Scaling a Multi-Tenant k8s Cluster in a Telco Pablo Moncada October 28, 2020 About MasMovil group ● 4th telecom company in Spain ● Provides voice and broadband services to +12M customers ● Several

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce transmission tail latencies for applications and to avoid locking

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce transmission tail latencies for applications and to avoid locking

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts io/docs/setup/learning-environment/minikube/] to demonstrate deployment and operation of Cilium in a single-node Kubernetes cluster. The minikube VM requires approximately 5GB of RAM and supports hypervisors like

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce transmission tail latencies for applications and to avoid locking

Troubleshoo�ng Monitoring & Metrics Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshoo�ng Component & Cluster Health Connec�vity Problems Policy Troubleshoo�ng Automa�c Diagnosis network packets emi�ed by the applica�on containers, allowing to validate the iden�ty at the receiving node. Security iden�ty management is performed using a key-value store. Secure access to and from external This means that each host can allocate IPs without any coordina�on between hosts. The following mul� node networking models are supported: Overlay: Encapsula�on based virtual network spawning all hosts.

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts io/docs/getting-started-guides/minikube/] to demonstrate deployment and operation of Cilium in a single-node Kubernetes cluster. The minikube VM requires approximately 5GB of RAM and supports hypervisors like

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts io/docs/getting-started-guides/minikube/] to demonstrate deployment and operation of Cilium in a single-node Kubernetes cluster. The minikube VM requires approximately 5GB of RAM and supports hypervisors like

何实现集群内服务间的高效互通、满足应用 SLA 诉求已成为数据中心面临的关键问题，对云基础设施提出了很高的要求。 基于 K8S 的云基础设施能够帮助应用实现敏捷的部署管理，但在应用流量编排方面有所欠缺，服务网格的出现很好的 弥补了 K8S 流量编排的缺陷，与 K8S 互补，真正实现敏捷的云应用开发运维。但随着对服务网格应用的逐步深入，当前服 务网格的代理架构，数据面引入了额外的时延底噪开销，已成为业界共识的性能问题。 Kmesh 使用介绍。 应用场景 Pod1 Pod2 socket socket socket 业务程序 envoy socket socket socket envoy server Node 特性增强 21 openEuler 23.09 技术白皮书 sysMaster 相关特性 sysMaster 是一套超轻量、高可靠的服务管理程序集合，是对 1 号进程的全新实现，旨在改进传统的 GALA 项目将全面支持 K8S 场景故障诊断，提供包括应用 drill-down 分析、微服务 &DB 性能可观测、云原生网络监控、 云原生性能 Profiling、进程性能诊断等特性，支撑 OS 五类问题（网络、磁盘、进程、内存、调度）分钟级诊断。 • K8S 环境易部署：gala-gopher 提供 daemonset 方式部署，每个 Worker Node 部署一个 gala-gopher

功能，策略配置淘汰的冷内存交换到用户态存储，用户无感知，性能 优于内核态 swap。 夯实云化基座 容器操作系统 KubeOS：云原生场景，实现 OS 容器化部署、运维，提供与业务容器一致的基于 K8S 的管理体验。 • 安全容器方案：iSulad + shimv2 + StratoVirt 安全容器方案，相比传统 docker + qemu 方案，底噪和启动时间 优化 40%。 • 双平面部署工具 MySQL、Redis、Nginx 等）和 CPU 消耗且时延不敏感的业务（如 AI 离线训练） 混合部署，包括容器与容器、容器与进程、容器与虚机、虚机与虚机混合部署等多种场景。 容器操作系统 云原生是云计算发展的下一跳、k8s 事实上已经成为云原生软件基础设施的底座。业界主流操作系统厂商都推出了针对 云原生场景的 OS，如 Rehat RCHOS，AWS BottleRocket 等，实现 OS 容器化部署、运维，提供与业务容器一致的管理和 容器化部署、运维，提供与业务容器一致的管理和 运维体验。 openEuler 适应云原生发展趋势，推出容器化操作系统 KubeOS，实现云原生集群 OS 的统一容器化管理，具备如下特点： 1. OS 容器化管理、对接 K8S，原子化的生命周期管理； 2. OS 轻量化裁剪，减少不必要的冗余包，可实现快速升级、替换等。 容器和容器混部 进程和容器混部 Linux Kernel cgroup 容器和虚机混部