up a Kubernetes Cluster Part 2: Fork the Sock Shop Repository Part 3: Setup CI and Connect a Container Registry Part 4: Let’s Get Started with GitOps Further Resources 11 14 21 23 integration tool kicks off unit tests that eventually build the Docker image that gets pushed to the container registry. With a typical CI/CD pipeline, Docker images are deployed using some sort of bash CONTINUOUS INTEGRATION CONTINUOUS DEPLOYMENT Write Code VCS Code Base Unit Tests Integ Tests Container Registry DEPLOY eBook 8 Security and the Typical CI/CD Pipeline How secure is the typical CI/CD

(cont’d) And, multicluster is not just one approach; in fact, there are 4 categories: Within the same network, ● Primary cluster + Primary cluster ● Primary cluster + Remote cluster On different networks, Second Demo What’s next? @rytswd #IstioCon For the following demos, we will be using: ● Single Network ● Primary + Primary NOTE: we will be taking slightly different approach from Istio official documentation Audience What to expect Istio Multicluster First Demo About GitOps Second Demo What’s next? Single Network Multiple Networks Challenge of Multicluster (cont’d) @rytswd #IstioCon Brush up on Istio resources

Kubernetes [1.5] container platform, in particular, has fostered a whole new way of thinking about application deployment, because con- figuration files are used to declare the creation of container instances the Agile Manifesto changed the game for developers and administrators, Kuber- netes and other container technologies have changed the game for DevOps practi- tioners. The ways in which Kubernetes and autohealing. Kubernetes can achieve autohealing because containers are fungible and immutable. A container can be restarted or scaled at will, making it easy to manage workloads in this model. It is important

Service) Serverless ≈ CaaS + BaaS 用户运维 Serverless 介绍 Physical Machine vs. Virtaul Machine vs. Container vs. Serverless Hardware Virtualization O/S Containers Runtime Applications Functions Physical Virtual Machine Hardware Virtualization O/S Containers Runtime Applications Functions Container Hardware Virtualization O/S Containers Runtime Applications Functions Serverless Hardware ❑ 更细粒度的资源分配，更低的成本 ❑ 实时计算扩缩容 mvm Docker process Docker process … Function Memory CPU Network Serverless 用户 云厂商 Serverless vs. IaaS 运维能力对比 资源创建 业务部署 监控告警 故障排查 性能调优 安全保障 弹性扩缩 故障恢复 基本运维能力

secure network communication. Sidecars, which are language agnostic, act as service proxies and allow for all traffic (ingress and egress) to flow through them before reaching or leaving a container. This sidecar model is, because it is injected alongside and not inside a container, you can independently update the sidecar or the container. The second benefit is that sidecars are injected automatically,

是指云服务中的平台即服务，这个概念的业界定义和理解不是很统一，并 且比较混淆。我们简化一些，指公有云中的 RDS 等中间件、数据库在线服 务，以及容器云。 VLAN Virtual Local Area Network, 虚拟局域网, 是建立在物理网络基础上的一 种逻辑子网，用于隔离多个主机组之前的网络访问。物理位置不同的多个 主机如果划分属于同一个 VLAN，则这些主机之间可以相互通信。物理位 置相同的多个主机如果属于不同的 通常在交换机或路由器上实现，在以太网帧中增加 VLAN 标签来给 以太网帧分类，具有相同 VLAN 标签的以太网帧在同一个广播域中传送。 SDN 软件定义网络（Software Defined Network，SDN）是由美国斯坦福大 学 clean-slate 课题研究组提出的一种新型网络创新架构，是网络虚拟化的 一种实现方式。是当前最热门的网络技术之一，是私有云和公有云相比虚 拟化平台先进的一个部分就是 management-center: image: xxx.xxx.xxx.xxx/management-center container_name: management-center environment: HOST_HOSTNAME: $HOSTNAME networks: - cmp-network 杭州飞致云信息科技有限公司 31 extra_hosts: - "iam-apigateway-proxy

虚拟机服务（vm-service） 虚机自服务及运营 容器云集群服务（container-service） 容器云集群服务 运营分析（operation-analytics） IT 容量管理、趋势分析、健康分析、优化 大屏（screen-display） 可视化大屏，实时展示云管平台各项关键数据 公有云网络管理（network-service） 公有云网络管理 杭州飞致云信息科技有限公司 6 websockify-compose.yml ├── logs # 各个组件的日志文件存放目录 │ ├── billing-center # 账单中心日志 杭州飞致云信息科技有限公司 16 │ ├── container-service # 容器云服务日志 │ ├── dashboard # 首页日志 │ ├── gateway # 网关日志 │ ├── jumpserver-connector # 堡垒机同步日志

GITOPS？ GitOps 是为云原生应用程序实施持续部署的一种声明方式。您可以使用 GitOps 创建可重复进程，用于在 多集群 Kubernetes 环境间管理 OpenShift Container Platform 集群和应用程序。GitOps 以快速的速度处 理和自动化复杂部署，节省部署和发行周期期间的时间。 GitOps 工作流通过开发、测试、临时和生产环境来推送应用程序。GitOps Red Hat OpenShift Container Platform 中，以及 Red Hat OpenShift Container Platform 的好处，以及 Red Hat Enterprise 支持、质量保证并专注于企业安全性。 注意 注意 因为 Red Hat OpenShift GitOps 的发行节奏与 OpenShift Container Platform 不同，所以 Red 此，ArgoCD 可让您提供全局自定义资源，如用于配置 OpenShift Container Platform 集群的资源。 2.1. 主要特性 Red Hat OpenShift GitOps 可帮助您自动执行以下任务： 确保集群具有类似的配置、监控和存储状态 对多个 OpenShift Container Platform 集群应用或恢复配置更改 将模板配置与不同环境关联 在集群间（从调试到生产阶段）推广应用程序。

Test Security Checks Release Deploy Stage Deploy Prod OpenShift Build Automate building container images using Kubernetes tools OpenShift Pipelines Kubernetes-native on-demand delivery pipelines OpenShift Builds 12 Automate building container images using Kubernetes tools GENERAL DISTRIBUTION 13 OpenShift Builds A Kubernative-native way to building container images on OpenShift which is portable with microservices and distributed teams in mind OPENSHIFT PIPELINES Containers Built for container apps and runs on Kubernetes Serverless Runs serverless with no CI/CD engine to manage and

many open-source communities that made it what it is today. Kubernetes brings much-needed container orchestration capabilities like: • Automated rollouts and rollbacks of deployments • Service continuous integration tool kicks off unit tests that eventually build the Docker container image that gets pushed to the container registry. Figure 1 BROUGHT TO YOU IN PARTNERSHIP WITH REFCARD | GITOPS KUBERNETES REFCARD | SEPTEMBER 2022 6 With this typical CI/CD push-based pipeline, Docker container images are then deployed to the actual cluster using some sort of bespoke bash scripts or through