Continuing our #powerupgrade series, expert practitioners at Powerup and GCP (Google Cloud Platform) organized a session on GKE - showcasing operational and cost efficiencies by completely eliminating the need to install, manage and operate one's own Kubernetes clusters. Do not miss being a part of this interactive learning and best-practice showcase. We also had domain experts and business leaders at the event who have successfully implemented GKE.
5. CNCF Survey (2018): 83% use Kubernetes to manage containers; 73% are deploying containers in production today.
Source: CNCF Survey: Use of Cloud Native Technologies in Production Has Grown Over 200%, August 29, 2018
6. Problem: Deployments and Ops are Hard
“We want to get the best utilization of our infrastructure”
“Keeping our infrastructure perfectly homogenous is giving me nightmares”
“It ran fine on MY machine”
“My developers aren’t as productive as they should be. Deployments are slowing us down”
7. Why Containers
• Self contained
• Portability
• Decoupling from machine
• Image immutability
• Faster development
• Faster deployment
(Diagram: one virtual machine, a Linux distribution on hardware, running two containers side by side: the payments application with ImageMagick 6.4.90 and the rendering application with ImageMagick 7.0.28)
8. But they introduce a new set of challenges
“Where should I run my containers?”
“If we run our containers on VMs, I don’t want to manage anything”
“How do I get my containers to talk to one another?”
“How do we ensure our containers are running smoothly?”
“We don’t want to be locked into one cloud provider”
9. Why Kubernetes
▪ Decoupling from infra
▪ Autoscaling
▪ Auto healing
▪ Automated rollout and rollbacks
▪ Abstractions that are cloud native and microservices friendly
▪ Extensible
▪ Open-source
▪ Integrates well with other DevOps tools
10. How do customers use GKE?
• From Cloud Natives to Retail to Financial.
• From running fewer nodes per cluster to thousands of nodes per cluster.
• From a single dev team running a large scale app to hundreds of dev teams sharing clusters.
• From running stateless web apps to stateful workloads like Redis, MySQL, and Kafka to ML workloads.
With 3+ years on the market GKE brings expertise and differentiation to all those scenarios.
11. GKE
• Master management including master redundancy, upgrade, replication and backup
• Worker node lifecycle management
• IAM integration for security and authentication
• Get all benefits of Google Compute Engine including Networking and Storage
• Integration with other Google Cloud services like load balancer, storage, big data, analytics
• Pod and cluster autoscale
• Integrated logging and monitoring with Stackdriver
• 99.5% SLA
14. Container Security pillars
Software supply chain: Is my container image secure to build and deploy?
Infrastructure security: Is my infrastructure secure for developing containers?
Container runtime security: Is my container secure to run?
Application security: Are my applications secure?
Platform security: Is my (cloud provider’s) infrastructure secure?
● IAM, RBAC, Pod access policy
● Shared VPC
● Private cluster
● Network control policy
● Image scanning
● Binary authorization
● Container OS
● Node OS (COS)
● Cloud Security Command Center
● Tie-up: Aquasec, Capsule8, Stackrox, Sysdig, Twistlock
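The "network control policy" pillar above, as an added example that is not part of the deck: a default-deny NetworkPolicy for a namespace plus one policy that admits only the rendering app (slide 7) to the payments app and lets payments reach kube-dns. It assumes a GKE cluster created with --enable-network-policy and that both apps run in a constructed "payments" namespace; the namespace and labels are assumptions.

```yaml
# Constructed for a GKE cluster created with --enable-network-policy; the
# "payments" namespace and app labels are assumptions, not from the deck.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments
spec:
  podSelector: {}                  # empty selector: every pod in the namespace
  policyTypes: [Ingress, Egress]   # deny both directions unless a policy allows
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: payments-allow
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: payments
  policyTypes: [Ingress, Egress]
  ingress:
  - from:                          # only the rendering app may call payments ...
    - podSelector:
        matchLabels:
          app: rendering
    ports:                         # ... and only on its service port
    - protocol: TCP
      port: 8080
  egress:
  - to:                            # default-deny egress also blocks DNS, so allow
    - namespaceSelector: {}        # kube-dns (whatever namespace it lives in)
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```

Policies are additive, so any other pod in the namespace keeps the default-deny posture until a policy names it; forgetting the DNS egress rule is the usual reason a default-deny rollout breaks name resolution.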
17. GKE: Minimal OS
Container-Optimized OS (COS), based on Chromium OS and maintained by Google
● Built from source: Since COS is based on Chromium OS, Google maintains all components and is able to rebuild from source if a new vulnerability is discovered and needs to be patched
● Smaller attack surface: Container-Optimized OS is purpose-built to run containers and has a smaller footprint, reducing your instance's potential attack surface
● Locked-down by default: the firewall restricts all TCP/UDP except SSH on port 22, and loading kernel modules is prevented. The root file system is mounted read-only
● Automatic updates: COS instances automatically download weekly updates in the background; only a reboot is necessary to use the latest updates. Google provides patches and maintenance
https://cloud.google.com/container-optimized-os/
18. GCR: Vulnerability Scanning (Beta)
▪ Scans all images in your private Google Container Registry for known Common Vulnerabilities and Exposures (CVEs)
▪ Examines images and packages
▪ Works for: Debian, Ubuntu and Alpine images
▪ Images are scanned when:
  ▪ An image is added to the registry
  ▪ There is an update to the vulnerability database
https://cloud.google.com/container-registry/docs/vulnerability-scanning
21. Stackdriver: Rethinking monitoring with Kubernetes
Microservices: Kubernetes makes it easy to break monolithic applications into independently scalable microservices. This means more pieces to monitor and operate.
Abstracted Infrastructure: Kubernetes offers a lot of flexibility, with many constructs that support and make building your app easier. Increased observability across your entire Kubernetes environment becomes necessary.
Highly Dynamic Environment: your environment scales and adapts as needed, changing as it reschedules and restarts components. You must keep track of your applications, which may be constantly moving.
22. Hybrid, multi-cluster Kubernetes monitoring
Multi-cluster monitoring with support for Kubernetes Engine on GCP and Kubernetes on-prem in a single place.
23. Kubernetes Load Balancing - Suboptimal
• Two levels of load balancing
• Inaccurate cloud-level health checks
• Multiple network hops
24. GKE Load balancing with Network Endpoint Group
Containers are “just another endpoint”
Accurate cloud-level health checks and load balancing
No extra network hops; direct connection from load balancer to container
25. Multi-region clusters
(Diagram: one kind: Ingress resource fronted by Google Global HTTP(S) Load Balancing serves myapp.com at the single address 120.1.1.1. Alice in California, Chao in Singapore and Bob in London each connect to the nearest Google Edge and are routed to the Kubernetes Engine cluster in US West, Asia East or Europe West respectively.)
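The NEG-backed load balancing of slide 24 and the kind: Ingress of slide 25 as concrete manifests; this is an added example, not the deck's or Google's own code. It assumes a VPC-native GKE cluster, a constructed app called myapp with a placeholder image, and current API versions (the deck predates networking.k8s.io/v1). It shows a single cluster; spreading the same Ingress across the regional clusters in the diagram uses GKE's multi-cluster Ingress (listed on slide 34), which is not shown.

```yaml
# Constructed example; names and the image reference are placeholders, not from the deck.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: web
        image: gcr.io/PROJECT_ID/myapp:TAG   # placeholder image
        readinessProbe:            # with NEGs the LB health-checks each pod directly,
          httpGet:                 # so this probe decides whether traffic is sent to it
            path: /healthz
            port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  annotations:
    # Container-native LB: backends are pod IPs in a Network Endpoint Group
    # rather than NodePorts, so there is no second hop through the node
    cloud.google.com/neg: '{"ingress": true}'
spec:
  selector:
    app: myapp
  ports:
  - port: 80
    targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp
  annotations:
    kubernetes.io/ingress.class: "gce"   # Google global external HTTP(S) LB
spec:
  defaultBackend:                        # myapp.com's DNS then points at the LB's IP
    service:
      name: myapp
      port:
        number: 80
```

Without the NEG annotation the same Ingress is programmed against NodePorts, which is the two-level, extra-hop setup slide 23 describes.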
27. Containers at Google
Each week, Google launches more than four billion containers across its data centers around the world. These containers house the full range of applications Google runs, including user-facing applications such as Search, Gmail, and YouTube.
Kubernetes was directly inspired by Google’s cluster manager, internally known as Borg. Borg allows Google to direct hundreds of thousands of software tasks across vast clusters of machines numbering in the tens of thousands — supporting seven businesses with over one billion users each. Borg and Kubernetes are the culmination of Google’s experience deploying resilient applications at scale.
30. Cloud transition is about hybrid modernization
(Chart: responses for modernize/containerize these workloads on-prem, lift and shift, leave as is, and don't know; values shown 59%, 39%, 32% and 6%.)
Source: Container Adoption Landscape Study; Dec 2018
31. Introducing the Cloud Services Platform
• Cloud Services Platform lets you build and manage modern hybrid applications across environments. CSP allows you to build once, to run anywhere, across on-premises and cloud environments. With CSP, we bring the cloud to you.
33. Do more with CSP
Modernize in-place: Modernize your applications no matter where they are. Consistent management of your applications across multiple clouds and on-premises. Faster time to market, lower administrative overhead, and increased innovation capabilities.
Automate policy and security at scale: Proactive service operations - manage at a higher layer of the stack, enabling greater application awareness, consistency, and control. Take a service-centric view of your infrastructure.
Run anywhere: CSP gives you one platform that you can run anywhere. It’s built on open source technology created and managed by Google; so it’s portable, consistent, and extensible to help you future-proof your investments.
34. CSP: A TRUE Hybrid Platform
(Diagram: a CSP hosted control plane on GCP with cluster management, policy management, services management and the Kubernetes Marketplace, plus additional services: Binary Authorization, basic API management, Stackdriver, multi-cluster Ingress, Identity Aware Proxy and Cloud Identity. It provides a consistent UX across GKE, GKE On-Prem and GKE on other clouds, each running CSM / Istio with a Policy Agent.)
35. Powerupcloud is an ISO 27001 and ISO 9001 certified company
Demo: https://github.com/Maheshbr91/product