Xiaowen is the product manager for security features within the Android platform, Pixel, and Android Enterprise. She has almost fifteen years of experience in the tech industry, having worked on both Android and Chrome OS at Google, as well as at a number of startups and other major tech companies like Microsoft and EMC. Xiaowen earned a bachelor's degree in computer science from MIT.
About the talk
Anthos enables platform teams to defragment application delivery across hybrid and multi cloud. Learn about how Anthos provides a consistent runtime and operational experience for a platform team to enable developers to move at an agile pace while minimizing operational overhead.
Speaker: Xiaowen Xin
Google Cloud Next ’20: OnAir → https://goo.gle/next2020
Subscribe to the GCP Channel → https://goo.gle/GCP
Hi everyone. My name is Xiaowen and I'm really glad to have the opportunity to be here today to talk about modernizing your apps. A theme that we consistently hear is that apps running on older infrastructure and frameworks become hard to maintain. Customers are looking for a platform to help modernize these older apps as well as leverage modern best practices. Google's answer to that is Anthos, an application modernization platform that helps teams move faster and at scale.

With Anthos, you can modernize in place. You can apply policy and security at scale. And you get a consistent experience across all clouds. Anthos is designed to be deployed wherever you deploy your apps. You can use it to build out an application platform on top that abstracts away many cloud-specific details. The vast majority of enterprises today are operating in a hybrid or multi-cloud environment. A lot of customers want the flexibility to choose different environments for different apps while reducing operational overhead. Some workloads run on-prem. Others run on AWS to take advantage of particular services there. Many customers want to be able to run on any cloud, and sometimes on several simultaneously. Some want to be able to migrate workloads to the cloud, or from one cloud provider to another, and do all of this in order to achieve resilience or cost savings.

Anthos supports these hybrid and multi-cloud use cases and environments with a consistent operational experience that takes all of this into account. We support clusters running on VMware vSphere, with bare metal support coming soon. We have worked with a large number of storage and networking providers so the platform can easily integrate with your existing infrastructure. In the cloud, Anthos integrates with cloud-specific services such as load balancers and identity and access management. We support GCP and AWS today, with Azure support coming soon. We're partnering with companies [inaudible].

On top of this distributed infrastructure, for infrastructure operators, we provide a unified experience for managing Kubernetes clusters and deployments, along with the configuration and policies required for enterprise security and compliance. For service operators, we provide a way to gain visibility and control over your services, including traffic management. For developers, we provide ways to easily deploy and run modern serverless workloads without needing to learn about the underlying infrastructure. These components build on an open source foundation, which was first developed at Google. With Anthos, we put the Lego pieces together to give you a managed and supported experience for your infrastructure so that you can focus on your apps.

Let me demo a bit more about how all this works. First, we'll look at some details of the individual clusters, and then we'll take a look at the unified management experience. Here I have created four Anthos clusters. The first one is a GKE cluster on AWS. The second one is an EKS cluster, also on AWS. The bottom two are GKE clusters on GCP. GKE on AWS just reached GA status recently, and we've heard a lot of customer interest here. So let's take a quick look at how GKE integrates with the AWS environment. Under the hood, the cluster is running as a number of EC2 VMs on native AWS. The cluster control plane consists of three VMs that can be deployed in a highly available fashion, as we have it here across three availability zones in the same region. The node VMs here belong to a single node pool deployed in a single availability zone. You can also add additional node pools and put them in different availability zones in the same region.

Note here that none of these nodes have public IP addresses. For security reasons, most of our customers prefer that the clusters are available only on an internal network and can only be accessed via a VPN or similar mechanism. A lot of customers have well-established AWS VPCs that have been through rigorous security reviews. GKE on AWS is designed to be able to install into the customer's own VPC and stay within the established boundaries.

From a management perspective, we're starting with a foundation that most customers are already familiar with. Just like the Kubernetes-based apps that you deploy and manage, clusters and other Anthos resources are managed declaratively. Additionally, you can enforce policies on them using the same tools that you use to enforce policies on apps. For example, here is the YAML file I used to define the GKE cluster on AWS that we saw. We define here what region the cluster runs in, what VPC to use, what subnets to use, and so on. With this, customers can then layer policies on top, such as to enforce that only certain VPCs may be used for GKE clusters. So we've now seen how GKE on AWS integrates with the native environment.

You may be wondering how we provide a unified operational experience on top of such a large variety of cluster deployments. That journey starts with a unified authentication experience. Most customers have standardized on a few top identity providers for their corporate authentication needs, such as Microsoft Active Directory and others. Anthos clusters support these through OpenID Connect. Let's see how this works. Here I've registered my GKE on AWS cluster, but I haven't yet authenticated to it. Let's click the login button. In this case, we're using Okta as our example corporate identity provider. So I enter my Okta credentials here, and I've logged in. The process is similar on the command line and also works the same way for other Anthos clusters. After authentication, I can now use the web console to see information about the cluster. I can see the nodes that make up the cluster, and information about each node, such as the pods running on that node.

Now, so far, we've explored running GKE on AWS. That's one option for running Anthos clusters. You can also run GKE on other clouds or in your own data center. You can attach your own existing EKS or AKS cluster and Anthos will be able to bring it on board. For example, the second cluster I have here in the web console is an AWS EKS cluster that has been registered to my Anthos environ, an administrative domain for Anthos resources. Once registered, you can run the same higher-level Anthos services on top, such as configuration and policy management, as well as service management. With this option, customers can keep using their existing Kubernetes distribution, and can more easily onboard onto Anthos while relying on Google to test and support the integrated solution. EKS and AKS are supported today, and more distributions will be supported in the future. Now, if and when you'd like to move to the GKE distribution, you'll have the same Kubernetes distribution everywhere with the same networking and identity stack, and you'll get a more consistent experience for managing a cluster and its lifecycle.

Now, switching gears. We've just seen how Anthos provides consistent management and access. Many customers also need a way to ensure that their policies and configuration can be applied across all clusters reliably and uniformly. This is what Anthos Config Management does. With ACM, you can define policies in a central Git repository and they will be synchronized and applied across all your Anthos clusters. This gives you a way to easily manage a fleet of clusters at scale with continuous monitoring. With Git as a source of truth, you can manage your configuration and policies as code with the power of source control. So you can integrate code review flows on changes, and you can easily roll back to previous versions. Many of our customers use ACM to apply and enforce policies, like limiting host OS access, as well as limiting access and shutting off [inaudible].

For this demo, I've configured ACM for all my clusters to pull configuration and policies from the same Git repo. They all point at the same Git branch and have been updated to the latest commit. Clicking into one of them, the Git repo URL is configured here. The subdirectory we're using is configured here. If I navigate to this Git repo and then the subdirectory, I can see the configuration and policies that are being applied to this cluster. Let's take a look at the configuration and policies. For example, we have a policy here that requires that all namespaces have a cost-center label for auditing purposes. There's also a namespaces directory that defines a few namespaces that will be managed by ACM. For example, in this file, we create a shipping-dev namespace with a cost-center label. Switching back to the terminal, we see that the shipping-dev namespace has been created by ACM. Let's see what happens if we try to delete that namespace. We see that the namespace was deleted and then immediately recreated by ACM. So ACM is constantly monitoring to make sure that what's deployed matches the source of truth in your Git repo. Now, what if we were to try to do something that violates our policies? We saw earlier there's a policy requiring that all namespaces have a cost-center label. If we try to create a namespace that doesn't have such a label, this action is denied and the namespace does not get created.
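The policy and namespace from the demo above, written out as an added example (not the repo shown in the talk): a Policy Controller constraint that requires a cost-center label on every Namespace, the ACM-managed shipping-dev namespace that satisfies it, and an unlabelled namespace that the admission webhook would reject. The K8sRequiredLabels kind is the constraint template from the open source Gatekeeper policy library; the constraint name, the file paths in the comments and the label value are assumptions.

```yaml
# Constraint (Policy Controller, built on OPA Gatekeeper): every Namespace must
# carry a cost-center label. K8sRequiredLabels is the Gatekeeper library's
# template; the exact shape of "parameters.labels" depends on the template
# version installed, so check it against your cluster. Assumed path in the
# config repo: cluster/required-cost-center-label.yaml
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLabels
metadata:
  name: namespaces-must-have-cost-center
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Namespace"]
  parameters:
    labels:
      - key: cost-center
---
# Namespace managed from the config repo (assumed path:
# namespaces/shipping-dev/namespace.yaml). It carries the label, so it is
# admitted, and ACM recreates it if anyone deletes it from the cluster.
apiVersion: v1
kind: Namespace
metadata:
  name: shipping-dev
  labels:
    cost-center: "cc-4021"   # constructed sample value
---
# Counter-example: applied directly with kubectl, not from the repo, and
# without the required label. The admission webhook denies the request,
# so the namespace is never created.
apiVersion: v1
kind: Namespace
metadata:
  name: shipping-dev-unlabelled
```

Keeping the constraint in the same repo ACM syncs means the guardrail is enforced on every cluster in the fleet and any change to it goes through the same code review as the namespaces it governs.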
With our configuration and policies in place, the next thing we might want to set up is our CI/CD pipeline. One simple option is to use Google Cloud Build, our managed serverless CI/CD platform. With Cloud Build, you can easily define pipelines consisting of steps that can be automatically triggered from your source control. I set up a really simple pipeline here that performs three steps. First, we do a git clone of the Kubernetes examples repo. We update the service definition to use a service of type LoadBalancer instead of NodePort. And finally, we configure kubectl and use it to deploy the guestbook sample.

Now, let's kick off the deployment. While it's running, let's view the progress in the web console. Here we can see the three steps and the output from each step. Notice that we deployed to our Anthos GKE on AWS cluster. So with your CI/CD pipeline, you can target Anthos clusters, including clusters on-prem and in other clouds. In this case, our cluster is actually sitting in a private VPC in AWS. We're able to access it because there's an agent running in the cluster that reaches out to Google Cloud to maintain a persistent connection. We didn't need to open up any firewalls or expose any public IP addresses for the cluster. This ability to proxy Kubernetes control plane traffic is currently in alpha. This pipeline is pretty simple and it's finished quickly. You could, of course, include many more steps, such as steps to build container images, run validation and integration tests, and so on, all on a fully managed service.

Let's now move to the Kubernetes page in the web console. We can see a multi-cluster view here, and we can see that our guestbook workload has been deployed. In addition, our guestbook service is also running, and an AWS elastic load balancer has been allocated. We can click into that; the guestbook is currently empty. With the Cloud Build integration, you can build your app once using our serverless CI/CD platform and deploy it across multiple clusters. For customers that need to be able to access private resources and need more configurability, we're also offering a new feature called custom workers, in limited beta, where you can run builds in your private network on GCP using VPC networking.

One more thing we might want to do, and Anthos makes it easy, is to set up a service mesh. With Anthos Service Mesh, service operators can gain more visibility and control over your services, including traffic management, monitoring, and alerting. For this demo, I deployed the sample Online Boutique app a few days ago on my two GKE clusters on GCP. With ASM, we can see at a glance how all of our services are doing. We can also drop into a topology view to see how the services communicate with each other. From here, we can drill into each service to get more information about that service. We can see any SLOs we set for the service, as well as a lot of metrics for the service, such as requests per second, error rates, latency, request sizes, and so on. As of the latest release, GKE clusters on GCP can be part of the same service mesh, so they can load balance between them and we can aggregate the metrics for the services running on them. The metrics we see here are aggregated from both of our GKE clusters that are on GCP. If we want, we can also break this down by cluster to monitor each cluster separately. For example, let's do that for this service. In this view, we can see how the services in each cluster perform relative to each other: the red line represents one cluster and the blue line represents the other. ASM's multi-cluster capabilities are a great tool for operating your services. Note that these capabilities are currently only available for [inaudible].

To recap what we saw in the demo today: whether you choose GKE or another Kubernetes distribution, we saw a unified authentication and management experience from the console. We applied the same configuration and policies to all our clusters. We deployed an app to our GKE on AWS cluster using Google Cloud Build. And we saw how we can use Anthos Service Mesh to monitor the services running in our clusters. There's a lot more we didn't have a chance to cover today, so check out the other sessions this week, as well as our website, cloud.google.com.