--kubernetes- version=v1.19.4 \ --apiserver-adver�se- address=10.99.1.51 \ # api server地址 --pod-network-cidr=10.244.0.0/16 \ # pod容器网段 --service-cidr=10.7.0.0/16 \ # service网段，即cluster ip网段 --ignor --kubernetes- version=v1.28.2 \ --apiserver-adver�se- address=10.99.1.51 \ # api server地址 --pod-network-cidr=10.244.0.0/16 \ # pod容器网段 --service-cidr=10.7.0.0/16 \ # service网段，即cluster ip网段 --ignor h�ps://limaofu.github.io/scripts/kube-flannel-v0.13.0.yml # vi kube-flannel.yml #将里面的net-conf.json下面的Network网段改为规划的pod网段 #默认使用的docker镜像是quay.io/coreos/的仓库，可改为自己集群的docker仓库 保存，退出 # kubectl apply -f kube-flannel

polling even when network is idle. • Why not use a pure eBPF service? • Not mature enough eBPF brief • Write C • Compile into eBPF assembly code • Inject to kernel • Attach to network tc hooks • Triggered Performance of a cluster in different time slot may differ • Due to CPU oversold • Suggestion: • Run the test against the same cluster during near time • Make CPU the bottleneck • 1 CPU handles 500,000 pps measurement Test topology Test result Service type Short connection cps Short connection P99 latency Long connection pps ClusterIP +40% -31% not available NodePort +64% -47% +22% Test result • Perf

want to have a Network object into k8s API • I want a controller to handle add/update/delete of all Network instances • onAdd: create Neutron network • onDelete: delete Neutron network • onUpdate: onUpdate: update Network object status • https://github.com/openstack/stackube/blob/master/pkg/network- controller/network_controller.go Pattern 2: Gode Generator • client-gen: generate typed Kubernetes AP micro-services with container?” Programming Pattern • Sidecar apiVersion: v1 kind: Pod metadata: name: test-app spec: containers: - name: app-container image: gcr.io/google_containers/testapp:v1

⾼级活动探针示例 活动探测由kubelet执⾏，因此所有请求都会在kubelet⽹络命名空间中进⾏。 apiVersion: v1 kind: Pod metadata: labels: test: liveness name: liveness-http spec: containers: - args: - /server image: gcr. Ordinal Index（有序的索引） 对于⼀个有N个副本的StatefulSet，StatefulSet中的每个Pod将被分配⼀个整数序号，范围[0，N），并且唯⼀。 Stable Network ID（稳定的⽹络ID） StatefulSet中的每个Pod，从StatefulSet的名称和Pod的序数派⽣其主机名。 构造的主机名的模式是 $(statefulset name)-$(ordinal) ），你应该附加标识语义的Label属性，例如 { app: myapp, tier: frontend, phase: test, deployment: v3 } 。 这将允许您选择适⽤于上下⽂的对象组——例如，所有标记了 tier: frontend 的Pod的 Service；或“myapp”应⽤的所有“test”阶段的组件。有关此⽅法的示例，请参阅 guestbook 应⽤程序。 可通过简单的、从其选择器

k8s-app-name app-name ai-test ai-dc-server ai-dc-server ai-dc-servedr ai-preview ai-dc-web ai-dc-web ai-dc-web ai-prod ai-dc-api ai-dc-api ai-dc-api 业务线名称 ai dt ad 现有环境名 test preview prod 统一规划环境名和业务应用名，适配标准自动化运维。 k8s-namespaces 环境名称定义采用业务线缩写名加环境名组成 k8s-service名称、app名称和应用名称包名保持一致 k8s-api配置对象 作用 k8s-namespace 通过配置文件关键字dev/test/prod等声明应用所属的环境，隔离不同环境业务，通过特定标识来识别业务线。 k8s-service k8s-dns注册服务名，通过配置文件关键字关联业务线应用名称，保持应用和k8s之间的关联。 仓库域名+路径 空间名 应用名称 日期-时间戳 git版本库 镜像完整地址 registry.hz.local/huize ai-test ai-dc-web 20190510-1033 v20 registry.hz.local/huize/ai-test_ai-dc-web:20190510-1033_v20 k8s镜像构建过程 domain/path namespaces app-name

File System Hardening c. Boot Security d. Process Security e. Minimization of Attack Surface f. Network Security g. Auditing h. Authentication and Authorization i. Compliance j. File System Permissions 靜態應用安全測試 (白箱測試): Static Application Security Test (SAST) 靜態應用安全測試 : Interactive Application Security Test (IAST) 動態應用安全測試 (黑箱測試): Dynamic Application Security Test (DAST) 軟體元件分析: Software Component Analysis

Amazon Confidential Amazon VPC CNI plugin Elastic network interface Secondary IPs: 10.0.0.1 10.0.0.2 10.0.0.1 10.0.0.2 Elastic network interface 10.0.0.20 10.0.0.22 Secondary IPs: 10.0 / DX Pod Outbound Traffic SNAT EKS worker node Primary elastic network interface Pod Secondary elastic network interface Pod – 100.64. 0.200 © 2019, Amazon Web Services, Inc. or its Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Service load balancer: Network Load Balancer apiVersion: v1 kind: Service metadata: name: nginx namespace: default labels:

Chaos Mesh 的结构 以 NetworkChaos 为例 ● Controller 向 chaos-daemon 发送请求 ● [Pod network namespace] 设置 ipset 和 iptables ● [Pod network namespace] 设置 qdisc Chaos-daemon loss/delay/dup/c orrupt netem ipset+iptables bandwidth tbf NetworkChaos 实现方法 如何进入目标 Pod 的 Network Namespace ● setns 系统调用 ● nsenter 命令 或在其他进程中 setns ○ 开发、测试更加方便 ○ 使用起来更加简单 ● SideCar 共享 Network Namespace ○ 范围和权限更加可控 Chaos Mesh 使用案例 以 TiDB

compatible with GKE Built for Day 2 Operations PKS simplifies Day 2 operations with built-in network security—powered by NSX, high availability, logging, monitoring, analytics, and automated health K8s-2 n=3 #pks create-cluster K8s-3 n=3 #pks resize K8s-3 n=5 Architecture NSX-T Bosh PKS Admin Network NCP POD 1 POD 4 POD 2 POD 3 POD 5 POD 6 T0 kube-system PODs – Logical Switch Namespace from the Adapter layer • NSX API Client: Implements a standardized interface to the NSX API Network Container Plugin (NCP) NSX Manager Kubernetes Master etcd API-Server Scheduler NSX Container

•NetworkScope Provision •OS •Flavor •ComputeNode Configuration •Kernel params •Environment config •Network Kubernetes •Core components •Addon •Taint Operations Our thinking of datacenter modeling by K8sAddons, K8sDeployment KafkaCluster, HadoopCluster, MongoDB, ESCluster …… Fleet (Compute, Network, Storage) Configuration Management Infrastructure Service Application Service Recap We are