Kubernetes Abnormal Configuration Detection Framework
0 points | 31 pages | 9.57 MB | 1 year ago

Automating ClickHouse Cluster Management in Kubernetes
operator – managing the cluster as ONE RESOURCE ClickHouse Operator ClickHouseInstallation YAML file License: Apache 2.0, Distributed as a Docker image ClickHouse cluster resources kubectl "clickhouse.altinity.com/v1" kind: "ClickHouseInstallation" metadata: name: "demo-01" spec: configuration: clusters: - name: "demo" There is no storage here We will come back to this kubectl is our everything "clickhouse.altinity.com/v1" kind: "ClickHouseInstallation" metadata: name: "demo-01" spec: configuration: clusters: - name: "demo" layout: shardsCount: 2 replicasCount:
0 points | 44 pages | 2.24 MB | 1 year ago

Kubernetes Open Source Book - 周立
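y file ~]# declare -a IPS=(172.20.0.88 172.20.0.89 172.20.0.90 172.20.0.91 172.20.0.92) ~]# CONFIG_FILE=inventory/mycluster/hosts.ini python36 contrib/inventory_builder/inventory.py ${IPS[@]} At this point, you will see i "annotations": { "key1" : "value1", "key2" : "value2" } Information such as the following can be recorded in an Annotation: fields managed by a declarative configuration layer. Attaching these fields as Annotations distinguishes them from default values set by clients or servers, auto-generated fields, and fields set by auto-sizing or auto-scaling systems. Original: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/ 18-Daemon Set 78 Configuration Best Practices This document highlights and consolidates the configuration best practices introduced throughout the user guide, getting-started documentation, and examples. This is a "living" document. If you think of something that is not on this list but might be useful to others, please do not hesitate to submit an issue or a PR (pull
0 points | 135 pages | 21.02 MB | 1 year ago

Multi-Cloud as One Is Now: GOOGLE CLOUD's KUBERNETES Hybrid Cloud Strategy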
Google does GKE On-Prem ● Turn-key, production-grade, conformant Kubernetes with best-practice configuration ● Easy upgrade path to the latest Kubernetes releases that have been validated and tested On-Prem ● Cluster environments are consistent (k8s version, OS image, plug-ins, components configuration) Orchestrate and manage on-prem containers just like GKE in the cloud Consistent operating Installation and Configuration $ gke-on-prem create cluster --dry-run Welcome! This command will take you through the installation of a cluster. --dry-run saves your configuration to a YAML file. Please enter
0 points | 32 pages | 2.77 MB | 1 year ago

QCon Beijing 2018/QCon Beijing 2018 - "Kubernetes - Future-Oriented Development and Deployment" - Michael Chen
Services (w/API) • Node = Container Host w/agent called “Kubelet” • Application Deployment File = Configuration File of desired state • Container Image = Runs in a Pod (~1:1) • Replicas = QTY of Pods that Structured Data Metrics Alerts Events VMware vRealize Operations Capacity, Performance and Configuration Management Events Launch in Context Unstructured Data Logs Messages VMware vRealize Log
0 points | 42 pages | 10.97 MB | 1 year ago

Apache OpenWhisk + Kubernetes: A Perfect Match for Your Serverless Platform
production-grade container orchestration platform § Declarative management of objects using configuration files. § More introductions, go to • K8s official document http://kubernetes.io • Open Zookeeper – Redis Other objects used in OW charts • ConfigMap: like nginx deployment configuration • Secrets: like DB access credentials • Ingress Component Launch Sequence • In Kubernetes Create a namespace 2. Label worker nodes to execute user actions 3. Create a mycluster.yaml file to customize the deployment 4. Deploy with Helm 5. Wait…and done
0 points | 24 pages | 3.53 MB | 1 year ago

Kubernetes Security Survival Guide
Rationale How to audit 1. Control Plane Components 2. etcd state database 3. Control Plane Configuration 4. Worker Node 5. Policies ©2019 VMware, Inc. 10 Use Cases: Security Architecture b. File System Hardening c. Boot Security d. Process Security e. Minimization of Attack Surface f. Network Security g. Auditing h. Authentication and Authorization i. Compliance j. File System
0 points | 23 pages | 2.14 MB | 1 year ago

Building a Container Cloud Platform on Kubernetes in Practice - Head of UCloud (优刻得) Lab, 叶理灯
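Operator manages stateless services Features A. Stateless horizontal scaling: supports dynamic scale-out and scale-in B. Fault tolerance: uses the kubernetes validating admission configuration to validate the CRD instances that users submit for orchestration, and automatically restores the resources maintained by that CRD after user misoperation C. Supports native istio features such as load balancing, rate limiting, circuit breaking, L7 routing control, etc. stateless Exporter AZ 2 (Local File) Alert Manager gossip Kubernetes mutual monitoring AZ 1 Kube-State-Metrics Kubernetes APIServer cAdvisor Node-Exporter KUN-Agent Alert Manager Prometheus (Local File) Monitor Manager
0 points | 30 pages | 3.52 MB | 1 year ago

Key Management: Turtles all the way down - Securely managing Kubernetes Secrets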
Separate where secrets are used vs managed Encryption at different layers (or turtles) disks file system etcd Recommendation: Use two-layers of encryption, e.g., full-disk & application-layer an external secret store Learn more Kubernetes secrets: https://kubernetes.io/docs/concepts/configuration/secret/ ● Secret encryption: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/
0 points | 52 pages | 2.84 MB | 1 year ago

Model and Operate Datacenter by Kubernetes at eBay (submitted version)
•Rack •NetworkDevice •ComputeAsset •Region/AZ •NetworkScope Provision •OS •Flavor •ComputeNode Configuration •Kernel params •Environment config •Network Kubernetes •Core components •Addon •Taint Operations Kubernetes Onboard Provision Configuration Kubernetes You need onboard something from nothing! Let’s model a datacenter running Kubernetes Onboard Provision Configuration Kubernetes After you define + Flavor + OS = ComputeNode Let’s model a datacenter running Kubernetes Onboard Provision Configuration Kubernetes After you define your fleet, you want a accessible compute node: Asset + Flavor +
0 points | 25 pages | 3.60 MB | 1 year ago
37 results in total