github.com/GoogleContainerTools/jib Build containers faster with Jib A container image builder for Java applications Our Team Cloud Tools for Java Appu Goundan @coollog @loosebazooka Qingyang com/GoogleContainerTools/jib What did we do? 1. Write first Dockerfile 2. Reduce image size 3. Don’t run installs 4. Use better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use com/GoogleContainerTools/jib What did we do? 1. Write first Dockerfile 2. Reduce image size 3. Don’t run installs 4. Use better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use

application development • 12-factor apps, PCF Cloud Native •Simplify app maintenance •Improve developer workflow Application Repackaging The need for containers and containers orchestrators v v Legacy Application called “Kubelet” • Application Deployment File = Configuration File of desired state • Container Image = Runs in a Pod (~1:1) • Replicas = QTY of Pods that must be running Worker Node Worker Node • NSX Container Plugin: NCP is a software component provided by VMware in form of a container image, runs in K8s as a Pod • Kubernetes Adapter: NCP is built in a modular way, so that individual

Agenda • What is the typical ML workflow and some of their shortcomings • Why DevOps? • Why Containers, Kubernetes, and Helm? • Intro to Kubeflow, Helm, Argo • Demos • Image classification with Inception TF Serving • Rapid prototyping with self-service Jupyter notebook from JupyterHub Simplified ML Workflow/Pipeline What is DevOps? • “A cross-disciplinary community of practice dedicated to the study Serving or Seldon • Additional components for storage, workflow, etc. Artificial Intelligence solves critical life problems Demo: Find ��� Image classification with Inception v3 and transfer learning

1min pod is removed from etcd Unhealthy Node Taint/Degrade 1min Node has taints or is degraded Processing Base on the failure reason Unhealth node is healed or removed. Reason classification: Source and Log. 2. Analyze the problem of the node, such as DiskRO, critical Daemonset is not ready. 3. Processing unhealthy node: Heal, Degrade or Isolate. With scoring mechanism and historical operation records Daily Report Tips on increasing SLO Case 1: Image Download Image lazyload technology provides the ability to run a container without downloading image. Case 2: Retry Pod should be recreate when the

Registry与P2P Agent流量占比对比 • 镜像下载引入BT协议 • 对Docker Daemon零入侵 • 每层分别做种 • 优化blob下载策略 发表论文：《FID: A Faster Image Distribution System for Docker Platform》 2017 IEEE 2nd International Workshops on FASW 安全 能力扩展：弹性伸缩 11:46:38 V7版本开时候运行 • 2018-02-09 09:33:02 对该实例做灰度升级，从V7版本升级到V8 版本 • 2018-02-09 09:33:02 开始pull V8版本的image PS：灰度升级属于原地升级，因此不需要重新过调度，升级的效率 也会提升。 每次升级可以选择要升级的实例个数以及具体哪些(个)实例。 能力扩展：存储场景 物理硬盘 cephFS ceph RBD Scheduler Framework》 The IEEE ISPA 2018 (16th IEEE International Symposium on Parallel and Distributed Processing with Applications) 能力扩展：GPU支持 资源-访问代价树 四类通信方式分类中，通信开销最大的是SOC，其次是PXB，再次是PHB，PIX通信方式 的GPU之间的通信开销最小。

strategies and operate our edge devices in a clustered fashion. It really does support distributed processing across devices.” Ben Reif Lead Developer Booz Allen Hamilton 4 www.susergs.com Advancing the strategies and operate our edge devices in a clus- tered fashion. It really does support distrib- uted processing across devices.” Pioneering a New Frontier in Military Tactics As the innovation team at Booz Booz Allen have come to understand, many organiza- tions continue to operate outdated data processing methodologies—struggling to capitalize on the opportunity the edge rep- resents. This has resulted

(remote / local) attestations between entities Production Experience @ Ant Group KMS Plugin • Workflow • Encryption • Decryption • Engineering decisions • apiserver is responsible for • DEK generation en/decryption • kms-plugin • keeps KEK cache • only en/decrypts DEK, not secrets Encryption Workflow Decryption Workflow KMS Plugin (cont.) • Deployment Modes • One kms-plugin container per Master Node: sidecar proxy mode • kubectl ó http/uds ó proxy ó https ó apiserver • X.509 or OIDC Token Secure Kubectl Workflow Secure Kubectl (cont.) • Global CA • One kubeconfig for multiple clusters One binary: TEE Transparency

Istio Apache Beam TensorFlow Service Communication Management Container Orchestration Data Processing Pipelines Data Flow Graphs for Machine Intelligence Kubernetes Contributors opensource.google manage clusters in GKE and GKE On-Prem ● Cluster environments are consistent (k8s version, OS image, plug-ins, components configuration) Orchestrate and manage on-prem containers just like GKE in

use it 5. Demo 6. Q & A Where to all repos docs bug report code code review PR workflow git workflow CI bot/commands https://prow.k8s.io/command-help /approve /cc /lgtm /assign /retest

Registry Private Zone ENI Pod 使用场景 Use cases • Multimedia processing • IoT sensor messages processing • Stream processing at scale • Chat bots • Batch jobs or scheduled tasks • HTTP REST