A First Look at Amazon Elastic Kubernetes Service (EKS)
privileged users, no scans, trust • code analysis • source available? • gotchas: big surface, many languages • sanitizing user input • static code analysis • gotchas: log-leaking • sensitive
0 points | 39 pages | 1.83 MB | 1 year ago

Kubernetes Security Survival Guide
The Kubernetes platform is only the last stop; every earlier stop also needs security controls, or all the previous effort is wasted. Every stage of the CI/CD pipeline needs to be covered by control measures: Static Application Security Test (SAST, white-box testing); Interactive Application Security Test (IAST); Dynamic Application Security Test (DAST, black-box testing); Software Component Analysis (SCA). Pipeline diagram labels: Test, Commit, Deploy, Production, Continuous Integration, Continuous Delivery and Deployment, Pre-commit, Commit, Monitoring, Penetration testing, Red-team testing, Interactive application security testing, Dynamic application security testing, Security hardening checks
0 points | 23 pages | 2.14 MB | 1 year ago

Methods for Achieving High SLOs on Large-Scale Kubernetes Clusters
Data Collect Audit log Event The unhealthy node Monitoring Isolation Recover Degrade Data Analysis Failures/Machine Failures/Reason Report Lifecycle of Pod Failure Reason Target Kubelet Apiserver Daily Report Validation Housekeeping High Available Fast Recovery Display Board Alert Analysis Platform Weekly Report SLO: indicates whether the cluster is healthy or something unexpected has happened Storage Analysis Platform Trace Report Weakness The trace system Data Collect: Collect the audit log for the whole cluster. Data analysis: Analyze the failure reason if a pod has failed. Reason analysis: Analyze
0 points | 11 pages | 4.01 MB | 1 year ago

Advancing the Tactical Edge with K3s and SUSE RGS
computing solution, SmartEdge, addresses the increasing need to gather data in real time and perform analysis at the point of collection, supplying immediate insight which results in faster decision-making embedded sensors perform a variety of distinct functions, gathering data in real time and performing analysis at the point of collection. Whether it’s a camera scanning the environment or biometrics that
0 points | 8 pages | 888.26 KB | 1 year ago

Global Architect Summit 2019 Beijing / Big Data / Exploration and Practice of Running Big Data Workloads on Kubernetes
and stateful apps. Benefit: • Autoscaling in Cloud • Consolidate online service and offline analysis • Ecosystem (Monitor, logging etc) • Fine grained resource isolation • …… About Spark on Kubernetes
0 points | 25 pages | 3.84 MB | 1 year ago

Putting an Invisible Shield on Kubernetes Secrets
Availability guarantee • KMS • API server & kms-plugin • Cron job backup for KEKs (from KMS) • Static key configuration support in kms-plugin • One click decryption • Key force update • Liveness probe
0 points | 33 pages | 20.81 MB | 1 year ago

QCon Beijing 2017 / Intelligent Operations / Self Hosted Infrastructure: Automated Operation of Kubernetes as an Example
etcd state or etcd backup. ● Need to start a temporary replacement api-server ○ Could be binary, static pod, new tool, bootkube, etc. ● Recovery once etcd+api is available can be done via kubectl (as
0 points | 73 pages | 1.58 MB | 1 year ago

Issue 1930: Introduction to Kubernetes Basics
pod containers can communicate directly. K8s basic concepts and terminology (Pod). Pod: there are two kinds of pod, regular pods and static pods. Regular pod: once created, it is stored in etcd, then scheduled by the k8s master onto a specific node and bound to it, after which the kubelet process on that node instantiates the pod as a group of related
0 points | 49 pages | 4.11 MB | 1 year ago

K8S Installation, Deployment and Exposing Services
k8s-master Configure the network: cd /etc/sysconfig/network-scripts vi ifcfg-ens160 TYPE=Ethernet BOOTPROTO=static DEFROUTE=yes PEERDNS=yes PEERROUTES=yes IPV4_FAILURE_FATAL=no NAME=Internet UUID=b23
0 points | 54 pages | 1.23 MB | 1 year ago

Kubernetes Open Source Book - 周立 (Zhou Li)
od, for example when a Node fails or a Node is taken down for maintenance (such as a kernel upgrade). You should therefore use a DaemonSet rather than creating Pods individually. Static Pods: Pods can be created by writing a file to a directory watched by the Kubelet. These are called static pods. Unlike a DaemonSet, static Pods cannot be managed with kubectl or other Kubernetes API clients. Static
0 points | 135 pages | 21.02 MB | 1 year ago













