Slide 1

Confidential & Proprietary

Cloud Native on Google Cloud: Containers, Kubernetes, Istio, Knative
Mete Atamel, Developer Advocate at Google
@meteatamel
speakerdeck.com/meteatamel/cloud-native-on-google-cloud
github.com/meteatamel/istio-on-gke-tutorial
github.com/meteatamel/knative-tutorial

Slide 2

Containers

Slide 3

[Diagram: the same four layers (Hardware, OS, Dependencies, Application Code) shown for a virtual machine, a bare-metal server and a container]

Slide 4

[Diagram: on a virtual machine, the Payments application and the Rendering application share a single ImageMagick 6.4.90 on one OS and hardware; with containers, each application carries its own copy (ImageMagick 6.4.90 for Payments, ImageMagick 7.0.28 for Rendering) on the same OS and hardware]

Slide 5

Docker: Tooling for containers

FROM debian:latest
RUN apt-get update
RUN apt-get install -y nginx
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

• Docker is a container runtime and image format
• Dockerfile defines the dependencies, environment and the code to run
• Container is a consistent invocation of a Dockerfile

Slide 6

#GoogleCloudSummit

Benefits of containers
• Versioning
• Ease of sharing
• Reusability
• Introspection
• Faster deployments
• Portability
• Immutable infrastructure
• Isolation

Slide 7

Containers are not enough
• Service Discovery
• Redundancy
• Scheduling
• Scaling up & down
• Rolling out & back
• Resiliency
• Config & Secrets
• Health Checks

Slide 8

Kubernetes

Slide 9

Kubernetes
Κυβερνήτης means “governor” in Greek
• Manages container clusters
• Inspired and informed by Google’s internal container system called Borg
• Supports multiple cloud and bare-metal environments
• 100% Open source
Manage applications, not machines

Slide 10

The 10000 foot view
[Diagram: users reach the master through the UI, CLI and API; the master runs the apiserver, scheduler, controllers and etcd; each node runs a kubelet]

Slide 11

Microservices in Kubernetes world
[Diagram: a Deployment (Replicas: 3, Env: prod) is the blueprint, or “pod template”, for the microservice’s pods; each pod contains one or more containers pulled from the registry and carries the labels Role: frontend, Env: prod; the pods are spread across nodes, and a Service selects them by those labels to provide the communication channel]

Slide 12

Compute Engine: Full control, VMs for Linux and Windows Server
App Engine: Deploy your code and we scale it for you
Cloud Functions: A serverless platform for event-based microservices
Google Kubernetes Engine (GKE): Kubernetes-as-a-service

Slide 13

$ gcloud container clusters create cluster-1
Creating cluster cluster-1...done.
Created [https://container.googleapis.com/v1/projects/sandbox/zones/europe-west1-c/clusters/cluster-1].
kubeconfig entry generated for cluster-1.
NAME       ZONE            MASTER_VERSION  MASTER_IP       MACHINE_TYPE   NODE_VERSION  NUM_NODES  STATUS
cluster-1  europe-west1-c  1.4.6           104.199.87.107  n1-standard-1  1.4.6         3          RUNNING

$ gcloud container clusters get-credentials cluster-1
Fetching cluster endpoint and auth data.
kubeconfig entry generated for cluster-1.

$ kubectl get nodes
NAME                                      STATUS  AGE
gke-cluster-1-default-pool-6c50430d-chjm  Ready   2m
gke-cluster-1-default-pool-6c50430d-esqq  Ready   2m
gke-cluster-1-default-pool-6c50430d-zfm9  Ready   2m

$ kubectl get pods
$

$ gcloud container clusters resize cluster-1 --size 5
Pool [default-pool] for [cluster-1] will be resized to 5.
Resizing cluster-1...done.
Updated [https://container.googleapis.com/v1/projects/sandbox/zones/europe-west1-c/clusters/cluster-1].

Slide 14

Kubernetes Terminology
• Deployment
• Pod
• Volume
• Label
• Selector
• ReplicaSet
• Liveness Probe
• Readiness Probe
• Service
• DaemonSet
• Job
• StatefulSet
• ConfigMap
• Secret
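The picture on the microservices slide (a Deployment with three replicas, pods labelled role=frontend and env=prod, a Service that finds them through those labels) and several terms from the terminology slide (Deployment, Pod, Label, Selector, ReplicaSet, Liveness Probe, Readiness Probe, Service) fit in one pair of manifests. The example below is added here and is not from the deck or from the author's tutorials; the image name, container port, health path and resource numbers are assumptions.

```yaml
# Added example (not from the deck). Deployment + Service for the "frontend"
# microservice shown on the slide. Assumed values: image name, port 8080,
# /healthz path and the resource figures.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: frontend
  labels:
    role: frontend
    env: prod
spec:
  replicas: 3                     # the ReplicaSet created by this Deployment keeps 3 pods running
  selector:
    matchLabels:                  # selector: which pods this Deployment owns
      role: frontend
      env: prod
  template:                       # the "pod template" blueprint
    metadata:
      labels:                     # labels stamped on every pod
        role: frontend
        env: prod
    spec:
      containers:
        - name: frontend
          image: gcr.io/example-project/frontend:1.5   # assumed image; pin a tag rather than :latest
          ports:
            - containerPort: 8080
          readinessProbe:         # the Service only sends traffic once this passes
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
          livenessProbe:          # the kubelet restarts the container when this keeps failing
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 10
          securityContext:        # run with least privilege inside the container
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 256Mi
---
apiVersion: v1
kind: Service
metadata:
  name: frontend
spec:
  selector:                       # the Service's selector matches the pod labels above
    role: frontend
    env: prod
  ports:
    - port: 80
      targetPort: 8080
```

Apply with `kubectl apply -f frontend.yaml`; `kubectl get endpoints frontend` then lists only the pods whose readiness probe currently passes, which is the mechanism behind the deck's "Rolling out & back" and "Health Checks" bullets.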

Slide 15

Benefits of Kubernetes
• Utilization
• Scaling
• Rolling upgrades
• Availability and failover
• No vendor lock-in

Slide 16

Kubernetes is not enough either
• Dependency Visualisation
• Tracing
• Metrics
• Logging
• Circuit Breaking
• Service Identity & Auth
• Fault Injection
• Traffic Flow & Policies
• Failover

Slide 17

Istio: Service Mesh

Slide 18

Ιστιο means “sail” in Greek
An open framework for connecting, securing, managing and monitoring services

Slide 19

Service architecture
[Diagram: the services Auth, Frontend, Pictures, Payments and Users, together with Cloud SQL and an External Payment Processor]

Slide 20

Service architecture with Istio
[Diagram: the same architecture with a Proxy placed in front of Auth, Frontend, Pictures and Payments]

Slide 21

How Istio works
[Diagram: the Istio Control Plane consists of Pilot (discovery & config data to proxies), Istio-Auth (TLS certs to proxies) and Mixer (policy checks, telemetry); Frontend and Payments each sit behind a Proxy]
Traffic transparently proxied — unaware of proxies


Slide 23

$ gcloud beta container clusters create istio-demo \
    --addons=Istio --istio-config=auth=MTLS_STRICT \
    --cluster-version=latest \
    --machine-type=n1-standard-2 \
    --num-nodes=4
Creating cluster istio-demo in europe-west4-a
Created [https://container.googleapis.com/v1beta1/projects/istio-project2517/zones/europe-west4-a/clusters/istio-demo]
NAME        LOCATION        MASTER_VERSION  MASTER_IP     MACHINE_TYPE   NODE_VERSION  NUM_NODES  STATUS
istio-demo  europe-west4-a  1.12.5-gke.5    35.204.5.121  n1-standard-2  1.12.5-gke.5  4          RUNNING

$ kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)
clusterrolebinding "cluster-admin-binding" created

Slide 24

In the past
Traffic control tied to infrastructure
[Diagram: Load Balancing across ten instances, one Canary and nine Default, is how you get 10% canaries]

Slide 25

With Istio
Traffic flow separated from infrastructure
[Diagram: Istio Load Balancing sends 90% of traffic to Default and 10% of traffic to Canary, giving 10% canaries]

Slide 26

App rollout

destination: pictures.example.local
match:
  source: frontend.example.local
route:
  - tags:
      version: v1.5
      env: prod
    weight: 90
  - tags:
      version: v2.0-alpha
      env: staging
    weight: 10

[Diagram: Frontend’s Proxy sends 90% of traffic to Pictures (version: 1.5, env: prod) and 10% to Pictures (version: 2.0-alpha, env: staging)]

Slide 27

Traffic steering

destination: pictures.example.local
match:
  httpHeaders:
    user-agent:
      regex: ^(.*?;)?(iPhone)(;.*)?$
precedence: 2
route:
  - tags:
      version: 2.0-alpha
      env: staging

[Diagram: Frontend’s Proxy routes requests matching the rule to Pictures (version: 2.0-alpha, env: staging); the other instance, Pictures (version: 1.5, env: prod), sits behind its own Proxy]
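The two route rules above (the 90/10 rollout split and the iPhone user-agent steering) use the early Istio route-rule syntax. The same two rules expressed in the current Istio networking API (DestinationRule + VirtualService) are given below as an added example; this is not code from the deck or from the author's tutorials. The subset names, the `app: frontend` source label standing in for the old `source: frontend.example.local` match, and the final catch-all route are assumptions.

```yaml
# Added example (not from the deck): the slide's two rules in the current
# Istio API. Assumed: pod labels version/env as on the slide, source label
# app=frontend, and a catch-all route so unmatched traffic is not dropped.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: pictures
spec:
  host: pictures.example.local
  subsets:
    - name: v1-5
      labels:
        version: "1.5"
        env: prod
    - name: v2-0-alpha
      labels:
        version: 2.0-alpha
        env: staging
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: pictures
spec:
  hosts:
    - pictures.example.local
  http:
    # Rules are evaluated top to bottom; the first match wins, which replaces
    # the old "precedence" field. Rule 1: steer iPhone clients to staging.
    - match:
        - headers:
            user-agent:
              regex: '^(.*?;)?(iPhone)(;.*)?$'
      route:
        - destination:
            host: pictures.example.local
            subset: v2-0-alpha
    # Rule 2: everything else coming from the frontend gets the 90/10 split.
    - match:
        - sourceLabels:
            app: frontend
      route:
        - destination:
            host: pictures.example.local
            subset: v1-5
          weight: 90
        - destination:
            host: pictures.example.local
            subset: v2-0-alpha
          weight: 10
    # Rule 3 (no match clause): any other caller only ever sees the prod version.
    # Without a catch-all, requests matching no rule are rejected by the proxy.
    - route:
        - destination:
            host: pictures.example.local
            subset: v1-5
```

The weights apply per request at the Frontend sidecar, so the 10% share holds regardless of how many Pictures pods each subset has; that is the "traffic flow separated from infrastructure" point of the previous slides. Removing the catch-all is a common mistake that turns a typo in a label into an outage rather than a fallback.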

Slide 28

Communication without Istio
[Diagram: Frontend talks directly to Payments]

Slide 29

Automatic security with Istio
[Diagram: Istio Auth in the Istio Control Plane sits above the Proxies placed in front of Frontend and Payments]
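The "automatic security" the slide refers to is the mTLS that Istio Auth provisions between the sidecars, plus the service identity that comes with it. The cluster on the earlier slide was created with `auth=MTLS_STRICT`; the policies below show how that is expressed, and enforced per workload, in the current Istio security API. This is an added example, not code from the deck or the author's tutorials; the workload label `app: payments`, the service account name `frontend`, and the `/charge` path are assumptions.

```yaml
# Added example (not from the deck). Mesh-wide strict mTLS, then an
# authorization policy so that only the Frontend identity may call Payments.
# Assumed: Payments pods are labelled app=payments, Frontend runs as the
# Kubernetes service account "frontend" in namespace "default".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system       # in the root namespace this applies mesh-wide
spec:
  mtls:
    mode: STRICT                # sidecars refuse plaintext; equivalent to the slide's MTLS_STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: payments-allow-frontend
  namespace: default
spec:
  selector:
    matchLabels:
      app: payments             # applies to the Payments sidecar only
  action: ALLOW
  rules:
    - from:
        - source:
            # The SPIFFE identity Istio Auth puts in Frontend's certificate.
            # Principals can only be evaluated when mTLS is on, so this rule
            # depends on the PeerAuthentication above.
            principals: ["cluster.local/ns/default/sa/frontend"]
      to:
        - operation:
            methods: ["POST"]
            paths: ["/charge"]
```

Once any ALLOW policy selects a workload, every request not matched by one of its rules is denied, so this single policy turns Payments from "reachable by anything in the cluster" into "reachable by Frontend, for one operation". Run `istioctl x describe pod <payments-pod>` (an istioctl command that exists in current releases) to confirm which PeerAuthentication and AuthorizationPolicy a pod is actually subject to.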

Slide 30

Prometheus

Slide 31

Grafana

Slide 32

Zipkin

Slide 33

ServiceGraph

Slide 34

Benefits of Istio
• Traffic control
• Observability
• Fault-injection
• Security
• Hybrid cloud

Slide 35

Knative

Slide 36

What is Knative?
Kubernetes based open source building blocks for serverless

Slide 37

Ideal Serverless
• No servers
• Idiomatic
• Event-driven
• Portable

Slide 38

Developers want serverless
• ... just want to run their code.
• ... want to use their favorite languages and dependencies.
• ... don't want to manage the infrastructure.
Operators want Kubernetes
• Kubernetes is great at orchestrating microservices.
• They love using GKE and not having to do operations for Kubernetes.
• Kubernetes is not the right abstraction for their developers.

Slide 39

Knative Project - github.com/knative
• Set of components for serverless
• Solves for modern development patterns
• Implements learnings from Google, partners

Slide 40

Knative stack
[Diagram: the Components Serving and Eventing run on the Kubernetes Platform behind an Istio Gateway; Products built on them are Google Cloud Run and Google Cloud Run on GKE (marked *No eventing)]

Slide 41

Knative Stack
[Diagram: the Primitives Build, Serving and Events on top of the Kubernetes Platform and the Istio Service Mesh; Products: Serverless Containers on GCF, GKE Serverless Add-on, SAP Kyma, Pivotal Function Service, IBM Cloud Functions, Red Hat Cloud Functions, Pivotal riff, OpenFaaS, T-mobile Jazz]

# Get a Kubernetes Cluster
$ gcloud beta container clusters create $CLUSTER_NAME \
    --addons=HorizontalPodAutoscaling,HttpLoadBalancing,Istio \
    --machine-type=n1-standard-4 \
    --cluster-version=latest --zone=$CLUSTER_ZONE \
    --enable-stackdriver-kubernetes --enable-ip-alias \
    --enable-autoscaling --min-nodes=1 --max-nodes=10 \
    --enable-autorepair \
    --scopes cloud-platform
Creating cluster hello-knative...done.
NAME           LOCATION        MASTER_VERSION  MASTER_IP       MACHINE_TYPE   NODE_VERSION  NUM_NODES  STATUS
Hello-knative  europe-west1-b  1.13.6-gke.5    35.190.182.251  n1-standard-1  1.13.6-gke.5  4          RUNNING

# Create Cluster Role Binding
$ kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)
clusterrolebinding "cluster-admin-binding" created

Slide 42

# Install Knative
$ kubectl apply -f https://github.com/knative/serving/releases/download/v0.9.0/serving.yaml \
    -f https://github.com/knative/eventing/releases/download/v0.9.0/release.yaml \
    -f https://github.com/knative/serving/releases/download/v0.9.0/monitoring.yaml

Slide 43

Knative Serving
What is it?
• Rapid deployment of serverless containers
• Automatic (0-n) scaling
• Configuration and revision management
• Traffic splitting between revisions
Pluggable
• Connect to your own logging and monitoring platform, or use the built-in system
• Auto-scaler can be tuned or swapped out for custom code

Slide 44

Knative Serving Primitives
Knative Service: High level abstraction for the application
Configuration: Current/desired state of an application; code & configuration separated (a la 12-factor)
Revision: Point in time snapshots for your code and configuration
Route: Maps traffic to revisions
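A single Knative Service object stands in for all four primitives: its `template` is the Configuration, every change to the template stamps out a new immutable Revision, and its `traffic` block is the Route. The manifest below is an added example (not from the deck or the author's knative-tutorial) showing the 0-n scaling and the revision traffic split from the previous two slides; the image name, the revision name `pictures-v1` (assumed to exist from an earlier apply of this Service) and the scaling figures are assumptions.

```yaml
# Added example (not from the deck). One Knative Service carrying a
# Configuration (spec.template) and a Route (spec.traffic). Assumed: the
# image, and that revision "pictures-v1" was created by a previous apply.
apiVersion: serving.knative.dev/v1
kind: Service
metadata:
  name: pictures
  namespace: default
spec:
  template:                       # the Configuration; each change creates a new Revision
    metadata:
      name: pictures-v2           # naming the revision lets the traffic block address it
      annotations:
        autoscaling.knative.dev/minScale: "0"    # scale to zero when idle ("0-n scaling")
        autoscaling.knative.dev/maxScale: "10"
    spec:
      containerConcurrency: 50    # in-flight requests per pod before the autoscaler adds one
      containers:
        - image: gcr.io/example-project/pictures:2.0-alpha   # assumed image
          ports:
            - containerPort: 8080
          env:
            - name: ENV
              value: staging
  traffic:                        # the Route: weighted split between Revisions
    - revisionName: pictures-v1   # the earlier revision keeps 90%
      percent: 90
    - revisionName: pictures-v2
      percent: 10
      tag: alpha                  # also reachable directly under the "alpha-" sub-domain for testing
```

Rolling back is a one-line change: set `pictures-v1` to `percent: 100` and re-apply. Because revisions are immutable snapshots of code plus configuration, the rollback restores exactly what was running before, including environment variables, not just the image.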

Slide 45

Serverless on Google Cloud
Cloud Run: Fully managed, deploy your workloads and don’t see the cluster.
Cloud Run on Anthos: Deploy into your GKE cluster, run serverless side-by-side with your existing workloads.
Knative Everywhere: Use the same APIs and tooling anywhere you run Kubernetes with Knative.

Slide 46

Knative Eventing
What is it?
• For loosely coupled, event-driven services with on/off cluster event sources
• Bind declaratively event sources, triggers and services
• Scales from just a few events to live streams
• Uses standard CloudEvents
[Diagram: an Event source emits events of several Event types, which Flow to the Event consumer(s)]

Slide 47

Knative Event Sources
Name: Description
Apache Camel: Allows the use of Apache Camel components for pushing events into Knative
Apache Kafka: Brings Apache Kafka messages into Knative
AWS SQS: Brings AWS Simple Queue Service messages into Knative
Cron Job: Uses an in-memory timer to produce events on the specified Cron schedule
GCP PubSub: Brings GCP PubSub messages into Knative
GitHub: Brings GitHub organization/repository events into Knative
GitLab: Brings GitLab repository events into Knative
Google Cloud Scheduler: Brings Google Cloud Scheduler events into Knative when jobs are triggered
Google Cloud Storage: Brings Google Cloud Storage bucket/object events into Knative
Kubernetes: Brings Kubernetes cluster/infrastructure events into Knative
https://github.com/knative/docs/tree/master/docs/eventing/sources

Slide 48

Knative Eventing
[Diagram: within a Namespace, Sources publish Events through an ingress to a Broker; Triggers subscribe to the Broker with a filter and deliver the matching events (✓) to a Service (Callable)]

Slide 49

Knative Events

{
  "specversion": "0.2",
  "type": "com.github.pull.create",
  "source": "https://github.com/cloudevents/spec/pull/123",
  "id": "A234-1234-1234",
  "time": "2019-04-08T17:31:00Z",
  "datacontenttype": "application/json",
  "data": "{ GitHub Payload... }"
}

[Diagram: FTP, GitHub and GCS each pass through their own Receive Adapter (FTP Receive Adapter, GitHub Receive Adapter, GCS Receive Adapter), which emits a CloudEvent to the Broker]
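The Broker/Trigger picture on the previous slide and the CloudEvent above meet in the Trigger's filter: it matches on CloudEvent attributes, so the `type` field of the event decides which Knative Service receives it. The manifests below are an added example, not code from the deck or the author's knative-tutorial; the subscriber Service name `pull-request-handler` is an assumption, and the API version used is the current `eventing.knative.dev/v1`, newer than the v0.9.0 release installed on the earlier slide.

```yaml
# Added example (not from the deck). A Broker plus a Trigger that delivers
# only events of the slide's type to one Knative Service. Assumed: a Knative
# Service named "pull-request-handler" exists in the same namespace.
apiVersion: eventing.knative.dev/v1
kind: Broker
metadata:
  name: default
  namespace: default
---
apiVersion: eventing.knative.dev/v1
kind: Trigger
metadata:
  name: github-pull-create
  namespace: default
spec:
  broker: default
  filter:
    attributes:
      # Exact match on the CloudEvent "type" attribute from the slide's event.
      # Any other attribute (source, subject, extensions) can be added here;
      # all listed attributes must match for the event to be delivered.
      type: com.github.pull.create
  subscriber:
    ref:
      apiVersion: serving.knative.dev/v1
      kind: Service
      name: pull-request-handler
```

The subscriber receives the event as an HTTP POST with the CloudEvent attributes in `ce-*` headers and the `data` field as the body, so a handler should validate that the `ce-type` header is the one it expects rather than trusting the route alone; anything that can POST to the Broker's ingress can emit an event with any `type`, so the Trigger filter is routing, not authentication.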

Slide 50

Integrate Cloud Storage to Vision API
Cloud Storage -> Cloud PubSub -> Knative Eventing -> Knative Serving -> Vision API
[Diagram: 1 Cloud Storage Bucket, 2 Cloud PubSub Topic, 3 Knative Eventing Channel, 4 Knative Serving on GKE, 5 Cloud Vision API, 6 Labels]

Slide 51

Knative Build (Pre 0.8)
Tekton Pipelines (Post 0.8)

Slide 52

Tekton Pipelines
What is it?
• Kubernetes style resources for declaring CI/CD-style pipelines
• Go from source code to container images on repositories
• Build pipelines can have multiple steps and can push to different registries
• Builds run in containers in the cluster. No need for Docker locally
Primitives
• Task: Represents the work to be executed with 1 or more steps
• TaskRun: Runs the Task with supplied parameters
• Pipeline: A list of Tasks to execute in order
• ServiceAccount: For authentication with DockerHub etc.
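The four primitives on the slide fit in one manifest: a Task with two steps (fetch source, then build and push an image from the Dockerfile in that source, entirely in cluster containers), a ServiceAccount carrying the registry credential, and a TaskRun that supplies the parameters. This is an added example and not from the deck or the author's tutorials. The repository URL, image name, and the credential values are placeholders; the step images (`alpine/git`, the Kaniko executor) are real images but their tags and the `DOCKER_CONFIG` path where Tekton materialises the ServiceAccount's credential are assumptions that depend on the Tekton release in use.

```yaml
# Added example (not from the deck). Task + ServiceAccount + TaskRun.
# Placeholders: repo URL, image name, registry credentials.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: build-and-push
spec:
  params:
    - name: repo-url
      type: string
    - name: image
      type: string
  workspaces:
    - name: source                # shared directory between the two steps
  steps:
    - name: clone
      image: alpine/git:latest    # assumed tag; pin a digest in real use
      workingDir: $(workspaces.source.path)
      script: |
        git clone --depth 1 "$(params.repo-url)" .
    - name: build-and-push
      # Kaniko builds from a Dockerfile without a Docker daemon, so no
      # privileged container or docker.sock mount is needed on the cluster.
      image: gcr.io/kaniko-project/executor:v1.9.0   # assumed tag
      args:
        - --dockerfile=$(workspaces.source.path)/Dockerfile
        - --context=$(workspaces.source.path)
        - --destination=$(params.image)
      env:
        - name: DOCKER_CONFIG     # assumed: where Tekton writes the ServiceAccount's registry credential
          value: /tekton/home/.docker
---
apiVersion: v1
kind: Secret
metadata:
  name: dockerhub-creds
  annotations:
    tekton.dev/docker-0: https://index.docker.io/v1/   # tells Tekton which registry this credential is for
type: kubernetes.io/basic-auth
stringData:
  username: REGISTRY_USER_PLACEHOLDER
  password: REGISTRY_TOKEN_PLACEHOLDER   # use a scoped access token, never the account password
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-bot
secrets:
  - name: dockerhub-creds
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  generateName: build-and-push-run-
spec:
  serviceAccountName: build-bot   # the identity whose credential Kaniko pushes with
  taskRef:
    name: build-and-push
  params:
    - name: repo-url
      value: https://github.com/example-org/example-app.git   # placeholder
    - name: image
      value: docker.io/example-org/example-app:1.0.0          # placeholder
  workspaces:
    - name: source
      emptyDir: {}
```

Create it with `kubectl create -f taskrun.yaml` (create rather than apply, because of `generateName`) and follow with `kubectl get taskrun`. Keeping the registry credential in a Secret bound to a dedicated ServiceAccount, instead of on the nodes or in the Task itself, means the push identity can be rotated or revoked without touching any pipeline definition, and a compromised build step only holds a push token for one registry.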

Slide 53

Thank you!
@meteatamel
github.com/meteatamel/istio-on-gke-tutorial
github.com/meteatamel/knative-tutorial