Google Cloud Platform Blog: Open Source

On GCP, your database your way

Wednesday, July 25, 2018

By Brad Calder, VP of engineering, GCPGoogle Cloud PlatformGoogle Compute EngineKubernetes Engine

Oracle workloads can now be brought to GCP

SAP HANA workloads can run on GCP persistent-memory VMs

Cloud Firestore launching for all users developing cloud-native apps

Regional replication, visualization tool available for Cloud Bigtable

Cloud Spanner updates, by popular demand

Managing Oracle^Ⓡ workloads with Google partnersyour Oracle workloads with Google partners Partnering with Intel and SAPIntel and SAPsign up here Accelerate app development with Cloud FirestoreCloud Firestore is a serverless, NoSQL document databasehere about Cloud Firestore Simplicity, speed and replication with Cloud Bigtableregional replication is generally availablemore information about regional replication for Cloud Bigtable.on our website

Key Visualizer, now in beta, shows an access pattern heat map so you can debug performance issues in Cloud Bigtable.

Cloud Bigtable client libraries Cloud Spanner updates, by popular requestCloud Spannerrecently announcedApache AvroApache Beamconnector

Cloud Services Platform: bringing the best of the cloud to you

Tuesday, July 24, 2018

By Urs Hölzle, Senior Vice President, Technical InfrastructureCloud Services Platform

Service mesh: Availability of Istio 1.0 in open source, Managed Istio, and Apigee API Management for Istio

Hybrid computing: GKE On-Prem with multi-cluster management

Policy enforcement: GKE Policy Management, to take control of Kubernetes workloads

Ops tooling: Stackdriver Service Monitoring

Serverless computing: GKE Serverless add-on and Knative, an open source serverless framework

Developer tools: Cloud Build, a fully managed CI/CD platform

The Cloud Services Platform family

“We needed a consistent platform to deploy and manage containers on-premise and in the cloud. As Kubernetes has become the industry standard, it was natural for us to adopt Kubernetes Engine on GCP to reduce the risk and cost of our deployments.”
- Dinesh KESWANI, Global Chief Technology Officer at HSBC Modernizing application architecture with IstioIstio, an open-source service mesh

Service discovery and intelligent traffic management—Managed Istio surfaces all the services running in your cluster and manages network traffic between them. Using application-level load balancing and sophisticated traffic routing for container and VM workloads, it also provides health checks, plus canary and blue/green deployments, enabling fault tolerant applications with circuit breaking and timeouts.

Secure, authenticated communications—Managed Istio offers segmentation and granular policy for endpoints, compliance and detecting anomalous behavior, and traffic encryption by default using mTLS.

Monitoring and management—Understand and troubleshoot the system of services running across Managed Istio, including integration with Stackdriver, our suite of monitoring and management tools.

Enterprise-grade Kubernetes, wherever you goKubernetes Engine managed service is battle-testedGKE On-Prem

Unified multi-cluster registration and upgrade management

Centralized monitoring and logging with Stackdriver integration

Hybrid Identity and Access Management

GCP Marketplace for Kubernetes applications

Unified cluster management for GCP and on-premise

Professional services and enterprise-grade support

Automatically take control of your Kubernetes workloadssign up here A service-centric view of your environment

Service graph: A real-time bird’s-eye visualization of the entire environment—see all your microservices, how they communicate, and their dependencies.

Service level objective (SLO) monitoring: Monitor and alert in the same customer-centric, low-toil manner as Google Site Reliability Engineers (SRE) do for our own services.

Service dashboard: All your signals for a given service are in a single place so that you can debug faster and easier than ever before and lower your mean-time-to-resolution (MTTR).

When microservices become APIsApigee API Management Making cloud all it could be

GKE serverless add-on lets you run serverless workloads on Kubernetes Engine with a one-step deploy. You can go from source to containers amazingly fast, auto-scale your stateless container-based workloads, and even scale down to zero. Sign up for an early preview for the GKE serverless add-on here.

Knative (pronounced kay-nay-tiv), open-source serverless components from the same technology that enables the GKE serverless add-on. Knative lets you create modern, container-based and cloud-native applications by providing building blocks you need to build and deploy container-based serverless applications anywhere on Kubernetes.

Cloud Build is a fully-managed Continuous Integration/Continuous Delivery (CI/CD) platform that lets you build, test, and deploy software quickly, at scale.

serverless computing

Why we believe in an open cloud

Wednesday, June 27, 2018

By Melody Meckfessel and Eric Brewer, Vice Presidents, Google Cloud; Miles Ward, Director of Solution Architecture, Google Cloud; and Sarah Novotny, Open Source Strategy Lead, Google CloudRightscale

Open is about the power to pick up an app and move it—to and from on-premises, our cloud, or another cloud—at any time.

