KubeCon + CloudNativeCon + Open Source Summit + AI_dev China 2024

Struggling with extensive edge cluster management? Kubernetes adoption brings new challenges, especially in sectors like telecom, retail, and manufacturing. The surge in clusters highlights Kubernetes' limitations, worsened by unreliable networks between data centers and edge clusters. Without scalable control, organizations resort to sending engineers to maintain thousands or even millions of edge clusters, slowing progress. But, we have a solution: connecting Kubernetes and edge clusters via event-based transport, utilizing standard open-source protocols like Kafka, MQTT, and NATS. This enhances Kubernetes-style events, making them resilient to network delays or disconnects. With these capabilities, we can effortlessly construct a central control plane scalable to millions of edge clusters. Join us for an intuitive control plane, handling a million edge clusters across regions. Learn an approach that can be adapted to your edge management infrastructure today.

在KubeCon的会议描述中，若您正在为庞大的边缘集群管理而苦恼？Kubernetes的采用带来了新的挑战，尤其是在电信、零售和制造等行业。集群数量的激增凸显了Kubernetes的局限性，加剧了数据中心和边缘集群之间不稳定网络的问题。在缺乏可扩展控制的情况下，组织不得不派遣工程师去维护成千上万甚至数百万个边缘集群，从而拖慢了进展。但是，我们有解决方案：通过基于事件的传输将Kubernetes和边缘集群连接起来，利用标准的开源协议如Kafka、MQTT和NATS。这样可以增强Kubernetes风格的事件，使其能够抵御网络延迟或断开连接。有了这些功能，我们可以轻松构建一个可扩展到数百万个边缘集群的中央控制平台。加入我们，体验一个直观的控制平台，可以跨区域管理数百万个边缘集群。学习一种可以立即应用于您的边缘管理基础设施的方法。

The Distributed cloud offers better resilience by providing redundancy, scalability and flexibility, especially for cloud native applications. However the complexity of multi-cluster workload and traffic management in hybrid or multi-cloud environment brings huge challenges in practice, such as the number of overall multi-cluster workload instances serve for customer request decreased when some unhealthy ones isolated in case of failures. In this speech, Chaomeng introduces a production practice of Karmada and Istio work together to promote resilience of multi-cluster application. How Karmada and Istio policies configured in a centralized control plane controls both replica and traffic distribution across cluster automatically. In case of failures, how Istio’s failover acts to remove unhealthy endpoints from global load balancing pool, and how Karmada rebuild the according number of instance in other healthy clusters, ensure multi-cluster instances always meet the capacity design.

分布式云通过提供冗余、可伸缩性和灵活性，特别是对于云原生应用程序，提供了更好的弹性。然而，在混合或多云环境中的多集群工作负载和流量管理的复杂性在实践中带来了巨大挑战，例如当一些不健康的实例在故障情况下被隔离时，为客户请求提供服务的整体多集群工作负载实例数量减少。 在这次演讲中，Chaomeng介绍了Karmada和Istio共同推动多集群应用程序弹性的生产实践。Karmada和Istio策略如何在集中控制平面中配置，自动控制跨集群的副本和流量分发。在发生故障时，Istio的故障转移如何从全局负载均衡池中移除不健康的端点，以及Karmada如何在其他健康集群中重新构建相应数量的实例，确保多集群实例始终满足容量设计。

In the evolving cloud-native ecosystem, Kubernetes is vital for microservices. As enterprises adopt multi-cluster Kubernetes setups, securely managing cross-cluster communications becomes challenging due to the limitations of traditional gateways and Ingress solutions. This session explores how ZTM (Zero Trusted Mesh) acts as a bridge across K8s clusters, bypassing traditional gateways and network constraints, thus ensuring zero exposure and boosting security. ZTM uses an HTTP/2-based tunneling mechanism with end-to-end encryption, minimizing public exposure and securing data during transmission. Its design enables quick deployment of cross-cluster communications without altering existing networks or applications, easing management. Furthermore, ZTM integrates with service mesh technologies to provide a secure framework for microservices, supporting service discovery, load balancing, and advanced routing policies, allowing flexible and secure cross-cluster service management.

