Cloud Native on Google Cloud

Transcript

1. Confidential & Proprietary Cloud Native on Google Cloud Containers, Kubernetes,

   Istio, Knative Mete Atamel Developer Advocate at Google @meteatamel speakerdeck.com/meteatamel/cloud-native-on-google-cloud github.com/meteatamel/istio-on-gke-tutorial github.com/meteatamel/knative-tutorial

2. Containers

3. Confidential & Proprietary Virtual machine OS Dependencies Application Code Hardware

   Bare-metal server OS Dependencies Application Code Hardware Container OS Dependencies Application Code Hardware

4. Confidential & Proprietary Virtual machine Container ImageMagick 6.4.90 Container ImageMagick

   7.0.28 Payments application Rendering application OS Hardware Virtual machine ImageMagick 6.4.90 Payments application Rendering application Hardware OS

5. 5 Docker: Tooling for containers FROM debian:latest RUN apt-get update

   RUN apt-get install -y nginx CMD [“nginx”,”-g”,”daemon off;”] EXPOSE 80 Docker is a container runtime and image format Dockerfile defines the dependencies, environment and the code to run Container is a consistent invocation of a Dockerfile

6. #GoogleCloudSummit Benefits of containers Versioning Ease of sharing Reusability Introspection

   Faster deployments Portability Immutable infrastructure Isolation

7. Confidential & Proprietary Containers are not enough Service Discovery Redundancy

   Scheduling Scaling up & down Rolling out & back Resiliency Config & Secrets Health Checks

8. Kubernetes

9. Confidential & Proprietary Kubernetes Κυβερνήτης means “governor” in Greek •

   Manages container clusters • Inspired and informed by Google’s internal container system called Borg • Supports multiple cloud and bare-metal environments • 100% Open source Manage applications, not machines

10. Confidential & Proprietary The 10000 foot view kubelet UI kubelet

    CLI API users master nodes etcd kubelet scheduler controllers apiserver

11. Confidential & Proprietary Microservices in Kubernetes world Service Pods Each

    pod containers one or more containers Nodes Role: frontend Role: frontend Role: frontend Role: frontend Deployment Replicas: 3 Env: prod microservice labels Service communication channel Blueprint “pod template” Env: prod Env: prod Env: prod registry containers

12. 12 Compute Engine Full control: VMs for Linux and Windows

    Server App Engine Deploy your code and we scale it for you Cloud Functions A serverless platform for event-based microservices Google Kubernetes Engine (GKE) Kubernetes-as-a-service

13. 13 $ gcloud container clusters create cluster-1 Creating cluster cluster-1...done.

    Created [https://container.googleapis.com/v1/projects/sandbox/zones/europe-west1-c/clusters/cluster-1]. kubeconfig entry generated for cluster-1. NAME ZONE MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS cluster-1 europe-west1-c 1.4.6 104.199.87.107 n1-standard-1 1.4.6 3 RUNNING $ gcloud container clusters get-credentials cluster-1 Fetching cluster endpoint and auth data. kubeconfig entry generated for cluster-1. $ kubectl get nodes NAME STATUS AGE gke-cluster-1-default-pool-6c50430d-chjm Ready 2m gke-cluster-1-default-pool-6c50430d-esqq Ready 2m gke-cluster-1-default-pool-6c50430d-zfm9 Ready 2m $ kubectl get pods $ $ gcloud container clusters resize cluster-1 --size 5 Pool [default-pool] for [cluster-1] will be resized to 5. Resizing cluster-1...done. Updated [https://container.googleapis.com/v1/projects/sandbox/zones/europe-west1-c/clusters/cluster-1].

14. Confidential & Proprietary Kubernetes Terminology Deployment Pod Volume Label Selector

    ReplicaSet Liveness Probe Readiness Probe Service DaemonSet Job StatefulSet ConfigMap Secret

15. Confidential & Proprietary Benefits of Kubernetes Utilization Scaling Rolling upgrades

    Availability and failover No vendor lock-in

16. Confidential & Proprietary Kubernetes is not enough either Dependency Visualisation

    Tracing Metrics Logging Circuit Breaking Service Identity & Auth Fault Injection Traffic Flow & Policies Failover

17. Istio: Service Mesh

18. Ιστιο means “sail” in Greek An open framework for connecting,

    securing, managing and monitoring services

19. Service architecture Auth Frontend Pictures Payments Users Cloud SQL External

    Payment Processor

20. Service architecture with Istio Proxy Auth Proxy Frontend Users Cloud

    SQL Pictures Proxy Payments Proxy External Payment Processor External Payment Processor