Open-source software permits a richness of thought and continuous feedback loop with users.

Open APIs preserve everyone’s ability to build on each other’s work.

1. Open is about the power to pick up an app and move it 2. Open-source software permits a richness of thought and continuous feedback loop with users

OSS such as Android, has an open code base and development is the sole responsibility of one organization.

OSS with community-driven changes such as TensorFlow, involves coordination between many companies and individuals.

OSS with community-driven strategy, for example collaboration with the Linux Foundation and Kubernetes community, involves collaborative, decision-making and accepting consensus over control.

corporate philosophiesBigQueryGHarchive.orgcomparative analysis of Google’s contribution to open source Google regularly open-sources internal projects

Kubernetes – container orchestration (github)

TensorFlow – #1 machine learning repository on github

BBR congestion control algorithm – your Internet just got faster (github)

Open compute project rack – efficient data center for everyone (pdf)

gRPC – high performance RPC framework (github)

Bazel – continuous integration system (github)

VP9 – royalty free video encoding format (project)

Chromium – the most popular browser (github)

Android – the most popular smartphone operating system (website)

Go -- develop simple, efficient and reliable software at scale (github)

V8 -- high-performance JavaScript engine (github)

3. Open APIs preserve everyone’s ability to build on each other’s workPeerreviewedresearchshowsOpen API InitiativeOpen API specificationgRPCCloud Bigtable compatibility with the HBase APICloud SpannerBigQueryCloud Storage Build an open cloud with uswatching our keynote at last year's Next
It’s worth noting that not all Google’s products will be open in every way at every stage of their life cycle. Openness is less of an absolute and more of a mindset when conducting business in general. You can, however, expect Google Cloud to continue investing in openness across our products over time, to contribute to open source projects, and to open source some of our internal projects.cloud.google.com/opencloud

Introducing Asylo: an open-source framework for confidential computing

Thursday, May 3, 2018

By Nelly Porter, Senior Product Manager, Google Cloud; Jason Garms, Engineering Director, Google Cloud Security; Sergey Simakov, Technical Program Manager, Google Cloud Security number one consideration

Asylo is an open source framework for confidential computingtrusted execution environments “With the Asylo toolset, Gemalto sees accelerated use of secure enclaves for high security assurance applications in cloud and container environments. Asylo makes it easy to attach container-based applications to securely isolate computations. Combining this with Gemalto’s SafeNet Data Protection On Demand paves the way to build trust across various industry applications, including; 5G, Virtual Network Functions (VNFs), Blockchain, payments, voting systems, secure analytics and others that require secure application secrets. Using Asylo, we envision our customers gaining deployment flexibility across multiple cloud environments and the assurance of meeting strict regulatory requirements for data protection and encryption key ownership.”
— Todd Moore, Senior Vice President of Data Protection at GemaltoGoogle Container Registry

Ease of use. With Asylo, it’s easy to create apps that take advantage of the security properties of TEEs. You won’t need to learn a completely new programming model, or rewrite your app.

Portability and deployment flexibility. Asylo applications do not need to be aware of the intricacies of specific TEE implementations; you can port your apps across different enclave backends with no code changes. Your apps can run on your laptop, a workstation under your desk, a virtual machine in an on-premises server, or an instance in the cloud. We are exploring future backends based on AMD Secure Encryption Virtualization (SEV) technology, Intel® Software Guard Extensions (Intel® SGX), and other industry-leading hardware technologies that could support the same rebuild-and-run portability.

Open source. As an open-source framework, everyone can take advantage of confidential computing technology. Keep on the lookout for Asylo’s rapidly-evolving capabilities!

The Asylo roadmap Getting started with AsyloGoogle Container Registryquick-start guidedocumentationmailing listGitHub

Kubernetes best practices: Organizing with Namespaces

Friday, April 27, 2018

By Sandeep Dinesh, Developer AdvocateEditor’s note: Today is the second installment in a seven-part video and blog series from Google Developer Advocate Sandeep Dinesh on how to get the most out of your Kubernetes environment. Kubernetes ServicesDeploymentsKubernetes Namespaces What is a Namespace? The “default” NamespaceGoogle Kubernetes Engine Creating Namespaceskubectl create namespace testtest.yaml:kind: Namespace apiVersion: v1 metadata: name: test labels: name: test kubectl apply -f test.yaml Viewing Namespaceskubectl get namespace

