
Cloud Native on Google Cloud

In this presentation we go through the basics of Containers, Kubernetes, Istio and Knative and see how they work on Google Cloud.


Mete Atamel

July 08, 2019


  1. Confidential & Proprietary
     Cloud Native on Google Cloud: Containers, Kubernetes, Istio, Knative
     Mete Atamel, Developer Advocate at Google, @meteatamel
     speakerdeck.com/meteatamel/cloud-native-on-google-cloud
     github.com/meteatamel/istio-on-gke-tutorial
     github.com/meteatamel/knative-tutorial
  2. Containers

  3. Diagram: three stacks side by side, each built from Hardware, OS, Dependencies and Application Code: bare-metal server, virtual machine, container.
  4. Diagram: dependency isolation. On a single virtual machine the Payments application and the Rendering application share one ImageMagick 6.4.90 on the same OS; with containers each application carries its own copy (ImageMagick 6.4.90 in the Payments container, ImageMagick 7.0.28 in the Rendering container) on the shared OS and hardware.
  5. Docker: Tooling for containers
     • Docker is a container runtime and image format
     • A Dockerfile defines the dependencies, environment and the code to run
     • A container is a consistent invocation of a Dockerfile

        FROM debian:latest
        RUN apt-get update
        RUN apt-get install -y nginx
        CMD ["nginx", "-g", "daemon off;"]
        EXPOSE 80
  6. #GoogleCloudSummit
     Benefits of containers: Versioning, Ease of sharing, Reusability, Introspection, Faster deployments, Portability, Immutable infrastructure, Isolation
  7. Containers are not enough
     Service Discovery, Redundancy, Scheduling, Scaling up & down, Rolling out & back, Resiliency, Config & Secrets, Health Checks
  8. Kubernetes

  9. Kubernetes
     Κυβερνήτης means “governor” in Greek
     • Manages container clusters
     • Inspired and informed by Google’s internal container system called Borg
     • Supports multiple cloud and bare-metal environments
     • 100% Open source
     Manage applications, not machines
  10. The 10000 foot view
      Diagram: users reach the master through the UI, CLI and API; the master runs the apiserver, scheduler, controllers and etcd; each node runs a kubelet.
  11. Microservices in the Kubernetes world
      Diagram: a Deployment (blueprint “pod template”; replicas: 3; env: prod) creates Pods, each running one or more containers pulled from a registry; the pods carry labels (role: frontend, env: prod) and are spread over Nodes; a Service selects the pods of a microservice by label and is their communication channel.
  12. Compute Engine, App Engine, Cloud Functions, GKE
      • Compute Engine: full control, VMs for Linux and Windows Server
      • App Engine: deploy your code and we scale it for you
      • Cloud Functions: a serverless platform for event-based microservices
      • Google Kubernetes Engine (GKE): Kubernetes-as-a-service
  13. Terminal session (create a GKE cluster, fetch credentials, list nodes, resize):

        $ gcloud container clusters create cluster-1
        Creating cluster cluster-1...done.
        Created [https://container.googleapis.com/v1/projects/sandbox/zones/europe-west1-c/clusters/cluster-1].
        kubeconfig entry generated for cluster-1.
        NAME       ZONE            MASTER_VERSION  MASTER_IP  MACHINE_TYPE   NODE_VERSION  NUM_NODES  STATUS
        cluster-1  europe-west1-c  1.4.6                      n1-standard-1  1.4.6         3          RUNNING

        $ gcloud container clusters get-credentials cluster-1
        Fetching cluster endpoint and auth data.
        kubeconfig entry generated for cluster-1.

        $ kubectl get nodes
        NAME                                       STATUS  AGE
        gke-cluster-1-default-pool-6c50430d-chjm   Ready   2m
        gke-cluster-1-default-pool-6c50430d-esqq   Ready   2m
        gke-cluster-1-default-pool-6c50430d-zfm9   Ready   2m

        $ kubectl get pods
        $

        $ gcloud container clusters resize cluster-1 --size 5
        Pool [default-pool] for [cluster-1] will be resized to 5.
        Resizing cluster-1...done.
        Updated [https://container.googleapis.com/v1/projects/sandbox/zones/europe-west1-c/clusters/cluster-1].
  14. Kubernetes Terminology
      Deployment, Pod, Volume, Label, Selector, ReplicaSet, Liveness Probe, Readiness Probe, Service, DaemonSet, Job, StatefulSet, ConfigMap, Secret
  15. Benefits of Kubernetes
      Utilization, Scaling, Rolling upgrades, Availability and failover, No vendor lock-in
  16. Kubernetes is not enough either
      Dependency Visualisation, Tracing, Metrics, Logging, Circuit Breaking, Service Identity & Auth, Fault Injection, Traffic Flow & Policies, Failover
  17. Istio: Service Mesh

  18. Ιστιο means “sail” in Greek
      An open framework for connecting, securing, managing and monitoring services
  19. Service architecture
      Diagram: the services Auth, Frontend, Pictures, Payments and Users, together with Cloud SQL and an External Payment Processor.
  20. Service architecture with Istio
      Diagram: the same architecture with a Proxy placed next to the services (Auth, Frontend, Pictures, Payments); Users, Cloud SQL and the External Payment Processor are also shown.
  21. How Istio works
      Istio Control Plane: Pilot (discovery & config data to proxies), Istio-Auth (TLS certs to proxies), Mixer (policy checks, telemetry)
      Diagram: Frontend and Payments each sit behind a Proxy; traffic is transparently proxied and the services are unaware of the proxies.
  22. (image-only slide)

  23. Terminal session (GKE cluster with the Istio add-on and strict mTLS):

        $ gcloud beta container clusters create istio-demo \
            --addons=Istio --istio-config=auth=MTLS_STRICT \
            --cluster-version=latest \
            --machine-type=n1-standard-2 \
            --num-nodes=4
        Creating cluster istio-demo in europe-west4-a
        Created [https://container.googleapis.com/v1beta1/projects/istio-project2517/zones/europe-west4-a/clusters/istio-demo]
        NAME        LOCATION        MASTER_VERSION  MASTER_IP  MACHINE_TYPE   NODE_VERSION  NUM_NODES  STATUS
        istio-demo  europe-west4-a  1.12.5-gke.5               n1-standard-2  1.12.5-gke.5  4          RUNNING

        $ kubectl create clusterrolebinding cluster-admin-binding \
            --clusterrole=cluster-admin \
            --user=$(gcloud config get-value core/account)
        clusterrolebinding "cluster-admin-binding" created
  24. In the past: traffic control tied to infrastructure
      Diagram: a load balancer spreads traffic over one Canary and nine Default backends, so “10% canaries” means one canary instance in ten.
  25. With Istio: traffic flow separated from infrastructure
      Diagram: Istio load balancing sends 90% of traffic to Default and 10% of traffic to Canary (10% canaries).
  26. App rollout

        destination: pictures.example.local
        match:
          source: frontend.example.local
        route:
        - tags:
            version: v1.5
            env: prod
          weight: 90
        - tags:
            version: v2.0-alpha
            env: staging
          weight: 10

      Diagram: the Frontend (behind its Proxy) sends 90% of its traffic to pictures version 1.5 (env: prod) and 10% to pictures version 2.0-alpha (env: staging), each behind its own Proxy.
  27. Traffic steering

        destination: pictures.example.local
        match:
          httpHeaders:
            user-agent:
              regex: ^(.*?;)?(iPhone)(;.*)?$
        precedence: 2
        route:
        - tags:
            version: 2.0-alpha
            env: staging

      Diagram: the Frontend Proxy, pictures version 2.0-alpha (env: staging) and pictures version 1.5 (env: prod), each behind its own Proxy; requests whose user-agent matches the regex are routed to 2.0-alpha.
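The two rule fragments on slides 26 and 27 only make sense together with the matching semantics, which the deck does not spell out. The following Python simulator is an added example, not code from the deck or from Istio: it transcribes both rules into dicts and implements the assumed semantics (rules for a destination are tried highest `precedence` first, the first whose `match` block holds wins, and a roll in [0, 100) picks among weighted routes). Its main lesson is the header regex: because the slide's pattern carries `^` and `$` anchors and expects `iPhone` as a `;`-delimited token, a user-agent written as `Mozilla/5.0 (iPhone; ...)` does not match and falls through to the 90/10 rollout rule, so a steering rule should be tested against the real header values before it is relied on.

```python
import re

# Constructed rules transcribed from the two slide fragments (old Istio
# v1alpha1 RouteRule shape: destination, match, precedence, route).
ROLLOUT_RULE = {
    "destination": "pictures.example.local",
    "match": {"source": "frontend.example.local"},
    "route": [
        {"tags": {"version": "v1.5", "env": "prod"}, "weight": 90},
        {"tags": {"version": "v2.0-alpha", "env": "staging"}, "weight": 10},
    ],
}

STEERING_RULE = {
    "destination": "pictures.example.local",
    "match": {"httpHeaders": {"user-agent": {"regex": r"^(.*?;)?(iPhone)(;.*)?$"}}},
    "precedence": 2,
    "route": [{"tags": {"version": "2.0-alpha", "env": "staging"}}],
}

RULES = [ROLLOUT_RULE, STEERING_RULE]


def rule_matches(rule, request):
    """True when every condition in the rule's match block holds for the request."""
    match = rule.get("match", {})
    if "source" in match and request.get("source") != match["source"]:
        return False
    for header, cond in match.get("httpHeaders", {}).items():
        value = request.get("headers", {}).get(header, "")
        # The slide's pattern carries its own ^ and $ anchors, so it must
        # describe the whole header value, not merely contain "iPhone".
        if "regex" in cond and re.search(cond["regex"], value) is None:
            return False
        if "exact" in cond and value != cond["exact"]:
            return False
    return True


def pick_destination(rules, request, roll):
    """Return the tags of the subset the request is routed to, or None.

    Assumed semantics (not stated on the slides): rules for the request's
    destination are tried highest precedence first (default 0); the first
    rule whose match block holds wins; `roll`, an integer in [0, 100),
    selects among that rule's weighted routes. A single route without a
    weight receives all of the traffic.
    """
    # sorted() is stable, so rules of equal precedence keep their list order.
    for rule in sorted(rules, key=lambda r: r.get("precedence", 0), reverse=True):
        if rule["destination"] != request["destination"]:
            continue
        if not rule_matches(rule, request):
            continue
        routes = rule["route"]
        if len(routes) == 1 and "weight" not in routes[0]:
            return routes[0]["tags"]
        cumulative = 0
        for route in routes:
            cumulative += route["weight"]
            if roll < cumulative:
                return route["tags"]
        return routes[-1]["tags"]  # weights below 100: last route absorbs the rest
    return None  # no rule applies; the mesh would fall back to its default routing


if __name__ == "__main__":
    base = {"destination": "pictures.example.local", "source": "frontend.example.local"}
    for ua in ("Mozilla/5.0;iPhone;Safari",
               "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)"):
        req = dict(base, headers={"user-agent": ua})
        print(ua, "->", pick_destination(RULES, req, roll=50))
```

Run it and the tokenized user-agent is steered to 2.0-alpha while the browser-style one lands on the weighted rollout; swap in the header values from your own access logs to check a pattern before deploying it.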
  28. Communication without Istio
      Diagram: Frontend talks to Payments directly.

  29. Automatic security with Istio
      Diagram: Istio Auth in the Istio Control Plane, with a Proxy in front of Frontend and a Proxy in front of Payments; the two services now communicate through their proxies.
  30. Prometheus

  31. Grafana

  32. Zipkin

  33. ServiceGraph

  34. Benefits of Istio
      Traffic control, Observability, Fault-injection, Security, Hybrid cloud

  35. Knative

  36. What is Knative?
      Kubernetes-based open source building blocks for serverless
  37. Ideal Serverless
      No servers, Idiomatic, Event-driven, Portable

  38. Developers want serverless
      • ... just want to run their code.
      • ... want to use their favorite languages and dependencies.
      • ... don't want to manage the infrastructure.
      Operators want Kubernetes
      • Kubernetes is great at orchestrating microservices.
      • They love using GKE and not having to do operations for Kubernetes.
      • Kubernetes is not the right abstraction for their developers.
  39. Knative Project - github.com/knative
      • Set of components for serverless
      • Solves for modern development patterns
      • Implements learnings from Google, partners
  40. Knative stack
      Diagram: Platform: Kubernetes; Components: Serving, Eventing, Istio Gateway; Products: Google Cloud Run (*no eventing), Google Cloud Run on GKE.
  41. Knative Stack
      Diagram: Platform: Kubernetes with the Istio Service Mesh; Primitives: Build, Serving, Events, ...; Products: Serverless Containers on GCF, GKE Serverless Add-on, SAP Kyma, Pivotal Function Service, IBM Cloud Functions, Red Hat Cloud Functions, Pivotal riff, OpenFaaS, T-mobile Jazz.

        # Get a Kubernetes Cluster
        $ gcloud beta container clusters create $CLUSTER_NAME \
            --addons=HorizontalPodAutoscaling,HttpLoadBalancing,Istio \
            --machine-type=n1-standard-4 \
            --cluster-version=latest --zone=$CLUSTER_ZONE \
            --enable-stackdriver-kubernetes --enable-ip-alias \
            --enable-autoscaling --min-nodes=1 --max-nodes=10 \
            --enable-autorepair \
            --scopes cloud-platform
        Creating cluster hello-knative...done.
        NAME           LOCATION        MASTER_VERSION  MASTER_IP  MACHINE_TYPE   NODE_VERSION  NUM_NODES  STATUS
        Hello-knative  europe-west1-b  1.13.6-gke.5               n1-standard-1  1.13.6-gke.5  4          RUNNING

        # Create Cluster Role Binding
        $ kubectl create clusterrolebinding cluster-admin-binding \
            --clusterrole=cluster-admin \
            --user=$(gcloud config get-value core/account)
        clusterrolebinding "cluster-admin-binding" created
  42. Knative Stack

        # Install Knative
        $ kubectl apply -f https://github.com/knative/serving/releases/download/v0.9.0/serving.yaml \
            -f https://github.com/knative/eventing/releases/download/v0.9.0/release.yaml \
            -f https://github.com/knative/serving/releases/download/v0.9.0/monitoring.yaml
  43. Knative Serving
      What is it?
      • Rapid deployment of serverless containers
      • Automatic (0-n) scaling
      • Configuration and revision management
      • Traffic splitting between revisions
      Pluggable
      • Connect to your own logging and monitoring platform, or use the built-in system
      • Auto-scaler can be tuned or swapped out for custom code
  44. Knative Serving Primitives
      • Knative Service: high-level abstraction for the application
      • Configuration: current/desired state of an application; code & configuration separated (a la 12-factor)
      • Revision: point-in-time snapshots of your code and configuration
      • Route: maps traffic to revisions
  45. Serverless on Google Cloud
      • Cloud Run: fully managed; deploy your workloads and don’t see the cluster.
      • Cloud Run on Anthos: deploy into your GKE cluster; run serverless side-by-side with your existing workloads.
      • Knative Everywhere: use the same APIs and tooling anywhere you run Kubernetes with Knative.
  46. Knative Eventing
      What is it?
      • For loosely coupled, event-driven services with on/off cluster event sources
      • Bind event sources, triggers and services declaratively
      • Scales from just a few events to live streams
      • Uses standard CloudEvents
      Diagram: Event source -> Event type -> Flow -> Event consumer(s)
  47. Knative Event Sources
      • Apache Camel: allows Apache Camel components to be used for pushing events into Knative
      • Apache Kafka: brings Apache Kafka messages into Knative
      • AWS SQS: brings AWS Simple Queue Service messages into Knative
      • Cron Job: uses an in-memory timer to produce events on the specified Cron schedule
      • GCP PubSub: brings GCP PubSub messages into Knative
      • GitHub: brings GitHub organization/repository events into Knative
      • GitLab: brings GitLab repository events into Knative
      • Google Cloud Scheduler: Google Cloud Scheduler events in Knative when jobs are triggered
      • Google Cloud Storage: brings Google Cloud Storage bucket/object events into Knative
      • Kubernetes: brings Kubernetes cluster/infrastructure events into Knative
      https://github.com/knative/docs/tree/master/docs/eventing/sources
  48. Knative Eventing
      Diagram: within a Namespace, Sources publish Events to the Broker’s ingress; Triggers subscribe to the Broker with a filter= and deliver the matching events (✓) to a Service (Callable).
  49. Knative Events

        {
          "specversion": "0.2",
          "type": "com.github.pull.create",
          "source": "https://github.com/cloudevents/spec/pull/123",
          "id": "A234-1234-1234",
          "time": "2019-04-08T17:31:00Z",
          "datacontenttype": "application/json",
          "data": "{ GitHub Payload... }"
        }

      Diagram: FTP, GitHub and GCS sources each pass through a receive adapter (FTP Receive Adapter, GitHub Receive Adapter, GCS Receive Adapter) that emits a CloudEvent to the Broker.
  50. Integrate Cloud Storage to Vision API
      Cloud Storage -> Cloud PubSub -> Knative Eventing -> Knative Serving -> Vision API
      Diagram (steps 1 to 6): Cloud Storage Bucket, Cloud PubSub Topic, Knative Eventing Channel, Knative Serving on GKE, Cloud Vision API, Labels.
  51. Knative Build (Pre 0.8) Tekton Pipelines (Post

  52. Tekton Pipelines
      What is it?
      • Kubernetes-style resources for declaring CI/CD-style pipelines
      • Go from source code in repositories to container images
      • Build pipelines can have multiple steps and can push to different registries
      • Builds run in containers in the cluster; no need for Docker locally
      Primitives
      • Task: represents the work to be executed, with 1 or more steps
      • TaskRun: runs the Task with supplied parameters
      • Pipeline: a list of Tasks to execute in order
      • ServiceAccount: for authentication with DockerHub etc.
  53. Thank you!
      @meteatamel
      github.com/meteatamel/istio-on-gke-tutorial
      github.com/meteatamel/knative-tutorial