21. Traffic transparently proxied — unaware of proxies Pilot Mixer Discovery

    & config data to proxies TLS certs to proxies Policy checks, telemetry Proxy Frontend Proxy Payments Istio-Auth How Istio works Istio Control Plane

22. Confidential & Proprietary

23. 23 $ gcloud beta container clusters create istio-demo \ --addons=Istio

    --istio-config=auth=MTLS_STRICT \ --cluster-version=latest \ --machine-type=n1-standard-2 \ --num-nodes=4 Creating cluster istio-demo in europe-west4-a Created[https://container.googleapis.com/v1beta1/projects/istio-project2517/zones/europe-west4-a/clus ters/istio-demo] NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS istio-demo europe-west4-a 1.12.5-gke.5 35.204.5.121 n1-standard-2 1.12.5-gke.5 4 RUNNING $ kubectl create clusterrolebinding cluster-admin-binding \ --clusterrole=cluster-admin \ --user=$(gcloud config get-value core/account) clusterrolebinding "cluster-admin-binding" created

24. #GoogleCloudSummit In the past 10% canaries Load Balancing Traffic control

    tied to infrastructure Canary Default Default Default Default Default Default Default Default Default

25. #GoogleCloudSummit With Istio Traffic flow separated from infrastructure Canary Default

    10% canaries Istio Load Balancing 90% of traffic 10% of traffic

26. #GoogleCloudSummit pictures App rollout destination: pictures.example.local match: source: frontend.example.local route:

    - tags: version: v1.5 env: prod weight: 90 - tags: version: v2.0-alpha env: staging weight: 10 version: 2.0-alpha env: staging version: 1.5 env: prod 90% 10% Proxy Frontend Pictures Proxy Pictures Proxy

27. #GoogleCloudSummit Traffic steering destination: pictures.example.local match: httpHeaders: user-agent: regex: ^(.*?;)?(iPhone)(;.*)?$

    precedence: 2 route: - tags: version: 2.0-alpha env: staging pictures version: 2.0-alpha env: staging version: 1.5 env: prod Proxy Frontend Pictures Proxy Pictures Proxy

28. Communication without Istio Frontend Payments

29. Automatic security with Istio Istio Auth Istio Control Plane Proxy

    Frontend Proxy Payments

30. #GoogleCloudSummit Prometheus

31. #GoogleCloudSummit Grafana

32. #GoogleCloudSummit Zipkin

33. #GoogleCloudSummit ServiceGraph

34. Benefits of Istio Traffic control Observability Fault-injection Security Hybrid cloud

35. Knative

36. Confidential & Proprietary What is Knative? Kubernetes based open source

    building blocks for serverless

37. Confidential & Proprietary Ideal Serverless No servers Idiomatic Event-driven Portable

38. Confidential & Proprietary Developers want serverless ... just want to

    run their code. ... want to use their favorite languages and dependencies. ... don't want to manage the infrastructure. Operators want Kubernetes Kubernetes is great orchestrating microservices They love using GKE and not having to do operations for Kubernetes. Kubernetes is not the right abstraction for their developers.

39. Confidential & Proprietary Knative Project - github.com/knative Set of components

    for serverless Solves for modern development patterns Implements learnings from Google, partners

40. Knative stack Serving Eventing Kubernetes Platform Products Components Google Cloud

    Run Google Cloud Run on GKE Istio Gateway *No eventing * *

41. Confidential & Proprietary Knative Stack Build Serving Kubernetes Platform Products

    Primitives Events ... Serverless Containers on GCF GKE Serverless Add-on SAP Kyma Pivotal Function Service IBM Cloud Functions Red Hat Cloud Functions Pivotal riff OpenFaaS T-mobile Jazz Istio Service Mesh # Get a Kubernetes Cluster $ gcloud beta container clusters create $CLUSTER_NAME \ --addons=HorizontalPodAutoscaling,HttpLoadBalancing,Istio \ --machine-type=n1-standard-4 \ --cluster-version=latest --zone=$CLUSTER_ZONE \ --enable-stackdriver-kubernetes --enable-ip-alias \ --enable-autoscaling --min-nodes=1 --max-nodes=10 \ --enable-autorepair \ --scopes cloud-platform Creating cluster hello-knative...done. NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS Hello-knative europe-west1-b 1.13.6-gke.5 35.190.182.251 n1-standard-1 1.13.6-gke.5 4 RUNNING # Create Cluster Role Binding $ kubectl create clusterrolebinding cluster-admin-binding \ --clusterrole=cluster-admin \ --user=$(gcloud config get-value core/account) clusterrolebinding "cluster-admin-binding" created

