Modern Application Development Sandeep Parikh, Google

Monolith → Microservices

Containers Great!

Kubernetes Also great!

Kubernetes is for developers operators

Scheduling Lifecycle and health Naming and discovery Load balancing Storage volumes Logging and monitoring Identity and authorization Kubernetes for operators

Want to Write code Still Have to Build docker image locally Upload image to registry Deploy service Expose to the internet Setup logging & monitoring Scale workload... Kubernetes for developers

Let’s go back to the basics

What does it mean to be Cloud Native? Services over Servers Configuration over Convention Immutable over Maintained Automation over Manipulation

The basics of Serverless Operational Model No Infra Management Fully Managed Security Pay only for usage Programming Model Service-based Event-driven Open Stateless

Is this functions only? Not for applications? What about containers? Operational Model No Infra Management Fully Managed Security Pay only for usage Programming Model Service-based Event-driven Open Stateless

Containers Flexibility Serverless Velocity

Say hello to Cloud Run The next step in bringing serverless to containers

Cloud Run Just ‘deploy’ Any stateless container Any language, any library URL in seconds Focus on writing code Scale up fast Scale down to zero Pay for exact usage No servers to manage

Cloud Run use cases Public ● Website ● API endpoint ● Mobile backend ● Webhook Private ● Microservices ● Asynchronous tasks

Cloud Run Container to prod in seconds Natively Serverless One experience, where you want it

Cloud Run Container to prod in seconds Natively Serverless One experience, where you want it

Cloud Run on GKE Same great Cloud Run, but on Kubernetes More flexibility and control, operator required. Integrates with k8s-based policy, control & mgmt Custom nodes, hardware accelerators, VPC Build on your existing investment in Kubernetes

Cloud Run Fully serverless, no cluster Pay for what you use Cloud Run on GKE Serverless developer experience Runs in your GKE cluster Serverless containers, where you want them

Runs in your GKE cluster Provisioned resources Kubernetes operations Custom machine types Hardware accelerators (GPUs) Fully managed, no cluster Pay-per-use Minimal operations Limited instance size Autoscaling Stackdriver UI & CLI Custom URLs Knative Cloud Run Cloud Run on GKE

One experience, where you want it

Knative open source building blocks for serverless on Kubernetes

Activates & scales up/down based on requests Manages code and config revisions Service mesh integration for request path/service access control Custom domains, certificate management Orchestrates on/off cluster resources Bindings for event sources, triggers, and services Scales from few events to full streaming Builds on CloudEvents Reproducible builds Source to serving URL templates No need for Docker or cross-compilation Supports de-coupled CI/CD Support for policy and audit controls Knative components Serving Eventing Build

Cloud Run & Knative Portable via common API and runtime environment. Cloud Run implements Knative Serving and Knative Runtime Contract.

Products Google Cloud Run Red Hat OpenShift SAP Kyma Google Cloud Run on GKE IBM Cloud Kubernetes Service TriggerMesh Build Serving Kubernetes Platform Primitives Events ... Knative ecosystem

Service revisions using Cloud Run & Knative Revision 1 Revision 2 Revision 3 Configuration Route Service

2 1 3 Service rollouts using Cloud Run & Knative

Container runtime contract State Listen for HTTP requests on $PORT CPU outside of requests

Cloud Run & Knative in action

Office Space When bank transactions are computed with interest, the transaction value is rounded down and deposited into the bank’s account. The remainder is deposited into a separate, personal account.

Thank you! Find me @crcsmnky on Twitter or Github github.com/crcsmnky/cloud-run-office-space speakerdeck/crcsmnky/modern-app-dev-cloud-run

Cloud Run Details

Authorization

GCP Invoker permissions Service IAM Requests Auth check: "allUsers" "user:[email protected]" "serviceAccount:..."

Public service Frontend IAM: role: "roles/run.invoker" member: "allUsers"

Leverage "Invoker" IAM role and service identity. Private service to service Frontend Backend IAM: role: "roles/run.invoker" member: "serviceAccount:frontend@..." header:"Authorization: Bearer ID_TOKEN"

Push Events with Pub/Sub Pub/Sub push to Cloud Run URL with authentication token. Leverage "Invoker" IAM role to authorize push. No need to validate URL. Cloud Run Service Cloud Pub/Sub IAM: role: "roles/run.invoker" member: "serviceAccount:pubsub@..." gcloud alpha pubsub subscriptions create my-sub --topic my-topic --push-endpoint=https://service.run.app --push-auth-service-account=pubsub@...

Async tasks Cloud Tasks HTTP targets (Beta soon) push to Cloud Run URL with authentication token Leverage "Invoker" IAM role. Service Cloud Tasks IAM: role: "roles/run.invoker" member: "serviceAccount:tasks@..." HTTP target

Scheduled services Cloud Scheduler with authentication token Leverage "Invoker" IAM role. Service Cloud Scheduler IAM: role: "roles/run.invoker" member: "serviceAccount:scheduler@..."

Concurrency

Concurrency in Cloud Run Each Service is autoscaled to many container instances. Concurrency = "maximum number of requests that can be sent at the same time to a given container instance" AWS Lambda or Google Cloud Functions: only one request at a time to each instance, "concurrency = 1". With Cloud Run: set concurrency value from 1 to 80 (default: 80) → optimized resource consumption → optimized costs concurrency = 1 concurrency = 80

concurrency = 1 concurrency = 80 400 clients, making 3 req/sec

Other details

Monitoring & Logging ✓ Monitoring Out of the box: ✓ Error Reporting ✓ Logging Stackdriver

gVisor Container sandbox runtime gvisor.dev Secure container isolation. Most applications run well. Contact GCP support if you encounter a limitation due to unsupported system call. Container gVisor Host System calls Limited system calls Secure isolation }

Current limits ● Max to 1 vCPU and 2GB RAM ● No access to GPUs ● No Cloud SQL Coming Soon ● No VPC access Coming Soon → No Cloud Memorystore ● No Global Load Balancer Cloud Run on GKE Solution