Spring Cloud Alibaba 在 Kubernetes 下的微服务治理最 佳实践 方剑 阿里云云原生应用平台 高级开发工程师 观看视频回放 • Spring Cloud Alibaba PMC member • Apache RocketMQ Committer • Alibaba Nacos Committer • 阿里云 MSE 云产品核心研发 方剑(洛夜)自我介绍 vmware.com/content/blog/ monoliths-to-microservices 微服务拆分原则 DevOps 服务框架 Dubbo 可观测性 混沌工程 服务治理 Spring Cloud 多语言微服务 API管理 服务压测 分布式事务 分布式调度 API网关 服务注册发现 负载均衡 服务配置 无损下线 服务容错 服务路由 服务鉴权 限流降级 服务元数据 服务测试 / 2018 年 11 月 Spring Boot 下载量 5000w+/月 2019 年 11 月 Spring Boot 下载量 9000w+/月 JetBrains Java 开发生态报告 https://jakarta.ee/documents/insights/2019-jakarta-ee- developer-survey.pdf Spring Boot 是开发者构建云原生应用的首选

试验 84. .NET Minimal API 85. Ajv 86. Armeria 87. AWS SAM 88. Dart 89. fast-check 90. Kotlin with Spring 91. Mockery 92. Netflix DGS 93. OpenTelemetry 94. Polars 95. Pushpin 96. Snowpark 评估 97. 基准配置文件 101. htmx 102. Kotlin Kover 103. LangChain 104. LlamaIndex 105. promptfoo 106. Semantic Kernel 107. Spring Modulith 暂缓 — 工具 语言和框架 © Thoughtworks, Inc. All Rights Reserved. 技术 1 21 29 33 34 35 36 试验 84. .NET Minimal API 85. Ajv 86. Armeria 87. AWS SAM 88. Dart 89. fast-check 90. Kotlin with Spring 91. Mockery 92. Netflix DGS 93. OpenTelemetry 94. Polars 95. Pushpin 96. Snowpark 评估 97. 基准配置文件

jib) github.com/GoogleContainerTools/jib Demo $ git clone https://github.com/spring-projects/spring-petclinic && cd spring-petclinic $ ./mvnw compile jib:build -Dimage=coollog/petclinic github.com/G

面向行业解 决方案 边缘计算 数据通道 数据分析 API 海尔工业互联网 - 微服务之框架支持 Netflix Config Server （git based） spring boot spring boot Kubernetes Eureka Ribbon Hystrix Zuul Feign Apidoc Metrics Trace Zuul Feign Springcloud：

务注册发现、配置管理、流量治理、服务级别的链路追踪、API 管理、域名管 理、监控告警等，覆盖了微服务生命周期中的各种管理场景。微服务引擎具有 很强的兼容性，不仅可以无缝对接 DCE 5.0 的其他组件，也可以完美兼容 Spring Cloud、Dubbo 等开源生态，帮助您更便捷地使用开源微服务技术构建自 己的微服务体系。 微服务注册与发现 统一纳管传统微服务和云原生微服务，实现从传统微服务生态向云原生微服务 生态的平稳过渡，助力企业走向云原生化。

隨便Google就可找到好幾卡車的Kubernetes安全最佳實務/指南.... 6 ©2019 VMware, Inc. Kubernetes安全最佳實務 Kubernetes Security Best Practices ©2019 VMware, Inc. 7  關閉公開存取 (Disable public access)  實施角色型存取權控管 (Implement (Keep your Kubernetes version up to date) Kubernetes Security Best Practices Kubernetes安全性的最佳實務指導 資料來源: https://blog.sqreen.com/kubernetes-security-best-practices/ ©2019 VMware, Inc. 8 NIST在容器安全指南中揭露了五種容器應用最應關注的風險 (Worker Node) 5. 政策 (Policies) ©2019 VMware, Inc. 10 Use Cases: Security Architecture Guidance / Replacement for Checklist / Security Training OWASP CSVS – 對Docker容器應用開發/調度平台的控制措施 組織面 基礎架構 容器 調度管理

tokens • ssh keys etc. • Stored in etcd • distributed Key-Value data store • How about their security? • Default K8s setup • etcd contents not encrypted (only base64 encoded) • > K8s 1.7+ • at-rest scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance & latency • Network • Security • DEK in the clear in memory • Secret in the clear in memory • kubeconfig in the clear in memory User access management => raw and extensive! ü Secrets management => crucial! • Financial-grade security [1] KubeCon China 2018: Node Operator: Kubernetes Node Management Made Simple - Joe Chen, Ant Financial

the way down Turtles all the way down Alex Tcherniakhovski Security Engineer, Google Cloud Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Protecting secrets What’s a secret combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.” {SECRET}DEK + {DEK}KEK Envelope Source for crypto notation: https://en.wikipedia.org/wiki/Security_protocol_notation KMS 1.10 Envelope Encryption Sequence Master kube-apiserver etcd kms-plugin

集成第三方插件 2. Feature parity with kubectl 功能与kubectl保持一致 3. Multi-cluster management 多集群管理 4. Improved security 提高安全性 Top requested changes 1. Third-party plugins or integrations 集成第三方插件 Which third-party 有多重要？ https://github.com/kubernetes/dashboard/issues /3256#issuecomment-437199403 4. Improved security “During the week of June 1st, 2018, [researchers] discovered more than 21,000 publicly facing Kubernetes represented more than 78% of all open IP's.” → Lacework: Container Security Research 4. Improved security bit.ly/securing-dashboard Securely running Dashboard is possible! “We operate

KubeVirt RancherVM Kata Container Focus : deploy REAL vm (traditional vm app) Focus : container security Virtlet Virtlet is a Kubernetes runtime server which allows you to run VM workloads, based on scale. RancherVM Architecture RancherVM Networking Container Security gVisor NFV? Kata Container The speed of containers, the security of VMs https://github.com/kata-containers Kata Container Architecture