- Not just log collection: it now does monitoring, debugging, tracing, and error reporting
- 4 golden signals: latency, traffic, saturation, errors
- Metrics collection with https://opencensus.io/
- Anomaly detection
- Metrics dashboard
- Alerts
- BigQuery
- Auditing and monitoring, Stackdriver
- The Kubernetes Dashboard is disabled
- Master authorized network is enabled
- The cluster isn't using the default network
- The cluster nodes are running Container-Optimized OS (COS)
- Network policy is enabled
- Segmentation with Network Policy: defense in depth, per pod firewalls
- Authorization with RBAC
- Hybrid Cloud
- Platform Security: resources, permissions, roles, Service Accounts, IAM Policy
- GKE Infrastructure — Google manages the master nodes
- Stay updated and use least privilege
- Run Container-Optimized OS: a minimal, Google-maintained node image based on Chromium OS
- Pod Security Policy: do not allow privileged pods, do not allow privilege escalation, forbid running as root, forbid adding the root group
- Protect the Control Plane: Disable the K8S Web UI, Use Authorized Networks
- Trusted networking: Global VPC, Shared VPC
- Leverage GCP Network Features: Shared VPC, Private Clusters, IP Aliases, Network Policy
- Going Private: private clusters, NAT Gateway
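The three Kubernetes-side controls from the list above (segmentation with Network Policy, authorization with RBAC, and the four Pod Security Policy rules) in one applyable manifest. This is an added example, not code from the talk; the namespace `payments`, the labels `app: payments-api` / `app: api-gateway`, the `gateway` namespace label and the `ci-deployer` service account are all assumed names.

```yaml
# 1. Default deny: with this in place no pod in the namespace accepts or
#    initiates traffic until a more specific policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: payments            # assumed namespace
spec:
  podSelector: {}                # empty selector = every pod in the namespace
  policyTypes: [Ingress, Egress]
---
# 2. Per-pod firewall: only api-gateway pods in the gateway namespace may reach
#    payments-api, and only on TCP 8443. A namespaceSelector and a podSelector
#    in the same `from` entry are ANDed (Kubernetes 1.11+).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-gateway-to-payments-api
  namespace: payments
spec:
  podSelector:
    matchLabels: {app: payments-api}
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels: {name: gateway}     # assumed namespace label
      podSelector:
        matchLabels: {app: api-gateway}
    ports:
    - {protocol: TCP, port: 8443}
---
# 3. Policy 1 also blocks DNS lookups; re-allow egress on port 53 only, so the
#    Egress half of the default deny does not break name resolution.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: payments
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
  - to:
    - namespaceSelector: {}      # any namespace; narrow to kube-system if desired
    ports:
    - {protocol: UDP, port: 53}
    - {protocol: TCP, port: 53}
---
# 4. Least-privilege RBAC: a namespaced Role with only the verbs the CI
#    service account needs, bound to that one service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-deployer
  namespace: payments
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-deployer
  namespace: payments
subjects:
- {kind: ServiceAccount, name: ci-deployer, namespace: payments}   # assumed SA
roleRef: {kind: Role, name: payments-deployer, apiGroup: rbac.authorization.k8s.io}
---
# 5. Restricted PodSecurityPolicy implementing the four rules from the notes:
#    no privileged pods, no privilege escalation, no root user, no root group.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ["ALL"]
  runAsUser:
    rule: MustRunAsNonRoot       # rejects UID 0, including images whose USER is unset
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]   # GID 0 excluded
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  seLinux:
    rule: RunAsAny
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes: [configMap, emptyDir, projected, secret, downwardAPI, persistentVolumeClaim]
```

Apply with `kubectl apply -f`. Two caveats a practitioner will hit: the NetworkPolicy objects are only enforced on GKE when the cluster was created (or updated) with network policy enabled, otherwise they are accepted and silently ignored; and a PodSecurityPolicy is inert until the PSP admission controller is on, at which point pods are rejected unless their service account has been granted the `use` verb on the policy through RBAC, so ship that ClusterRole/RoleBinding together with the policy.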
Envoy: originally developed by Lyft, used by the Istio project as its sidecar proxy. It can be added to existing deployments as a sidecar container. https://www.envoyproxy.io/
https://github.com/jonmosco/kube-ps1
Adds the current Kubernetes context and namespace to the command prompt.
https://abhishek-tiwari.com/a-sidecar-for-your-service-mesh/
https://istio.io/docs/concepts/what-is-istio/overview/
Istio is a service mesh that runs on top of a Kubernetes cluster and provides additional features like routing, load balancing, policy enforcement, and telemetry. Version 1.0 is due on August 1st and is to become part of the default GCP feature set.
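What the mesh adds on the security side, as an added example (not from the talk or the Istio project's own docs) written against the Istio 1.0 APIs of the time: namespace-wide mTLS between sidecars, plus the "authorize access, finer-grained RPC-level access control" point from the Zero Trust notes later on. The `payments` and `gateway` namespaces, the `payments-api` service and the `api-gateway` service account are assumed names.

```yaml
# Server side: every sidecar in "payments" must present a Citadel-issued
# certificate; plaintext requests are rejected.
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: default                 # the name "default" makes it the namespace-wide policy
  namespace: payments           # assumed namespace
spec:
  peers:
  - mtls: {}
---
# Client side of the same handshake: sidecars originate mTLS to every service
# in the namespace. Without this rule callers keep sending plaintext and are
# refused as soon as the Policy above is in place.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: payments
spec:
  host: "*.payments.svc.cluster.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
---
# Turn Istio RBAC on for the payments namespace only (singleton, must be named
# "default"; istio-system is where the 1.0 docs place it).
apiVersion: rbac.istio.io/v1alpha1
kind: RbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: ["payments"]
---
# RPC-level authorization: the role allows only GET/POST on the charges paths of
# payments-api; everything else in the namespace is denied once RBAC is on.
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRole
metadata:
  name: charges-caller
  namespace: payments
spec:
  rules:
  - services: ["payments-api.payments.svc.cluster.local"]   # assumed service
    methods: ["GET", "POST"]
    paths: ["/v1/charges", "/v1/charges/*"]
---
# The subject is the caller identity taken from its mTLS certificate, i.e. the
# api-gateway service account in the gateway namespace (both assumed).
apiVersion: rbac.istio.io/v1alpha1
kind: ServiceRoleBinding
metadata:
  name: gateway-calls-charges
  namespace: payments
spec:
  subjects:
  - user: "cluster.local/ns/gateway/sa/api-gateway"
  roleRef:
    kind: ServiceRole
    name: charges-caller
```

Roll mTLS out in stages: a `Policy` with `mtls: {mode: PERMISSIVE}` accepts both plaintext and mTLS while workloads without a sidecar still exist, and switching to the strict form above is the step that actually enforces the perimeter. These resource kinds belong to Istio 1.0; later releases replaced them with `PeerAuthentication` and `AuthorizationPolicy`, so the manifests above will not apply unchanged to a current mesh.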
- Kubectl plugins
- Mutating Webhook
- Mutating Webhook tutorial
- Kubernetes Initializer tutorial
- Custom Resources
- Operator SDK
- Zipkin — Distributed tracing system
- Skaffold
- Kustomize
- Google Cloud Build
- Production cluster
- Canary cluster
- Using Spinnaker in the hybrid cloud
- GKE takes care of node OS updates and patches
- GKE has been in production for 3 years
- GKE is being extended with Istio to provide management and monitoring
- Cloud Services Platform — fully managed, traffic management, integration with Apigee, unified security model (across different clouds), support for serverless
- GKE on prem
- Kubernetes apps in GCP Marketplace
- Contributors: Google, Red Hat, VMware, Lyft, IBM, ...
- "Zero Trust"
- Secure network perimeter: VPC Network + Firewalls, Kubernetes Engine Private Clusters
- Firewall for every microservice
- Central administration and monitoring
- BeyondCorp: Employee, Device, Rules engine, Proxy, Corp Services, Identity Aware Proxy, VPC Service Controls
- Istio components: Pilot, Mixer, Citadel
- Secure every service: mTLS, authorize access, finer-grained RPC-level access control
- BigQuery, BigQuery ML
- AutoML
- GCP: 17 regions, 125 POPs
- Network security – Cloud Armor (DDoS defense, SQLi attacks, HTTP flood attacks, custom defense rules)
- Velostrata — migration to GCP
- Cloud Filestore
- Cloud Spanner
- Twitter — migrated 300PB of data to GCP, likes GCP performance/storage/pricing
- Maps Platform — updated more than 25 million times a day, overhaul in the past year, API (Maps, Routes, Places), Asset tracking, Gaming solutions, Ride sharing.
- Cloud Services Platform — hybrid cloud, managed services, Istio, Binary Authorization, Shielded VMs, Cloud Functions, Knative, Marketplace.