VMware SIG Intro to the vSphere Cloud Provider
VMware SIG: Purpose, Projects managed, How to join. The Roadmap: Moving “Out of Tree”: vSphere cloud provider + storage (CSI). How to Get Information on an ongoing basis. The VMware SIG: How to Contribute, Join. 6 SIG Sponsored projects. vSphere cloud provider (In-tree and Out-of-tree) • A cloud provider is a Kubernetes controller that runs cloud provider-specific loops required for the functioning of kube-controller-manager to cloud-provider specific code. In order to free the Kubernetes project of this dependency, the cloud-controller-manager was introduced. CSI provider for vSphere • Container Storage
(12 pages | 425.38 KB | 1 year ago)
k8s Operations Manual 2.3
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.2.0/deploy/static/provider/cloud/deploy.yaml
or
wget https://limaofu.github.io/scripts/ingress-nginx-controller-v1.2.0.yaml
# The following is a storage volume mounted by default in a container; it usually contains 3 files
① Create a user account
# cd /etc/kubernetes/pki
# openssl genrsa -out kube-user01.key 2048   # create the user's private key
# openssl req -new -key kube-user01.key -out kube-user01.csr \
  -subj "/CN=kube-user01/O=kubeusers"   # create the certificate signing request
# openssl x509 -req -in kube-user01.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 3600 -out kube-user01.crt   # sign with the CA to create the user certificate
(126 pages | 4.33 MB | 1 year ago)
K8S Installation, Deployment and Exposing Services
token create --ttl 0
kubeadm token list
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt | openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex | sed 's/^.* //'
Step 2: https://k8s-master:30000/ and enter the token obtained in step 3
Step 5: generate the secret for the SSL certificate
// generate a self-signed SSL certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=k8s-dashboard
service.yaml
kubectl apply -f service2default.yaml
Step 7: create the secret for the SSL certificate
// generate a self-signed SSL certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=k8s-dashboard
(54 pages | 1.23 MB | 1 year ago)
VMware SIG Deep Dive into Kubernetes Scheduling
Utilizing Zones to improve scheduling. Using vSphere tags to define regions and zones – add cloud provider. What is NUMA? How to solve potential issues with CPU and memory intensive workloads. Kubernetes Restrictions are engaged when this is exceeded • Unmanaged by default • Mechanisms exist to allow a cloud provider or admin to supply a default and over-ride container specification outside an allowed range • is a load balancer for VMs deployed on a hypervisor cluster. It has advanced features that can provide actual guaranteed resource reservations, not just shares. It also incorporates health monitoring
(28 pages | 1.85 MB | 1 year ago)
Key Management: Turtles all the way down - Securely managing Kubernetes Secrets
EncryptionConfig ● Encrypt secrets with a locally managed key ● EncryptionConfig for secrets ● Multiple provider options ○ aesgcm ○ aescbc ○ secretbox [diagram: Master, kube-apiserver, etcd, SECRET, DEK] Kubernetes which is then encrypted with a centrally managed key ● EncryptionConfig uses aescbc with a KMS provider ● Sidecar pod for the KMS plugin [diagram: Master, kube-apiserver, etcd, kms-plugin, SECRET, DEK, KEK] service account. Kubernetes secrets: requirements. Kubernetes default, Identity, External secrets provider, 1.7 EncryptionConfig, 1.10 KMS plugin, Auditing, Encryption, Rotation, Isolation, Node authorizer
(52 pages | 2.84 MB | 1 year ago)
Putting an Invisible Shield on Kubernetes Secrets
encoded) • > K8s 1.7+ • at-rest encryption for etcd (local + remote): Local Encryption Provider, KMS Encryption Provider. Background: K8s Secrets • Encryption Keys stored on API Server • Secrets encrypted. Kubernetes Secrets”, by Raghu Yeluri & Haidong Xia, Intel Corp. TEE-based KMS Provider • Address security threats • Host (KMS provider) compromise: leak DEKs, leak Secrets • Fraudsters calling DEK decryption. Similar to apiserver <-> etcd (X.509) • Version-based key synchronization • Adaption • apiserver KMS provider endpoint to support https endpoint • KMS plugin to support https [1] https://github.com/Aliy
(33 pages | 20.81 MB | 1 year ago)
VMware group: Kubernetes on vSphere Deep Dive, KubeCon China, VMware SIG
Utilizing Zones to improve scheduling. Using vSphere tags to define regions and zones – add cloud provider. What is NUMA? How to solve potential issues with CPU and memory intensive workloads. Kubernetes Restrictions are engaged when this is exceeded • Unmanaged by default • Mechanisms exist to allow a cloud provider or admin to supply a default and over-ride container specification outside an allowed range • is a load balancer for VMs deployed on a hypervisor cluster. It has advanced features that can provide actual guaranteed resource reservations, not just shares. It also incorporates health monitoring
(25 pages | 2.22 MB | 1 year ago)
Kubernetes Open Source Book - Zhou Li
...ntroller loops. You must disable these controller loops in kube-controller-manager. You can disable them by setting the --cloud-provider flag to external when starting kube-controller-manager. cloud-controller-manager allows cloud vendor code and the Kubernetes core to evolve independently. In earlier versions, the core Kubernetes code depended ... the preferred mode. For self-registration, the kubelet is started with the following options: --kubeconfig: path to the credentials used to authenticate to the apiserver. --cloud-provider: how to talk to the cloud provider in order to obtain its own metadata. --register-node: automatically register with the API server. --register-with-taints: register the Node with the given list of taints (comma-separated ... io/network-unavailable: the Node's network is unavailable. node.cloudprovider.kubernetes.io/uninitialized: when the kubelet is started with an external cloud provider, it sets a taint on the Node marking it as not in use. When the controller from cloud-controller-manager initializes this Node, the kubelet removes this taint.
(135 pages | 21.02 MB | 1 year ago)
Container + AI Platform Based on Kubernetes
Feature diversity and go-live process • How it is implemented • K8s - single "control cluster", multiple "user clusters" • Image registry - single "default registry", integration of multiple registries. Managing clusters and nodes • Technical overview • cloud provider • custom resource • ansible. Managing the image registry • Cargo (internal project) - production-grade image registry solution, based on • One-click highly available deployment and maintenance •
(19 pages | 3.55 MB | 1 year ago)
Serverless Kubernetes - KubeCon
Elastic Container Instance (ECI) [diagram: Pods on Node-1, Node-2 ... Node-N; ECI Provider] Virtual node • Unlimited elasticity, agile scale-out • Supports pod-to-pod connectivity. No servers to manage (Without managing servers). Users only need to focus on container applications • Zero server
(16 pages | 4.25 MB | 1 year ago)