Separate where secrets are used vs managed Encryption at different layers (or turtles) disks file system etcd Recommendation: Use two-layers of encryption, e.g., full-disk & application-layer … then cardholder data against disclosure and misuse. 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data, including the following:

优势。 Kubernetes提供了构建以容器为中⼼的开发环境的基础架构。 Kubernetes满⾜了在⽣产中运⾏的应⽤程序的⼀些常⻅需求，例如： Co-locating helper processes ，促进组合应⽤程序和保留”⼀个应⽤程序的每个容器“模型 Mounting storage systems Distributing secrets Checking application Dashboard 执⾏： kubectl proxy 02-安装单机版Kubernetes 8 访问： http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/overview? namespace=default 参考： https://kubernetes addons（插件） Addon是实现集群功能的Pod和Service。Pod可由Deployment、ReplicationController等进⾏管理。Namespace的插件 对象则是在 kube-system 这个namespace中被创建的。 Addon manager创建并维护addon的资源。详⻅这⾥： here 。 DNS 虽然其他Addon不是严格要求的，但所有Kubernetes集群都应该有

cgroupdriver=systemd" ] } # mkdir -p /etc/systemd/system/docker.service.d # docker info ★docker会修改防火墙规则，导致pod网络不通 # vi /usr/lib/systemd/system/docker.service #在[Service]下的ExecStart=/usr/bin/dockerd 置文件并编辑 # vi /etc/kubeadm-init.yaml apiVersion: kubeadm.k8s.io/v1beta2 bootstrapTokens: - groups: - system:bootstrappers:kubeadm:default-node-token token: abcdef.0123456789abcdef �l: 24h0m0s usages: 置文件并编辑 # vi /etc/kubeadm-init.yaml apiVersion: kubeadm.k8s.io/v1beta3 bootstrapTokens: - groups: - system:bootstrappers:kubeadm:default-node-token token: abcdef.0123456789abcdef �l: 24h0m0s usages:

failure reason Unhealth node is healed or removed. Reason classification: Source Feature Example System Failure caused by cluster itself RuntimeError, ImageFailed, Unscheduled, KubeletDelay... End Users Users Failure caused by end users ContainerCrashLoopBackOff, FailedPostStartHook, Unhealthy… Trace system Increase of SLO Data Collect Audit log Event The unhealthy node Monitoring Isolation Recover Weekly Report SLO： Indicate the cluster is healthy or there is something unexpected happened. Trace system： Collect and analyze logs in cluster. So we can known what happened about the cluster. Increase

Farabi KubeCon + CloudNativeCon China 2018 Hello! Giri Kuncoro System Engineer Go-Jek Indonesia @girikuncoro Iqbal Farabi System Engineer Go-Jek Indonesia @iqbal_farabi We’re from Jakarta, Indonesia International Expansion Projects • High availability DBs lead to fewer outage Higher Uptime • System resources like CPU, memory, etc. are more effectively utilized in container world than in VMs. https://github.com/gojektech/charts/tree/master/incubator/stolon Credits Vijay Dhama – Go-Jek System Team Prashant Mittal – Go-Jek Lambda Team Irfan Shah – Go-Jek Atlas Team Sumit Gupta – Go-Jek

Scalable Kubernetes Applications • Scalable Infrastructure for Applications Application Operating System Physical Infrastructure Platform Containers as Enabler Fast Boot Environments Rapidly Portable Needed Application Operating System Physical Infrastructure Containers and VMs - A Practical Comparison Containers Containers virtualize the operating system limiting the the number of application applications on the same OS Allows you to run multiple OS on the same hardware Application Operating System Physical Infrastructure Containers VMware Hypervisor VMs Docker Containers User Cases 9

Huawei CloudBU Principal Engineer 王雷博 Principal Software Engineer • Huawei(Now) - Cloud Native batch system (Volcano) development • IBM spectrum computing - Cluster resource and workload scheduling platform reservation p Binpack p Task topology p Zone aware scheduling p … Volcano: A Kubernetes native batch system Gaps for spark Architecture Gaps for spark Architecture 1. Kubectl creates a JobEx object in Spark Job2 Executor Executor Executor Executor l How spark on Kubernetes works l Volcano batch system l Use delay pod creation feature to deal with high concurrent job submission l Use queue proportion/namespace

history in MySQL • Logging in central logging service - ElasticSearch • Metric data in monitoring system - prometheus • Alertmanager to invoke various alert and related actions docker registry Kubernetes secret Query artifact data DevOps Operator Manage the Job CI/CD Examples - Human/Manual Task system email config using secret activeDeadlineSeconds environment variable approver list Job • send notification • Encapsulate API / SDK of third party tools to docker image • Pass events from other system to build task, user can do what they want based on the payload CI/CD Examples - Gitlab/Harbor/Jira

Disadvantages • Inconsistency • Non-failure-aware • Complicated architecture Work order deployment system can not meet the requirements of resource management. Operator Observe Action Analyze • Observe: actual config • Action: manage resource to desired config Operator: Advantages • Declarative system • Manage resource to final state continually • kube-apiserver oriented programming • CustomResourceDefinition

Xiang Li xiang.li@coreos.com | Head of distributed system Self driving infrastructure Topics ● Cluster management systems ● Today’s problems with operating cluster management systems ● A self-driving components ○ dynamic dependencies ○ fast deployment iteration ● Solution: automation Cluster management system ● Automation ○ Scheduling ○ Deployment ○ Healing ○ Discovery/load balancing ○ Scaling Scheduling