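Issue 1930: Introduction to Kubernetes Basics
kube-proxy: responsible for node networking; it maintains network rules on the host and performs connection forwarding. It also load-balances across the pods that are serving. For example, a service may run multiple replicas (Pods), and kube-proxy controls which Pod actually provides the service. It provides in-cluster service discovery and load balancing for Services. Docker Engine (docker): the Docker engine, responsible for creating and managing containers on the local machine. 12 www.h3c.com Confidential 12 , this virtual IP address becomes the Cluster IP. In this way, every service becomes a "communication node" with a unique IP address, and calling a service becomes a basic TCP/IP networking problem. Once a Service is created, k8s automatically assigns it an available Cluster IP, and that Cluster IP does not change for the whole lifetime of the Service. Service discovery then only requires a DNS mapping between the Service's Name and the Service's Cluster IP address. k8s introduces a DNS system as an Add-On package and uses the service name as the DNS domain name, so programs can use the service name directly to establish connections. K8s basic concepts and terminology (Service) Service: understanding the three kinds of IP in a k8s system: Node IP: the IP address of a Node; Pod IP: the IP address of a Pod; Cluster IP:
0 码力 | 49 pages | 4.11 MB | 1 year ago 3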
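Kubernetes Open Source Book - 周立
proxy/#!/overview? namespace=default Reference: https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/ 02 - Installing single-node Kubernetes 9 Deploying a production-ready Kubernetes cluster with Kubespray (1.11.2) Prerequisite: unrestricted internet access, or on your own the gcr Deployment option | Advantages | Disadvantages. Kubeadm | official | fairly troublesome to deploy, not transparent enough. Kubespray | official, fairly simple to deploy, usable by anyone who knows Ansible | not transparent enough. RKE | fairly simple to deploy, takes some time to learn RKE's cluster.yml configuration file | not transparent enough. Manual deployment | third-party operation documents | fully transparent, configurable, makes the relationships between K8s components easy to understand | very troublesome to deploy, error-prone. Other options such as Kops I passed on, because they are not cross-platform or for other reasons. contrib/inventory_builder/inventory.py ${IPS[@]} At this point, the contents of the inventory/mycluster/host.ini file look similar to the following: [k8s-cluster:children] 03 - Deploying a production-ready Kubernetes cluster with Kubespray (1.11.2) 12 kube-master kube-node [all]
0 码力 | 135 pages | 21.02 MB | 1 year ago 3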
K8S Installation, Deployment and Service Exposure
aliyuncs.com/google_containers controlPlaneEndpoint: "k8s-master:6443" networking: dnsDomain: cluster.local podSubnet: 10.98.0.0/16 serviceSubnet: 10.96.0.0/16 --- apiVersion: kubeproxy.config -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //' Step2: on the k8s node, run the join to the k8s cluster kubeadm join k8s-master:6443 --token xvxx9v.ugbbvrdncqv061hk \ --discovery-token-ca-cert-hash sessionAffinity: None type: ExternalName externalName: kubernetes-dashboard.kubernetes-dashboard.svc.cluster.local kubectl apply -f service.yaml kubectl apply -f service2default.yaml Step7: create SSL
0 码力 | 54 pages | 1.23 MB | 1 year ago 3
Operator Pattern: Best Practices for Extending Kubernetes with Go
an Operand or configures off-cluster resources • Operator waits for managed resources to reach a healthy state • Operator conveys readiness of application or managed resources to the user leveraging • Operator reconciles configuration and updates to it with the status of the managed resources Upgrade of the managed workload • Operand can be upgraded in the process of upgrading the Operator, or part of changing the CR • Operator understands how to upgrade older versions of the Operand, managed previously by an older version of the Operator Upgrade of the Operator • Operator can be upgraded
0 码力 | 21 pages | 3.06 MB | 9 months ago 3
01. K8s Extension Features Explained
Catalog | Monitoring | Logging Management Plane Infrastructure Services - Policy Management - Cluster Operations - User Management - Lifecycle Management Infrastructure Services (Networking, Storage way to extend managed resource into a current Kubernetes cluster • Auto-generated API in Kubernetes API server • Customized resource controller to implement your business logic of managed resource • APIs • Build your own API server • Requirements of aggregation layer • Running Kubernetes 1.7 Cluster • Enable apiserver flags © 2017 Rancher Labs, Inc. Setup an Extension API Server • Use apiserver-builder
0 码力 | 12 pages | 1.08 MB | 1 year ago 3
Keys Managing Keys: Turtles all the way down - Securely managing Kubernetes Secrets
Change a secret regularly in case of compromise Isolation Separate where secrets are used vs managed Encryption at different layers (or turtles) disks file system etcd Recommendation: Use two-layers kube-apiserver etcd SECRET Kubernetes secrets: 1.7 EncryptionConfig ● Encrypt secrets with a locally managed key ● EncryptionConfig for secrets ● Multiple provider options ○ aesgcm ○ aescbc ○ secretbox Kubernetes secrets: 1.10 KMS plugins ● Encrypt secrets with a locally managed key, which is then encrypted with a centrally managed key ● EncryptionConfig uses aescbc with a KMS provider ● Sidecar pod
0 码力 | 52 pages | 2.84 MB | 1 year ago 3
Model and Operate Datacenter by Kubernetes at eBay (submitted version)
Fixed price $11B Mobile Our fleet 15 3 US Data Centers POPs 200K+ Managed Vms 4K 100K Managed BMs Applications 4.5PB Managed Storage All of us know that... It’s not easy to manage fleet and infrastructure running Kubernetes Onboard Provision Configuration Kubernetes It’s time to spin up a Kubernetes cluster! Let’s model a datacenter running Kubernetes Easy operation Step 1. Find some assets not used What if salt master down? Upgrade Kubernetes core components Upgrade addons How to upgrade a cluster? ● Kubernetes is amazing on its simple architecture ● Model + Controller is the key concept of
0 码力 | 25 pages | 3.60 MB | 1 year ago 3
Amazon Elastic Kubernetes Service (EKS): A First Look
parameter - IAM for Pods - New Amazon EKS Regions: Ningxia In development - Amazon EKS on Fargate - Managed Nodes - Managed add-ons - DNS resolution of Amazon EKS private endpoints - New Amazon EKS Regions: Sao rights reserved. Amazon Confidential eksctl – a powerful tool for installing and managing Amazon EKS clusters • The simplest command-line tool for creating clusters eksctl create cluster --nodes=4 • Open-sourced on GitHub https://eksctl.io/ • Built jointly by Weave and AWS • The CLI tool officially supported by Amazon EKS © 2019 Affiliates. All rights reserved. Amazon Confidential ALB Ingress controller AWS Resources Kubernetes Cluster Node Node Kubernetes API Server ALB Ingress Controller Node HTTP Listener HTTPS Listener
0 码力 | 39 pages | 1.83 MB | 1 year ago 3
Multi-Cloud as One Is Now: Google Cloud's Kubernetes Hybrid Cloud Strategy
Load balancing Integrates Google Cloud Load Balancer with no traffic cap Demo: Create Your First Service in 10 Mins Run your cluster the way Google does GKE On-Prem ● Turn-key, production-grade, conformant Kubernetes with best-practice Solutions ALPHA IN FALL Run your cluster the way Google does ● The same tools are used to install, configure, and manage clusters in GKE and GKE On-Prem ● Cluster environments are consistent (k8s Installation and Configuration $ gke-on-prem create cluster --dry-run Welcome! This command will take you through the installation of a cluster. --dry-run saves your configuration to a YAML file. Please
0 码力 | 32 pages | 2.77 MB | 1 year ago 3
Kubernetes Native DevOps Practice
Extensibility/Integration • CI/CD examples • Future plan Overall Architecture Kubernetes Cluster Kubernetes Cluster Node Node Node Node Job Job Job Job Pod Pod Pod Pod ElasticSearch ElasticSearch Logging Consistent data Node group of build nodes Node group of user applications Scheduling customization Cluster Resource Auto Scaling kubelet can do image GC DevOps Service DevOps Operator DevOps Operator • Alertmanager to invoke various alert and related actions docker registry Kubernetes Cluster Kubernetes Cluster CRD and Operator Design BuildJob DevOps Operator Job Job Job Job BuildJob BuildJob
0 码力 | 21 pages | 6.39 MB | 1 year ago 3