Spring Cloud Alibaba 在 Kubernetes 下的微服务治理最 佳实践 方剑 阿里云云原生应用平台 高级开发工程师 观看视频回放 • Spring Cloud Alibaba PMC member • Apache RocketMQ Committer • Alibaba Nacos Committer • 阿里云 MSE 云产品核心研发 方剑(洛夜)自我介绍 vmware.com/content/blog/ monoliths-to-microservices 微服务拆分原则 DevOps 服务框架 Dubbo 可观测性 混沌工程 服务治理 Spring Cloud 多语言微服务 API管理 服务压测 分布式事务 分布式调度 API网关 服务注册发现 负载均衡 服务配置 无损下线 服务容错 服务路由 服务鉴权 限流降级 服务元数据 服务测试 / 2018 年 11 月 Spring Boot 下载量 5000w+/月 2019 年 11 月 Spring Boot 下载量 9000w+/月 JetBrains Java 开发生态报告 https://jakarta.ee/documents/insights/2019-jakarta-ee- developer-survey.pdf Spring Boot 是开发者构建云原生应用的首选

com/GoogleContainerTools/jib ... <plugin> com.spotify dockerfile-maven-plugin 1.4.8 io/petclinic-app ${project.version} plugin> ... github.com/GoogleContainerTools/jib What did we do? 1. Write first better base image 5. Write .dockerignore 6. Improve incremental speed 7. Switch to use a Maven plugin github.com/GoogleContainerTools/jib What did we do? 1. Write first Dockerfile 2. Reduce image

试验 84. .NET Minimal API 85. Ajv 86. Armeria 87. AWS SAM 88. Dart 89. fast-check 90. Kotlin with Spring 91. Mockery 92. Netflix DGS 93. OpenTelemetry 94. Polars 95. Pushpin 96. Snowpark 评估 97. 基准配置文件 101. htmx 102. Kotlin Kover 103. LangChain 104. LlamaIndex 105. promptfoo 106. Semantic Kernel 107. Spring Modulith 暂缓 — 工具 语言和框架 © Thoughtworks, Inc. All Rights Reserved. 技术 1 21 29 33 34 35 36 试验 84. .NET Minimal API 85. Ajv 86. Armeria 87. AWS SAM 88. Dart 89. fast-check 90. Kotlin with Spring 91. Mockery 92. Netflix DGS 93. OpenTelemetry 94. Polars 95. Pushpin 96. Snowpark 评估 97. 基准配置文件

tokens • ssh keys etc. • Stored in etcd • distributed Key-Value data store • How about their security? • Default K8s setup • etcd contents not encrypted (only base64 encoded) • > K8s 1.7+ • at-rest scheme • DEK & KEK Motivation: K8s Secrets Protection • Performance & latency • Network • Security • DEK in the clear in memory • Secret in the clear in memory • kubeconfig in the clear in memory User access management => raw and extensive! ü Secrets management => crucial! • Financial-grade security [1] KubeCon China 2018: Node Operator: Kubernetes Node Management Made Simple - Joe Chen, Ant Financial

the way down Turtles all the way down Alex Tcherniakhovski Security Engineer, Google Cloud Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Protecting secrets What’s a secret combination of a safe. If a safe combination is known to an adversary, the strongest safe provides no security against penetration. Similarly, poor key management may easily compromise strong algorithms.” EncryptionConfig uses aescbc with a KMS provider ● Sidecar pod for the KMS plugin Master kube-apiserver etcd kms-plugin SECRETDEK DEKKEK KEK Terminology and Notation DEK Data encryption key KEK

EKS private endpoints - New Amazon EKS Regions: Sao Paulo, Canada Central - Next-generation CNI plugin © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential © All rights reserved. Amazon Confidential 开源与 Amazon EKS Amazon EKS 的主要模块已经开源 • Amazon VPC CNI plugin • AWS IAM authenticator • Amazon EKS AMI AWS团队贡献或管理着超过20个与Kubernetes相关的开源项目 • /kubernetes • 简单安全 GitHub开源 … { } Amazon VPC CNI Plugin 支持 © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Amazon VPC CNI plugin Elastic network interface Secondary

compatible with GKE Built for Day 2 Operations PKS simplifies Day 2 operations with built-in network security—powered by NSX, high availability, logging, monitoring, analytics, and automated health checks vSphere NSX Manager NSX Controllers T1 NSX Edge Cluster Architecture NSX-T • NSX Container Plugin: NCP is a software component provided by VMware in form of a container image, runs in K8s as a standardized interface to the NSX API Network Container Plugin (NCP) NSX Manager Kubernetes Master etcd API-Server Scheduler NSX Container Plugin (NCP) NSX Infra NSX Manager API Client Kubernetes

面向行业解 决方案 边缘计算 数据通道 数据分析 API 海尔工业互联网 - 微服务之框架支持 Netflix Config Server （git based） spring boot spring boot Kubernetes Eureka Ribbon Hystrix Zuul Feign Apidoc Metrics Trace Zuul Feign Springcloud：

/etc/selinux/config # setenforce 0 #关闭selinux ④ulimit设置 # cat >> vi /etc/security/limits.conf <Plugin），合为一个containerd进程 默认调用的cri-socket： unix:///var/run/containerd/containerd.sock 本小节讲解k8s v1 sandbox_image = "cof-lee.com:5443/k8s/pause:3.9" #和k8s需要的pause镜 像版本保持一致 #如果要启用CRI-Plugin，注释掉其中的 disabled_plugins = ["cri"] #再重启containerd即可有 unix:///run/containerd/containerd.sock 接口 #信

Gaps for spark Ø Dynamic Resource Allocation Ø Spark external shuffle service Ø Performance Ø Security p Kerberos support Ø … Gaps for Spark Ø Resource Management: p Queue p Hierarchical queue task-topology to improve the spark workload efficiency. Summary p Queue priority p Queue reclaim p Queue plugin p Hierarchical queue p Dynamic resource allocation p External shuffle service p Resource reservation