Creating Resources in the NamespaceapiVersion: v1 kind: Pod metadata: name: mypod labels: name: mypod spec: containers: - name: mypod image: nginxkubectl apply -f pod.yaml --namespace=testapiVersion: v1 kind: Pod metadata: name: mypod namespace: test labels: name: mypod spec: containers: - name: mypod image: nginx Viewing resources in the Namespace$ kubectl get pods No resources found.$ kubectl get pods --namespace=test NAME READY STATUS RESTARTS AGE mypod 1/1 Running 0 10s Managing your active NamespacekubensAhmet Alp Balkan

kubens test

$ kubectl get pods NAME READY STATUS RESTARTS AGE mypod 1/1 Running 0 10m Cross Namespace communication<Service Aame>.<Namespace Name>.svc.cluster.localdatabase.testdatabase.productionWarning:Note:Network Policies Namespace granularity The small teamMinikube Rapidly growing team(s) The large companygRPCistioSpinnakerRBACResourceQuotasNote: I’ll deep dive into gRPC, Istio, Spinnaker, RBAC, and resources in future episodes! Enterprise Conclusion

Introducing Kubernetes Service Catalog and Google Cloud Platform Service Broker: find and connect services to your cloud-native apps

Thursday, April 26, 2018

By Chris Crall, Product ManagerGoogle Cloud PlatformGoogle Cloud Platform Service BrokerKubernetes Catalog SIGOpen Service Broker APIinstallGoogle Kubernetes EngineCloud Pub/SubGoogle Cloud StorageBigQueryCloud SQL

Google Cloud Console UIdocumentation

Exploring container security: Running a tight ship with Kubernetes Engine 1.10

Thursday, April 26, 2018

By Aaron Small, Product Manager, Google Kubernetes Engine, and Vic Iglesias, Cloud Solutions Architect, Google Cloud PlatformEditor’s note: This is the fifth in a series of blog posts on container security at Google.securing Google Kubernetes EngineKubernetes Engine 1. Follow the steps in the previous hardening guiderun though that guide real quick 2. Service Accounts and Access Scopes

gcloud container clusters create example-cluster \ --scopes=compute-rw,gke-defaultgke-default 3. Create good RBAC rolesCloud IAMPROJECT_ID=$(gcloud config get-value project) PRIMARY_ACCOUNT=$(gcloud config get-value account) # Specify your cluster name. CLUSTER=cluster-1 # You may have to grant yourself permission to manage roles kubectl create clusterrolebinding cluster-admin-binding \ --clusterrole cluster-admin --user $PRIMARY_ACCOUNT # Create an IAM service account for the user “gke-pod-reader”, which we will allow to read pods gcloud iam service-accounts create gke-pod-reader \ --display-name "GKE Pod Reader" \ USER_EMAIL=gke-pod-reader@$PROJECT_ID.iam.gserviceaccount.com cat > pod-reader-clusterrole.yaml<<EOF kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: namespace: default name: pod-reader rules: - apiGroups: [""] # "" indicates the core API group resources: ["pods"] verbs: ["get", "watch", "list"] EOF kubectl create -f pod-reader-clusterrole.yaml cat > pod-reader-clusterrolebinding.yaml<<EOF kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: name: pod-reader-global subjects: - kind: User name: $USER_EMAIL apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: pod-reader apiGroup: rbac.authorization.k8s.io EOF kubectl create -f pod-reader-clusterrolebinding.yaml # Check the permissions of our Pod Reader user. gcloud iam service-accounts keys create \ --iam-account $USER_EMAIL pod-reader-key.json gcloud container clusters get-credentials $CLUSTER gcloud auth activate-service-account $USER_EMAIL \ --key-file=pod-reader-key.json # Our user can get/list all pods in the cluster. kubectl get pods --all-namespaces # But they can’t see the deployments, services, or nodes. kubectl get deployments --all-namespaces kubectl get services --all-namespaces kubectl get nodes # Reset gcloud and kubectl to your main user. gcloud config set account $PRIMARY_ACCOUNT gcloud container clusters get-credentials $CLUSTERhow to configure RBAC 4. Consider custom IAM rolespredefined IAM rolesCustom IAM Roles 5. Explore the cutting edgegcloud config set container/use_v1_api false Conceal your host VM’s metadata Server [Beta] Compute EngineMany practical attacksenable Metadata Concealment Enable and define a Pod Security Policy [beta]Pod Security Policyrestricted-psp.yamlexample policiesget started with Pod Security Policies 6. Where to look for practical adviceOverview of Kubernetes Engine SecurityKubernetes Engine hardening guide

