Powerup & GCP | Workshop on Google Kubernetes Engine
0 likes324 views
The document details a workshop focused on leveraging Google Kubernetes Engine (GKE) for achieving operational and cost efficiencies. It covers the benefits of containers and Kubernetes, addressing challenges in deployments and operations, and outlines GKE's features, including security, scalability, and observability options. Additionally, it discusses the importance of a hybrid cloud services platform for modernizing applications across environments.
Powerup & GCP | Workshop on Google Kubernetes Engine
- 1. WORKSHOP - LEVERAGE GKE TO ACHIEVE OPERATIONAL & COST EFFICIENCIES Date: 19 Mar 2019, Time: 9:30 AM to 12:30 PM
- 2. Google Cloud Partner and Authorized Re-seller
- 3. SERVICES CLOUD CONSULTING Cloud Migrations | Cloud Discovery | Devops Automation | Cost Optimization | Security Hardening | Architecture Validation 24*7 MANAGED SERVICES Monitoring & Alerting | Incident Management | Access Management | Backup Management | DR Drills | Cost Optimization ARTIFICIAL INTELLIGENCE Chatbots | Decision Making AI | Perception AI | NLP/NLU | Image Recognition | Video & Text Analytics | Speech Processing | Deep Learning DATA ANALYTICSData Lake | Data Warehouse | BI Dashboards | Machine Learning | Big Data
- 4. Objectives ▪Containers ▪Kubernetes Engine ▪Container Registry ▪Cluster Nodes and Pods ▪Service, Labels and Selectors ▪Deployment and Rolling Updates ▪Canary and Blue-Green deployments ▪Continuous deployment with Jenkins
- 5. 83% Use Kubernetes to Manage Containers1 Are Deploying Containers in Production TODAY 73% Source: CNCF Survey: Use of Cloud Native Technologies in Production Has Grown Over 200%, August 29, 2018 CNCF Survey(2018)
- 6. “Keeping our infrastructure perfectly homogenous is giving me nightmares” “It ran fine on MY machine” Problem: Deployments and Ops are Hard “We want to get the best utilization of our infrastructure” “Keeping our infrastructure perfectly homogenous is giving me nightmares” “It ran fine on MY machine” “My developers aren’t as productive as they should be. Deployments are slowing us down”
- 7. • Self contained • Portability • Decoupling from machine • Image immutability • Faster development • Faster deployment Virtual machine Container ImageMagick 6.4.90 Container ImageMagick 7.0.28 Payments application Rendering application Linux distribution Hardware Why Containers
- 8. “Where should I run my containers?” “If we run our containers on VMs, I don’t want to manage anything” “How do I get my containers to talk to one another?” “How do we ensure our containers are running smoothly?” “We don’t want to be locked into one cloud provider” But they introduce a new set of challenges
- 9. ▪ Decoupling from infra ▪ Autoscaling ▪ Auto healing ▪ Automated rollout and rollbacks ▪ Abstractions that are cloud native and microservices friendly ▪ Extensible ▪ Open-source ▪ Integrates well with other Devops tools Why Kubernetes
- 10. How do customers use GKE? •From Cloud Natives to Retail to Financial. •From running fewer nodes per cluster to thousands of nodes per cluster. •From a single dev team running a large scale app to hundreds of dev teams sharing clusters. •From running stateless web apps to stateful workloads like Redis, MySql, and Kafka to ML workloads. With 3+ years on the market GKE brings expertise and differentiation to all those scenarios.
- 11. GKE • Master management including master redundancy, upgrade, replication and backup • Worker node lifecycle management • IAM integration for security and authentication • Get all benefits of Google compute engine including Networking and Storage • Integration with other Google cloud services like load balancer, storage, big data, analytics • Pod and cluster autoscale • Integrated logging and monitoring with Stackdriver • 99.5% SLA
- 12. Observability Security Openness GKE for Enterprises - Top 3 reasons
- 14. Software supply chain Is my container image secure to build and deploy? Infrastructure security Is my infrastructure secure for developing containers? Container runtime security Is my container secure to run? Application security Platform security Are my applications secure? Is my (cloud provider’s) infrastructure secure? ● IAM, RBAC, Pod access policy ● Shared VPC ● Private cluster ● Network control policy ● Image scanning ● Binary authorization ● Container OS ● Node OS(CoS) ● Cloud security command center ● Tie-up - Aquasec, Capsule8, Stackrox, Sysdig, Twistlock Container Security pillars
- 15. Trusted Virtual Private Cloud (VPC) Kubernetes Engine Cluster Node Node Node Google Kubernetes Engine Kubernetes Master Trusted On-prem Host HostVPN Untrusted Internet Private Clusters
- 16. Organization Apps project Kubernetes Engine clusters Apps team Shared VPC network subnet-1 subnet-2 Network admin Host Project DB project Kubernetes Engine clusters DB team Infra project Kubernetes Engine clusters Infra team Private IP connectivity Shared VPC
