
Implementing a Container-Based Database Platform

  • 30 key business applications supported in production
  • Server resource utilization improved by 60%

Executive Summary

CITIC Securities, a leading Chinese investment bank, has successfully implemented a comprehensive database containerization platform using KubeBlocks. This initiative covers 30 mission-critical business systems and has achieved a 60% improvement in server resource utilization while maintaining stringent security requirements.

I. Business Context and Requirements

As a premier comprehensive securities firm in China, CITIC Securities operates diverse business units requiring varied database architectures. The company maintains a heterogeneous database ecosystem including:

  • Distributed databases
  • Centralized relational databases
  • Analytics databases
  • NoSQL databases (key-value, document, time-series, and graph)

The organization deployed KubeBlocks, a containerized database management platform, to achieve hardware-database decoupling through Kubernetes orchestration. This solution leverages highly standardized container images and intelligent resource allocation based on database characteristics, security requirements, and Service Level Objectives (SLOs).

Key Challenge: Implementing hybrid deployments that simultaneously satisfy diverse security levels and SLO requirements while maximizing resource efficiency.

II. Technical Architecture and Solution

Platform Foundation

CITIC Securities built a unified database management platform on Kubernetes infrastructure, utilizing domestic hardware including Hygon and Kunpeng processors. The platform provides:

  • Unified Lifecycle Management: Streamlined deployment, scaling, and maintenance
  • Automated Operations: Reduced manual intervention and human error
  • Multi-cluster Management: Centralized control across environments
  • Intelligent Scheduling: Resource-aware workload placement
  • Resource Isolation: Secure multi-tenancy capabilities

Advanced Scheduling System

The platform implements a sophisticated multi-dimensional resource evaluation and constraint management system:

Resource Management Strategy:

  • Real-time node resource monitoring and allocation tracking
  • Multi-constraint scheduling policies:
    • Memory: No over-allocation
    • CPU: Controlled over-allocation permitted
    • IOPS: Reserved capacity management

Multi-Objective Optimization: The system employs algorithms that balance multiple criteria when selecting optimal nodes for database placement.
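
The filter-then-score placement described above can be sketched as follows. This is an added example, not KubeBlocks or CITIC Securities code; the CPU overcommit ratio, the IOPS reserve fraction, the scoring rule and all node and workload values are assumptions chosen for illustration.

```python
from dataclasses import dataclass

CPU_OVERCOMMIT = 1.5  # assumed ratio; the case study gives no figure
IOPS_RESERVE = 0.2    # assumed fraction of node IOPS kept in reserve

@dataclass
class Node:
    name: str
    cpu: float            # physical cores
    mem_gib: float
    iops: int
    cpu_req: float = 0.0  # requests already placed on the node
    mem_req: float = 0.0
    iops_req: int = 0

@dataclass
class Workload:
    name: str
    cpu: float
    mem_gib: float
    iops: int

def limits(node):
    """Schedulable capacity per dimension under the three policies."""
    return {
        "memory": node.mem_gib,                  # no over-allocation
        "cpu": node.cpu * CPU_OVERCOMMIT,        # controlled over-allocation
        "iops": node.iops * (1 - IOPS_RESERVE),  # reserve held back
    }

def utilisation(node, w):
    """Post-placement demand divided by the limit, per dimension."""
    demand = {"memory": node.mem_req + w.mem_gib,
              "cpu": node.cpu_req + w.cpu,
              "iops": node.iops_req + w.iops}
    return {k: demand[k] / cap for k, cap in limits(node).items()}

def violations(node, w):
    """Names of the hard constraints this placement would break."""
    return sorted(k for k, u in utilisation(node, w).items() if u > 1.0)

def place(nodes, w):
    """Filter on hard constraints, then pick the lowest peak utilisation."""
    ok = [n for n in nodes if not violations(n, w)]
    if not ok:
        return None
    return min(ok, key=lambda n: (max(utilisation(n, w).values()), n.name)).name

# Constructed sample data (16 cores, 64 GiB, 10000 IOPS per node).
NODES = [Node("node-a", 16, 64, 10000, cpu_req=8, mem_req=60, iops_req=2000),
         Node("node-b", 16, 64, 10000, cpu_req=8, mem_req=32, iops_req=7500),
         Node("node-c", 16, 64, 10000, cpu_req=18, mem_req=16, iops_req=1000),
         Node("node-d", 16, 64, 10000, cpu_req=4, mem_req=16, iops_req=1000)]
W = Workload("orders-db", cpu=4, mem_gib=8, iops=1000)
```

On the sample data, node-c remains a valid target even though its CPU requests would exceed its 16 physical cores, while node-a and node-b are rejected on memory and IOPS respectively.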

Workload Classification: Database instances are categorized by:

  • Business criticality
  • SLA requirements
  • Access patterns
  • Resource consumption profiles

Density-Based Resource Management

The platform supports node density classification with differentiated overselling ratios, achieving optimal balance between resource utilization and workload isolation. The system continuously monitors performance metrics and dynamically adjusts density levels and overselling strategies.

Intelligent Workload Profiling and Placement

Advanced profiling capabilities identify workload characteristics:

  • Load Types: CPU-intensive, I/O-intensive, memory-intensive
  • Peak Patterns: Temporal resource demand analysis
  • Complementary Scheduling: Co-locating workloads with different resource profiles

Time-Aware Scheduling for Financial Markets

Recognizing the cyclical nature of securities trading, the platform implements temporal scheduling strategies:

  • Trading Hours: Maximum resource priority for trading systems
  • Settlement Periods: Dedicated resources for clearing operations
  • Off-Hours: Resource reallocation to analytics, reporting, and administrative tasks

The system employs both manual configuration and automated analysis to identify peak periods, minimizing resource contention through strategic workload distribution.

Security-First Container Strategy

Addressing financial industry security requirements, CITIC Securities implemented an innovative dual-container runtime approach:

runC Containers:

  • Lightweight runtime with native performance
  • Shared kernel architecture
  • Suitable for trusted, internally developed applications
  • High resource efficiency and broad compatibility

runD Containers (Secure Containers):

  • Enhanced isolation through lightweight virtualization
  • Independent kernel per container
  • Designed for untrusted or higher-risk workloads
  • Ideal for open-source databases and third-party applications

Hybrid Deployment Strategy:

  • Trusted Workloads: Core business databases use runC for optimal performance
  • Untrusted Workloads: External and open-source databases use runD for enhanced security
  • Mixed SLO Support: Different service levels coexist on the same infrastructure
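
A hybrid deployment of this kind only holds if every pod's runtime matches its trust level, so the mapping is worth checking at admission or in CI. The following is an added example, not code from KubeBlocks or CITIC Securities; the label key `example.com/trust` and the RuntimeClass names `runc` and `rund` are assumptions, and the pods are constructed samples. `runtimeClassName` is the standard Kubernetes PodSpec field.

```python
TRUST_LABEL = "example.com/trust"  # assumed label key, not from the case study
SANDBOXED = {"rund"}               # assumed RuntimeClass name for the secure runtime
SHARED_KERNEL = {"runc"}           # assumed RuntimeClass name for the runC handler


def check_pod(pod):
    """Return (allowed, findings) for one Pod manifest given as a dict."""
    labels = pod.get("metadata", {}).get("labels") or {}
    runtime = pod.get("spec", {}).get("runtimeClassName")
    trust = labels.get(TRUST_LABEL)
    findings = []

    # Fail closed: anything not explicitly labelled trusted is handled as untrusted.
    if trust != "trusted":
        if trust != "untrusted":
            findings.append("trust label missing or unrecognised; treated as untrusted")
        trust = "untrusted"

    if runtime is None:
        # With runtimeClassName unset, the pod runs on the node's default handler.
        findings.append("runtimeClassName unset; default runtime applies")
    elif runtime not in SANDBOXED | SHARED_KERNEL:
        findings.append(f"runtimeClassName {runtime!r} is not an approved class")

    if trust == "untrusted":
        allowed = runtime in SANDBOXED
        if not allowed:
            findings.append("untrusted workload must use a sandboxed runtime")
    else:
        # Trusted workloads may use either approved class, but must name one.
        allowed = runtime in SANDBOXED | SHARED_KERNEL
    return allowed, findings


def make_pod(name, trust=None, runtime=None):
    """Build a minimal constructed Pod manifest for the sample run."""
    pod = {"metadata": {"name": name, "labels": {}}, "spec": {}}
    if trust:
        pod["metadata"]["labels"][TRUST_LABEL] = trust
    if runtime:
        pod["spec"]["runtimeClassName"] = runtime
    return pod


# Constructed sample pods: two compliant, one mis-assigned, one unlabelled.
SAMPLE_PODS = [make_pod("core-ledger", "trusted", "runc"),
               make_pod("oss-redis", "untrusted", "rund"),
               make_pod("oss-mongo", "untrusted", "runc"),
               make_pod("vendor-db")]
```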

III. Implementation Results and Benefits

After six months of production deployment, the KubeBlocks platform has demonstrated significant improvements in compatibility with domestic databases and overall platform maturity. The KubeBlocks engineering team provided exceptional support for advanced features including peak-shifting scheduling, elastic resource prioritization, and hybrid trusted/untrusted container deployments.

Production Scale

The platform currently supports over 30 critical business systems across multiple departments:

  • Wealth Management Committee
  • Finance and Planning Department
  • Asset Management Department
  • Research Department
  • Fixed Income Department

Quantified Benefits

1. Enhanced Security Posture

  • Zero security incidents related to container interference since deployment
  • Robust isolation between trusted and untrusted workloads
  • Compliance with financial industry security standards

2. Significant Resource Optimization

  • 60%+ improvement in server resource utilization
  • Substantial reduction in hardware acquisition costs
  • Improved infrastructure ROI

3. Operational Excellence

  • Accelerated database deployment and maintenance cycles
  • Enhanced IT operational efficiency through automation
  • Reduced manual intervention and associated risks

Strategic Impact

This advanced containerization solution positions CITIC Securities for:

  • Competitive Advantage: Enhanced agility in rapidly evolving financial markets
  • Digital Transformation: Solid foundation for innovative business development
  • Risk Management: Improved operational resilience and faster incident response
  • Customer Experience: Enhanced service quality through improved system performance
  • Sustainability: Alignment with ESG initiatives through improved resource efficiency and support for green finance objectives

The implementation demonstrates how modern container orchestration can address the unique challenges of financial services while delivering measurable business value through improved efficiency, security, and operational excellence.
