
Modern App Dev using Cloud Run and Knative



Sandeep Parikh

September 18, 2019


  1. Modern Application Development Sandeep Parikh, Google

  2. Monolith → Microservices

  3. Containers: Great!

  4. Kubernetes: Also great!

  5. Kubernetes is for developers operators

  6. Kubernetes for operators: scheduling; lifecycle and health; naming and discovery; load balancing; storage volumes; logging and monitoring; identity and authorization

  7. Kubernetes for developers: you want to write code, but you still have to build the Docker image locally, upload the image to a registry, deploy the service, expose it to the internet, set up logging & monitoring, scale the workload...

  8. Let’s go back to the basics

  9. What does it mean to be Cloud Native? Services over Servers; Configuration over Convention; Immutable over Maintained; Automation over Manipulation

  10. The basics of Serverless. Operational Model: No Infra Management, Fully Managed Security, Pay only for usage. Programming Model: Service-based, Event-driven, Open, Stateless

  11. Is this functions only? Not for applications? What about containers? Operational Model: No Infra Management, Fully Managed Security, Pay only for usage. Programming Model: Service-based, Event-driven, Open, Stateless

  12. Containers: Flexibility. Serverless: Velocity.

  13. Say hello to Cloud Run: the next step in bringing serverless to containers

  14. Cloud Run: just ‘deploy’. Any stateless container; any language, any library; URL in seconds; focus on writing code; scale up fast; scale down to zero; pay for exact usage; no servers to manage

  15. Cloud Run use cases. Public: website, API endpoint, mobile backend, webhook. Private: microservices, asynchronous tasks

  16. Cloud Run: container to prod in seconds; natively serverless; one experience, where you want it

  17. Cloud Run: container to prod in seconds; natively serverless; one experience, where you want it

  18. Cloud Run on GKE: same great Cloud Run, but on Kubernetes. More flexibility and control, operator required. Integrates with k8s-based policy, control & management. Custom nodes, hardware accelerators, VPC. Build on your existing investment in Kubernetes

  19. Cloud Run: fully serverless, no cluster; pay for what you use. Cloud Run on GKE: serverless developer experience; runs in your GKE cluster. Serverless containers, where you want them

  20. Cloud Run: fully managed, no cluster; pay-per-use; minimal operations; limited instance size. Cloud Run on GKE: runs in your GKE cluster; provisioned resources; Kubernetes operations; custom machine types; hardware accelerators (GPUs). Both: autoscaling, Stackdriver, UI & CLI, custom URLs, Knative

  21. One experience, where you want it

  22. Knative: open source building blocks for serverless on Kubernetes

  23. Knative components. Serving: activates & scales up/down based on requests; manages code and config revisions; service mesh integration for request path/service access control; custom domains, certificate management. Eventing: orchestrates on/off cluster resources; bindings for event sources, triggers, and services; scales from few events to full streaming; builds on CloudEvents. Build: reproducible builds; source to serving URL templates; no need for Docker or cross-compilation; supports de-coupled CI/CD; support for policy and audit controls

  24. Cloud Run & Knative: portable via a common API and runtime environment. Cloud Run implements Knative Serving and the Knative Runtime Contract.

  25. Knative ecosystem. Products: Google Cloud Run, Red Hat OpenShift, SAP Kyma, Google Cloud Run on GKE, IBM Cloud Kubernetes Service, TriggerMesh. Knative: Build, Serving, Events, ... Kubernetes: platform primitives

  26. Service revisions using Cloud Run & Knative (diagram: Service → Route, Configuration → Revision 1, Revision 2, Revision 3)

  27. Service rollouts using Cloud Run & Knative (diagram: revisions 1, 2, 3)

  28. Container runtime contract: State; Listen for HTTP requests on $PORT; CPU outside of requests

  29. Cloud Run & Knative in action

  30. Office Space: when bank transactions are computed with interest, the transaction value is rounded down and deposited into the bank’s account. The remainder is deposited into a separate, personal account.

  31. Thank you! Find me @crcsmnky on Twitter or GitHub: github.com/crcsmnky/cloud-run-office-space

  32. Cloud Run Details

  33. Authorization

  34. GCP Invoker permissions (diagram: Requests → Service; IAM auth check: "allUsers", "user:mail@domain.com")

  35. Public service (Frontend). IAM: role: "roles/run.invoker", member: "allUsers"

  36. Private service to service: leverage the "Invoker" IAM role and service identity. Frontend → Backend. IAM: role: "roles/run.invoker", member: "serviceAccount:frontend@..."; header: "Authorization: Bearer ID_TOKEN"

  37. Push events with Pub/Sub: Pub/Sub pushes to the Cloud Run URL with an authentication token. Leverage the "Invoker" IAM role to authorize the push; no need to validate the URL. Cloud Pub/Sub → Cloud Run Service. IAM: role: "roles/run.invoker", member: "serviceAccount:pubsub@...". Command: gcloud alpha pubsub subscriptions create my-sub --topic my-topic --push-endpoint=https://service.run.app --push-auth-service-account=pubsub@...

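The receiving side of the Pub/Sub push on the slide, combined with the container runtime contract from slide 28 (HTTP on $PORT, stateless), as an added example that is not code from the deck: with the "roles/run.invoker" binding in place, Cloud Run rejects pushes without a valid token before they reach the container, so the handler only has to unwrap the push envelope. The handler class, `get_port` and `parse_push_envelope` are this example's own names.

```python
import base64
import json
import os
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def get_port(env=os.environ):
    """Runtime contract: listen on $PORT; fall back to 8080 when it is unset."""
    return int(env.get("PORT", "8080"))


def parse_push_envelope(body):
    """Unwrap a Pub/Sub push envelope into {"id", "attributes", "data"}.

    Pub/Sub wraps each delivery as {"message": {...}, "subscription": "..."}
    and base64-encodes the payload in "data". Malformed envelopes raise
    ValueError so the handler can answer 400 instead of acking garbage.
    """
    try:
        message = json.loads(body)["message"]
        data = base64.b64decode(message.get("data", ""), validate=True)
    except (ValueError, KeyError, TypeError, AttributeError) as exc:
        raise ValueError(f"bad Pub/Sub push envelope: {exc}") from exc
    return {
        "id": message.get("messageId", ""),
        "attributes": message.get("attributes", {}),
        "data": data.decode("utf-8", errors="replace"),
    }


class PushHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        try:
            msg = parse_push_envelope(self.rfile.read(length))
        except ValueError:
            self.send_response(400)  # non-2xx: Pub/Sub redelivers later
            self.end_headers()
            return
        # Do the real work here; keep no state in the instance (stateless).
        self.log_message("message %s: %s", msg["id"], msg["data"])
        self.send_response(204)  # any 2xx acknowledges the message
        self.end_headers()


if __name__ == "__main__":
    # Threading server so one instance can serve several requests at once
    # (Cloud Run concurrency > 1).
    ThreadingHTTPServer(("", get_port()), PushHandler).serve_forever()
```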
  38. Async tasks: Cloud Tasks HTTP targets (Beta soon) push to the Cloud Run URL with an authentication token. Leverage the "Invoker" IAM role. Cloud Tasks (HTTP target) → Service. IAM: role: "roles/run.invoker", member: "serviceAccount:tasks@..."

  39. Scheduled services: Cloud Scheduler with an authentication token. Leverage the "Invoker" IAM role. Cloud Scheduler → Service. IAM: role: "roles/run.invoker", member: "serviceAccount:scheduler@..."

  40. Concurrency

  41. Concurrency in Cloud Run. Each Service is autoscaled to many container instances. Concurrency = "maximum number of requests that can be sent at the same time to a given container instance". AWS Lambda or Google Cloud Functions: only one request at a time to each instance ("concurrency = 1"). With Cloud Run: set the concurrency value from 1 to 80 (default: 80) → optimized resource consumption → optimized costs. (diagram: concurrency = 1 vs concurrency = 80)

  42. concurrency = 1 concurrency = 80 400 clients, making 3

  43. Other details

  44. Monitoring & Logging, out of the box with Stackdriver: ✓ Monitoring ✓ Error Reporting ✓ Logging

  45. gVisor container sandbox runtime (gvisor.dev): secure container isolation. Most applications run well; contact GCP support if you encounter a limitation due to an unsupported system call. (diagram: Container → gVisor → Host; system calls → limited system calls; secure isolation)

  46. Current limits • Max 1 vCPU and 2 GB RAM • No access to GPUs • No Cloud SQL (coming soon) • No VPC access (coming soon) → no Cloud Memorystore • No Global Load Balancer. Solution: Cloud Run on GKE