Google Kubernetes Engine Deep Dive
November 5th, 2018
Google Cloud Training Architect II in Content
Kubernetes, the open-source system for deploying, managing, and scaling containerized apps, is at the heart of Google Kubernetes Engine. This integration is totally natural. Google developed Kubernetes in-house, and uses it to run its own most popular, global apps. Gmail, YouTube, and even Search run in Kubernetes Engine. It is a fully-managed service and, in this course, you’ll learn it from the ground up.
During this course, I’ll explain the concepts behind Kubernetes and explain its architecture in detail. You’ll learn what comprises a cluster, how to spin one up, deploy an application on one, and then scale out as needed. Such power needs to be handled properly. We’ll cover multiple levels of access control, from integration with Cloud IAM to Kubernetes-specific Role-Based Access Control. With any cloud computing system, networking is key. I’ll show you how Kubernetes Engine works with load balancers (both internal and external), as well as how to set up a private cluster, and declare a network policy.
Throughout the course, a fictitious company, LA Containers, is used to provide real-world scenarios in an interactive chart, which can be viewed here: https://interactive.linuxacademy.com/diagrams/LAContainers.html.
Additionally, the course describes how to convert the normally stateless Kubernetes Engine so that it handles stateful applications, with the addition of a persistent disk. We’ll also explore the techniques used for integrating Kubernetes Engine with other services on the Google Cloud platform, such as Cloud Pub/Sub, Cloud Storage, and Cloud SQL.
Kubernetes is the de facto standard for orchestrating containerized apps, and Google Kubernetes Engine is its most fully-realized implementation. Join me in the comprehensive exploration of this much in-demand technology in Google Kubernetes Engine Deep Dive.
This lesson provides an overview of Google Kubernetes Engine. I'll discuss what the course covers, how it's structured, and its intended audience.
About the Training Architect
Meet our course author, Joseph Lowery. Joe has been working with Google Cloud for over four years, transitioning websites to the cloud via App Engine, Compute Engine, Cloud Storage, Cloud Datastore, and other services. He's Linux Academy's training architect for Google Cloud Essentials and Google App Engine Deep Dive.
Using the Interactive Diagram
The Interactive Diagram for this course is a tool that provides both an overview and a detailed breakdown of all the Google Kubernetes Engine services covered. You'll see it incorporated throughout the course. In this lesson, you'll learn how you can also use it independently, and fortify your understanding of Kubernetes Engine. https://interactive.linuxacademy.com/diagrams/LAContainers.html
Course Features and Tools
This course, like all Linux Academy courses, is more than just a series of video lessons. Here, I'll detail the other online and offline features available for students.
Understanding Kubernetes Engine
Orchestrating Containers with Kubernetes Engine
Kubernetes Engine is like ground zero for trending Internet tech topics like clusters, containerized applications, orchestration, and of course Kubernetes itself. In this lesson, you'll get a complete overview of what Kubernetes is, how it fits into Kubernetes Engine, and how all the component parts work together.
Understanding Kubernetes Engine Architecture
Kubernetes Engine is a complex system. It's necessary to get a solid understanding of how it all works before putting that knowledge to use. In this lesson, we'll dive deeper into clusters, master and worker nodes, pods, pod pools, and containers.
What Does Kubernetes Engine Cost?
Let's say you are given the responsibility of leading a Kubernetes Engine project for your company. You handle all the cluster setup and container deployment just right, but you forget to monitor charges for the service and your company receives a bill beyond the declared budget. Avoid a situation like this by watching this lesson on Kubernetes Engine costs, so you'll know everything you need to know about the service.
Working with Kubernetes Engine
Creating and Managing Clusters
Spinning up your First Cluster
Creating clusters is an essential aspect of working with Kubernetes Engine. In this lesson, we'll step through the process, following a specific project-based scenario and examining all the selections in great detail. The availability of some options depends on other choices though. For example, the maximum number of virtual CPUs depends on the zone you select. Watch the lesson to get the full inside scoop.
Deploying to your Cluster
With the cluster created, as demonstrated in the previous lesson, everything is in place for deploying your app to Kubernetes Engine. The process is relatively straightforward, but there are quite a few steps involved. In this lesson, we'll walk through each of the necessary elements, detailing the code and showing how to use the shell as well as the console to get your containerized app up and running.
