Kubernetes Native DevOps Practice | Features • CRD and operator design • Pipeline / Stage / Task / Task Template / Version Control • Logging, monitoring, autoscaling, high availability • Extensibility / Integration • CI/CD examples operator design • Pipeline/Stage/Task/Task Template/Version Control/UI generation/Volume... • Logging, monitoring, autoscaling, high availability • Extensibility/Integration • CI/CD examples • ElasticSearch ElasticSearch Logging Service agent to collect log data ElasticSearch ElasticSearch Monitor/Alert Service CronJob Node Pod Node Pod Unified logging, monitoring, alert with PaaS | 0 credits | 21 pages | 6.39 MB | 1 year ago
Go Programming Pattern in Kubernetes Philosophy | container orchestration and management project created by Google • Successor of Google Borg/Omega system • One of the most popular open source projects in this world • Written by, and heavily depends runtime=remote --container-runtime-endpoint=/var/run/xxx.sock --feature-gates=AllAlpha=true"' /etc/systemd/system/kubelet.service.d/10-kubeadm.conf • kubeadm init • kubeadm join --token $token ${master_ip:port} io/google_containers/testapp:v1 volumeMounts: - name: varlog mountPath: /var/log - name: logging-agent image: gcr.io/google_containers/fluentd:1.30 env: - name: FLUENTD_ARGS value: | 0 credits | 29 pages | 2.12 MB | 1 year ago
Kubernetes Open Source Book - 周立 | Dashboard Run: kubectl proxy 02-Installing single-node Kubernetes Visit: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/overview?namespace=default Reference: https://kubernetes addons Addons are Pods and Services that implement cluster features. The Pods may be managed by Deployments, ReplicationControllers, and so on. Namespaced addon objects are created in the kube-system namespace. The addon manager creates and maintains addon resources. See here for details. DNS While the other addons are not strictly required, all Kubernetes clusters should have Container Resource Monitoring records generic time-series metrics about containers in a central database and provides a UI for browsing that data. Cluster-level Logging A cluster-level logging mechanism is responsible for saving container logs to a central log store with a search/browsing interface. Node components Node components run on every Node, maintaining running Pods and providing the Kubernetes runtime environment. | 0 credits | 135 pages | 21.02 MB | 1 year ago
Kubernetes Security Survival Guide | Segregate sensitive workloads • Scan container images • Enable audit logging • Keep your Kubernetes version up to date Kubernetes Security Best Practices File System Hardening c. Boot Security d. Process Security e. Minimization of Attack Surface f. Network Security g. Auditing h. Authentication and Authorization i. Compliance j. File System Permissions Image kubectl run Image Registry Image Scanning Image Signing Harbor Projects AUDIT LOGGING If you have no private enterprise image registry and use only images from the Internet, do you really know what is inside them? Only signed, trusted images can be deployed. Real-time vulnerability scanning flags vulnerabilities and can block access to vulnerable images | 0 credits | 23 pages | 2.14 MB | 1 year ago
Case Study: Kubernetes on Supporting 1 Million Bike-Taxi Drivers in Indonesia | Farabi KubeCon + CloudNativeCon China 2018 Hello! Giri Kuncoro System Engineer Go-Jek Indonesia @girikuncoro Iqbal Farabi System Engineer Go-Jek Indonesia @iqbal_farabi We’re from Jakarta, Indonesia International Expansion Projects • High availability DBs lead to fewer outage Higher Uptime • System resources like CPU, memory, etc. are more effectively utilized in container world than in VMs. custom resources to support sharding with Kubernetes namespaces. Barito Log Open source on-demand logging infrastructure platform. Visit: https://github.com/BaritoLog/. Cloud Native Saturdays Internal | 0 credits | 37 pages | 34.65 MB | 1 year ago
QCon Beijing 2018/QCon Beijing 2018 - "Kubernetes + Future-Oriented Development and Deployment" - Michael Chen | Scalable Kubernetes Applications • Scalable Infrastructure for Applications Application Operating System Physical Infrastructure Platform Containers as Enabler Fast Boot Environments Rapidly Portable Needed Application Operating System Physical Infrastructure Containers and VMs - A Practical Comparison Containers Containers virtualize the operating system limiting the number of application applications on the same OS Allows you to run multiple OS on the same hardware Application Operating System Physical Infrastructure Containers VMware Hypervisor VMs Docker Containers User Cases 9 | 0 credits | 42 pages | 10.97 MB | 1 year ago
Global Architect Summit 2019 Beijing/Big Data/Exploring and Practicing Running Big Data Workloads on Kubernetes | Huawei CloudBU Principal Engineer 王雷博 Principal Software Engineer • Huawei (Now) - Cloud Native batch system (Volcano) development • IBM spectrum computing - Cluster resource and workload scheduling platform Autoscaling in Cloud • Consolidate online service and offline analysis • Ecosystem (Monitor, logging etc) • Fine grained resource isolation • …… About Spark on Kubernetes • https://github.com/a reservation • Binpack • Task topology • Zone aware scheduling • … Volcano: A Kubernetes native batch system Gaps for spark Architecture Gaps for spark Architecture 1. Kubectl creates a JobEx object in | 0 credits | 25 pages | 3.84 MB | 1 year ago
Key Management, Keys: Turtles all the way down - Securely managing Kubernetes Secrets | Separate where secrets are used vs managed Encryption at different layers (or turtles) disks file system etcd Recommendation: Use two-layers of encryption, e.g., full-disk & application-layer … then 1.10 KMS plugin Auditing Encryption Rotation Isolation Node authorizer K8s audit logging In etcd, not in applications aescbc, aesgcm, or secretbox Additional KMS logs | 0 credits | 52 pages | 2.84 MB | 1 year ago
A First Look at Amazon Elastic Kubernetes Service (EKS) | Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Amazon EKS logging EKS managed Customer account Internet Amazon CloudWatch AWS CloudTrail © 2019, Amazon Web Services DaemonSet Kubectl logs Elasticsearch (index), Fluentd (store), and Kibana (visualize) Amazon EKS logging © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon Confidential Log management with FluentBit https://aws.amazon.com/blogs/opensource/centralized-container-logging-fluent-bit/ • New AWS FluentBit container plugin • Cost optimization. Route logs from Amazon EKS and Amazon ECS: cluster logs are sent directly to S3, and through | 0 credits | 39 pages | 1.83 MB | 1 year ago
Multi-Cloud as One Is Now: Google Cloud's Kubernetes Hybrid Cloud Strategy | by Google ● Access to Container services on GCP such as Cloud Build, Container Registry, Audit Logging, and more. ● Integration with Istio, Knative, Marketplace Solutions ALPHA IN FALL Run your cluster any instrumentation changes ● Aggregate logs from many clusters -- whether GKE or GKE On-Prem Logging and Monitoring Cloud Services Platform Sign up now to try it for free https://cloud.google.com Wayne An waynean@google | 0 credits | 32 pages | 2.77 MB | 1 year ago
28 results in total