42. Confidential & Proprietary Knative Stack Build Serving Kubernetes Platform Products

    Primitives Events ... Serverless Containers on GCF GKE Serverless Add-on SAP Kyma Pivotal Function Service IBM Cloud Functions Red Hat Cloud Functions Pivotal riff OpenFaaS T-mobile Jazz Istio Service Mesh # Install Knative $ kubectl apply -f https://github.com/knative/serving/releases/download/v0.9.0/serving.yaml \ -f https://github.com/knative/eventing/releases/download/v0.9.0/release.yaml \ -f https://github.com/knative/serving/releases/download/v0.9.0/monitoring.yaml

43. Confidential & Proprietary Knative Serving What is it? Rapid deployment

    of serverless containers Automatic (0-n) scaling Configuration and revision management Traffic splitting between revisions Pluggable Connect to your own logging and monitoring platform, or use the built-in system Auto-scaler can be tuned or swapped out for custom code

44. Confidential & Proprietary Knative Serving Primitives Knative Service High level

    abstraction for the application Configuration Current/desired state of an application Code & configuration separated (a la 12-factor) Revision Point in time snapshots for your code and configuration Route Maps traffic to revisions

45. Cloud Run Fully managed, deploy your workloads and don’t see

    the cluster. Cloud Run on Anthos Deploy into your GKE cluster, run serverless side-by-side with your existing workloads. Knative Everywhere Use the same APIs and tooling anywhere you run Kubernetes with Knative. Serverless on Google Cloud

46. Confidential & Proprietary Knative Eventing What is it? For loosely

    coupled, event-driven services with on/off cluster event sources Bind declaratively event sources, triggers and services Scales from just few events to live streams Uses standard CloudEvents Event type Flow Event source Event type Event type Event consumer(s)

47. Confidential & Proprietary Knative Event Sources Name Description Apache Camel

    Allows to use Apache Camel components for pushing events into Knative Apache Kafka Brings Apache Kafka messages into Knative AWS SQS Brings AWS Simple Queue Service messages into Knative Cron Job Uses an in-memory timer to produce events on the specified Cron schedule. GCP PubSub Brings GCP PubSub messages into Knative GitHub Brings GitHub organization/repository events into Knative GitLab Brings GitLab repository events into Knative. Google Cloud Scheduler Google Cloud Scheduler events in Knative when jobs are triggered Google Cloud Storage Brings Google Cloud Storage bucket/object events into Knative Kubernetes Brings Kubernetes cluster/infrastructure events into Knative https://github.com/knative/docs/tree/master/docs/eventing/sources

48. Confidential & Proprietary Knative Eventing Namespace subscribe Trigger Service (Callable)

    Broker Trigger Service (Callable) subscribe filter= filter= ✓ ✓ ✓ Source Events Source Events ingress ingress publish

49. Confidential & Proprietary Knative Events { "specversion": "0.2", "type": "com.github.pull.create",

    "source": "https://github.com/cloudevents/spec/pull/123", "id": "A234-1234-1234", "time": "2019-04-08T17:31:00Z", "datacontenttype": "application/json", "data": "{ GitHub Payload... }" } FTP GitHub GCS Broker FTP Receive Adapter GitHub Receive Adapter GCS Receive Adapter CloudEvent

50. Confidential & Proprietary Integrate Cloud Storage to Vision API Cloud

    Storage Bucket Cloud Storage -> Cloud PubSub -> Knative Eventing -> Knative Servicing -> Vision API Cloud PubSub Topic Knative Eventing Channel Knative Serving GKE Cloud Vision API Labels 1 2 3 4 5 6

51. Confidential & Proprietary Knative Build (Pre 0.8) Tekton Pipelines (Post

    0.8)

52. Confidential & Proprietary Tekton Pipelines What is it? Kubernetes style

    resources for declaring CI/CD-style pipelines Go from source code to container images on repositories Build pipelines can have multiple steps and can push to different registries Builds run in containers in the cluster. No need for Docker locally Primitives Task: Represents the work to be executed with 1 or more steps TaskRun: Runs the Task with supplied parameters Pipeline: A list of Tasks to execute in order ServiceAccount: For authentication with DockerHub etc.

53. Confidential & Proprietary Thank you! @meteatamel github.com/meteatamel/istio-on-gke-tutorial github.com/meteatamel/knative-tutorial