Google Adds Kubernetes Support to Confidential Computing

TL;DR: You can now run Kubernetes on Confidential VMs from Google.


Today (08.09.2020, translator's note), at its Cloud Next OnAir event, Google announced the expansion of its product line with a new service.

Confidential GKE Nodes add a further layer of confidentiality to workloads running on Kubernetes. In July, the first product in the line, Confidential VMs, was introduced, and today these virtual machines are already generally available to everyone.

Confidential Computing is a new approach in which data is kept encrypted while it is being processed. It is the last link in the data-encryption chain, since cloud service providers already encrypt data at rest and in transit. Until recently, data had to be decrypted for processing, and many experts regarded this as an obvious gap in data encryption.

Google's Confidential Computing initiative is based on its collaboration with the Confidential Computing Consortium, an industry group promoting the concept of Trusted Execution Environments (TEEs). A TEE is a protected area of a processor in which the loaded data and code are encrypted, meaning that other parts of the same processor cannot access this information.

Google's Confidential VMs run on N2D virtual machines backed by second-generation AMD EPYC processors and use Secure Encrypted Virtualization technology to isolate the virtual machines from the hypervisor they run on. Data is guaranteed to remain encrypted regardless of how it is used: workloads, analytics, or requests to train artificial-intelligence models. These virtual machines are designed to meet the needs of any company that works with sensitive data in regulated sectors such as the banking industry.

Perhaps the most compelling part is the announcement of upcoming beta testing of Confidential GKE Nodes, which Google says will arrive in the upcoming 1.18 release of Google Kubernetes Engine (GKE). GKE is a managed, production-ready environment for deploying containers that hold the components of modern applications and can run across multiple computing environments. Kubernetes is the open-source orchestration tool used to manage these containers.

The addition of Confidential GKE Nodes provides more confidentiality when running GKE clusters. In adding a new product to the Confidential Computing line, we wanted to deliver a new level of confidentiality and portability for containerized workloads. Built on the same technology as Confidential VMs, Google's Confidential GKE Nodes let you encrypt data in memory with a per-node unique encryption key that is generated and managed by the AMD EPYC processor. These nodes will use hardware-based memory encryption built on AMD's SEV feature, meaning your workloads running on those nodes will be encrypted while in use.

Sunil Potti and Eyal Manor, Cloud Engineers, Google

With Confidential GKE Nodes, customers can configure GKE clusters to run node pools on Confidential VMs. Simply put, any workload running in such an environment will be encrypted while its data is being processed.

Many enterprises need even more confidentiality when using public cloud services than for workloads running on premises in order to protect themselves from attackers. Google Cloud is extending its Confidential Computing line to raise that bar by giving users the ability to provide confidentiality for GKE clusters. And given the popularity of Kubernetes, this is an important step forward for the industry, giving companies more options for securely hosting next-generation applications in the public cloud.

Holger Mueller, Analyst at Constellation Research.

NB: On September 28-30, our company is launching a new program, Kubernetes Base, for those who are not yet familiar with Kubernetes but want to learn it and start working with it. After that event, on October 14-16, we are launching an updated Kubernetes Mega for experienced Kubernetes users who need to know all the latest working solutions for current Kubernetes versions and the possible "pitfalls". In Kubernetes Mega we will examine, in theory and in practice, the intricacies of installing and configuring a production-ready cluster ("the-not-so-easy-way") and the mechanisms for ensuring application security and fault tolerance.

Among other things, Google said its Confidential VMs are gaining new features as they become generally available from today. For example, audit reports have appeared that contain detailed logs of the integrity checks of the AMD Secure Processor firmware used to generate the keys for each Confidential VM instance.

There are also additional controls for setting specific access permissions, and Google has added the ability to disable any non-confidential virtual machine in a given project. Google also combines Confidential VMs with other privacy mechanisms for security purposes.

You can use a combination of shared VPCs with firewall rules and organization policy constraints to ensure that Confidential VMs can only communicate with other Confidential VMs, even when they run in different projects. In addition, you can use VPC Service Controls to set the GCP resource perimeter for your Confidential VMs.

Sunil Potti and Eyal Manor
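As an added example (not code from the article or from Google), here is a small audit script a defender could run over the JSON that `gcloud compute instances list --format=json` emits to find VMs in a project that do not meet the Confidential VM requirements described above; the Compute API field names are assumed, and the instance list is constructed.

```python
"""Flag Compute Engine instances that are not proper Confidential VMs.

Added example, not from the article or Google. Input is the JSON from
`gcloud compute instances list --format=json`; the field names used are
assumed from the Compute API. A compliant instance is an N2D machine
(2nd-gen AMD EPYC with SEV) with confidential compute enabled and, since
SEV guests cannot be live-migrated, on-host maintenance set to TERMINATE.
"""
import json

# Constructed sample output (placeholder zone); ml-train-2 is a deliberate misconfiguration.
SAMPLE_INSTANCES_JSON = """[
 {"name": "payments-db-1", "scheduling": {"onHostMaintenance": "TERMINATE"},
  "machineType": "zones/us-central1-a/machineTypes/n2d-standard-4",
  "confidentialInstanceConfig": {"enableConfidentialCompute": true}},
 {"name": "batch-worker-7", "scheduling": {"onHostMaintenance": "MIGRATE"},
  "machineType": "zones/us-central1-a/machineTypes/n2-standard-4"},
 {"name": "ml-train-2", "scheduling": {"onHostMaintenance": "MIGRATE"},
  "machineType": "zones/us-central1-a/machineTypes/n2d-standard-8",
  "confidentialInstanceConfig": {"enableConfidentialCompute": true}}
]"""


def is_confidential(instance):
    """True when confidential compute (SEV memory encryption) is enabled."""
    cfg = instance.get("confidentialInstanceConfig") or {}
    return bool(cfg.get("enableConfidentialCompute"))


def audit_instances(instances_json):
    """Return (instance name, finding) pairs for every failed check."""
    findings = []
    for inst in json.loads(instances_json):
        name = inst["name"]
        # machineType is a resource path; its family is the first token of
        # the last segment, e.g. ".../n2d-standard-4" -> "n2d".
        family = inst["machineType"].rsplit("/", 1)[-1].split("-")[0]
        if not is_confidential(inst):
            findings.append((name, "confidential compute not enabled"))
        if family != "n2d":
            findings.append((name, f"machine family {family} has no AMD SEV"))
        maint = inst.get("scheduling", {}).get("onHostMaintenance")
        if is_confidential(inst) and maint != "TERMINATE":
            findings.append((name, "confidential VM must TERMINATE on maintenance"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_instances(SAMPLE_INSTANCES_JSON):
        print(f"{name}: {finding}")
```

The same checks apply to the Confidential VMs backing a GKE node pool, since those nodes are ordinary N2D instances in the project.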

Source: www.habr.com