- 17. Container-optimized OS (COS) based on Chromium OS, and maintained by Google ● Built from source: Since COS is based on Chromium OS, Google maintains all components and is able to rebuild from source if a new vulnerability is discovered and needs to be patched ● Smaller attack surface: Container-Optimized OS is purpose-built to run containers, has a smaller footprint, reducing your instance's potential attack surface ● Locked-down by default: Firewall restricts all TCP/UDP except SSH on port 22, and prevents kernel modules. Root file system is mounted read-only ● Automatic Updates: COS instances automatically download weekly updates in the background; only a reboot is necessary to use the latest updates. Google provides patches and maintenance https://cloud.google.com/container-optimized-os/ GKE: Minimal OS
- 18. ▪ Scans all images in your private Google Container Registry for known Common Vulnerabilities and Exposures (CVEs) ▪ Examines images and packages ▪ Works for: Debian, Ubuntu and Alpine images ▪ Images are scanned when: ▪ An image is added to the registry ▪ There is an update to the vulnerability database https://cloud.google.com/container-registry/docs/vulnerability-scanning GCR: Vulnerability Scanning (Beta)
- 19. Launch container Requirements met?YES Requirements Grafeas Binary Authorization policyNO Block launch Attestations Code Signed by: * Builder * Analysis tool Must be built by myphotos.com Binary authorization (Beta)
- 21. Microservices Kubernetes makes it easy to break monolithic applications into independently scalable microservices More pieces to monitor and operate Abstracted Infrastructure Kubernetes offers a lot of flexibility, with many constructs that support and make building your app easier Increased observability across your entire Kubernetes environment becomes necessary Highly Dynamic Environment Your environment scales and adapts as needed, changing as it reschedules and restarts components Keep track of your applications, which may be constantly moving Stackdriver - Rethinking monitoring with Kubernetes
- 22. Multi-cluster monitoring with support for Kubernetes Engine on GCP and Kubernetes on-prem in a single place Hybrid, multi-cluster Kubernetes monitoring
- 23. • Two levels of load balancing • Inaccurate cloud-level health checks • Multiple network hops Kubernetes Load Balancing - Suboptimal
- 24. Containers are “just another endpoint” Accurate cloud-level health checks and load balancing No extra network hops; direct connection from load balancer to container GKE Load balancing with Network Endpoint Group
- 25. Region: US West Kubernetes Engine Alice California Google Edge myapp.com 120.1.1.1 Chao Singapore Google Edge myapp.com 120.1.1.1 Region: Asia East Kubernetes Engine Bob London Google Edge myapp.com 120.1.1.1 Region: Europe West Kubernetes Engine kind: Ingress Google Global HTTP(S) Load Balancing Multi-region clusters
- 26. GKE for Enterprises - Open & Mature
- 27. Each week, Google launches more than four billion containers across its data centers around the world. These containers house the full range of applications Google runs, including user-facing applications such as Search, Gmail, and YouTube. Kubernetes was directly inspired by Google’s cluster manager, internally known as Borg. Borg allows Google to direct hundreds of thousands of software tasks across vast clusters of machines numbering in the tens of thousands — supporting seven businesses with over one billion users each. Borg and Kubernetes are the culmination of Google’s experience deploying resilient applications at scale. Containers at Google
- 28. GA for 3 years
- 29. Marquee customers Kubernetes Engine (GKE) marquee customers
- 30. Source: Container Adoption Landscape Study; Dec 2018 Modernize/ containerize these workloads on-prem Lift and shift Leave as is Don’t know 6% 32% 39% 59% Cloud transition is about hybrid modernization
- 31. Introducing the Cloud Services Platform • Cloud Services Platform lets you build and manage modern hybrid applications across environments. CSP allows you to build once, to run anywhere, across on-premises and cloud environments. With CSP, we bring the cloud to you.
- 32. CI/CD Logging & monitoring Service management Serverless MarketplaceOn-prem Cloud Policy management Solutions Core Services Cloud Services Platform
- 33. Modernize in-place Modernize your applications no matter where they are. Consistent management of your applications across multiple clouds and on-premises. Faster time to market, lower administrative overhead, and increased innovation capabilities. Automate policy and security at scale Proactive service operations - manage at a higher layer of the stack, enabling greater application awareness, consistency, and control. Take a service-centric view of your infrastructure. Run anywhere CSP gives you one platform that you can run anywhere. It’s built on open source technology created and managed by Google; so it’s portable, consistent, and extensible to help you future-proof your investments. Do more with CSP
- 34. CSP: A TRUE Hybrid Platform CSP Hosted Control Plane (on GCP) Control Plane Kubernetes Marketplace Policy Management Services ManagementCluster Management Additional Services Binary Authorization Basic API Management StackdriverMulti-cluster Ingress ConsistentUX GKE Identity Aware Proxy Cloud Identity GKE on Prem GKE on Other Clouds CSM / Istio Policy Agent CSM / Istio Policy Agent CSM / Istio Policy Agent
- 35. Powerupcloud is an ISO 27001 and ISO 9001 certified company Demohttps://github.com/Maheshbr91/product
- 36. Thank you! Bangalore | Chicago | Singapore