Scaling a Multi-Tenant k8s Cluster in a Telco Pablo Moncada October 28, 2020 About MasMovil group ● 4th telecom company in Spain ● Provides voice and broadband services to +12M customers ● Several

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter this: ♻ Restarted unmanaged pod kube-system/event-exporter-gke-564fb97f9- rv8hg ♻ Restarted unmanaged pod kube-system/kube-dns-6465f78586-hlcrz ♻ Restarted unmanaged pod kube-system/kube-dns-autoscaler- Restarted unmanaged pod kube-system/l7-default-backend-7fd66b8b88- qqhh5 ♻ Restarted unmanaged pod kube-system/metrics-server-v0.3.6- 7b5cdbcbb8-kjl65 ♻ Restarted unmanaged pod kube-system/stackdr

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter paths include with and without service load- balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure 65s pod-to-a-79546bc469-rl2qq 1/1 Running 0 66s pod-to-a-allowed-cnp-58b7f7fb8f-lkq7p 1/1 Running 0 66s pod-to-a-de

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter paths include with and without service load- balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure 67s pod-to-a-allowed-cnp-87b5895c8-bfw4x 1/1 Running 0 68s pod-to-a-b76ddb6b4-2v4kb 1/1 Running 0 68s pod-to-a-denie

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter paths include with and without service load- balancing and various network policy combinations. The pod name indicates the connectivity variant and the readiness and liveness gate indicates success or failure 4m50s pod-to-a-59b5fcb7f6-gq4hd 1/1 Running 0 4m50s pod-to-a-allowed-cnp-55f885bf8b-5lxzz 1/1 Running 0 4m50s pod-to-a-ext

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter this: ♻ Restarted unmanaged pod kube-system/event-exporter-gke-564fb97f9- rv8hg ♻ Restarted unmanaged pod kube-system/kube-dns-6465f78586-hlcrz ♻ Restarted unmanaged pod kube-system/kube-dns-autoscaler- Restarted unmanaged pod kube-system/l7-default-backend-7fd66b8b88- qqhh5 ♻ Restarted unmanaged pod kube-system/metrics-server-v0.3.6- 7b5cdbcbb8-kjl65 ♻ Restarted unmanaged pod kube-system/stackdr

transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container identity (in contrast to IP address identification in traditional systems) and can filter for the TLS certificates between etcd peers to work correctly, a DNS reverse lookup on a pod IP must map back to pod name. If you are using CoreDNS, check the CoreDNS ConfigMap and validate that in-addr.arpa listed as wildcards next to cluster.local. You can validate this by looking up a pod IP with the host utility from any pod: host 10.60.20.86 86.20.60.10.in-addr.arpa domain name pointer cilium-etcd- 972nprv9dp

Kubernetes Endpoint Lifecycle Troubleshoo�ng Monitoring & Metrics Exported Metrics Cilium as a Kubernetes pod Cilium as a host-agent on a node Troubleshoo�ng Component & Cluster Health Connec�vity Problems Policy transparently insert security visibility + enforcement, but does so in a way that is based on service / pod / container iden�ty (in contrast to IP address iden�fica�on in tradi�onal systems) and can filter on The DaemonSet will automa�cally install itself as Kubernetes CNI plugin. K8s 1.15 K8s 1.14 K8s 1.13 K8s 1.12 K8s 1.11 K8s 1.10 kubectl create -f https://raw.githubusercontent.com/cilium/cilium/v1

上游请求和下游依赖，以及自身服务实例的 运行情况，进一步提升问题定位能力，通常在已经定位到某个异常节点后使用。 实例 全栈数据源，70+个告警模板开箱即用： 应用级别：Pod/Service/Deployment K8S控制面：apiserver/ETCD/Scheduler 基础设施：节点、网络、存储 云服务界别：Kafka/MySQL/Redis/ 告警 拓扑图排查 根因定位 修复 拓扑图高可用、依赖分 析 面向失败、高可用设计 优化告警 主动发现 智能降噪、去重 系统性解决 系统性解决 关闭 智能告警 全栈数据源，70+个告警模板开箱即用： 应用级别：Pod/Service/Deployment K8S控制面：apiserver/ETCD/Scheduler 基础设施：节点、网络、存储 云服务界别：Kafka/MySQL/Redis/ 告警 拓扑图排查 根因定位 修复

from source to deploy in one click, on any language or stack ● Every developer gets to their own k8s namespace About Okteto A few months ago... GCP was not thrilled Open Source to the rescue! ● Installed automatically reload falco on rule changes ● Rules: monitor well known IPs, binary names, forbidden k8s actions ● Action: Notify to slack for human banhammer ● Use Ubuntu instead of ContainerOS Current