Scheduler Scheduler Scheduling Scheduler Scheduling color=yellow Discovery Select color = yellow color=yellow Discovery yellow.mycluster Select color = yellow Load balancing Controller manager 5 Healing it wrong, lose the cluster! gcc // gcc source code #include int main() { compile_c(argv[1]); } gcc Self hosting go // golang source code package main import "os" func main() { compile_go(os

b Compiler + Containerizer github.com/GoogleContainerTools/jib Code Executable Compile github.com/GoogleContainerTools/jib Code Executable Compile Java Container Containerize github.com/G facilitates continuous development for Kubernetes applications. You can iterate on your application source code locally then deploy to local or remote Kubernetes clusters. Skaffold handles the workflow for building github.com/GoogleContainerTools/skaffold official website code Development Process application k8s config build push deploy connect update code Development Process application k8s config skaffold

unnecessary privileged users, no scans, trust • code analysis • source available? • gotchas: big surface, many languages { } } • sanitizing user input • static code analysis • gotchas: log-leaking} • sensitive Identifiable Information (PII) • gotchas: leaks, GDPR (in Europe) { host container dependencies code config user data © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Security Hub AWS CloudHSM AWS Certificate Manager AWS CloudTrail host container dependencies code config userdata © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon

Decision Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 7 Kubenetes scheduling What does the scheduler do: As pod are created, they Decision Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 2. Rank remaining nodes a. ranking is driven by priorities - this is extensible Decision Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 2. Rank remaining nodes a. ranking is driven by priorities - this is extensible

Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 7 Kubenetes scheduling What does the scheduler do: As pod are created, they Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 2. Rank remaining nodes a. ranking is driven by priorities - this is extensible Stages: 1. Filter out impossible worker nodes a. Filters are called predicates - extensible in code with a default list 2. Rank remaining nodes a. ranking is driven by priorities - this is extensible

resilient systems at scale” (Jez Humble) • Applying Agile practices to operations • Infrastructure as code • Ops teams embracing source control (git) • Automated testing • Repeatable/consistent • CI/CD • Production accuracy vs expected accuracy when possible • Rolling-updates • … Resources • Source code for this talk: https://github.com/ritazh/kubecon-ml • Kubeflow labs for AKS: https://github.

Versioning 4. The easy way to use it 5. Demo 6. Q & A Where to all repos docs bug report code code review PR workflow git workflow CI bot/commands https://prow.k8s.io/command-help /approve

use a pure eBPF service? • Not mature enough eBPF brief • Write C • Compile into eBPF assembly code • Inject to kernel • Attach to network tc hooks • Triggered by ingress/egress packets IPVS bypass Udp for A Srcport=x Udp for AAAA Srcport=x Udp for A Srcport=x DROP • Solution • In eBPF code, add a loop to wrap port alloc and insert. • If insert fails, it will retry alloc.

ConfigMap Job - pod template - volumes user build task • build the docker images init task • prepare code repository - volumes DevOps Operator Manage the Job environment variables image information completes - volumes Storage APIs user build task • build the application package init task • prepare code repository sidecar build task lifecycle - preStop - volumes storage config using secret Query

Controller Kubernetes metrics traffic Workloads (YAML) Continuous Delivery is in k8s now! code 三者结合呢？ • 基于 CUE 的客户端抽象 • 基于 OAM 的应用模型 • 围绕 GitOps 的持续交付 = “以应用为中心”的 K8s KubeVela Git (as source Controller Rollout Controller GitOps OAM K8s Plugin + CUE Abstraction Processor Kubernetes traffic code Raw k8s API resources 面向应用开发者的 appfile • 基于 CUE 进行抽象 • 兼容 OAM Spec metrics Deployment Controller