Scaling a Multi-Tenant k8s Cluster in a Telco Pablo Moncada October 28, 2020 About MasMovil group ● 4th telecom company in Spain ● Provides voice and broadband services to +12M customers ● Several

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce transmission tail latencies for applications and to avoid locking

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce transmission tail latencies for applications and to avoid locking

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts io/docs/setup/learning-environment/minikube/] to demonstrate deployment and operation of Cilium in a single-node Kubernetes cluster. The minikube VM requires approximately 5GB of RAM and supports hypervisors like

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts EDT-based (Earliest Departure Time) rate-limiting with eBPF for container traffic that is egressing a node. This allows to significantly reduce transmission tail latencies for applications and to avoid locking

Troubleshoo�ng Monitoring & Metrics Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshoo�ng Component & Cluster Health Connec�vity Problems Policy Troubleshoo�ng Automa�c Diagnosis network packets emi�ed by the applica�on containers, allowing to validate the iden�ty at the receiving node. Security iden�ty management is performed using a key-value store. Secure access to and from external This means that each host can allocate IPs without any coordina�on between hosts. The following mul� node networking models are supported: Overlay: Encapsula�on based virtual network spawning all hosts.

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts io/docs/getting-started-guides/minikube/] to demonstrate deployment and operation of Cilium in a single-node Kubernetes cluster. The minikube VM requires approximately 5GB of RAM and supports hypervisors like

packets emitted by the application containers, allowing to validate the identity at the receiving node. Security identity management is performed using a key-value store. Secure access to and from external means that each host can allocate IPs without any coordination between hosts. The following multi node networking models are supported: Overlay: Encapsulation-based virtual network spanning all hosts io/docs/getting-started-guides/minikube/] to demonstrate deployment and operation of Cilium in a single-node Kubernetes cluster. The minikube VM requires approximately 5GB of RAM and supports hypervisors like

of our private cloud service since 2017 • 5100 private, 760 public VIPs • k8s CCM integration (Type: LoadBalancer) L4LB Node L4LB Architecture XDP DPlane L3DSR with IPIP, Magrev Hashing, Session caching Advertise VIP with eBGP Configure with RPC Health check daemon etc… Service Discovery Per-flow ECMP k8s CCM Frontend (dash board) To Backends User For More Information • Our motivation, detailed architecture

from source to deploy in one click, on any language or stack ● Every developer gets to their own k8s namespace About Okteto A few months ago... GCP was not thrilled Open Source to the rescue! ● Installed automatically reload falco on rule changes ● Rules: monitor well known IPs, binary names, forbidden k8s actions ● Action: Notify to slack for human banhammer ● Use Ubuntu instead of ContainerOS Current