Kubernetes best practices: How and why to build small container images

Friday, April 20, 2018

By Sandeep Dinesh, Developer AdvocateEditor’s note: Today marks the first installment in a seven-part video and blog series from Google Developer Advocate Sandeep Dinesh on how to get the most out of your Kubernetes environment. Today he tackles the theory and practicalities of keeping your container images as small as possible.Alpine Linuxbuilder pattern Containerizing interpreted languagesNode.js applicationFROM node:onbuild EXPOSE 8080

FROM node:alpine WORKDIR /app COPY package.json /app/package.json RUN npm install --production COPY server.js /app/server.js EXPOSE 8080 CMD npm start

Containerizing compiled languagesmulti-step buildsGo applicationFROM golang:onbuild EXPOSE 8080

FROM golang:alpine WORKDIR /app ADD . /app RUN cd /app && go build -o goapp EXPOSE 8080 ENTRYPOINT ./goapp

FROM golang:alpine AS build-env WORKDIR /app ADD . /app RUN cd /app && go build -o goapp FROM alpine RUN apk update && \ apk add ca-certificates && \ update-ca-certificates && \ rm -rf /var/cache/apk/* WORKDIR /app COPY --from=build-env /app/goapp /app EXPOSE 8080 ENTRYPOINT ./goapp

scratch Where to build and store your containersGoogle Container BuilderGoogle Container RegistryGoogle Cloud StorageGoogle Kubernetes EngineIAM Evaluating performance of smaller containersTL;DR: No significant difference for powerful computers or Container Builder, but significant difference for smaller computers and shared systems (like many CI/CD systems). Small Images are always better in terms of absolute performance. Building images on a large machine

Go Onbuild: 35 Seconds Go Multistage: 23 SecondsContinuous IntegrationGo Onbuild: 15 Seconds Go Multistage: 14 SecondsGo Onbuild: 26 Seconds Go Multistage: 6 SecondsGo Onbuild: 25 Seconds Go Multistage: 20 Seconds Building images on small machinesGoogle Compute EngineGo Onbuild: 52 seconds Go Multistage: 6 secondsGo Onbuild: 54 seconds Go Multistage: 28 seconds

Go Onbuild: 48 Seconds
Go Multistage: 16 seconds

Pulling on KubernetesKubernetes Engine Autoscaling Security and vulnerabilitiesVulnerability Scanning

ConclusionCheck in next week when we’ll talk about using Kubernetes namespaces to isolate clusters from one another. And don’t forget to subscribe to our YouTube channel and Twitter for the latest updates.
If you haven’t tried GCP and our various container services before, you can quickly get started with our $300 free credits.

Introducing kaniko: Build container images in Kubernetes securely

Monday, April 16, 2018

By Priya Wadhwa, Software EngineerissuekanikoGoogle Kubernetes Engine How does kaniko work?

Running kaniko in a Kubernetes clusterGoogle Cloud StorageapiVersion: v1 kind: Pod metadata: name: kaniko spec: containers: - name: kaniko image: gcr.io/kaniko-project/executor:latest args: ["--dockerfile=<path to Dockerfile>", "--bucket=<GCS bucket>", "--destination=<gcr.io/$PROJECT/$REPO:$TAG"] volumeMounts: - name: kaniko-secret mountPath: /secret env: - name: GOOGLE_APPLICATION_CREDENTIALS value: /secret/kaniko-secret.json restartPolicy: Never volumes: - name: kaniko-secret secret: secretName: kaniko-secretsecrethere Running kaniko in Google Cloud Container BuilderGoogle Cloud Container Buildersteps: - name: gcr.io/kaniko-project/executor:latest args: ["--dockerfile=<path to Dockerfile>", "--context=<path to build context>", "--destination=<gcr.io/[PROJECT]/[IMAGE]:[TAG]>"]
Comparison with other toolsimgorca-buildrunc
Conclusion GitHub repoGoogle group

Now, you can deploy to Kubernetes Engine from GitLab with a few clicks

Thursday, April 5, 2018

By William Denniss, Product Manager, Google Kubernetes Engine, and William Chia, Senior Product Marketing Manager, GitLab GitLabnew integration of GitLab and Kubernetes EngineGitLab

Once connected, you can deploy the GitLab Runner into your cluster. This means that the continuous integration jobs will run on your Kubernetes Engine cluster, enabling you fine-grained control over the resources you allocate. For more information read the GitLab Runner docs.—AutoDev Ops docs

Join us for a webinar co-hosted by Google Cloud and GitLab Register hereTry it out