com/GoogleContainerTools/jib ... <plugin> com.spotify dockerfile-maven-plugin 1.4.8 ilovejava.io/petclinic-app ${project.version} plugin> ... github.com/GoogleContainerTools/jib What better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use a Maven plugin github.com/GoogleContainerTools/jib What did we do? 1. Write first Dockerfile 2. Reduce image

Kubernetes Clusters Desired state of Application The difference between PKS and Kubernetes Open Source Project – Google/Pivotal/VMware 21 Container scheduling, scale, resiliency, and Day 2 Desired state of vSphere NSX Manager NSX Controllers T1 NSX Edge Cluster Architecture NSX-T • NSX Container Plugin: NCP is a software component provided by VMware in form of a container image, runs in K8s as a standardized interface to the NSX API Network Container Plugin (NCP) NSX Manager Kubernetes Master etcd API-Server Scheduler NSX Container Plugin (NCP) NSX Infra NSX Manager API Client Kubernetes

coupling the kube-controller-manager to cloud- provider specific code. In order to free the Kubernetes project of this dependency, the cloud-controller-manager was introduced. CSI provider for vSphere • Container one plugin that will work for all major container orchestration systems: Kubernetes, Mesos, Docker and Cloud Foundry. Cluster API provider for vSphere • The Cluster API is a Kubernetes project to bring version 1.13) and will graduate to Stable/GA in a couple of releases. Status within the Kubernetes project 9 Moving out of tree: the CSI Provider Why it exists Handles C/R/U/D of storage volumes Coordinate

Version Control sync / watch clean history jobs Basic Concepts（partial） Repository Managed Project Pipeline / Stage / Task Dockerfile / Scripts Common Configuration ConfigMap/Secret Data Volume templates to be added, integrate more CI/CD and project management tools • Optimize UI generation methodology • Improve development experience, such as CLI, plugin for IDE, dev on Cloud • Move forward to

Software Engineer VMware First open source project was to enable GPU on Kubernetes with vSphere. Also actively contributing to kubelet, device manager, device plugin area. GitHub: @figo Steve Wong Hui Luo

describe svc' alias dimg='docker images' alias dps='docker ps|grep -v gcr' alias mtx_log='tailf /opt/matrix/logs/application.log |grep Call' alias etcd-health='/opt/bin/etcdctl cluster-health' alias etcd-

EncryptionConfig uses aescbc with a KMS provider ● Sidecar pod for the KMS plugin Master kube-apiserver etcd kms-plugin SECRETDEK DEKKEK KEK Terminology and Notation DEK Data encryption key KEK kube-apiserver etcd kms-plugin SECRET KMS 1.10 Kube-ApiServer Generates a DEK Master kube-apiserver etcd kms-plugin SECRET KMS 1.10 Kube-ApiServer Sends DEK to Plugin Master kube-apiserver kube-apiserver etcd kms-plugin Encrypt(DEK) SECRET KMS 1.10 Plugin Forwards to KMS Master kube-apiserver etcd kms-plugin Encrypt(DEK) SECRET Encrypt(DEK) KMS 1.10 KMS Encrypts a DEK Master kube-apiserver

KMS Plugin [1] • Address performance & latency concerns • Reduce / minimize remote KMS interactions w/o compromising security • Address security threats • etcd compromise • Host (KMS plugin) compromise compromise Ø leak DEKs Ø leak KEKs [1] KubeCon NA 2019: "TEE-based KMS Plugin for encryption of Kubernetes Secrets”, by Raghu Yeluri & Haidong Xia, Intel Corp. TEE-based KMS Provider • Address security Experience @ Ant Group KMS Plugin • Workflow • Encryption • Decryption • Engineering decisions • apiserver is responsible for • DEK generation • Secret en/decryption • kms-plugin • keeps KEK cache • only

EKS private endpoints - New Amazon EKS Regions: Sao Paulo, Canada Central - Next-generation CNI plugin © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential © All rights reserved. Amazon Confidential 开源与 Amazon EKS Amazon EKS 的主要模块已经开源 • Amazon VPC CNI plugin • AWS IAM authenticator • Amazon EKS AMI AWS团队贡献或管理着超过20个与Kubernetes相关的开源项目 • /kubernetes • 简单安全 GitHub开源 … { } Amazon VPC CNI Plugin 支持 © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Amazon VPC CNI plugin Elastic network interface Secondary

Deamonset Node should be tainted when critical Daemonset is unhealthy. Case 4: Plugin registry Registration of plugin such as CSI plugin should be checked. Case 5: Capacity The QPS Limit and Capacity Limit should