在不断发展的云原生生态系统中，Kubernetes 对于微服务至关重要。随着企业采用多集群 Kubernetes 设置，由于传统网关和入口解决方案的限制，安全地管理跨集群通信变得具有挑战性。 本场演讲探讨了 ZTM（Zero Trusted Mesh）如何作为跨 K8s 集群的桥梁，绕过传统网关和网络限制，从而确保零暴露并提升安全性。 ZTM 使用基于 HTTP/2 的隧道机制进行端到端加密，最大程度减少公开暴露并在传输过程中保护数据安全。其设计能够快速部署跨集群通信，而无需改变现有网络或应用程序，简化管理。 此外，ZTM 还与服务网格技术集成，为微服务提供安全框架，支持服务发现、负载均衡和高级路由策略，实现灵活且安全的跨集群服务管理。

Join our esteemed panel of experts as they delve into the latest advancements and integrations in the world of Istio and API gateways. This discussion, led by Jimmy Song from Tetrate and founder of the China Cloud Native Community, will feature insights from core contributors and thought leaders including Jianpeng He (Tetrate), Jintao Zhang (Kong), Xunzhuo Liu (Tencent) and Zhang Jiaqi (Alibaba Cloud). The panel will explore Istio's recent developments such as Ambient Mesh, sidecar-less architectures, and the application of eBPF, along with the evolving role of Envoy Gateway. Participants will gain an in-depth understanding of how API gateways are blending with service meshes to create more dynamic, efficient, and secure cloud-native environments.

加入我们尊贵的专家小组，他们将深入探讨 Istio 和 API 网关领域的最新进展和集成。这次讨论由 Tetrate 的 Jimmy Song 主持，他是中国云原生社区的创始人，将邀请核心贡献者和思想领袖，包括 Jianpeng He（Tetrate）、Jintao Zhang（Kong）、Xunzhuo Liu（腾讯）和张佳琦（阿里云）分享见解。小组将探讨 Istio 的最新发展，如环境网格、无边车架构以及 eBPF 的应用，以及 Envoy 网关的不断演变角色。参与者将深入了解 API 网关如何与服务网格融合，创造更具动态、高效和安全的云原生环境。

Connection and service discovery are usually key challenges for multi-cluster management, existing solutions such as Submariner introduce pre-conditions for public IP and specific CNI. This is problematic for projects like the "East-to-West Computing Resource Transfer Project" where clusters lack public IPs and have diverse CNIs due to different ownership. This session introduces a solution to establish an independent and unified parallel network for east-west traffic cross clusters based on Node Resource Interface (NRI) to avoid intrusive modifications for clusters and limitations on CNI. A hybrid approach is provided for inter-cluster traffic: clusters can communicate through a hub cluster with public IP or connect directly if public IP is equipped. Moreover, cross-cluster service discovery follows the MCS standard to ensure seamless service access. All functionalities remain agnostic to Kubernetes and applications. A live demo will be shown in this session.

连接和服务发现通常是多集群管理的关键挑战，现有解决方案如Submariner引入了公共IP和特定CNI的先决条件。这对于像“东西计算资源转移项目”这样的项目是有问题的，因为集群缺乏公共IP并且由于不同所有权而具有不同的CNI。 本场演讲介绍了一种解决方案，基于节点资源接口（NRI）建立一个独立和统一的跨集群东西流量网络，以避免对集群进行侵入性修改和对CNI的限制。提供了一种混合方法用于集群间流量：集群可以通过具有公共IP的中心集群进行通信，或者如果具有公共IP则可以直接连接。此外，跨集群服务发现遵循MCS标准，以确保无缝的服务访问。所有功能都与Kubernetes和应用程序无关。 本场演讲将展示现场演示。

As LLMs continue to grow in size, their deployment and delivery in cloud-edge environments are faced with substantial challenges, especially within edge computing settings that encompass multiple sites with thousands of edge nodes. In this presentation, we will explore how to efficiently distribute LLM applications across dispersed edge nodes using OpenYurt. We will also delve into how Dragonfly’s P2P image distribution technology can address the issue of public network bandwidth consumption encountered during cross-site transmission, reducing public network traffic consumption by up to 90% compared to conventional LLM distribution, and achieving rapid and efficient sharing of LLMs in physically isolated environments. During this presentation, container service experts from Alibaba Cloud and Ant Group will share this solution and introduce the practical application of combining OpenYurt with Dragonfly in edge computing scenarios for LLMs.

