
Modern App Dev using Cloud Run and Knative

Sandeep Parikh

September 18, 2019
Transcript

  1. Kubernetes for operators: Scheduling • Lifecycle and health • Naming and discovery • Load balancing • Storage volumes • Logging and monitoring • Identity and authorization
  2. Kubernetes for developers. Want to: write code. Still have to: build docker image locally • upload image to registry • deploy service • expose to the internet • setup logging & monitoring • scale workload...
  3. What does it mean to be Cloud Native? Services over Servers • Configuration over Convention • Immutable over Maintained • Automation over Manipulation
  4. The basics of Serverless. Operational Model: No Infra Management • Fully Managed Security • Pay only for usage. Programming Model: Service-based • Event-driven • Open • Stateless
  5. Is this functions only? Not for applications? What about containers? Operational Model: No Infra Management • Fully Managed Security • Pay only for usage. Programming Model: Service-based • Event-driven • Open • Stateless
  6. Cloud Run: Just ‘deploy’ • Any stateless container • Any language, any library • URL in seconds • Focus on writing code • Scale up fast • Scale down to zero • Pay for exact usage • No servers to manage
  7. Cloud Run use cases. Public: • Website • API endpoint • Mobile backend • Webhook. Private: • Microservices • Asynchronous tasks
  8. Cloud Run on GKE: Same great Cloud Run, but on Kubernetes. More flexibility and control, operator required. Integrates with k8s-based policy, control & mgmt. Custom nodes, hardware accelerators, VPC. Build on your existing investment in Kubernetes.
  9. Serverless containers, where you want them. Cloud Run: Fully serverless, no cluster • Pay for what you use. Cloud Run on GKE: Serverless developer experience • Runs in your GKE cluster.
  10. Comparison. Cloud Run on GKE: Runs in your GKE cluster • Provisioned resources • Kubernetes operations • Custom machine types • Hardware accelerators (GPUs). Cloud Run: Fully managed, no cluster • Pay-per-use • Minimal operations • Limited instance size. Common to both (Knative): Autoscaling • Stackdriver • UI & CLI • Custom URLs
  11. Knative components. Serving: Activates & scales up/down based on requests • Manages code and config revisions • Service mesh integration for request path/service access control • Custom domains, certificate management. Eventing: Orchestrates on/off cluster resources • Bindings for event sources, triggers, and services • Scales from few events to full streaming • Builds on CloudEvents. Build: Reproducible builds • Source to serving URL templates • No need for Docker or cross-compilation • Supports de-coupled CI/CD • Support for policy and audit controls
  12. Cloud Run & Knative: Portable via common API and runtime environment. Cloud Run implements Knative Serving and the Knative Runtime Contract.
  13. Knative ecosystem. Products: Google Cloud Run • Red Hat OpenShift • SAP Kyma • Google Cloud Run on GKE • IBM Cloud Kubernetes Service • TriggerMesh. Layers: Build, Serving, Events ... on top of Kubernetes Platform Primitives.
  14. Service revisions using Cloud Run & Knative: Service → Configuration → Revision 1 • Revision 2 • Revision 3; Service → Route.
  15. Office Space: When bank transactions are computed with interest, the transaction value is rounded down and deposited into the bank’s account. The remainder is deposited into a separate, personal account.
  16. Private service to service: Leverage "Invoker" IAM role and service identity. Frontend → Backend. IAM: role: "roles/run.invoker", member: "serviceAccount:frontend@..."; header: "Authorization: Bearer ID_TOKEN"
  17. Push Events with Pub/Sub: Pub/Sub push to Cloud Run URL with authentication token. Leverage "Invoker" IAM role to authorize push. No need to validate URL. Cloud Pub/Sub → Cloud Run Service. IAM: role: "roles/run.invoker", member: "serviceAccount:pubsub@...". Command: gcloud alpha pubsub subscriptions create my-sub --topic my-topic --push-endpoint=https://service.run.app --push-auth-service-account=pubsub@...
  18. Async tasks: Cloud Tasks HTTP targets (Beta soon) push to Cloud Run URL with authentication token. Leverage "Invoker" IAM role. Cloud Tasks (HTTP target) → Service. IAM: role: "roles/run.invoker", member: "serviceAccount:tasks@..."
  19. Scheduled services: Cloud Scheduler with authentication token. Leverage "Invoker" IAM role. Cloud Scheduler → Service. IAM: role: "roles/run.invoker", member: "serviceAccount:scheduler@..."
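As an added illustration of what the "Invoker" check behind slides 16 through 19 is authorizing (not code from the deck or from Cloud Run itself), the following Python decodes the bearer ID token's claims and applies the issuer, audience, member and expiry checks before a request is treated as coming from an allowed caller. The service URL and service-account e-mail are placeholders, the token is constructed, and the RS256 signature check against Google's published certificates is left out (for real tokens use google.oauth2.id_token.verify_oauth2_token, which does it).

```python
import base64
import json
import time

# Added illustration of the "Invoker" check Cloud Run's IAM layer applies to the
# "Authorization: Bearer ID_TOKEN" header. Not Cloud Run's code: the RS256 signature
# check is omitted; verify real tokens with google.oauth2.id_token.verify_oauth2_token.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unverified_token(claims: dict) -> str:
    """Build a JWT-shaped token with a placeholder signature (constructed test data)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.PLACEHOLDER_SIGNATURE"


def parse_claims(token: str) -> dict:
    """Decode the payload segment of a JWT (no signature verification here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def is_authorized_invoker(authorization: str, service_url: str,
                          invokers: set, now: float = None) -> bool:
    """True only if the ID token was minted for this service's URL and belongs
    to a service account listed as a roles/run.invoker member."""
    if not authorization.startswith("Bearer "):
        return False
    try:
        claims = parse_claims(authorization[len("Bearer "):])
    except ValueError:                 # covers base64 and JSON decode errors
        return False
    now = time.time() if now is None else now
    return (claims.get("iss") in GOOGLE_ISSUERS
            and claims.get("aud") == service_url        # audience = target service URL
            and claims.get("email_verified") is True
            and claims.get("email") in invokers         # the IAM binding member
            and claims.get("exp", 0) > now)             # token not expired
```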
  20. Concurrency in Cloud Run: Each Service is autoscaled to many container instances. Concurrency = "maximum number of requests that can be sent at the same time to a given container instance". AWS Lambda or Google Cloud Functions: only one request at a time to each instance ("concurrency = 1"). With Cloud Run: set concurrency value from 1 to 80 (default: 80) → optimized resource consumption → optimized costs. (Diagram: concurrency = 1 vs. concurrency = 80.)
  21. Monitoring & Logging. Out of the box with Stackdriver: ✓ Monitoring ✓ Error Reporting ✓ Logging
  22. gVisor: Container sandbox runtime (gvisor.dev). Secure container isolation. Most applications run well. Contact GCP support if you encounter a limitation due to unsupported system call. (Diagram: Container → system calls → gVisor → limited system calls → Host; secure isolation.)
  23. Current limits: • Max 1 vCPU and 2GB RAM • No access to GPUs • No Cloud SQL (Coming Soon) • No VPC access (Coming Soon) → No Cloud Memorystore • No Global Load Balancer. Solution: Cloud Run on GKE.