A Day in the Life of a Data Scientist Conquer Machine Learning Lifecycle on Kubernetes Brian Redmond • Cloud Architect @ Microsoft (18 years) • Azure Global Black Belt Team • Live in Pittsburgh, PA Repeatable/consistent • CI/CD • This has worked well for App Dev. Now time for AI/ML • But, must ensure data scientist are not hindered by structure Why Containers, Kubernetes & Helm? • Container • Contains Scalable • Easy to explore hyper-parameters space • Easy to do distributed training But really, Data Scientists shouldn’t have to care about containers, kubernetes and all that stuff • Pachyderm can

etcd ⽤作Kubernetes的后端存储。集群的所有数据都存储在此。请为你Kubernetes集群的etcd数据提供备份计划。 kube-controller-manager kube-controller-manager 运⾏Controller，它们是处理集群中常规任务的后台线程。逻辑上来讲，每个Controller都是⼀ 个单独的进程，但为了降低复杂性，它们都被编译成独⽴的⼆进制⽂件并运⾏在⼀个进程中。 cloud-controller-manager cloud-controller-manager运⾏着与底层云提供商交互的Controller。cloud-controller-manager是在Kubernetes 1.6版中 引⼊的，处于Alpha阶段。 cloud-controller-manager仅运⾏云提供商特定的Controller循环。您必须在kube-controller-manager中禁⽤这些 Controller循环。可在启动kube-controller-manager时将 --cloud-provider 标志设为 external 来禁⽤控制器循环。 cloud-controller-manager允许云供应商代码和Kubernetes内核独⽴发展。在以前的版本中，核⼼的Kubernetes代码依 赖于特定云提供商的功能代码。在未来的版本中，云供应商的特定代码应由云

intensive cryptanalytic attacks ● A cryptoperiod is the time during which a key is used to encrypt data Key rotation: cryptoperiod There are lots of factors that influence the choice of cryptoperiod Strength of cryptographic algorithms used ○ Implementation ○ Operating environment ○ Volume of data ○ Re-keying method ○ Number of key copies ○ Personnel turnover ○ Threat model ○ New and disruptive cardholder data against disclosure and misuse. 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including

scale • Reduce the learning curve for customer and ourselves • Get consistent user experience and data, leverage with PaaS capability • Facilitate our PaaS and micro-service product Kubernetes Capabilities/Advantages agent to collecting log data ElasticSearch ElasticSearch Monitor/Alert Service CronJob Node Pod Node Pod Unified logging、monitoring、alert with PaaS Consistent data Node group of build nodes Service DevOps Manager CronJob k8s API MySQL k8s API MySQL MySQL • Pipeline configuration and history in MySQL • Logging in central logging service - ElasticSearch • Metric data in monitoring

The Kubernetes Master Node Basic Components Master Node ETCD kube-apiserver kube-controller-manager kube-scheduler • Key/Value Store • Leader based clustering • Can be clustered across Master Nodes The Kubernetes Worker Node Basic Components Master Node ETCD kube-apiserver kube-controller-manager kube-Scheduler Worker Node CRI-containerd Kubeproxy Kubelet • Container Runtime Interface selector to provide a LB and Service DNS ReplicaSets A cluster wide Pod manager providing Pod scaling DaemonSets A Pod manager to ensure a Pod is scheduled across a Cluster Node set StatefulSets Replicated

镜像地址规范 镜像地址组成 你好我是分享标题 我是作者名称 每个控制平面节点运行的一个 实例kube-apiserver，kube- scheduler和kube-controller- manager 其中三个控制平台节点运行 keeplived和haproxy,node节点 和api-server通讯通过vip对 接,haproxy将流量转发至 apiserver 每个控制平面节点创建一个本 apiserver controller-manager scheduler etcd master haproxy keeplived apiserver controller-manager scheduler etcd master haproxy keeplived apiserver controller-manager scheduler etcd master node-local-path /data/all-log pod-path /data/all-log kafka-cluster elasticsearch-cluster logstash-cluster kafka-groupid=es topic applog logstash kafka-groupid=file file-storage mkdir -p /data/all- lo

docker # docker info ★配置docker服务使用systemd去管理（以及信任本地镜像仓库） # vi /etc/docker/daemon.json { "data-root": "/docker_data", "registry-mirrors": [ "h�ps://cof-lee.com:5443" ], "insecure-registries": [ "cof-lee /etc/docker/daemon.json <data-root": "/docker_data", "registry-mirrors": [ "h�ps://cof-lee.com:5443" ], "insecure-registries": [ "cof-lee #查看k8s其他组件的docker镜像名，默认用 k8s.gcr.io/的镜像源地址 k8s.gcr.io/kube-apiserver:v1.19.4 k8s.gcr.io/kube-controller-manager:v1.19.4 k8s.gcr.io/kube-scheduler:v1.19.4 k8s.gcr.io/kube-proxy:v1.19.4 k8s.gcr.io/pause:3.2 k8s

CMDB, CI, Security Platform, etc. • Declarative application lifecycle management. • Support big data and AI jobs. • Optimize the isolation of resources, and improve resource utilization using hybrid Training Jobs Big Data Jobs Online Services NodeProblemDetector Dynamic Scheduler DynamicQuotaManager MultiClusterManager De-Scheduler Rosource Manage & Schedule Ceres Job Queue Manager Spark-Operator Scheduler Kubeflow Hybrid Deploy StatefulSetPlus-Operator Tencent Cloud Mesh MultiCluster-Route-Manager Application & Route Management VWA Controller (Vertical Workload Autoscaler) HPAPlus Controller

CipherTrust Transparent Encrypton 的擴展，資料保護可以在每個容器的基礎上應用，兼具保 護容器的內部資料，以及經過容器存取的外部儲存資料， 都統一經由 CipherTrust Manager 集中管理。 優勢 CipherTrust Transparent Encryption for Kubernetes 效益有 : • 合規性 - CipherTrust Transparent 序以及容器內的資源組來建立細粒度存取政策。最後， 該解決方案能夠在容器之間建立隔離，所以只有經過授 權的容器才可以存取機敏資料。 CipherTrust Manager CipherTrust Manager 是 CipherTrust Data Security Platform 的核心，包括 CipherTrust 透明加密，可集中管 理平台上所有產品模組的金鑰、安全策略以及日誌管理。 具有虛擬化和實體版本，可用於儲存具有信任根 向數 位化轉型時，您可以信賴 Thales 來保護您的有價資料。 關鍵時刻 關鍵技術 Pod 容器集 Pod 容器集 應用程式 使用者 PV Claim CipherTrust Manager 持久儲存 儲存區 PV Controller Storage Class 儲存類別 Kubernetes 節點 CTE for Kubernetes Kubernetes 叢集

password) { • business core data • Personal Identifiable Information (PII) • gotchas: leaks, GDPR (in Europe) { host container dependencies code config user data © 2019, Amazon Web Services Amazon Inspector AWS KMS AWS Secrets Manager AWS WAF AWS IAM Amazon GuardDuty Amazon Macie AWS Security Hub AWS CloudHSM AWS Certificate Manager AWS CloudTrail host container dependencies