Hello everyone, my name is Dong Hui-Chun, I'm an openEuler A-Tune SIG manager. Today I want to share with you A-Tune, which is an AI-based automatic parameter tuning system. I will introduce A-Tune from the following four aspects.

First, I want to introduce what performance tuning is. This is a simple example of a matrix multiplication of 4,800 by 4,800. If we write it in the Python language, it takes more than 16,000 seconds to run. However, if we use the C language to write it, it only takes about 600 seconds to run. Then, if we optimize it with multi-thread parallel computing, it only takes about 37 seconds. Then, if we use other optimizations, such as vector instructions, it only needs 1.99 seconds. This simple example shows, we can say, that there is a large amount of room to improve our performance.

Then I will give an introduction to A-Tune. As we can see, operating systems have a large number of parameters and complicated correlations between them. However, those tunable parameters control all aspects of the operating system. For example, in Spark, there are so many tunable values. If we use the default values, they can't get the best performance. So we want to tune these parameters. There are several advantages. For example, the execution time of Spark can drop 10 times, and the system resource utilization can go up to 10 times. And we can also reduce some errors, such as OOM and timeout and so on.

However, tuning parameters has several challenges. The first one is that there are many parameters in a single system. For example, in Spark, there are more than 200 parameters. The second one is that there are a huge number of systems. For example, there are so many applications, such as vertical applications, analytics and visualization systems. Different systems need different kinds of parameters. The third one is that there are diverse workloads and system complexity.
For example, even when we use Spark, there are all kinds of workloads, including MLlib, streaming, SQL, and graph processing, and so on. Different workloads also need different kinds of parameters. However, if we use manual tuning to tune these parameters, there are several disadvantages. For example, it requires a long tuning time, it requires individual experience, and it has high labor costs. However, if we use AI to automate the tuning, there are several advantages. For example, it only needs a short tuning time, there is no need for individual experience, and it only needs machine costs. Therefore, the objective of A-Tune is that, given a workload, we want to use AI to find the optimal parameters for the given workload and achieve the best performance.

Now, let's see related works. As we can see, tuning is a constant topic. In the 1980s, manual tuning was used. In the 2000s, statistical and hierarchical methods were widely used. In the 2010s, traditional machine learning methods were also widely used. Recently, deep learning and reinforcement learning methods have also been widely used. The following table gives the performance of all the above methods under several dimensions, such as quality, efficiency, and dealing with the three challenges. As we can see, there is no single kind of method that performs best under all the dimensions.

Now, we want to use AI to perform the automatic tuning. There are several advantages. The first one is data coverage. We can leverage a variety of technologies to optimize several layers. The second advantage is intelligent operation. We can apply tuning opportunities in an efficient and intelligent manner. The third one is target orientation. We can tune systems based on objectives and constraints. The fourth one is full automation. We can conduct the entire tuning process and schedule automatically. Now, we designed A-Tune, in which we use AI to achieve the optimal performance of the system.
First, we need to collect all kinds of data, such as system metrics, for example CPU utilization, and other data, such as framework-specific and application-specific metrics, and target metrics. Then, all the metrics are sent to A-Tune. A-Tune can make intelligent decisions and learn how to output optimal knobs, such as system knobs, framework-specific knobs, and application-specific knobs. These are the major knobs that can make the performance of the system better.

Now, we will give the architecture of A-Tune. A-Tune analyzes the resources, such as computing, storage, and network, of applications or clouds, supports parameter tuning for mainstream applications in the industry, and improves tuning efficiency. The architecture of A-Tune includes three parts. The first part is intelligent decision-making, which includes online static tuning and offline dynamic tuning. The second part is system characterization, which includes the data platform, feature engineering, training, and inference. The last one is system interaction, which includes system full-stack monitoring and the configuration service. Now, I will describe the two parts of online static tuning and offline dynamic tuning.

Now, I will give a detailed introduction to online static tuning. The scenario of online static tuning is common users and applications that need to be online at all times. The idea is that A-Tune detects the current application workload, matches it to a known workload based on the classification model, and then outputs empirical parameters. Online static tuning has several key technologies. The first one is important feature analysis. A-Tune can automatically select important features to characterize applications accurately. The second one is two-layer classification, which can accurately identify the current workload. The third one is workload change detection. It can automatically identify application workload changes and implement adaptive optimization.
The second one is offline dynamic tuning. Offline dynamic tuning is for advanced users who have high performance requirements. The idea is that offline dynamic tuning includes three parts: the target device, the carrier, and the upload. The idea is that the carrier sets parameters for the target device, obtains the feedback performance indicators, and continuously obtains the optimal parameters. Offline dynamic tuning also includes three key technologies. The first one is important parameter selection. It can automatically select important parameters to reduce the search space and improve training efficiency. The second one is optimization algorithm construction. It allows users to select the optimal algorithm based on application scenarios, parameter types, and performance requirements. The third one is knowledge base construction. We can add the current workload characteristics and the optimal parameters to the knowledge base to improve subsequent training efficiency.

Now, I will give the A-Tune implementation framework. The framework includes three parts: the A-Tune server, the A-Tune client, and the A-Tune engine. The A-Tune server includes the data collection tool and the system configuration engine. The A-Tune server must be installed on the target device. The A-Tune client is used to interact with the user and output the results. The A-Tune engine includes all the algorithms of A-Tune, such as classification models, key parameter selection models, model training, and automatic parameter tuning. The three parts can be installed on different machines and they can communicate through gRPC.

Now, we will give several tuning results. For example, in Spark, there are several tunable parameters. If we use the default values, they can get the best performance. Now, we want to use A-Tune to select the best values for the given workload.
For example, after A-Tune tuning, the performance is improved by 30% over the default system configuration and 5% over the configuration optimized by professional engineers. The tuning efficiency is five times that of manual tuning. There are also several other tuning results. For example, we optimized the etcd system with A-Tune, increasing performance by more than 10%; the results were displayed in the openEuler application porting competition. And we also optimized MySQL. MySQL was optimized in six different scenarios. openEuler with MySQL runs on machines with four cores and 60 gigabytes of memory as well as 32 cores and 64 gigabytes of memory. In the OLTP static scenario, the throughput is improved by five times.

In the future, A-Tune will break performance bottlenecks. There are two kinds of improvements. The first is from offline to online. There are several trends. For example, continuous performance tuning capabilities for online applications, to deliver performance as a service. There are also several systems. For example, A-Tune provides online parameter tuning for cloud databases, and we gradually focus on resource tuning for online applications. However, there are also some challenges. The first challenge is cold start. How do we deliver optimal performance in the absence of historical data when a new application goes online? The second challenge is adaptability. How can the cost of online tuning be reduced when a model is trained against online applications that change dynamically? The third one is security. How do we keep the performance of the intermediate tuning results above the preset threshold to ensure high system availability during tuning?

The second one is from user mode to kernel mode. There are also several trends. For example, utilizing AI technologies to shift from conventional system configuration optimization to system design optimization. There are also several papers.
For example, LinnOS uses AI to reconstruct the kernel block layer and predict the I/O latency, boosting SSD performance. KML is another paper, which builds an AI model in the kernel space to implement load-aware data prefetching policies. However, there are also some challenges. The first challenge is computing overhead. How can model complexity and performance be balanced with the limited computing resources available in the kernel space? The second challenge is timeliness. How do we infer and execute the highly dynamic optimization processes? The third one is universality. How do we construct a universal framework for different optimization types that involves data collection and optimization algorithms for various kernel modules?

Here is the A-Tune repository. Everyone can get the code of A-Tune. Please feel free to contact me if you have any questions. This is my email. Thank you. Any questions? Any more questions? Okay, thank you. That's okay.

Next up is Qing Xiaolin, who has more than a decade of experience in cloud infrastructure and six years of experience in container technology. He is a principal engineer at the openEuler project. He will tell us about the redesign of the process one, called SysMaster. And it's all in Rust, so it's super relevant.

Welcome everyone. Today I will introduce to you another one, a process one. Yes, we are writing a new process one for openEuler. And it is written in Rust. Its name is SysMaster and we open sourced it in openEuler. openEuler is the new OS platform. We already open sourced it at Gitee and GitHub, okay? It's currently incubating at OpenAtom, okay? Right. So today I will go through these three parts. First, why? Why do we want to write a new process one? And second, what should it be, what should it look like? How? How did we decide, and its architecture? Before that, what is the process one? Process one? Actually, in our Linux OS there is a process tree, okay? It's like a tree.
So process one is the root of the tree. It's the first user space process in Linux. And all the other processes are its ancestors. It has two main roles. The first one is bringing up the whole system. The second one is reaping the zombie processes. In the process tree, its stability is very important. That means it affects the whole reliability of the Linux OS.

And before that, we already have many process ones in the whole operating system world, okay? Currently, we have counted: there are more than 20 process ones. In different OS distributions, we have ones such as SysVinit, Upstart, systemd, and launchd. Normally, in the older systems, we use SysVinit; in Ubuntu 12 and Debian, we use Upstart, okay? And we found that there is some difference, and we also talked about that: in different OSes, we have different process ones. This is because the demands of the OS we want put demands on the process one, on what it looks like.

So before that, we talked about openEuler. In openEuler, we are trying to build one OS for all scenarios: cloud, server, edge, and embedded devices. We had to analyze all these scenarios. The first one is the traditional server. According to the statistics of our maintenance and SRE team, we found, as we have in this panel here, that for the last five years we have had many bugs in process one, okay? It accounts for 16%. And these bugs have stayed high for the past years; it's still high every year. And the third point: nearly one third of the bugs are memory-related bugs, okay? So it's really hard for the maintenance team, okay? As we said before, its reliability is very important to the OS. Once it has any bug and needs to recover or needs to restart process one, it causes the whole OS to restart. It is very critical. We need this process one to be reliable and to have the ability to self-recover. That's the traditional server.
And second, in the cloud. In our current world, many of our machines and applications are managed by Kubernetes or OpenStack, which means from the perspective of our SREs they have to handle many different management platforms. But Kubernetes and OpenStack cannot manage those system services in the OS. Which means we're trying to provide another agent in the OS, in openEuler, to connect to Kubernetes and OpenStack for easy maintenance. And also, currently in the container world, many of us are building container OSes like Firecracker or such. In this container world, most of the apps are containerized, so we don't need a huge process one anymore. We hope that in this container OS the process one is as small as possible. So we want this process one to be part of the Kubernetes or OpenStack ecosystem and reliable. Small and reliable.

Embedded systems, embedded devices. The traditional process one is too huge to use in embedded systems. And the normal process ones in embedded systems don't have service management to manage those system services. So we want this process one to be lightweight, small, and to have the ability of service management. Those are all our scenarios.

So we want SysMaster to be ultra lightweight and highly reliable, and one process one can cover all scenarios of openEuler. And then it has the fault monitoring and self-recovering mechanism for its reliability. That's our vision. Before we were trying to write our first code, we debated which programming language we would use: C, C++, Golang or Rust. And in the end we chose Rust. I think the first thing is that it's really growing fast. And it is also emerging in our fundamental software. It was also accepted by the Linux kernel last year, okay. And that's the first thing: it's very famous and popular. And the second thing, Rust has features for security and high performance. That is what our SysMaster wants. So we trust it. So we chose Rust for our programming. Next is our design.
We talked about it before; in SysMaster, we hope it is ultra lightweight, small and reliable. So we designed it as 1 + 1 + N. The first one is init. It is the real process one. It is simplified with only about 1K lines of code. And the second one is core. It only provides the core functions of service management and self-recovery. It supports hot update and hot restart, and doesn't affect the running of the OS. And the other key system functions will be provided by the other modules, and they can easily combine with those one and one. This is like Lego.

And this is our design. The first one is init. It is the real process one. It needs to bring up the whole system and also monitor the SysMaster core. Currently it is only less than 1,000 lines of code. When it is running, its whole footprint is only about 400. It is suitable for embedded devices and it is really reliable. Currently it is done. And second, the core, SysMaster core. It provides the important self-recovery services, and also the service management for those system services. It adds a reliability framework. It currently supports hot restart and live restart and update to improve reliability. And we designed for two cases. The first one: once it is running and handling the daily routine, when it crashes, then it self-recovers. And the second scenario is when it is trying to bring up the other apps; at that time it still crashes and then it tries to self-recover. And during this period the whole OS and services are running properly. Therefore, a small demo here; we can show you later.

Next, extensions. As we said before, it has a design of 1 + 1 + N: it introduces the init, the core, and all the other key functions will combine with these extensions. And those important system functions consist of modules. Currently we have finished devmaster.
This devmaster will provide the function of a device manager, and currently it is working. In the near future we will bring up busmaster and others for other kinds of system functions. A small demo: my colleague is trying to show as much as possible. He is using the process one, SysMaster, running now. Going back: at first it is running within a container, a systemd container. Within the container there is a systemd trying to bring up many, many, many system services in the container. This is the first window, trying to start up the systemd service here. Starting it up, it is running with systemd and tries to bring up the service, and then we will see that they are receiving requests. Then you try to send a signal, signal 6, to this function, then it stops. And this is with systemd: this service is killed by signal 6. And then next we will try with SysMaster; then you can see that SysMaster will try to self-recover. Okay, yep, running with SysMaster now, try to bring up the test service again, okay, try to kill it again. There is something wrong, but it is still running; yep, it is working fine. Okay, that is my show for the day. Okay, thank you.

So any questions? So this is an alternative service thing, right, an alternative to systemd, is it? Yeah, yeah, it does so. Any more questions?
Okay then, thank you very much. Okay, welcome back everybody. Our next talk is from Kathy Lee, who is the manager of community operations of RT-Thread. She has more than 6 years of experience with RT-Thread, and she will talk about IoT operating system development for the light smart age. Enjoy.

And a huge thank you to the organizers for bringing us here as an open source project; we very much appreciate the support here. I'm Kathy, I'm working for the open source RT-Thread organization and I'm helping with the global community operations. My talk today is about Internet of Things operating system development under the light smart age. Many of you may already know that we are calling the age of lightweight smart devices the light smart age, and RT-Thread is driving it. Here we are talking about RT-Thread; it's a real-time operating system, and because of its features like hard real time, low power, fast startup and low cost, it's more likely to be used in the smart home, smart wearables, industrial control and smart cities, for both MPU-powered devices and MCU-powered devices. Nowadays we are defining what a perfect RTOS should be like to be chosen for a project. We feel that the RTOS at this moment should be presented as a platform to support a wide range of components such as GUI, audio, frameworks, network protocols, POSIX API, AI frameworks, and make it applicable to help developers quickly get started with IoT and embedded systems. In the age of the lightweight and smart, we feel that the RTOS is more demanding than ever before, both from the ecological side and the technical side, and it requires more features. From the eco side it requires more from the POSIX API, the chip support, the software ecosystem, the learning resources, the CPU IP, the toolchains; and from the tech side it's more about the components, software packages, IDEs, the MMU
support, the security, the high reliability and a lot more features. So today I bring the RT-Thread project. RT-Thread is an open source real-time operating system that was born in 2006. It was originally generated as a kernel, and we started this project in 2006. There are some milestones I'd like to highlight about the RT-Thread project: by 2007 we released the RT-Thread IoT OS, the Internet of Things operating system, and by 2020 we had the RT-Thread Smart micro-kernel operating system. It's open source for community developers.

On the technical side there are three versions of RT-Thread available: RT-Thread Nano; RT-Thread Standard, which is the IoT operating system; and RT-Thread Smart, the micro-kernel operating system. We will start with RT-Thread Nano. RT-Thread Nano maintains a simple kernel with less than 5000 lines of code, and the resource consumption can be as low as 3KB flash and 1.5KB RAM. It has high reliability and has been applied in the electricity industry, consumer electronics and a lot more. To help you better understand RT-Thread Nano, it's just a simple kernel, to compare with the IoT OS. For the RT-Thread Standard version, when faced with complicated application requirements, a kernel is never enough, so we created a platform: the RT-Thread kernel, the components and a lot more modules have been integrated into the RT-Thread platform. And based on the RT-Thread platform we introduced the RT-Thread software packages. Till now we have more than 600 software packages contributed by the community and some of them by our teams, and those packages cover IoT, security, AI, languages, data and a lot more. So RT-Thread Nano is a kernel, but RT-Thread Standard is a kernel plus a lot of components and the software packages. Along with the development of chips, AI computing and edge computing moving in the direction of terminal devices,
the demand for running a lightweight real-time operating system on chips with an MMU, which we call memory management, for ARM Cortex-A and RISC-V 64 is gradually increasing. So we put forward our new offering, RT-Thread Smart. It is based on the RT-Thread kernel, but it isolates the user space and the kernel space. It is more like high security, as it isolates the kernel into the user space and the kernel space.

There are some highlights about the RT-Thread components: we have FinSH, we have ulog, test, session, view and a lot more. RISC-V, ARM and other chips are all supported in the RT-Thread platform and the community, and we put a lot of effort into making this happen. RT-Thread supports the GNU GCC, IAR, MDK Keil and a lot more IDEs; also we home-built our own RT-Thread Studio. RT-Thread Studio is an all-in-one, free-to-use IDE that we created for community developers to help them get started quickly with project development. The RT-Thread Studio IDE supports a simulation function, so even if you don't have a hardware platform on hand, you can still use the RT-Thread Studio IDE to get started with the work. Yeah, and the RT-Thread software ecosystem plays a crucial role in the RT-Thread platform, and till now we have 600 software packages covering applications such as IoT communication, security, multimedia and so on. RT-Thread has been favored as the most powerful RTOS in China with the largest installation; till now we have powered 2 billion devices, and we have built a community with 150,000 developers participating.

Here are some highlights about the RT-Thread community events, as we believe the power of open source is the power of its community. We also have our university program: RT-Thread has opened RT-Thread courses in over 100 universities in China and outside of China, and we have built joint labs in over 55 universities, and we also hold more than two online and offline teacher trainings per year. Also we are sponsoring some contests and sponsoring the program in
universities, so we welcome universities and organizations to join us. Also today I bring an AI kit that we created for university students. Do I still have time to show it? Okay, sure, the demo will be shown outside of this event, so if you have any interest, just check with us. Some event highlights. Okay, that's pretty much the highlights about the RT-Thread project. If you are interested in this open source project, welcome to connect with us on the social media platforms. And by the way, I'd like to mention that we are going to hold the 2023 RT-Thread Global Tech Conference on June 1st to June 3rd. It's online and free, open to all developers; welcome to join us. Thanks. Any questions for the RT-Thread project? So maybe we can check out. Thank you.

Next up is Jens Petersen, who is an engineering manager at Red Hat, works on various departments: Fedora, internationalization, workstations and Haskell. He'll talk about containers and toolbox. Jens Petersen.

Thanks for coming to this talk about toolbox containers. As introduced, I'm Jens Petersen, I've worked at Red Hat for quite a long time on our development. It's great to be back in person here. And yeah, so just to motivate a little bit: I've been using these toolbox containers for quite a while. I just find it really nice to have my development environment completely separate from the system environment, so I can choose to upgrade when I want, or I can use an older system sometimes if I need something there. So today I'll mainly be talking about two projects which I've contributed to, but I'm not the main developer; I just want to say up front I'm not taking credit for this. One is toolbox and another is distrobox. They're somewhat similar but they also have some slight differences, as we'll see.

So what's a toolbox container? Basically it's just a so-called pet container, which means it's something that you're taking care of, that's maybe a little dear to you, something you might be using for a longer period of time. And yeah, so it'll be using podman or
docker, and the special thing about it is that it has access to your home directory and desktop environment and system resources and so on. But obviously the container is different from the system environment, usually, or well, it doesn't have to be. You might want to have installed packages which you don't want in the system because you don't want to mess up your system, but you still need those tools or applications.

So I'm going to approach this through four fundamental questions: why, how, what and who. Let's start with why a bit more. Yeah, so I think I've covered some of this, but there are two main use cases. Originally the toolbox project came up in the context of OSTree operating systems, where you cannot have a mutable operating system, but then it's a bit awkward to have development tools and so on in that kind of environment. So then you have a toolbox container where you can install your compilers and IDEs and so on. But yeah, also another advantage of toolbox, compared to using a VM or something, is that it's a lot less resource intensive, so you can save memory and disk space and so on. Whereas a VM might need 10, 20 gigs to run, a toolbox container will just share memory with the system, and also disk space and so on. So yeah, it's quite good in that sense.

So I'm not really going to go into a lot of detail because it's a very short talk, but yeah, so basically, especially under podman, these are rootless, unprivileged user containers, and then they're using namespaces and bind mounts to bring sockets and system directories and so on into your toolbox. And so usually it's a sort of two-step process: first you create the toolbox and then you enter it, or you can also run directly from your host shell. But so yeah, today I want to demo toolbox and also distrobox, which are the two main projects, which are kind of sort of interactive graphical environments. So first, yeah, there's toolbox, which is now in this containers org on GitHub. It was
originally started by Debarshi Ray in 2018. Originally it was just a shell script, but then it was rewritten later in Golang. The idea was that Golang would bring it closer to podman, and most of the container tools and so on are written in Golang, so I think in practice it's more just calling out to podman these days. But so yeah, it's been packaged in Fedora from the beginning, and also it's available in RHEL and Arch, and also it's available in Debian and Ubuntu now. Yeah, I guess one of the differences between toolbox and distrobox is that toolbox requires custom container images, so it kind of assumes that certain tools and, well, some minor files are in place, unlike distrobox, which can use standard distro containers to build these toolboxes. And yeah, so in Fedora we have this Fedora toolbox image, which I also help to maintain a little, and also in RHEL we also have a toolbox. Yeah, this is the UBI, but there's also an official RHEL toolbox container. But then last year the community got tired of waiting, and so yeah, various people helped to create this new repository for other operating systems, so now there are a lot more toolbox containers available for lots of different distros, listed here in this development.

Yeah, so maybe I can show a bit. Let's show over here. So this is actually a VM running on my laptop, and yeah, let's see. So here's a list: you can see that there are various toolbox images here for CentOS, openSUSE, Fedora, RHEL, and I've got a few. So let's try to enter one, and you see this little box here at the side; it says to show you the toolbox container. And so yeah, for example, on my host system I don't have Emacs, but I installed Emacs over here, so I actually have this source code here too. But anyway, perhaps I'll move on. This is an Ubuntu toolbox, so yeah, it's running Ubuntu inside this Fedora system, so I have access to all my home directory here, and as you can see, I could install some graphical application and run it in the toolbox. Sorry, so this
is a community project started in 2021, and it's all, I think it was originally a port of the toolbox shell script. So it takes a bit of a different approach; like I said, it doesn't need custom images. It supports quite a wide range of distros, probably more than toolbox does, as you can see. So these are the distros that it runs on, I think, and also you can see where it's packaged here; I think openSUSE is also using it. So it also supports toolbox containers, so you can use this repository I mentioned earlier of the toolbox containers; lots of different distros are supported, that's quite nice. Yeah, and it has some other nice features. For example, you can set a different home directory, so if you're worried about interfering with your home directory files or something, then you can create a distrobox which uses a different home directory. It also has some other good things; it has, for example, a dry-run option, which will show you the commands, the podman commands that are being run. It also supports a kind of ephemeral or short-lived toolbox, so you can just start up an ephemeral toolbox, test something, and then go out again and it will just disappear.

And so yeah, I think toolbox is good for developers and also testers. I often use it; I often want to compare something in one version of the operating system with another version, or if I'm debugging something I want to check if something's fixed in a newer library, things like that. Also it can be used, particularly on, say, OSTrees, for sort of system troubleshooting as well, where maybe some tools that you want are not available in the system, but you can then put them in a toolbox. So that's where the talk, the projects and my contact details are. I'm happy to take any questions you may have.

Thanks for the presentation. I saw that you opened a GUI version of Emacs, right?
UI version of Emax so my question is can we run any GUI without complex configurations like in Docker can we open browser or anything easily in toolbox anything okay so no no complex configurations required for that okay thank you Any more questions? So by the help of this destroyer boss there will be the new of OS there is only one kernel and the process run then any other destroyers will go boss okay I think it's interesting and I have another question and because we talk about the container OS like OS OS is read only so where we debug we will install a debug container yeah what kind of tools we will install in this debug two-boss it's suitable for for the maintenance on live like network or just it's suitable for the SIE team like this way just put all the debugging tools in this container it's okay I think so here's some advices from you the kernel so the toolbox depends on the system kernel so there can be issues with certain one issue is like with drivers and so on like GPUs and things like that so ideally it should have the same ideally the distribution and the kernel should kind of be for the same kernel there's no system D running in the containers so that is a problem some services may not work in toolbox so that's a limitation as for the troubleshooting to be honest I haven't done it myself but yeah for example even the core OS is moving to toolbox they previously had their own kind of simple toolbox but yeah I don't know it could be in debuggers or network troubleshooting tools or something it's a great question so these toolboxes are still running actually even in the background another thing I'm not sure is that you can you can also run applications from the host the toolbox is using this run command the only thing I forgot is the distro box also allows you to export desktop files to the host so you can see I think I had one example this GTK demo is not very exciting but it's actually running in a I just want to ask one question so how my 
understanding is that for a container you need a process to keep running, like something, so that the container stays alive. It looks like in your case it's staying alive because, you know, you can do it. So how is that being handled, and is it being recommended? How can we spawn up multiple processes? Is it recommended to do, like, you know, you can spawn up multiple processes, like how can we handle that?

Yeah, good question. The system is running on the host system; there's also something called conmon, which is kind of a container monitor which works together with Podman, so it checks that the container continues to run. You can run multiple processes in one container; it feels like just a normal shell or other desktop environment, so you can have multiple processes running there. Yeah, you can. I usually have Toolbox running in the foreground in my shell. There's also integration in GNOME Terminal, so that if you create a new tab it automatically starts up in the same toolbox that you're already running. So thank you very much.

Thanks for your attention. Next is Parth Goswami, who is a customer enablement engineer at Cloudera, who tells us about IPAM.

Hope you're having a good summit so far. Good evening to you all, and a very warm welcome to all the attendees joining this event virtually. I'm Parth Goswami, and today I'll be trying to highlight some of the open source CNI plugins and their approaches towards IP address management and container networking. Now, before I start my talk, I wanted to highlight that networking is one of those aspects in containers, or maybe even cloud computing, that is often overlooked, maybe because it can be a bit of a complex topic to some of the folks, or they might be scared of the networking part for various reasons. So this is one attempt to make it a bit simplified, and I'm going to give a very high-level overview of the topics and concepts that we are going to touch. So the approach that I'm going to follow today is, we are going to
talk about adapting open source CNI plugins for IPAM. We are going to start with understanding in brief what CNI is; we'll touch the topic of plugins, what exactly plugins are; we'll try to understand what IPAM is; and then we'll focus on the need to adapt the open source CNI plugins.

All right, so the textbook definition given by the Cloud Native Computing Foundation of CNI is that it's a specification that defines how to configure networking for Linux containers. Now it does that by providing a set of APIs for networking solutions to integrate with different container runtimes. Now if you take a look at the picture over here, there is a container runtime of your choice, and then the CNI sits on top of it, and within CNI it ships lots of components called plugins. Now what exactly are these plugins? So before we take a look at plugins, let us try to understand a bit more about what exactly CNI does and how it does whatever it does. So for example, if I need to establish a network within a container, I need to have its own network namespace, so I create a network namespace. Now once I have that, I need to create a bridge between the host network namespace and the container network namespace. Once I have the bridge, I create a couple of virtual Ethernet pairs. Why virtual? Because we are dealing with containers and not virtual machines or physical hardware, so any Ethernet, any networking component that we will be dealing with is going to be virtual. So we create virtual Ethernet pairs, and then we attach one end to the network namespace and attach the other end to the bridge, and once we have that we finally assign the IP address to uniquely identify that pod, and we bring up the interfaces. This is how the interface comes up and the pod goes live. So this is a sample kind of algorithm, sample code, sample program, to achieve certain steps to achieve the desired result. Now this exact same requirement is there for almost any other container orchestration: rkt, Docker, Mesos, Kubernetes. So why
not create a standardized version of it and then try to ship it with any other orchestration? So the very thing of creating a standardized version of it, creating kind of a library of it, is called a plugin. So before we move on to plugins, let's try to understand that if we want to create our own CNI, what it must do, or what are the absolutely most necessary roles that this CNI should perform. So I don't want to bombard you with a whole lot of theory, so I'll just highlight a couple of points from these must-have roles. So it must be able to create a network namespace, as we just discussed; then it must be able to identify the network of the container, and it should be able to deal with the bridge if we are adding a container or deleting a container; then it should deal with one of the output formats; it must support command-line arguments so that we are able to fire the commands and interact with it through our CNI; it must be able to manage the IP addresses, which is the exact topic of this talk; and it must return the results in one of the desired output formats, JSON, text, tabular, whatever it is. So if any CNI is able to do some of these roles, or mostly all of these roles, I think that would be a pretty good thing.

Next, so what we have seen so far is the textbook definition provided by CNCF of what CNI is. Basically a plugin is a collection of programs or code. So here you see a few examples of plugins such as loopback, bridge, ptp, macvlan, ipvlan, and then there are many third-party plugins as well. So examples of third-party plugins that are being adopted or that have been accepted by Kubernetes: Calico is there, Flannel is there, Cilium is there. So just to give you a brief introduction to all these third-party plugins: Calico is a popular CNI tool that deals with network security based on cloud native architecture, and it is mostly used in enterprise-level environments. Flannel is something that is simple and lightweight and very easy to
install, but it is mostly preferred for small-scale clusters and not something that is larger in size. Then we have Weave Net; it is into providing network automation and observability features. And then we have Cilium, which is basically based on identity-based access solutions. So these are all open source CNI plugins, and since they are not maintained or developed by CNCF itself, they are third party.

Now let's try to understand what exactly IPAM is. Now here I am not touching IPAM from the Kubernetes or from the container's point of view; I am just talking about simple, plain IP address management. Basically it means that if you are doing something which falls under assigning, monitoring, tracking or managing IPs, you are kind of dealing with IP address management. So it's not that you have a device, either a virtual or physical device, you assign an IP address and you just go about it. No, it's not that, because at your level, at an individual level, you are dealing with just one device, but at an enterprise level you are dealing with huge clusters which might have thousands of nodes, and it's a combination of nodes, virtual nodes, physical nodes, etc. So you need to have a proper procedure set, a methodical system which will define how your assigning of IP addresses will work, how the tracking of IP addresses is working, whether, if the device is not in function, the IP address is being revoked or not; it should not be reused. So all this mechanism needs to be properly set and defined, and that is basically what IP address management is. It is basically an integrated suite of tools, and it also encompasses the concepts of DHCP and DNS.

Next, now with respect to Kubernetes, what exactly IPAM is. So Kubernetes also relies on IPAM, since Kubernetes mostly works at the cluster level; it needs to manage or deal with thousands and millions of containers, pods, and it requires that many IP addresses as well, so there is no way for Kubernetes to skip IP address management. So it needs,
it requires IP address management, and it definitely relies on it. Now Kubernetes has its own inbuilt tool to manage IP addresses, that is kube-proxy, but definitely that comes with certain limitations. Now before that, in Kubernetes each pod will require its own IP address to talk to each other, I mean to talk to other pods, to talk to services. So if an IP is required for so-and-so reasons, then the IP addresses need to be managed. Kube-proxy is something that is actually handling the IP address management, but the limitation is it can't scale. So it works fine, it works efficiently to a certain extent, but once you cross its threshold (I'm not sure what the threshold is), if you cross it and move to a very large, complex cluster, or maybe a very complex topology of network, then kube-proxy seems not to work efficiently. So that is the main limitation of the current default IPAM plugin that Kubernetes has.

Next, so then there are some challenges presented by IP exhaustion. So basically what IP exhaustion is: back in the 1980s, when we came up with this concept of IPv4, it was divided into 4 blocks of 8 bits each, 32 bits. So back then everybody thought that this many millions of IP addresses, or billions of IP addresses, would be enough, but then within 10 to 15 years, by the late 1990s, it was very clear that that many IP addresses would not be sufficient, because it is not about an IP being used by a single user, it is about an IP being used by a single device, and it was very clear soon enough that a single person would need or would require multiple devices. So in our day-to-day life, at an individual level, we carry a phone, we connect our laptops to VPN, we have a number of devices, so each and every device at any point would have at least 2 to 3 IP addresses. If you just check the Ethernet that you have, you would see the number of IP addresses being consumed at the individual level. Now just extrapolate to a scenario where you are running enterprise-level clusters and you
would understand that the need for IP addresses is actually a very complex issue, and it is something that needs to be managed very efficiently. So this causes IP exhaustion, and there are some problems or some challenges that are presented by IP exhaustion. The first is network congestion. Now since the IPs are getting exhausted, the pods in the Kubernetes cluster would compete to have the same IP address, or compete to have the IP address from the same pool, and that might result in network congestion, that might result in some downtime or maybe service interruptions. Now that can be a resulting factor in network congestion. Then there is security risk. If the IP addresses that we are adding are exhausted, it can be tempting for the network administrator to reuse the IP address. By reuse, what I mean is, if there was an IP address that was assigned to a pod, the pod gets killed or whatever, the IP gets released to the pool. Now before the IP was properly released, the admin ends up using it or assigning it to a new pod, so that might lead to having live access to the previous pod's sensitive information. So that poses a sensitive security risk. Next is difficulty in scaling. Since my pool itself has 500 IPs and my cluster demands 500 pods or 1000 pods, that definitely would not allow me to do so; if IPs are getting exhausted, my cluster would not scale the way I would want it to. And then increased complexity: in case of IP exhaustion, if my pool itself has a limited number of IPs, the network admins would be tempted to go for complex solutions such as NATing, or maybe go for overlay networks, such kinds of complex solutions. So there are many more challenges from IP exhaustion, so let's see what can be done about it.

OK, so this brings us to the main topic: because Kubernetes uses kube-proxy by default, and kube-proxy comes with its own limitations, hence there is a need for Kubernetes itself to adopt open source based CNI plugins. Now there are various third-party CNI
plugins in the market space that approach IPAM differently. So let's understand what exactly the limitations of the built-in plugins are. So there are a couple of plugins, host-local and DHCP. So the host-local plugin assigns IP addresses from a defined pool. This approach is good for smaller clusters, but once we go to a bigger level it will surely cause problems. Then DHCP IPAM assigns IPs to pods using the DHCP IPAM plugin. It can be good enough for a large cluster, but it needs an overhead like a DHCP server, so again we don't want such overhead.

Now one of the IPAM, or one of the third-party CNI plugins, that I have been working on and have used is Calico IPAM. It is a completely open source plugin, and it has certain key features because of which it is being widely used as one of the most sought-after network plugins. It uses a distributed IPAM architecture, meaning for every node there would be a separate and specific IP pool, not at the cluster level but at the node level. So this ensures that the IPs can be assigned or allocated to the pods residing on that node very efficiently and quickly, and it doesn't need a centralized server like the DHCP IPAM; since the IPs are allocated at the node level and not the cluster level, it doesn't require a centralized server, and if the local pool itself gets exhausted it can request more IPs from a central pool managed by the Calico IPAM controller itself. Next, Calico IPAM supports networking using BGP, Border Gateway Protocol. This allows network admins to segment their network into different subnets. Now this segmentation can come from a request by the application itself, or maybe there are some security concerns that need the segmentation, so this allows the network admin to enforce some traffic-related policies. Then it also has support for network security, such as policy enforcement and encryption of traffic between pods, so these features ensure that the cluster is compliant with industry standards along with
handling the management of IP addresses. Yeah, so that was all about the topic, and if you want to check out more about Calico open source, or how Calico approaches IPAM, or if you wish to contribute more to this project, just check out this GitHub repo. And there is also a program being run by Calico called Calico Big Cats, where you get to meet the maintainers, the developers, on a monthly basis, and you can just try to understand more about the project and be involved at a very deep level. So this is the recap: we saw what CNI is, what IPAM is, what plugins exactly are, then what are the current challenges presented by IP exhaustion, how Kubernetes is dealing with IP management and what are its limitations, and what third-party open source plugins such as Calico present. So yeah, that was all about it, and I am Parth Goswami, I work as a customer enablement engineer at Cloudera, and also I am a Calico community ambassador, and that is my community platform where I regularly write blogs and share my open source stuff. So yeah, thank you, that's it. Any questions?

Do you think there will be a day where containers can be scaled to zero on the networking stack and sort of be activated on connection?

I am not sure about that. From what I know, the IPs are being allocated at the pod level, so the pod would definitely have the IP address, but whether it would continue working in spite of containers or not, I need to check about it. Any questions? Then thank you again.

So next up is Sachin Shobu. He is a solution architect for DSA and an expert on multi-cloud environments, and he will tell us how AWS security works internally.

Now, working on cloud, working on AWS, good, remaining at my audience, I have a good number of people to tell about. Part of this portion maybe we will only take: how you log in to AWS, how you access AWS services. We will not talk about authentication and authorization for the applications and all those things; it will be only for AWS. When you create an AWS account, you have a privilege
to create an organization. Organizations can be thought of as any organization where you have multiple departments, so you can make an account the organization, so that will shift into management, and the remaining you can add for each; you can define it depending on how exactly the organization takes AWS into their day-to-day activity. For each department they can have a separate account, or for a specific product they can do internal bifurcations where they will have accounts, and all the associated services will be linked into it, our resources and services out there. OK, to better manage, use OUs, which are the option out there where you can define in an OU that this specific account will be used for, for example, the XYZ project or for the department, and inside the OU you can have multiple accounts. The best example for accounts is environments, dev, UAT or prod, which you can do out there. When you create an account, OK, there will be two things which you have to do. First thing, the account which you created will be a root account. When you create a root account, OK, the standard advisory is: don't use an individual's account, because, for example, for XYZ reason he leaves the organization, and you will have trouble managing that specific AWS account. So the best advisory is you create a generic group and a generic mail ID and create that account with that; for example, if it's a project and it's for the dev environment, then the project name and that mail ID, so create accounts based on that. So when you create an account there are two things. When you create, you always have to create a name ID which is given by AWS, but you are given a provision to give a proper namespace for that, so you can change the name as per your convenience out there. Second, when you create an account or root account, once the root account is created you can create users, you can create roles, you can create policies, as well as, if for example your organization which you already have, you already have a user out there,
so in this case you can integrate those specific users inside AWS; we call them federated users. You can have a requirement where your activity will be done by a certain application, for example a Lambda that will be representing or working out there; that is one thing. Any service which goes and authenticates: when you go to any application you give your username and password, that becomes a user; in AWS terms we call that a principal. A principal will be the person who will be approaching out there. OK, in IAM you can have a principal as a user, for example any employee of your organization or any individual like myself; if I create an account I will be the first user. Second will be a role; you can define a role and assign that role and work on top of that. Third, the federated, just like if you have a Google account you can integrate with Google out there; if you have Facebook you can integrate with that; most organizations use Active Directory, which is common for most organizations to work out there. Fourth is applications or Lambda functions, where you can use them to authenticate and work on resources, or the current buzzword, automations out there. Why do you want to access that account? To use AWS resources. So there are multiple resources in AWS which you can use out there: it can be EC2 instances which you can use, it can be S3 buckets, this can be a database, RDS, it can be S3, there can be multiple; all the services and applications provided by AWS you can consume out there. When you are consuming out there, you want to authorize out there. Authorization out there: what you want to do is, what permissions should that specific resource have, how exactly or what privileges you should give and utilize out there. That you do with the help of policies. So when we define policies in AWS there are multiple ways of defining policies, but we will be covering majorly four. One is identity-based policies, which will be the use of the principal which we have created; this principal can be a
user, role, federated, or application; we can define and give the policies out there. Second will be resource-based policies; these are limited, resource-based policies are restricted to certain resources, just like an S3 bucket which is also allowed to be accessed from the internet; you can deploy a static website with the help of an S3 bucket, so in such specific cases we can use S3 resource-based policies. In the case of DynamoDB you can also use resource-based policies out there. Third is permission boundary. In the case of a permission boundary, what you exactly do is, for example, I have been given a role to manage my department; I should not have the privilege to go into another account or other department and start accessing out there. So by default there is a permission boundary: if you are given a permission, you can at maximum give the permission to your department; if you give permission beyond your department, AWS will block it. The fourth is service control policies. Service control policies are more about restricting; we normally call them SCPs. In an SCP, we define this in AWS Organizations, where we define for this specific account, for example, it is dev, so when developers are working on it you want to scope them so that they can only use low-end resources; they should not start consuming high-end resources. There is a probability, you might know or not, one of the developers... so when you are accessing, you can access with username and password, or you can use the access key and secret. One of the developers checked in the ID and the secret on GitHub, which was used by a user to hack and do bitcoin mining, and the bill went very high. So that's one of the reasons you should scope out there. There is another way of managing it: you can have billing where you can have monitoring on top of that to restrict out there; as part of security it doesn't come out there. So as we are managing AWS, one: when we go to the AWS website and log in and work, we call that the AWS Management Console; second, via CLI or
via API, that is called via code, when you are programmatically accessing out there. So when you are accessing from the AWS Management Console it's called an action; when you are using the CLI, using SDKs, we call that operations. Once we create an account, as we saw in Organizations, we can create multiple accounts from one account. If we want to try to access another account, we have to build a trust relationship between them; if the trust is not built out there, you cannot make a connection to that account and work on top of that. If anybody has worked on AD or any authentication out there: from one AD, if you are trying to access another AD you have to build at least a one-way trust; if you build a one-way trust you can have access to the other AD and get the information. Same out here: if you are from one account trying to access another account and want to perform actions on top of that, you have to have a trust relationship out there. So if you see the red dots, that's highlighted out there. So what we have discussed, now come to a real case, OK. When we create an AWS account we will first have principals. A principal will make a request to access certain services. When the request happens, we will go to authorization, which will check what policies this current user has, because the policy will be either an identity-based policy or a resource-based policy; it will also validate whether there is an SCP applicable on that specific resource, do we have to restrict that, is a permission boundary applicable to that specific resource, yes or no. That comes under authorization. The next part is what action you are going to perform, right? Are you just going into that, are you going to create an EC2 instance, are you going to create a custom RDS, do you have the privileges? So when you come to action, when you are requesting that I want to create an EC2 instance, it will check whether you have the policies to perform that action or not. OK, so you are making an
action on specific resources; check whether the authorization is there for the user. Second is, when you are working in Organizations you will have multiple accounts out there; each account will be linked to the other account. Very fast. Here come questions and answers; you can drop in. I think, voila, 15 minutes, I am fast. Yep, questions? OK, no questions, thank you.

OK, so welcome back. Next up is Priyam Sahoo, who is a software developer who works on Ansible. He will tell us about the Language Server Protocol and all the nice things.

Thanks a lot. So yeah, I am Priyam Sahoo and I am a software engineer working in the Ansible DevTools team from Red Hat India. So for the next 10 to 12 minutes I will be talking about what actually a language server is and how it actually works. We will take a look at why we need a language server today and now, and after that I will just show some steps so that we can learn how to build our own language server. Finally I will conclude, and just before concluding I will give you a code walkthrough and a small demo of a small language server. Again, so yeah, what is a language server and how does it work? So a small question: have you ever imagined working on a code editor that does not understand the programming language you are working on? Probably not, because today, as the complexity is increasing, we cannot imagine working in a code editor that does not provide auto-completion for us, maybe linting for us, syntax highlighting, hovering, go to definitions, etc. And all these features that I explained are known as language services for a programming language. Now traditionally what used to happen was someone had to develop an extension for a programming language per code editor to support that particular programming language in that particular editor, and you can imagine how time-consuming it is, and to support different editors one had to repeat the same underlying logic again and again but with a different API; every tool
provides different APIs, and this is where the language server comes into the picture. Back in 2015, Microsoft, along with Red Hat, came up with the idea for the Language Server Protocol. What actually is a language server? A language server is basically a tool that provides all these language features in a decentralized manner. There is this tool, and those are the extensions which can directly communicate with the language server. This is a clear example that shows how this thing works without a language server: basically, if I want to support Python for VS Code, Atom and Vim, I will have to develop all three extensions for these three editors. But now what happens is, with the language server, if I want to support Python I would just need to create one language server, and all these three tools would have tools or libraries that would communicate with the language server, and there you go, you get all the language features.

Now moving ahead, just a small introduction about how this particular thing works. So we have a development tool, that is the IDEs and the extensions, and on the other hand we have the language server. Now when the user opens a document, a didOpen notification is sent to the language server, and when the user starts typing something or starts editing the text document, it sends a notification called didChange. And now let's say we want to provide diagnostics when the user starts writing. So now the server sees that the diagnostic provider has been registered in the didChange lifecycle, so it analyzes, creates the diagnostic reports and sends them back to the extension. The same goes for the go-to definitions, the auto-completions and the hovers. Now things will be much clearer when I show you the code, so I'll just proceed. Yeah, now before moving further I just wanted to clarify some differences. There are three terms: language server, language client and the Language Server Protocol. Basically, what is the language
server? As I explained, this is the tool where you define all the language capabilities and write the logic, basically the logic for the providers. Then the language client: this is the code editor that communicates with the language server and leverages the services. The Language Server Protocol: that's the set of rules that governs the communication between the server and the client, which is basically based on the JSON-RPC request and response mechanism. So yeah, now comes the important question: why do we actually need to learn language servers today? So obviously the very first two points are clear: if you have your own custom programming language or a scripting language, you would definitely want to create a language server for that so that other people can use it with ease. The second is, again, if you are working on a code editor and you want to support some important programming languages, just go build an extension that could communicate with the existing language servers. But for the last two days I was here at FOSSASIA and I have just recently noticed a lot of you have developed projects, and almost all of them require some sort of a configuration file for that project to work, and this is where I find the importance of language servers comes into the picture. For example, you're working on a project and you need a set of configuration files that the user needs to type in so that he or she can actually work on that project. You can actually write language features particularly for that particular config file so that the user will be able to easily adapt to the configuration settings and can work accordingly. And for this part I will be demoing this particular example with the Ansible config files.

Let's quickly go ahead and see how you can build your language server. Basically, first of all, choose an SDK. You don't need to rely on the internal workings, how you send a notification, how you receive a notification; you don't need to know that. Just go pick an SDK,
and there's a huge set of SDKs that are available; you can just go and, based on your programming language, choose one. Next, choose the tool. For example, if I want to develop an extension I would go ahead and use the VS Code tool, and I would start the development of the extension. Next, structure the project. You know, while starting, the language server is very small, but as you grow the code complexity increases, so it's a very good idea to structure the project. And then finally define the language capabilities in the server, and on the client side it's just a matter of initializing the server. This is how I like to structure the project: I have a client, I have a server, and extension.ts is the place where I initiate the language server. And now comes the server part. We have a server.ts file; this is where I actually push in the provider logic at a particular event cycle, and then I have providers like the completion provider and the validation provider; the list can go on: the definition provider, hover providers, etc., and then some utility files, if you have some.

OK, now we move to the code and I can show you some good stuff here. So let me switch to VS Code, and here, so initially I was talking about the event cycle. So this is how the event cycle works: we have something called connection.onCompletion; you just register your logic for the completion provider in this particular piece of code. For me it is doCompletion, and then there is again an event cycle called onCompletionResolve, where I would like to return doCompletionResolve. Particularly, doCompletion and doCompletionResolve are my custom functions that I have created, with the logic that I have written over there. Now there is something known as on did change; let me find that out. Yeah, on did change, and as I said to you, I would like to validate a particular document when something changes in the document, so I just call validateTextDocument in this particular part, and this is
how the code is, and that should work. And just a small demo: so we have an Ansible config file over here, and this is how it looks without the language server. It's very hard to identify if there are some mistakes or not, and if you want to type something we actually don't get feedback, and I don't know what goes inside this particular section. But now we will see this with the language server. Now the language server is activated for this file, and I can already see some results over here. The first squiggly line says that this is an unknown option, so I need to verify that, and I know it's debug, there you go, this is correct. And this says there is an unknown option known as tag; I need to correct it, but I know it is tags, I will do it this way. And now to demo some auto-completion: when I start typing it tells me there is no suggestion, that means I have no other options available here, but inside default, if I come and start typing I get all the available options inside default. And now what's even more interesting is it is context aware: after a gap line, if I ask for auto-completion it knows that this is a section, and there you go, the completion works this way. And now when I am in Jinja, I know there is one option particularly in that particular section; I get the auto-completion here as well. So this is how the auto-completion works, and yeah, probably I will end. But before concluding I would just like to add one more small thing over here. Yeah, so how successful is a language server? Basically I can tell you the success of this because I am the author of the Ansible language server and the VS Code extension, and within the past 1.5 years there have been around 330K-plus downloads in the marketplace and 46,000 downloads in the open VS Code repository. Talking about the language server particularly, there is already an Ansible extension made for the Emacs and Neovim editors using our language server. So this is the power of open source, and I hope in my presentation I was
able to convey the importance, as well as that it could act as a starting guide for someone who would like to develop a language server. So thank you. Any questions?

Very nice session. One question though: how are multiple versions handled? As an example, you know, I have version 1, and say in version 2 there is some feature which is removed. Now again that change will need to be reflected in the language server, even for my usual development. As an example, some syntax was valid for version 1 but is no longer valid for version 2, so how are the versions controlled?

So there is nothing fancy going on over here. For example, if I understand correctly, while using this particular thing I have something called... let me find that out: Ansible config options. Let's say in the new version I don't have this particular option, agnostic_become_prompt. It's just a matter of fact that I would need to remove that particular thing from here, and that's how; you don't need to change anything else. But if you develop the code in such a way that you have one single source of truth for all the facts that the language server can use, you just need to modify that particular file and the rest of the things would be taken care of. I hope this answers your question. Thank you.

Meeting your hero. OK, thank you.

The last talk of the day comes from the Kong solution engineer. There is a question: what is the difference from English? My test... you might have seen me two days ago in the Kubernetes meetups, the same thing, but we are not. Please stay, OK, because after this I will ask you guys a few questions and I will give you some swag; I got approval from the organizers, we will give you something. So just stay and learn something a bit about how the Kubernetes Gateway API and Ingress can help you in your platform delivery. All right, a little bit on myself; I won't spend too much time. Robin, a sales engineer based in Singapore at Kong. Previously, everyone, like you, I started working in software engineering, then you
do everything especially so happy to be here and invited for the talk and the key thing that I want to give everyone is actually how this gateway api can help you in terms of your kubernetes deployment so some agenda I will just give some recap some technical overview some demo if the network don't dies actually it's my phone so I better take it off because the wifi here is not very nice okay and the last talk Q&A quizzes around three questions you can answer my question my colleague sitting there will give you a pin after that you will be meeting with a swag you want to share to the community here alright so we have kubernetes ingress controller so what is it I think there are so many talks for the past few days of you deploy something EK8KS you might have used it or your platform engineer has already provided for you so what is ingress controller in the kubernetes clusters well ingress the best way that I can say is your front door where you need to go to the booth and register so ingress controller is kind of the front door to check in all the incoming requests to your clusters before they consume the service and then do the necessary routing so it's something like a load balance but to leave and term it's just a front door to say okay Robin you should go lecture hall 2.1 you shouldn't go 2.2 that's not your speaking slot okay so that's how it actually works in the kubernetes world not much differences in the world we typically deploy all this ingress controller to to direct all this traffic when they've come into our cluster okay very simple so kong itself we have our kong ingress controller so I think if you deploy you have been using some other ingress controller like nginx and some others so we have our own implementation basically the same thing we add on with some of our kong features like some of the gateway api gateway features that I don't want to talk too much about I want to keep it a bit more on generic open source today so that's where our ingress 
controller works where you come in then do the redirections etc and also enhance with some of our plugins api authentications all of this so this one won't go in much in the detail so why we want to change the ingress we are creating less objects easily creating service why this gateway api was introduced if you went to the cubecon like 1-2 years back why was it introduced as an experimenter right now so in county ingress support all this path matching host matching easy right tls routing loop balancer implementation create a ekr then get a alb up simple but then again we realize that we need a bit more advanced usage of our gateway api advanced use cases that the ingress doesn't support gateway api coming to the picture you can do here header based matching header manipulation traffic splitting example 50-50% new service come out how can you ensure that only 50% of your incoming traffic go to the newer service how can you do that using that kind of routing the ingress actually don't do that so that's why gateway api come to the picture to do that kind of complex a bit more advanced use cases there's some other extension grpctls so what I said you try to read a bit because I'll ask you question later so other routing protocol like grpc and also custom resource definition for other backends proprietary protocol that's a possibility that actually this gateway api want to achieve so quick example I think it's better to illustrate with some no captains some pictures and some work for me we have usually Alice box Cairo very very typical security 101 right so I mean a lot of you are actually doing all these three things you create a you create a cluster all the Kubernetes admin and application developer so I think you the start especially do everything so so just to give you a 3% what's your role in the gateway api implementation okay so gateway api implementation there's a gateway class right so infrastructure provider like Alice for example there actually the one that 
you create the define the gateway class from the from the provider right so for example acme.io it could be all Kubernetes about this AWS implementation application load banser network load banser Azure application gateway gcp etc so f5 etc so this is based on vendor specific okay so I'm the one that actually create this for my cluster admin okay I can be someone like that okay then we move on to gateway this where the platform cluster operator come into place right the CKE Kubernetes administrator and then this where you will define the kind of gateway you want in your cluster so you have external gateway for external LB and then expose to maybe only port 80 or port 443 depending on your needs okay to receive that kind of so when you create this right if you put in maybe a cloud provider like Google cloud or AWS you spin up a load balancer coming and then discerning to port 80 so that means like my traffic can only come into port 80 only can come to that door so that how it works so this give that kind of cluster operator that flexibility to create external LB why is it important sometimes your cluster need to serve internal external traffic or some kind of specific traffic that certain load balancers need to that can address so this give more segregations and responsibility on the kind of setting that you want and then the route is a I think something that resonate with a lot more of you if you are working deaf right like when you create a service your microservice will deploy your CICD you want to create your HelmFar and then create Kubernetes that's where you come to a place right how do you want to expose your services like matching, create a parcel that external people can use so all this is where you come to a place okay it's not very important from how you do the ingress object but you can see that there's HTTP route and just I mentioned another route grp0 blah blah blah so give you a lot more flexibility okay so I think the question is how how it helps 
right I think as I think API it's like the ingress already covered a simple use cases right but I think from what the school of thought is actually give API try with things like data operation when you want to do upgrades and management of the cluster right so how it helps so consistency like the infra provider like like at least they can keep their gateway class of manifest consistent maybe only the vendor they change maybe from AKS to AWS to Azure for all but while there's also allowed them to have a fix of parameter reference here okay so parameter reference can be things like I just go a bit networking your subnet mask your internet IP or that you can define it consistently according to different gateway classes okay so this gives them a bit more control on how they can reuse this kind of gateway classes templates okay then if I'm a I want to upgrade to my new loop answer maybe because the like for example AWS classic loop answer I want to change to network loop answer right because typically just change the gateway the gateway class implementation that I actually fix here already right so I actually fix here then I can just change the gateway class name to there so all my days I see the Pops80 listening Pops80 Pops443 I don't need to change I just need to change the naming of the gateway that I previously updated okay so you can see that that flexibility you can do and then you don't recreate your what Nginx or Kong or what we install the benefits everything you don't have to do that anymore right then the last thing I think is very beneficial for developers especially one do the carburent green appointment very simple thing you have your new service version 2 you want to only lack 10% of your of your internal employees to access right you can just put a weightage for like one okay 10% so every 10% of that in the traffic will go to the new service so they can test and then when it's already right then you slowly toggle to the week to maybe 100 or something to 
the new admin store cannery for the new service so can do that easily using this gateway API okay it's not the pie tree by Kong right this is what actually gateway API can actually achieve when whichever ingress controller implementation or do if they support this okay it's an open standard I just want to emphasize that okay so some concept before I go for demo right I don't talk a lot okay so I think this is this is pretty straightforward a gateway class database I think this I mentioned already so I don't want to we go cheat it okay this one I also mentioned already so yeah just just read the rocks okay in case I ask you question okay okay I'll do a quick demo on this basically I'll install a gateway I'll do a splitting into two service and then that's it okay let me do a quick demo on that I think I don't stand better alright so see my VS code right I got a mouse here it's working okay so see my VS code actually I do I will share this the slide so this is my sample demo report right so let me just show you a quick one so what I did is install gateway okay this is quite standard just install gateway and then the gateway class and then I have two departments two service one HTTP and watch HTTP okay I already installed already and then next I will actually create a HTTP route and what I do is I will do a toggle of 50-50 so you see 50% echo and 50% HTTP okay so I could do a quick demo on that so there's two service here and now I'm applying the route okay the route is applied already now let me try to consume the service okay I'm very lazy so I will copy and paste my command yeah I think developer are all like that oh okay question one I want to ask question already I want to ask question already ah why my request is not found you are sharp enough why my request not found want one to try yes please see he is listening Tegui can you help me yes you are right I didn't put a header okay this is very ingress related okay great job you are listening okay that means 
enough so you see that my header and look I'm expecting person so that I can get ah so you see the first one echo okay another one HTTP see the toggle it's the same route same hose okay so it's I'm not 50-50 so you can see the magic of this using a basic HTTP route toggling it's just this 50-50 so developer easy for you right you don't think of writing logic your code will be direct is all this open standard you can do that easily okay so this is a very quick demo okay so um yeah this is what I just show so I won't say too much and additional works I thought remember this TCP, gRPC, UDP ah so remember and this is how you can actually enable the gateway API using cong okay I'm not sure about other implementation but I'll share to the organizer so I think you can download so all this information are there so basically this gateway API in cong is still in experimental you need to enable the feature gate so you have to enable and to use it and see if you got any feedback and send to the Kubernetes user group not to me which cong is sitting inside as part of the committee to actually do that okay please ready first one ah can I do specific splitting in gateway API yes our our friend from API 6 yes you know it you cannot answer the next question they give chance to other people okay I think your implementation so you can do I think you're still in beta I didn't really see okay so MIM 1 Kubernetes ingress controller implementation that support gateway API which I've been talking for the past 15 to 20 minutes organizer can I mean who where you come from well open up your raise your hand gentlemen give him cong is one of the many ingress controller implementation I think API 6 do that and also engine so this is just a way to support on that okay version is it possible to support GRPC route raise your hand yes correct typically the kubernetes ingress is a HTTP route and also maybe some flavor TCP password but even J1 support more modern protocol routing GRPC etc so that you 
can support your new use cases so and this is a quick promo code for education you can take a picture so if you happen to be using cong you want to upscale please use this promo code to get some 100% off to to to offset your certification up because this is actually you have a pro actor and you do the test like a CKA AWS right so it's the proper certification and then we still have our education that can go up and start for free maybe I sent in a tiger or something education at cong or something that you can self base learning you can do that free of charge also for the 101 courses thank you for your time for staying and how you learn something and thank you for inviting me to talk happy to hear that any questions I'm done asking so any questions for me no questions sorry ask questions also got swag but don't ask me personal questions they want no swag sorry where I come from Singapore yeah that's very yeah any questions on okay how can English control help I mean not just cong right it can be Kubernetes which I know a bit AWS any questions yeah I don't think so so which means address a separate thing so this match is address micro services so imagine and you know everything do a cong up down up down there will be a spaghetti architecture no I don't think so it might address that you have small micro service but if you talk about a lot of micro service I'm more than 100 and you want managed account inter-connected then a gateway is definitely not even gateway API or any API gateway is not the right solution that's my tip you can do that it would be a mall there's a lot of compact sorting you need to actually add hurdle but then again service manage capability to overlap with some of the gateway API like this kind of GRPC it's using Envoy right Ultraman third TLS so it really depends on you but no I don't think so and just to highlight that actually gateway API is not replacing your current way of English API okay no plan to replace that both nothing here you see so 
they say cannot replace they see the god is saying that so no you still use your ingress you won't die okay your HEP ingress you're using well continue to use it okay no need to rush to use gateway API just give you a bit more favor on that alright so whoever got a pin please go to my colleague and redeem a small p-shirt from cong complimentary from cong take one only not everything so just take a t-shirt for photo with pin you will see us again happy to join any main app open source main app or source asian next year or something we can have a lot more talk on that thank you very much guys and girls thank you
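As an added example that is not part of the transcript and not taken from the speaker's demo repository, the three objects the talk walks through are written out below in Gateway API (gateway.networking.k8s.io/v1) form: a GatewayClass owned by the infrastructure provider, a Gateway listening only on port 80 owned by the cluster operator, and a developer-owned HTTPRoute that splits traffic 50-50 between an echo service and an HTTP service and sends header-matched canary requests to a second version. The object names, namespace, hostname, backend service names, the `X-Canary` header and the `controllerName` placeholder are all assumptions; substitute your gateway implementation's documented controller name.

```yaml
# Added example: Gateway API manifests for the talk's traffic-splitting demo.
# Not the speaker's code; names and values below are assumed placeholders.

# Role 1: infrastructure provider defines which controller implements the class.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: demo-class                              # assumed name
spec:
  controllerName: example.com/gateway-controller   # PLACEHOLDER: use your vendor's value
---
# Role 2: cluster operator defines the front door: one listener, port 80 only.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: external-gateway                        # assumed name
  namespace: demo                               # assumed namespace
spec:
  gatewayClassName: demo-class
  listeners:
  - name: http
    protocol: HTTP
    port: 80                                    # the only door traffic may enter
    allowedRoutes:
      namespaces:
        from: Same                              # only routes in this namespace may attach
---
# Role 3: developer defines how the services are exposed and how traffic splits.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: echo-split                              # assumed name
  namespace: demo
spec:
  parentRefs:
  - name: external-gateway                      # attach to the operator's Gateway
  hostnames:
  - demo.example.com                            # assumed; requests must carry this Host
  rules:
  # Canary rule: requests carrying the (assumed) X-Canary header go only to v2.
  # A rule with a header match is more specific, so it wins over the plain path rule.
  - matches:
    - path:
        type: PathPrefix
        value: /
      headers:
      - name: X-Canary
        value: "true"
    backendRefs:
    - name: echo-v2                             # assumed Service name
      port: 80
  # Default rule: the 50-50 toggle shown in the demo.
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: echo                                # assumed Service name
      port: 80
      weight: 50
    - name: httpbin                             # assumed Service name
      port: 80
      weight: 50
```

Apply the three files with `kubectl apply -f`, then request the route with the hostname set, for example `curl -H 'Host: demo.example.com' http://<gateway-address>/`; repeated requests alternate between the two backends, and adding `-H 'X-Canary: true'` pins the request to `echo-v2`. Because `hostnames` is set, a request without a matching Host header gets no route and a 404, which is the likely reason the first request in the demo was "not found" until the header was added. The `allowedRoutes` setting on the listener is where the operator-versus-developer segregation the talk describes is enforced: a team in another namespace cannot attach a route to this Gateway unless the operator widens it, so reviewing that field is the first check when auditing who can put traffic through the front door.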