随着LLM的规模不断增长，它们在云边缘环境中的部署和交付面临着重大挑战，特别是在涵盖数千个边缘节点的边缘计算环境中。在本次演讲中，我们将探讨如何使用OpenYurt在分散的边缘节点上高效分发LLM应用程序。我们还将深入探讨Dragonfly的P2P图像分发技术如何解决跨站点传输中遇到的公共网络带宽消耗问题，与传统的LLM分发相比，将公共网络流量消耗降低高达90％，实现在物理隔离环境中LLM的快速高效共享。 在本次演示中，来自阿里巴巴云和蚂蚁集团的容器服务专家将分享这一解决方案，并介绍在LLM的边缘计算场景中将OpenYurt与Dragonfly结合应用的实际应用。

Istio Ambient separates the L4/L7 functions found in the traditional sidecar model and introduces the ztunnel component, which implement the L4 network load balancing and secure zero-trust. However, as ztunnel is deployed at the node level with DaemonSet, any malfunction or anomaly in ztunnel may impact the traffic of all mesh-related pods under that node. Furthermore, performance tests of Ambient Mesh have not delivered the anticipated outcomes; ztunnel often becomes a performance bottleneck. These factors make it challenging to apply Ambient Mesh in production environments. it appears that we require a more optimized and practical implementation solution. This session will share: 1. An introduction to the architecture of Istio Ambient Mesh, along with current known issues with the existing implement. 2. using eBPF to implement zero-trust and L4 network traffic capabilities, enhancing the stability of the Mesh network, and significantly improving overall performance.

Istio Ambient将传统的边车模型中发现的L4/L7功能分离，并引入了ztunnel组件，实现了L4网络负载均衡和安全的零信任。然而，由于ztunnel部署在节点级别的DaemonSet上，ztunnel中的任何故障或异常可能会影响该节点下所有与网格相关的Pod的流量。此外，Ambient Mesh的性能测试并未达到预期的结果；ztunnel经常成为性能瓶颈。这些因素使得在生产环境中应用Ambient Mesh变得具有挑战性。看起来我们需要一个更优化和实用的实现解决方案。 本次会话将分享： 1. Istio Ambient Mesh架构的介绍，以及现有实现中已知的问题。 2. 使用eBPF实现零信任和L4网络流量功能，增强Mesh网络的稳定性，并显著提高整体性能。

In multi-cloud and hybrid cloud architectures, enterprises face challenges like inter-cloud communication, traffic management, application orchestration, data security, and compliance. Service mesh technology offers a unified approach for managing service interactions, enhancing security, and ensuring data compliance. Istio, a leading service mesh project, is particularly effective in multi-cloud and hybrid cloud environments. It provides seamless network connectivity across various architectures, ensuring reliable and secure communication. Additionally, integrating Istio with Karmada enables efficient application scheduling across these complex environments. Karmada allows for smooth orchestration of workloads across different cloud platforms, enhancing the flexibility and scalability of cloud-native applications. I aim to share practical insights and experiences, especially from China, to inspire and provide strategic perspectives in navigating these technological landscapes.

在多云和混合云架构中，企业面临诸如云间通信、流量管理、应用编排、数据安全和合规性等挑战。服务网格技术提供了统一的管理服务交互方式，增强安全性，并确保数据合规性。 作为领先的服务网格项目，Istio在多云和混合云环境中特别有效。它提供了跨不同架构的无缝网络连接，确保可靠和安全的通信。此外，将Istio与Karmada集成，可以实现在这些复杂环境中高效的应用调度。Karmada允许在不同云平台上平稳地编排工作负载，增强云原生应用的灵活性和可扩展性。 我旨在分享实用的见解和经验，特别是来自中国，以激发并提供在这些技术领域中导航的战略视角。