Hao Liang's Blog

Embrace the World with Cloud Native and Open-source

Recap of KubeCon AI_dev Hong Kong 2024 (Chinese version)

1. Introduction to KubeCon From 21 to 23 August 2024, the Cloud Native Computing Foundation's flagship conference, together with Open Source Summit and AI_dev, gathered adopters and technologists from leading open source and cloud native communities in Hong Kong. KubeCon is held every year in Europe,

Recap of KubeCon AI_dev HongKong 2024

1. Introduction to KubeCon The Cloud Native Computing Foundation's flagship conference joins with Open Source Summit and AI_dev to gather adopters and technologists from leading open source and cloud native communities in Hong Kong from 21 to 23 August 2024. KubeCon is held every year in three regions: Europe, North America and Asia. It has been held in China since 2018. This is the third time I have attended KubeCon; the first two times I attended as a speaker.

Kubelet Streaming Server Port Closed Unexpectedly

1. Description Kernel version: 5.4.241; kubelet version: 1.22.5; NVIDIA driver version: 535.161.08 and 535.154.05. After the kubelet process on the node starts, it listens on a random port (46127) within the ip_local_port_range, as shown by ss -lntpe | grep kubelet. After running for a while, the listening port suddenly disappeared; the corresponding fd (fd=13) was closed as well, but the kubelet process still existed. 2. Analysis From the corresponding kubelet code snippets, we found that the streaming server is started in a separate goroutine.
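As an added example (not code from the post), here is a Go check for the symptom described above: it parses ss -lntpe output and reports whether a process named kubelet still holds a listener inside the ip_local_port_range window, which is where the streaming server's random port lives. The fixed kubelet ports (10250, 10248) sit outside that window, so they do not hide a lost streaming port. The sample ss rows, the port range 32768-60999 and PID 1234 are constructed for the demo.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Listener is one LISTEN row of `ss -lntpe`, reduced to what the check needs.
type Listener struct {
	Port    int
	Process string
	PID     int
	FD      int
}

// usersRe matches the owner annotation ss prints for each socket,
// e.g. users:(("kubelet",pid=1234,fd=13)).
var usersRe = regexp.MustCompile(`users:\(\("([^"]+)",pid=(\d+),fd=(\d+)\)`)

// ParseSS parses `ss -lntpe` output. Rows without an owner annotation
// (sockets of other users when ss is not run as root) are skipped.
func ParseSS(out string) []Listener {
	var ls []Listener
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 5 || f[0] != "LISTEN" {
			continue
		}
		m := usersRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		// Local Address:Port is the 4th column; take the text after the last ':'
		// so that IPv6 literals such as [::]:10250 parse as well.
		addr := f[3]
		port, err := strconv.Atoi(addr[strings.LastIndex(addr, ":")+1:])
		if err != nil {
			continue
		}
		pid, _ := strconv.Atoi(m[2])
		fd, _ := strconv.Atoi(m[3])
		ls = append(ls, Listener{Port: port, Process: m[1], PID: pid, FD: fd})
	}
	return ls
}

// ParsePortRange parses the contents of /proc/sys/net/ipv4/ip_local_port_range ("32768\t60999").
func ParsePortRange(s string) (lo, hi int, err error) {
	f := strings.Fields(s)
	if len(f) != 2 {
		return 0, 0, fmt.Errorf("unexpected ip_local_port_range %q", s)
	}
	if lo, err = strconv.Atoi(f[0]); err != nil {
		return 0, 0, err
	}
	if hi, err = strconv.Atoi(f[1]); err != nil {
		return 0, 0, err
	}
	return lo, hi, nil
}

// StreamingPortPresent reports whether a process named proc still holds a
// listener inside [lo, hi], the ephemeral range in which the kubelet streaming
// server picks its random port. The fixed kubelet ports (10250, 10248) lie
// outside that range, so they cannot mask a lost streaming port.
func StreamingPortPresent(out, proc string, lo, hi int) bool {
	for _, l := range ParseSS(out) {
		if l.Process == proc && l.Port >= lo && l.Port <= hi {
			return true
		}
	}
	return false
}

// Constructed sample output in the shape of `ss -lntpe` (not captured from a real node).
const healthy = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:46127     0.0.0.0:*         users:(("kubelet",pid=1234,fd=13)) ino:22001 sk:1 <->
LISTEN 0      4096   *:10250             *:*               users:(("kubelet",pid=1234,fd=11)) ino:22002 sk:2 v6only:0 <->
LISTEN 0      4096   127.0.0.1:10248     0.0.0.0:*         users:(("kubelet",pid=1234,fd=9)) ino:22003 sk:3 <->
`

// The same node after the streaming listener (fd=13) vanished while kubelet kept running.
const degraded = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   *:10250             *:*               users:(("kubelet",pid=1234,fd=11)) ino:22002 sk:2 v6only:0 <->
LISTEN 0      4096   127.0.0.1:10248     0.0.0.0:*         users:(("kubelet",pid=1234,fd=9)) ino:22003 sk:3 <->
`

func main() {
	lo, hi, err := ParsePortRange("32768\t60999")
	if err != nil {
		panic(err)
	}
	fmt.Println("healthy node, streaming port present:", StreamingPortPresent(healthy, "kubelet", lo, hi))
	fmt.Println("degraded node, streaming port present:", StreamingPortPresent(degraded, "kubelet", lo, hi))
}
```

On a real node, feed the output of ss -lntpe and the contents of /proc/sys/net/ipv4/ip_local_port_range into these functions (ss must run as root to see the owner annotation); a false result while the kubelet PID is still alive is exactly the state described in the post, and a cheap thing to alert on.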

Kubelet Streaming Server Port Closed Unexpectedly (Chinese version)

1. Problem description Kernel version: 5.4.241; kubelet version: 1.22.5; NVIDIA driver version: 535.161.08 and 535.154.05. After the kubelet process on the node starts, it listens on

The Road to Kubestronaut: Guide

1. What is Kubestronaut I believe some people in the CNCF community have already noticed that the Kubestronaut Program was released recently. Brief introduction: The Kubestronaut program recognises community leaders who have consistently invested in their ongoing education and grown their skill level with Kubernetes. Individuals who have successfully passed every CNCF's Kubernetes certifications – CKA, CKAD, CKS, KCNA, KCSA – will receive the title of "Kubestronaut" 2. Why do I want to become a Kubestronaut To be honest, I've been part of the CNCF community for over 5 years.

【Envoy-04】Envoy xDS Dynamic Configuration and Control Plane Interactions

1. Interacting with the Control Plane What is a control plane? To manage all these configuration files in a central place, we introduce a control plane, which propagates the network configuration to the data plane. Why is it useful? Envoy subscribes to the control plane for configuration updates; whenever a cluster changes or routes or listeners are added, the control plane sends those updates to Envoy, which applies the new configuration dynamically without restarting.
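The exchange described above, as an added example that is not part of the original post or of Envoy: a Go model of the State-of-the-World xDS ACK/NACK cycle between a control plane and a proxy. The message field names follow DiscoveryRequest/DiscoveryResponse, but cluster names, addresses and the version/nonce numbering are constructed. It shows the property that matters operationally: a rejected update does not interrupt traffic, because the proxy echoes the nonce, keeps its last accepted version, and goes on serving the previous configuration while the control plane records the error_detail.

```go
package main

import (
	"fmt"
	"strconv"
)

// A model of the State-of-the-World xDS exchange. Field names mirror
// DiscoveryRequest/DiscoveryResponse, but this is an added illustration, not
// Envoy's or go-control-plane's code; cluster names and addresses are made up.
const clusterType = "type.googleapis.com/envoy.config.cluster.v3.Cluster"
type Cluster struct{ Name, Address string }
type DiscoveryRequest struct {
	VersionInfo   string // last version the proxy accepted; "" on the first request
	ResponseNonce string // nonce of the response being ACKed or NACKed
	TypeURL       string
	ErrorDetail   string // non-empty turns the request into a NACK
}
type DiscoveryResponse struct {
	VersionInfo, Nonce, TypeURL string
	Resources                   []Cluster
}

// ControlPlane holds the desired cluster set under a monotonically increasing version.
type ControlPlane struct {
	version, nonce int
	clusters       []Cluster
	LastNack       string // latest error_detail from a proxy; worth alerting on
}

// Update publishes a new snapshot, as when a cluster is added or changed.
func (cp *ControlPlane) Update(cs []Cluster) {
	cp.version++
	cp.clusters = cs
}

// Handle answers the proxy's latest request: a NACK is recorded and nothing is
// resent, an ACK of the current version needs no reply, anything else gets the
// full snapshot with a fresh nonce (a real server pushes on the open stream).
func (cp *ControlPlane) Handle(req DiscoveryRequest) (*DiscoveryResponse, error) {
	if req.TypeURL != clusterType {
		return nil, fmt.Errorf("unsupported type_url %q", req.TypeURL)
	}
	if req.ErrorDetail != "" {
		cp.LastNack = req.ErrorDetail
		return nil, nil
	}
	if req.VersionInfo == strconv.Itoa(cp.version) {
		return nil, nil
	}
	cp.nonce++
	return &DiscoveryResponse{VersionInfo: strconv.Itoa(cp.version), Nonce: strconv.Itoa(cp.nonce),
		TypeURL: clusterType, Resources: append([]Cluster(nil), cp.clusters...)}, nil
}

// Proxy is the data-plane side: it swaps in a response it can validate and keeps
// serving the previous configuration otherwise, without restarting.
type Proxy struct {
	acceptedVersion string
	Active          []Cluster
}

func validate(cs []Cluster) error {
	seen := map[string]bool{}
	for _, c := range cs {
		if c.Name == "" || c.Address == "" || seen[c.Name] {
			return fmt.Errorf("invalid or duplicate cluster %q", c.Name)
		}
		seen[c.Name] = true
	}
	return nil
}

// Apply validates a response and returns the ACK or NACK to send back: the
// nonce is always echoed, the version only advances on success.
func (p *Proxy) Apply(resp DiscoveryResponse) DiscoveryRequest {
	req := DiscoveryRequest{TypeURL: resp.TypeURL, ResponseNonce: resp.Nonce, VersionInfo: p.acceptedVersion}
	if err := validate(resp.Resources); err != nil {
		req.ErrorDetail = err.Error() // NACK: p.Active stays as it was
		return req
	}
	p.Active, p.acceptedVersion = resp.Resources, resp.VersionInfo
	req.VersionInfo = resp.VersionInfo // ACK
	return req
}

func main() {
	cp, px := &ControlPlane{}, &Proxy{}
	cp.Update([]Cluster{{"api", "10.0.0.10:8080"}})
	resp, _ := cp.Handle(DiscoveryRequest{TypeURL: clusterType})
	ack := px.Apply(*resp)
	fmt.Println("active after v1:", px.Active)
	// A broken push (duplicate cluster name): the proxy NACKs and keeps v1 live.
	cp.Update([]Cluster{{"api", "10.0.0.10:8080"}, {"api", "10.0.0.11:8080"}})
	resp, _ = cp.Handle(ack)
	nack := px.Apply(*resp)
	cp.Handle(nack)
	fmt.Println("active after rejected v2:", px.Active, "| error_detail:", nack.ErrorDetail)
}
```

The two details worth keeping in mind when you operate a real control plane are visible here: the proxy never reports a version it did not accept, so version_info on the wire is the truth about what is serving, and a NACK is silent from the traffic's point of view, so the control plane's error_detail log is the only place the bad push shows up.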

Renaming Node Name without Resetting kubelet Environment

Goal Rename any node in a Kubernetes cluster without resetting the whole kubelet environment, as most approaches do, and without draining any Pods running on the node. Bootstrap process of kubelet Doc refer to: https://kubernetes.io/docs/reference/access-authn-authz/kubelet-tls-bootstrapping/ Chinese version introduction refer to: https://cloud.tencent.com/developer/article/1656007 The kubelet process starts. It tries to find the kubeconfig file specified by --kubeconfig=xxx; if that is not found, it tries the bootstrap-kubeconfig file specified by --bootstrap-kubeconfig=xxx instead.

【Envoy-03】Securing Envoy Proxy

1. Envoy Threat Model refer to: threat_model Threat modeling consists of: identifying and enumerating threats and vulnerabilities; devising mitigations; prioritising residual risks; escalating the most important risks. Why threat model? Identify security flaws early; save money and time-consuming redesigns; focus your security requirements; identify complex risks and data flows for critical assets. 2. Configuration Best Practices refer to: best_practices/edge An example of running Envoy with a secure config: # https://github.com/solo-io/hoot/blob/master/03-security/edge.yaml admin: # access log to admin interface access_log_path: "/tmp/envoy_admin.

Something you might need to know when developing a CNI plugin

Introduction CNI, the Container Network Interface for Kubernetes, provides networking for Kubernetes containers. There are many CNI plugins for Kubernetes networking on the market, some of them open-source projects (e.g. flannel, calico, cilium). Besides, the CNI project itself provides some sample plugins for end users. How does kubelet interact with CNI Implemented by dockershim In earlier versions of Kubernetes (1.23 or older), if the container runtime is docker, the CNI plugin is called from dockershim#cni.

What's inside Nvidia Container Toolkit?

Architecture Overview The NVIDIA container stack is architected so that it can be targeted to support any container runtime in the ecosystem. The components of the stack include: the NVIDIA Container Runtime (nvidia-container-runtime); the NVIDIA Container Runtime Hook (nvidia-container-toolkit / nvidia-container-runtime-hook); the NVIDIA Container Library and CLI (libnvidia-container1, nvidia-container-cli). These components are packaged together as the NVIDIA Container Toolkit. How they are used depends on the container runtime in use.