Isolation Separate where secrets are used vs managed

Secrets Management at Scale with Vault & Rancher 24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com managing many? How do we address: Networking, Security, Scheduling, Automation, etc? 6 Why Kubernetes ? Common compute platform across any infrastructure DEV DATA CENTER CLOUD BRANCH 5G / EDGE infrastructure capabilities Kubernetes architecture ● Controlplane: Manages the cluster and exposes an API for control ● Etcd: a key value store used as Kubernetes’ backing store for all cluster

Jason Turner @le�icus emptycrate.com/idocpp 1Copyright Jason Turner @le�icus emptycrate.com/idocpp Secrets of Scripting Bindings for C++ 2 . 1Copyright Jason Turner @le�icus emptycrate.com/idocpp Jason com/le�icus/5d94357725413dce5005b0b1b7f77836 25 . 8Copyright Jason Turner @le�icus emptycrate.com/idocpp Secrets of Scripting Bindings for C++ 26 . 1Copyright Jason Turner @le�icus emptycrate.com/idocpp Jason

ClickHouse on Kubernetes! Alexander Zaitsev Altinity Background ● Premier provider of software and services for ClickHouse ● Incorporated in UK with distributed team in US/Canada/Europe 24x7 support for ClickHouse deployments ○ Software (Kubernetes, cluster manager, tools & utilities) ○ POCs/Training What is Kubernetes? “Kubernetes is the new Linux” Actually it’s an open-source machine resources efficiently ● automate application deployment Why run ClickHouse on Kubernetes? Other applications are already there Easier to manage than deployment on hosts Bring

ClickHouse on Kubernetes! Alexander Zaitsev, Altinity Limassol, May 7th 2019 Altinity Background ● Premier provider of software and services for ClickHouse ● Incorporated in UK with 24x7 support for ClickHouse deployments ○ Software (Kubernetes, cluster manager, tools & utilities) ○ POCs/Training What is Kubernetes? “Kubernetes is the new Linux” Actually it’s an open-source machine resources efficiently ● automate application deployment Why run ClickHouse on Kubernetes? 1. Other applications are already there 2. Portability 3. Bring up data warehouses quickly

Serverless Kubernetes: Container in Cloud Native Way 阿里云容器服务团队 张维 KUBECON CHINA 2018 应用部署演化： Going native with cloud Virtual Machine/Bare Metal Increasing focus on business logic Decreasing 厂商 发布日期 Kubernetes API支持 Hyper.sh 2016.11 Y(2018.5支持) Azure Container Instances 2017.7 N AWS Fargate 2017.11 计划2018年支持 Huawei CCI 2018.2 Y Alibaba Cloud Serverless Kubernetes 2018.5 Serverless Kubernetes容器服务 - 按照应用使用资源付费 - 无需管理服务器节点 容器调度与编排 经典Kubernetes容器服务 - 按照集群节点数量付费 ECS Pod Pod Pod Pod ECS Pod Pod Pod Pod ECS Pod Pod Pod Pod 经典Kubernetes集群 容器调度与编排

第1 章 Kubernetes 入門 1.1 Kubernetes 是什麼？ Kubernetes 是什麼？ 首先，它是一個全新的基於容器技術的分散式架構解決方案。這個方案雖然還很 新，但它是 Google 十幾年來大規模應用容器技術的經驗累積和演進的一個重要成 果。確切地說，Kubernetes 是 Google 嚴格保密十幾年的秘密武器——Borg 的開源 專案版本。Borg 是 論文伴 隨著 Kubernetes 的發布宣傳被 Google 首度公開，大家才得以瞭解它的更多內幕。 正因站在 Borg 這個前輩的肩膀上，吸取了 Borg 過去十年間的經驗與教訓，所以 Kubernetes 一經開源就一鳴驚人，並迅速席捲了容器技術領域。 1-9 1.3 從一個不簡單的 Hello World 範例說起 瀏覽器訪問 讀 寫 虛擬機 Kubernetes 服務 圖 圖 1.3 Kubernetes 部署架構圖 1.3.1 建立 redis-master Pod 及服務 我們可以先定義 Service，然後再定義一個 RC 來建立和控制相對應的 Pod，或者先 定義 RC 來建立 Pod，然後定義與其關聯的 Service，這兩種方式最終的結果都一 樣，這裡我們採用後面這種方式。 首 先 為 redis-master 服 務 建 立 一 個 名 為

Автоматизация управления ClickHouse-кластерами в Kubernetes Владислав Клименко и Валерий Панов K8s? Что это? K8s is the new Linux Это платформа с открытым кодом. позволяющая: • строить системы на ClickHouse в Kubernetes? • Все компоненты системы уже в k8s. • Максимальная унификация управления. • Нужно быстро строить хранилища данных. • Нужна максимальная переносимость. ClickHouse в Kubernetes – это это просто? НЕ ОЧЕНЬ! Почему? Потому что ClickHouse + Kubernetes ClickHouse в Kubernetes? Что будем делать? Одна кнопка ClickHouse Оператор? Что это? • Программа, управляющая другими программами

Kubernetes Native DevOps Practice — 王磊磊 @TenxCloud Agenda • Our DevOps Expectations • Kubernetes Capabilities/Advantages to Build DevOps Solution • Architecture and Features • CRD and operator design experience and data, leverage with PaaS capability • Facilitate our PaaS and micro-service product Kubernetes Capabilities/Advantages to Build DevOps Solution Pod Job CronJob • k8s itself is NOT a PaaS or Volumes ConfigMap Secret ResourceQuota / LimitRanges • Scheduler / Affinity • And more … Kubernetes Capabilities/Advantages to Build DevOps Solution [] InitContainers Pod Spec [] Containers Affinity