Born of the Cloud, the Phantom Menace - Thoughts on Cloud-Native Application Delivery and Operations

2020 was a year full of uncertainty, but also a year full of opportunity. The sudden COVID-19 pandemic hit the accelerator on digital transformation across society. Cloud computing is no longer just a technology; it has become the critical infrastructure underpinning the digital economy and business innovation. As enterprises use cloud computing to reshape their IT, cloud-native technology, which is born in the cloud, grows up in the cloud and maximizes the value of the cloud, has won acceptance from more and more enterprises and become an important means of cutting IT costs and raising efficiency.

However, the cloud-native transformation is not only technical, at the level of infrastructure and application architecture; it is also driving change in enterprise IT organization, process and culture.

In the CNCF 2020 annual survey, 83% of organizations were already running Kubernetes in production, yet the top three challenges they faced were complexity, cultural change and security.

![Image](https://static001.geekbang.org/infoq/39/395c4588768b1214cb29100dd9550123.png)

To accelerate business innovation and meet internet-scale challenges, cloud-native application architectures and development practices emerged. Compared with a traditional monolithic architecture, a distributed microservices architecture offers faster iteration, lower development complexity, and better scalability and elasticity. But just as in the Star Wars universe, the Force has both a light side and a dark side. **The complexity of deploying, operating and managing microservice applications increases greatly, so DevOps culture and the automation tooling and platform capabilities behind it become critical.**

![Image](https://static001.geekbang.org/infoq/aa/aaa74bf1e2a485f9dbe404a058c81889.png)

DevOps theory had been developing for years before container technology appeared. But if the "development" and "operations" teams cannot communicate in the same language and collaborate with the same technology, the organizational and cultural barriers can never be broken down. Docker container technology standardized the software delivery process: build once, deploy anywhere. Combined with the programmable infrastructure of cloud computing and the declarative API of Kubernetes, pipelines can automate continuous integration and continuous delivery of both applications and infrastructure, which greatly accelerated the convergence of the development and operations roles.

**Cloud native also restructures a team's business value and function.** Some responsibilities of the traditional operations team, such as application configuration and release, move to the development team, which lowers the labor cost of each release, while operations focuses more on system stability and IT governance. Site Reliability Engineering (SRE), advocated by Google, uses software and automation to tackle the operational complexity and stability of systems. In addition, security and cost optimization have become focal points of operations in the cloud.

**Security is one of the core concerns of enterprises moving to the cloud.** The agility and dynamism of cloud native bring new challenges to enterprise security. Because cloud security follows a shared responsibility model, an enterprise must understand where the boundary of responsibility lies between itself and the cloud provider, and must also think about how to codify security best practices through tooling and automated processes. Furthermore, traditional security architecture protects the perimeter with firewalls, while any user or service inside it is fully trusted. With the sudden COVID-19 outbreak in 2020, large numbers of enterprises needed employees and customers to work and collaborate remotely, and enterprise applications needed to be deployed and to interact across IDCs and the cloud. With the physical security perimeter gone, cloud security is undergoing a profound transformation.

The pandemic also made enterprises pay closer attention to IT cost optimization. An important advantage of cloud native is that it makes full use of the cloud's elasticity to provide the computing resources a business needs on demand, avoiding waste and optimizing cost. But unlike traditional cost budgeting and approval processes, the dynamism and high-density application deployment of cloud native make IT cost management more complex.

To that end, cloud-native ideas and technologies keep evolving to help users continuously reduce potential risk and system complexity. Below we introduce some new trends in cloud-native application delivery and operations.

![Image](https://static001.geekbang.org/infoq/89/89fbf22989438aaeaa400127c796f962.png)

## Kubernetes has become the universal, unified cloud control plane

The word Kubernetes comes from Greek, where it means helmsman or pilot, and it is the root of the English word "cybernetic". Kubernetes became the de facto standard for container orchestration not only thanks to Google's halo and the efforts of the CNCF (Cloud Native Computing Foundation). Behind it lies Google's accumulated experience and systematic thinking from Borg in large-scale distributed resource scheduling and automated operations. **Studying the Kubernetes architecture carefully helps in thinking about some fundamental problems of scheduling and management in distributed systems.**

The core of the Kubernetes architecture is the controller loop, a typical "negative feedback" control system. When a controller observes a discrepancy between the desired state and the current state, it keeps adjusting resources so that the current state converges on the desired state. Examples are scaling out or in when the replica count of an application changes, and automatically migrating applications after a node goes down.

![Image](https://static001.geekbang.org/infoq/e6/e62957d573ea553e1c5ff69b6322020f.png)

The success of K8s rests on three important architectural choices:

- **Declarative API:** On Kubernetes, developers only define the target state of abstract resources, and controllers work out how to reach it. Examples are the abstractions for different workload types such as Deployment, StatefulSet and Job. This lets developers focus on the application itself rather than on how the system executes. The declarative API is a key cloud-native design idea: it pushes overall operational complexity down into the infrastructure, which implements and continuously optimizes it. Moreover, given the inherent stability challenges of distributed systems, a declarative, end-state-oriented "level-triggered" implementation yields a more robust distributed system than an imperative-API, event-driven "edge-triggered" one.
- **Hiding the underlying implementation:** Through a series of abstractions such as LoadBalancer Service, Ingress, CNI and CSI, K8s lets business applications consume infrastructure through business semantics without caring about differences in the underlying implementation.
- **Extensible architecture:** All K8s components are implemented on, and interact through, a consistent, open API. Third-party developers can also provide domain-specific extensions through CRD (Custom Resource Definition) / Operator and similar mechanisms, which greatly broadens the scenarios K8s can serve.

![Image](https://static001.geekbang.org/infoq/e3/e33a83e663a0a57c0e5895b480f16c22.png)

For this reason, the range of resources and infrastructure managed by Kubernetes already goes far beyond container applications. Here are a few examples:

1. **Infrastructure management:** Unlike the open-source Terraform or the Infrastructure as Code (IaC) tools provided by cloud vendors themselves, such as Alibaba Cloud ROS and AWS CloudFormation, Crossplane (https://crossplane.io/) and AWS Controllers for Kubernetes extend infrastructure management and abstraction on top of Kubernetes. This makes it possible to manage and change K8s applications and cloud infrastructure in one consistent way.
2. **Virtual machine management:** With KubeVirt, K8s can schedule and manage virtual machines and containers in a unified way, using virtualization to make up for some limitations of container technology. In CI/CD scenarios, for example, Windows virtual machines can be used for automated testing.
3. **IoT device management:** Edge container technologies such as KubeEdge and OpenYurt provide management of massive numbers of edge devices.
4. **K8s cluster management:** Node pool management, cluster management and so on in Alibaba Cloud Container Service ACK are automated and operated entirely the Kubernetes way. ACK Infra supports tens of thousands of Kubernetes clusters deployed around the world, with automated scaling, fault detection and self-healing built on K8s.

### Upgrading workload automation

The ideal behind K8s controllers, "keep the complexity for yourself and hand simplicity to others", is appealing, but implementing an efficient, robust controller is full of technical challenges.

- Because of the limitations of the built-in K8s workloads, some requirements of enterprise application migration cannot be met, and extending through the Operator framework has become a common solution. But reinventing the wheel for recurring requirements wastes resources, and it also fragments the technology and reduces portability.
- As more and more enterprise IT architectures move from "on Kubernetes" to "in Kubernetes", the large number of CRDs and custom controllers poses many challenges to the stability and performance of Kubernetes. **End-state-oriented automation is a double-edged sword: it gives applications declarative deployment, but it can also amplify a mistaken operation by driving it to its end state. When an operational fault occurs, mechanisms such as replica-count maintenance, version consistency and cascading deletion may well enlarge the blast radius.**

**OpenKruise is a cloud-native application automation engine open-sourced by Alibaba Cloud, and is currently a Sandbox project hosted by the Cloud Native Computing Foundation (CNCF).** It comes from Alibaba's years of experience with containerization and cloud native. It is a standard extension component on top of Kubernetes that is used at large scale in Alibaba's internal production environment, and a set of technical ideas and best practices that stay close to upstream community standards and suit internet-scale scenarios. It is opened to and co-built with the community as the open-source project OpenKruise. **On the one hand it helps enterprise customers avoid detours in their cloud-native exploration, reduce technical fragmentation and improve stability; on the other hand it pushes the upstream community to gradually improve and enrich the application lifecycle automation capabilities of Kubernetes.**

For more information, see: [OpenKruise 2021 roadmap revealed: More than workloads](http://mp.weixin.qq.com/s?__biz=MzUzNzYxNjAzMg==&mid=2247499530&idx=1&sn=39d9661993b94e43aff0e0af7967ed4a&chksm=fae6f4c5cd917dd353f9464b73df0d9fecc0ed854a630621d46591fcc3f36fe8e4a9bdba30e5&scene=21#wechat_redirect)

### A new collaboration interface between development and operations emerges

Cloud-native technology has also changed the organizational structure of enterprise IT. To respond better to the need for business agility, the microservices architecture gave rise to "two-pizza teams". Smaller, independent, self-contained development teams reach consensus more easily and speed up business innovation. The SRE team became a horizontal support team, supporting development efficiency and system stability for the teams above it. As Kubernetes developed, SRE teams became able to build their own enterprise application platform on K8s, advance standardization and automation, and let application development teams manage resources and application lifecycles through self-service. We see the way organizations work changing further, and a new platform engineering team beginning to emerge.

![Image](https://static001.geekbang.org/infoq/19/19bc4de95da3ae01acf9f4d26ba00618.png)

Reference: https://blog.getambassador.io/the-rise-of-cloud-native-engineering-organizations-1a244581bda5

This fits the positioning of K8s itself very well. Kubernetes is positioned as infrastructure for application operations and as a Platform for Platform, not as an all-in-one application platform for developers. More and more enterprises will have a platform engineering team build their own PaaS platform on Kubernetes to improve development and operations efficiency.

Classic PaaS implementations such as Cloud Foundry establish their own independent conceptual model, technical implementation and extension mechanism. This approach can offer a simplified user experience, but it also introduces some drawbacks. It cannot be combined with the fast-moving Kubernetes ecosystem, and it cannot fully combine multiple new technical implementations, such as the Serverless programming model or support for new computing workloads like AI and data analytics. PaaS platforms built on K8s, however, lack a unified architectural design and implementation plan, so many fragmented technical implementations appear, which does not favor sustainable development.

**The Open Application Model (OAM), together with its Kubernetes implementation, the KubeVela project, is the standard model and framework project for cloud-native application delivery and management that Alibaba Cloud launched jointly with Microsoft and the cloud-native community.** The design idea of OAM is to provide a unified, end-user-oriented application definition model for any cloud infrastructure, including Kubernetes; KubeVela is the PaaS reference implementation of this unified model on Kubernetes.

![Image](https://static001.geekbang.org/infoq/85/851e4b0eb3c87d0f5b4758b370548581.png)

KubeVela/OAM provides service abstraction and service composition for Kubernetes. It can abstract and describe workloads and operational traits with different implementations in a unified way, and it provides a plugin-style registration and discovery mechanism for dynamic composition. Platform engineering teams can extend new functionality in a consistent way while keeping good interoperability with new application frameworks on Kubernetes. For application development and operations teams, it achieves Separation of Concerns: application definition, operational capabilities and infrastructure implementation are decoupled, making application delivery more efficient, reliable and automated.

The industry is also exploring different directions in cloud-native application model definition. For example, AWS's newly released Proton is a service for cloud-native application delivery. Proton can reduce the complexity of deploying and operating containers and Serverless, and it can be combined with GitOps to improve the automation and manageability of the whole application delivery process.

Knative, supported by Alibaba Cloud Serverless K8s, supports both Serverless containers and functions for building event-driven applications, so developers can use one programming model and efficiently choose among different underlying Serverless compute options for optimized execution.

## Ubiquitous security risk is driving a change in security architecture

### DevSecOps becomes a key factor

![Image](https://static001.geekbang.org/infoq/2c/2ce4be841ac98291af23e8e0ac0b8b04.png)

Agile development combined with programmable cloud infrastructure greatly improves the delivery efficiency of enterprise applications. However, if security risk control is neglected along the way, the losses can be huge. Gartner asserts that by 2025, 99% of security breaches of cloud infrastructure will be caused by users' misconfiguration and mismanagement.

In the traditional software development process, security staff only step in for a security review after the system has been designed and developed and before it is released. This process cannot meet the demand for rapid business iteration. "Shifting left on security" has started to receive more attention: application designers and developers collaborate with the security team as early as possible and embed security practices seamlessly. Shifting security left not only reduces security risk but also reduces the cost of fixes. **IBM researchers found that resolving security problems at design time saves about 6 times the cost compared with doing so during code development, and about 15 times compared with doing so during testing.**

The DevOps collaboration process has accordingly expanded into DevSecOps. First, it is a change of mindset and culture: security becomes everyone's responsibility rather than the responsibility of a dedicated security team. Second, security problems are addressed as early as possible, with security shifted left into the software design phase to lower the overall cost of security governance. Finally, risk prevention, continuous monitoring and timely response are achieved through an automated toolchain rather than through manual governance.

The technical prerequisite for putting DevSecOps into practice is a verifiable, reproducible build and deployment process, which ensures that the security of the architecture can be continuously verified and improved across environments such as testing, staging and production. We can combine immutable infrastructure from cloud-native technology with declarative policy management (Policy as Code) to put DevSecOps into practice. The figure below shows a minimal DevSecOps pipeline for a container application.

![Image](https://static001.geekbang.org/infoq/51/51698112fcef4a6a59374a73d45414a6.png)

After code is committed, Alibaba Cloud Container Registry (ACR) can proactively scan the application and sign the image. When the Container Service K8s cluster starts deploying the application, a security policy can verify the image signature and reject application images that fail verification. Likewise, if we change infrastructure through Infrastructure as Code, a scanning engine can run a risk scan before the change is made, and if a security risk is found, the change can be aborted and an alert raised.

In addition, once an application is deployed to production, any change must go through the automated process above. This minimizes the security risk caused by human misconfiguration. Gartner predicts that by 2025, 60% of enterprises will have adopted DevSecOps and immutable infrastructure practices, reducing security incidents by 70% compared with 2020.

### Service mesh accelerates the adoption of zero-trust security architecture

Distributed microservice applications are not only more complex to deploy and manage; their attack surface is also larger. In the traditional three-tier architecture, security protection focuses on north-south traffic, whereas in a microservices architecture protecting east-west traffic is the bigger challenge. Under traditional perimeter protection, if one application is compromised because of a security flaw, there is no security control to stop the internal threat from moving laterally.

![Image](https://static001.geekbang.org/infoq/c5/c5e8aa51870a60c49ce1ed2559280551.png)

https://www.nist.gov/blogs/taking-measure/zero-trust-cybersecurity-never-trust-always-verify

"Zero trust" was first proposed by Forrester around 2010. Put simply, zero trust assumes that every threat can happen and trusts no person, device or application inside or outside the network. The trust basis of access control has to be rebuilt on authentication and authorization, which moves the security architecture from "network-centric" to "identity-centric". Traditional network perimeter protection is no longer trusted and is replaced by micro-perimeter protection.

Google is vigorously promoting cloud-native security and zero-trust architecture, for example with the BeyondProd methodology (https://cloud.google.com/security/beyondprod?hl=zh-cn). Alibaba and Ant Group have also begun to introduce zero-trust architecture ideas and practices as they move to the cloud. The key points are:

1. Unified identity system: every service component in the microservices architecture gets its own independent identity.
2. Unified authorization model for access: calls between services must be authorized based on identity.
3. Unified access control policy: access control for all services is centrally managed and uniformly controlled in a standardized way.

Security architecture is a cross-cutting concern that runs through the whole IT architecture and touches every component. If it is coupled to a specific microservice framework implementation, any adjustment to the security architecture may require every application service to be recompiled and redeployed, and in addition the implementers of a microservice can bypass the security system. A service mesh, by contrast, can provide a loosely coupled, distributed zero-trust security architecture that is independent of the application implementation.

The figure below shows the security architecture of the Istio service mesh:

![Image](https://static001.geekbang.org/infoq/ef/ef8fc2edc211afa4539c7fa4a3f1c7ef.png)

In this architecture:

1. Identities can be provided by an existing identity service, and SPIFFE-format identities are also supported. Identities can be carried in X.509 certificates or in JWT format.
2. Security policies such as authentication, authorization and service naming are managed uniformly through the service mesh control plane API.
3. Envoy sidecars or edge proxies act as policy enforcement points (PEP) that enforce the security policies, providing access control for both east-west and north-south service access. The sidecar also gives every microservice an application-level firewall, and network micro-segmentation minimizes the attack surface.

A service mesh decouples the network security architecture from the application implementation, so that each can evolve and be managed independently, which strengthens security and compliance assurance. In addition, its telemetry on service calls makes it possible to go further and apply data-driven, intelligent methods to risk analysis and automated defense for inter-service traffic. Cloud-native zero-trust security is still at an early stage, and we look forward to more security capabilities sinking into the infrastructure in the future.

## A new generation of software delivery begins to emerge

### From Infrastructure as Code to Everything as Code

Infrastructure as Code (IaC) is a typical declarative API. It has changed how enterprise IT architecture in the cloud is managed, configured and collaborated on. With IaC tools, cloud resources such as servers, networks and databases can be created, configured and assembled in a fully automated way.

The IaC concept can be extended to cover the whole delivery and operations process of cloud-native software, that is, Everything as Code. The figure below covers the various models in an application environment: from infrastructure, to application model definition, to the global delivery method and security system, application configuration can be created, managed and changed declaratively.

![Image](https://static001.geekbang.org/infoq/00/00b26053b00ae78158d36d7d583e8993.jpeg)

In this way we can provide flexible, robust, automated full-lifecycle management for distributed cloud-native applications:

- All configuration can be version-controlled, traced and audited.
- All configuration is maintainable, testable, understandable and open to collaboration.
- All configuration can be statically analyzed, which keeps changes predictable.
- All configuration can be reproduced in different environments, and every difference between environments must be declared explicitly, which improves consistency.

### Declarative CI/CD practices are gaining attention

**Going a step further, we can manage all environment configuration of an application in a source control system and deliver and change it through an automated, end-state-oriented process. This is the core idea of GitOps.**

GitOps was first proposed by Alexis Richardson of Weaveworks, with the goal of providing a set of best practices for deploying, managing and monitoring applications in a unified way. In GitOps, all environment information, from application definition to infrastructure configuration, is treated as source code and versioned in Git; every release, approval and change is recorded in the Git history. Git thus becomes the source of truth, and we can trace historical changes efficiently and roll back to a given version easily. Combined with the declarative API and immutable infrastructure promoted by Kubernetes, GitOps guarantees that the same configuration is reproducible and avoids the unpredictable stability risk caused by configuration drift in production.

Together with the automated DevSecOps process described above, we can provide consistent testing and staging environments before a business goes live, catch stability risks in the system earlier and faster, and validate canary and rollback measures more thoroughly.

![Image](https://static001.geekbang.org/infoq/cc/cc217b2e7c1514418b8e202611d98375.png)

**GitOps improves delivery efficiency, improves the developer experience, and also improves the stability of distributed application delivery.**

Over the past two years GitOps has been widely used at both Alibaba Group and Ant, and has become the standardized way of delivering cloud-native applications. GitOps is still at an early stage, and the open-source community is still improving the related tools and best practices. In 2020, Weaveworks' Flagger project was merged into Flux, so developers can use GitOps to implement progressive delivery strategies such as canary releases, blue-green releases and A/B testing, which controls the blast radius of a release and improves release stability. At the end of 2020, the CNCF application delivery group officially announced the formation of the GitOps Working Group, and we expect the community to further advance standardization and adoption in this area.

![Image](https://static001.geekbang.org/infoq/17/17a908f45f5ef8b3d66bd116043eb28b.png)

### Operations evolves from standardized and automated to data-driven and intelligent

As microservice applications grow in scale, the complexity of locating problems and optimizing performance grows explosively. Enterprises already have many tools for IT service management, such as log analysis, performance monitoring and configuration management. But the different management systems are separate data silos that cannot provide the end-to-end visibility needed to diagnose complex problems. Many existing tools monitor and alert with rule-based methods. In increasingly complex and dynamic cloud-native environments, rule-based methods are too brittle, costly to maintain and hard to scale.

AIOps uses technologies such as big data analytics and machine learning to automate IT operations processes. By processing large volumes of log and performance data and analyzing system environment configuration, AIOps gains visibility into the internal and external dependencies of IT systems, strengthens foresight and insight into problems, and enables autonomous operations.

Thanks to the development of the cloud-native ecosystem, AIOps and technologies such as Kubernetes will reinforce each other and further improve enterprise IT solutions for cost optimization, fault detection and cluster optimization. Several factors help here:

- **Standardization of observability:** With the development of cloud-native community projects such as Prometheus, OpenTelemetry and OpenMetrics, application observability is becoming more standardized and converged across logging, monitoring and tracing, which makes the data sets for multi-metric and root-cause analysis richer. The non-intrusive telemetry of a service mesh can obtain richer business metrics without modifying existing applications. This improves the accuracy and coverage of the AI side of AIOps.
- **Standardization of application delivery management:** The declarative API of Kubernetes and end-state-oriented application delivery provide a more consistent management and operations experience. The non-intrusive traffic management of a service mesh lets us manage applications and automate their operations transparently.

**By combining Alibaba Group's DevOps platform "Yunxiao" with the release and change system of the container platform, "unattended release" of applications can be achieved.** During a release, the system continuously collects metrics of all kinds, including system data, log data and business data, and uses algorithms to compare metric changes before and after the release. As soon as a problem is found, the release can be blocked or even rolled back automatically. With this technology, any development team can carry out releases safely without worrying about a major incident caused by a production change.

## Cloud-native cost optimization is gaining attention

As enterprises move more core business from data centers to the cloud, more and more of them urgently need to budget, account for and optimize the cost of their cloud environments. Moving from a fixed financial cost model to a variable, pay-as-you-go cloud financial model is an important change in both mindset and technology. Yet most enterprises do not have a clear understanding of cloud financial management or the technical means for it. In the FinOps 2020 survey report (https://data.finops.org/), nearly half of the respondents (49%) had little or no automation for managing cloud spend. To help organizations better understand cloud cost and IT benefit, the FinOps concept has started to become popular.

FinOps is an approach to cloud financial management and a change in the enterprise IT operating model, with the goal of improving an organization's understanding of cloud cost and helping it make better decisions. In August 2020, the Linux Foundation announced the formation of the FinOps Foundation (https://www.finops.org/) to advance the discipline of cloud financial management through best practices, education and standards. Cloud vendors are now gradually increasing their support for FinOps, helping enterprise financial processes adapt better to the variability and dynamism of cloud resources. For example, AWS Cost Explorer and the Alibaba Cloud expense center can help enterprises with cost analysis and allocation. See: https://developer.aliyun.com/article/772964.

More and more enterprises manage and use infrastructure resources in the cloud through a Kubernetes platform, using containers to increase deployment density and application elasticity and thereby reduce overall compute cost. But the dynamism of Kubernetes introduces new complexity for resource metering and cost allocation.

Because multiple containers can be deployed dynamically on the same virtual machine instance and scaled elastically on demand, underlying cloud resources cannot simply be mapped one-to-one to container applications. In November 2020, the CNCF and the FinOps Foundation published a new white paper on cloud financial management for Kubernetes, "FinOps for Kubernetes: Unpacking container cost allocation and optimization", to help everyone better understand the related financial management practices.

**Alibaba Cloud Container Service also builds many cost management and optimization best practices into the product.** Many customers care a great deal about how to optimize cost with Kubernetes and resource elasticity. We usually advise enterprises to understand their own workload types, divide the K8s cluster into different node pools, and find the balance among cost, stability, performance and other dimensions.

![Image](https://static001.geekbang.org/infoq/54/54be7cbb117898933b64094672900550.png)

- **Day-to-day business:** For predictable, relatively constant load, subscription (yearly or monthly) bare metal or large virtual machines can be used to raise resource utilization and lower cost.
- **Planned short-term or periodic business:** For short-term peaks such as the Double 11 promotion or New Year's Eve events, or periodic load changes such as month-end settlement, virtual machines or elastic container instances can be used to handle the peak.
- **Unexpected bursts:** Examples are breaking news or ad hoc computing tasks. Elastic container instances can easily scale out by more than a thousand instances per minute.

For more on Kubernetes planning, see: [N soul-searching questions about Kubernetes planning](http://mp.weixin.qq.com/s?__biz=MzUzNzYxNjAzMg==&mid=2247489636&idx=1&sn=908c4b80399831cbd0178a31456c18fa&chksm=fae513abcd929abd3299651bc0d4f5ebc27d59038cab2c6ec282a00f6ee5ae9d2f03a2e56164&scene=21#wechat_redirect).

## Summary

Over the past decade, several major technology trends, namely infrastructure moving to the cloud, the upgrade of internet application architecture, and agile development processes, have converged and combined with innovations such as containers, Serverless and service mesh to give birth to and advance the cloud-native concept. Cloud native is redefining computing infrastructure, application architecture and organizational processes, and is the historical inevitability of the development of cloud computing. **Thanks to everyone travelling together in the cloud-native era; let us explore and define the future of cloud native together.**

This article is reposted from: Alibaba Middleware (ID: Aliware_2018)

Original link: [Born of the Cloud, the Phantom Menace - Thoughts on Cloud-Native Application Delivery and Operations](https://mp.weixin.qq.com/s/vlCCsbA2DpWO9dYrhKBZ5w)
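The deploy-time check from the DevSecOps pipeline (the cluster verifies image signatures and rejects images that fail), sketched as an added Go example; it is not code from the article, ACR or ACK. It assumes a hypothetical scheme in which the pipeline signs the image digest string with Ed25519, and the keys, registry names and images are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// SignatureStore maps an image digest to the signature the build pipeline
// published for it. Hypothetical layout, used only by this example.
type SignatureStore map[string][]byte

// Decision mirrors the allow/deny answer an admission controller returns.
type Decision struct {
	Allowed bool
	Reason  string
}

// digestOf returns the "sha256:<hex>" part of a digest-pinned reference.
// Tag-only references are refused: a tag can be re-pointed after signing,
// so a signature cannot be bound to it.
func digestOf(image string) (string, error) {
	i := strings.LastIndex(image, "@sha256:")
	if i < 0 {
		return "", fmt.Errorf("%s: not pinned by digest", image)
	}
	hexPart := image[i+len("@sha256:"):]
	if raw, err := hex.DecodeString(hexPart); err != nil || len(raw) != sha256.Size {
		return "", fmt.Errorf("%s: malformed sha256 digest", image)
	}
	return "sha256:" + hexPart, nil
}

// Admit allows a workload only if every image is digest-pinned and its
// digest carries a signature that verifies under one of the trusted keys.
func Admit(images []string, trusted []ed25519.PublicKey, sigs SignatureStore) Decision {
	if len(images) == 0 {
		return Decision{false, "request contains no images"}
	}
	for _, img := range images {
		digest, err := digestOf(img)
		if err != nil {
			return Decision{false, err.Error()}
		}
		sig, found := sigs[digest]
		if !found {
			return Decision{false, img + ": no signature published"}
		}
		verified := false
		for _, pub := range trusted {
			// The signed message is the digest itself, so a signature
			// copied from another image cannot verify here.
			if ed25519.Verify(pub, []byte(digest), sig) {
				verified = true
				break
			}
		}
		if !verified {
			return Decision{false, img + ": signature not made by a trusted key"}
		}
	}
	return Decision{true, "all images verified"}
}

// constructedKey derives a deterministic demo key from a label. Real
// signing keys come from a KMS or HSM, never from a fixed string.
func constructedKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// constructedImage builds a digest-pinned reference for made-up content.
func constructedImage(repo, content string) string {
	sum := sha256.Sum256([]byte(content))
	return repo + "@sha256:" + hex.EncodeToString(sum[:])
}

// BuildSample returns constructed data: the pipeline's public key, the
// published signatures, and three images (signed by the pipeline, never
// signed, signed by an untrusted key).
func BuildSample() (trusted []ed25519.PublicKey, sigs SignatureStore, signed, unsigned, rogue string) {
	pipeline := constructedKey("constructed pipeline key")
	other := constructedKey("constructed untrusted key")
	trusted = []ed25519.PublicKey{pipeline.Public().(ed25519.PublicKey)}
	signed = constructedImage("registry.example/shop/web", "web build 1")
	unsigned = constructedImage("registry.example/shop/worker", "worker build 1")
	rogue = constructedImage("registry.example/shop/tool", "tool build 1")
	sigs = SignatureStore{}
	d, _ := digestOf(signed)
	sigs[d] = ed25519.Sign(pipeline, []byte(d))
	d, _ = digestOf(rogue)
	sigs[d] = ed25519.Sign(other, []byte(d))
	return
}

func main() {
	trusted, sigs, signed, unsigned, rogue := BuildSample()
	for _, img := range []string{signed, unsigned, rogue, "registry.example/shop/web:latest"} {
		fmt.Println(Admit([]string{img}, trusted, sigs))
	}
}
```

The check fails closed: a pod with one verified and one unverified image is rejected as a whole, and a mutable tag is rejected even when the image behind it was signed.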
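The identity-based authorization described in the service mesh section (a per-service identity carried in an X.509 certificate, calls authorized by identity, one central policy), as an added Go example that is not code from the article or from Istio. The trust domain `mesh.example`, the service names, the policy and all certificates are constructed; the `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>` layout follows the convention Istio uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Policy maps a destination service to the SPIFFE IDs allowed to call it.
type Policy map[string]map[string]bool

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mint issues a constructed certificate: a self-signed CA when parent is
// nil, otherwise a workload certificate with spiffeID in its URI SAN.
func mint(spiffeID string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if parent == nil {
		tmpl.Subject = pkix.Name{CommonName: "constructed mesh CA"}
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		id, err := url.Parse(spiffeID)
		must(err)
		tmpl.URIs = []*url.URL{id}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// Authorize is the per-request decision of a policy enforcement point:
// verify the peer certificate against the trust bundle, read the SPIFFE ID
// from the URI SAN, look it up. Network location plays no part; deny by default.
func Authorize(p Policy, dest string, peer *x509.Certificate, roots *x509.CertPool, trustDomain string) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if len(peer.URIs) != 1 {
		return fmt.Errorf("expected exactly one URI SAN, got %d", len(peer.URIs))
	}
	id := peer.URIs[0]
	if id.Scheme != "spiffe" || id.Host != trustDomain || len(id.Path) < 2 {
		return fmt.Errorf("%s is not a SPIFFE ID in trust domain %s", id, trustDomain)
	}
	if !p[dest][id.String()] {
		return fmt.Errorf("%s may not call %s", id, dest)
	}
	return nil
}

// RunScenario evaluates five constructed requests: nil means allowed.
func RunScenario() map[string]error {
	const td, ns = "mesh.example", "spiffe://mesh.example/ns/shop/sa/"
	ca, caKey := mint("", nil, nil)
	otherCA, otherKey := mint("", nil, nil) // a CA outside the trust bundle
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	frontend, _ := mint(ns+"frontend", ca, caKey)
	orders, _ := mint(ns+"orders", ca, caKey)
	forged, _ := mint(ns+"orders", otherCA, otherKey)
	foreign, _ := mint("spiffe://other.example/ns/shop/sa/orders", ca, caKey)
	policy := Policy{
		"orders":   {ns + "frontend": true},
		"payments": {ns + "orders": true},
	}
	return map[string]error{
		"frontend->orders":         Authorize(policy, "orders", frontend, roots, td),
		"orders->payments":         Authorize(policy, "payments", orders, roots, td),
		"frontend->payments":       Authorize(policy, "payments", frontend, roots, td),
		"forged-orders->payments":  Authorize(policy, "payments", forged, roots, td),
		"foreign-orders->payments": Authorize(policy, "payments", foreign, roots, td),
	}
}

func main() { fmt.Println(RunScenario()) }
```

The `frontend->payments` case is the lateral-movement control: a valid identity inside the mesh is still denied unless the policy lists it for that destination.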