Turtles all the way down - Securely managing Kubernetes Secrets
EncryptionConfig uses aescbc with a KMS provider; sidecar pod for the KMS plugin. Terminology and notation: DEK = data encryption key, KEK = key encryption key. [Diagram: Master node with kube-apiserver, etcd and kms-plugin, plus an external KMS (1.10).] Kube-apiserver generates a DEK; kube-apiserver sends the DEK to the plugin; the plugin forwards Encrypt(DEK) to the KMS; the KMS encrypts the DEK.
52 pages | 2.84 MB | 1 year ago
Jib Kubecon 2018 Talk
github.com/GoogleContainerTools/jib. What did we do? 1. Write first Dockerfile 2. Reduce image … better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use a Maven plugin. Maven plugin fragment: <plugin> com.spotify dockerfile-maven-plugin <version>1.4.8</version> … ilovejava ilovejava.io/petclinic-app ${project.version}
90 pages | 2.84 MB | 1 year ago
Putting an Invisible Shield on Kubernetes Secrets
KMS Plugin [1]: address performance and latency concerns; reduce / minimize remote KMS interactions without compromising security; address security threats: etcd compromise, host (KMS plugin) compromise, leaking DEKs, leaking KEKs. [1] KubeCon NA 2019: "TEE-based KMS Plugin for encryption of Kubernetes Secrets", by Raghu Yeluri & Haidong Xia, Intel Corp. TEE-based KMS Provider: address security … Experience @ Ant Group KMS Plugin: workflow (encryption, decryption); engineering decisions: apiserver is responsible for DEK generation and Secret en/decryption; kms-plugin keeps a KEK cache and only …
33 pages | 20.81 MB | 1 year ago
k8s Operations Manual 2.3
Requires docker <= 20.10. k8s 1.24 and later: kubelet → cri-containerd → containerd → runC; cri-containerd was later refactored into containerd (CRI Plugin), merging into a single containerd process. Default cri-socket: unix:///var/run/containerd/containerd.sock. This section covers k8s v1… # Install the k8s binary components (versions <= 1.23) # systemctl enable kubelet # systemctl start kubelet ③ Initialize the k8s cluster # kubeadm version # check the k8s version first # GitVersion:"v1.19.4" # kubeadm config images list # list the docker image names of the other k8s components (7 images by default) ★ Initialize the cluster directly from the command line (the following is a master initialization in non-HA mode; to deploy a highly available cluster, see Chapter 4): kubeadm init --kubernetes-version=v1.19.4 \ --apiserver-advertise-address=10.99.1.51 \ # api server address --pod-network-cidr=10.244…
126 pages | 4.33 MB | 1 year ago
A First Look at Amazon Elastic Kubernetes Service (EKS)
- New Regions: Hong Kong (coming soon) - Service linked role for Amazon EKS - EKS Support for K8s version 1.13 + ECR AWS PrivateLink - EKS-optimized AMI metadata SSM parameter - IAM for Pods - New Amazon EKS private endpoints - New Amazon EKS Regions: Sao Paulo, Canada Central - Next-generation CNI plugin. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential. Open source and Amazon EKS: the main components of Amazon EKS are open source: Amazon VPC CNI plugin, AWS IAM authenticator, Amazon EKS AMI. AWS teams contribute to or maintain more than 20 Kubernetes-related open-source projects: /kubernetes …
39 pages | 1.83 MB | 1 year ago
Kubernetes Native DevOps Practice
Solution: Architecture and Features; CRD and operator design; Pipeline / Stage / Task / Task Template / Version Control / UI generation / Volume …; logging, monitoring, autoscaling, high availability; extensibility / integration. BuildJob / Job status; Pipeline / Stage / Task; Task Template; build logs; Version Control; sync / watch; clean history jobs. Basic Concepts (partial): Repository, Managed Project …
21 pages | 6.39 MB | 1 year ago
VMware SIG Intro to the vSphere Cloud Provider
Container Storage Interface (CSI) is a standard API allowing a storage provider to write just one plugin that will work for all major container orchestration systems: Kubernetes, Mesos, Docker and Cloud … What it does: the external cloud provider support was added as Alpha in version 1.6, is currently in Beta (as of version 1.13) and will graduate to Stable/GA in a couple of releases. Status within …
12 pages | 425.38 KB | 1 year ago
VMware group: Kubernetes on vSphere Deep Dive, KubeCon China, VMware SIG
… enable GPU on Kubernetes with vSphere. Also actively contributing to kubelet, device manager, device plugin area. GitHub: @figo. Steve Wong, Hui Luo. Presenter Bios. Abstract: Kubernetes allows using … topology performance effects (e.g. interleaving gets predictable albeit reduced performance); a cgroup-aware version (e.g. Java jre v10) can be deployed; this is often not available – many were developed in a …
25 pages | 2.22 MB | 1 year ago
QCon Beijing 2018 / QCon Beijing 2018 - "Kubernetes: Future-oriented Development and Deployment" - Michael Chen
NSX-T architecture: vSphere, NSX Manager, NSX Controllers, T1, NSX Edge Cluster. NSX Container Plugin: NCP is a software component provided by VMware in the form of a container image; it runs in K8s as a standardized interface to the NSX API. [Diagram: Network Container Plugin (NCP) between the Kubernetes Master (etcd, API-Server, Scheduler) and NSX Infra (NSX Manager), with an API Client, a Kubernetes Adapter and the creation workflow; NSX / Kubernetes topology with namespaces NS: foo and NS: bar.] 1. NCP creates a 'watch' on K8s …
42 pages | 10.97 MB | 1 year ago
Achieving High SLOs on Large-Scale Kubernetes Clusters
Daemonset: a node should be tainted when a critical Daemonset is unhealthy. Case 4: Plugin registry: registration of plugins such as the CSI plugin should be checked. Case 5: Capacity: the QPS limit and capacity limit should …
11 pages | 4.01 MB | 1 year ago
35 results in total