Scaling Clusters and Applications
Upgrading and Deleting Clusters
One of the key advantages of the Kubernetes open-source organization, its on-going committment to improvement, could prove to be a hassle for Kubernetes users with the constant need for upgrade. However, Kubernetes Engine offers automatic upgrading for both master and worker nodes in a cluster, which eases the managerial burden significantly. Additionally, Kubernetes Engine makes it possible to take complete control of the upgrade process, so you can easily upgrade your cluster just as you desire. You'll see how to accomplish all those goals in this lesson, as well as learning how to properly delete your clusters when they are no longer being used.
Hands-On Demonstration: Creating and Managing Clusters
In this lesson, you'll get a demonstration of the hands-on techniques used to create, manage, and delete clusters. It's the entire cluster life-cycle. Use this lesson to pull together the information presented in all the previous lessons of this chapter.
Handling Security with Kubernetes Engine
Integrating with Cloud IAM
Controlling access to the various aspects of your Kubernetes Engine implementation is critical. Google Cloud IAM provides the necessary identify and access management, for both individuals and applications. In this lesson, we'll see how to assign Kubernetes Engine specific roles, granting only the desired permissions for creating and managing Kubernetes clusters and their workloads.
Managing Role-Based Access Control
While Cloud IAM is a good first level of security for Kubernetes Engine, many scenarios requires a higher degree of granularity. For example, let's say your app, running on Kubernetes Engine, is being developed by one team, tested by another, and handled in production by yet another. It'd really be best to keep the permissions for all these different teams separate. With Role-Based Access Control, you can do exactly that. In this lesson, you'll see concrete examples of how different namespaces can be secured as well as how cluster-wide permissions are granted.
Establishing a Pod Security Policy
Google Kubernetes Engine doesn't just make it possible to secure namespaces or cluster-wide access through RBAC. It also supports defining pod access using a pod security policy. In this lesson, we'll see what a pod security policy is, how it is most often used, and how to create one. Defining a pod security policy involves roles and rolebindings, so be sure you have reviewed the previous lesson on Role-Based Access Control before proceeding with this lesson.
Implementing Security Protocols
Security is a constantly evolving concern for all computing environments, and Kubernetes Engine is no exception. This lesson explores a range of additional strategies that people can implement to further protect Kubernetes Engine nodes and workloads.
Hands-on Demonstration: Handling Security with Kubernetes Engine
Do you think you understood everything we covered in this section? Test your knowledge of Kubernetes Engine security along with me, as I demonstrate carrying out related tasks, such as assigning Kubernetes roles to users and enabling a pod security policy.
Coordinating Networking and Kubernetes Engine
Configuring Load Balancers
Load balancers are the front-line for access to your Kubernetes Engine cluster. In this lesson, we'll explore two types of load balancers: external and internal. External load balancers are used to expose clusters and their applications to Internet traffic. Internal load balancers handle traffic from other services on Google Cloud and your clusters. You'll see how to configure both in this lesson.
Establishing a Network Policy
Kubernetes Engine supports network policies for a specific cluster. Such a policy sets up a series of whitelisted rules for ingress or egress or both of a pod—essentially provided a pod-level firewall. In this lesson, I'll explain how Kubernetes Engine network policies work, their limitations, and then show you how to implement one.
Creating a Private Cluster
By default, Kubernetes clusters make it easy to expose their workloads publicly. However, that doesn't have to always be the case. This lesson will explain how private clusters work, what use cases they are good for, and show you how to set one up with all the necessary subnets and authorized networks declared.
Hands-on Demonstration: Coordinating Networking and Kubernetes Engine
Here's your chance to make sure you've nailed all the key concepts in this section. Join me in the demo as we walk through all the critical steps for setting up an internal load balancer, creating a private cluster, and establishing a network policy.
Expanding Kubernetes Engine
Implementing Stateful Applications
A stateful application is anyone that stores data or application state so that it can be accessed after the user's session is over. Obviously, a great many apps fall into this category. However, Kubernetes Engine, by default, is set up for stateless apps—so does that mean stateful apps are out-of-reach? Absolutely not! In this video, I'll show you all the necessary steps for creating a persistent disk so you can incorporate both stateless and stateful apps on Kubernetes Engine.
Transitioning from On-Prem
Organizations running Kubernetes clusters in their own data centers often struggle with questions about transitioning to cloud computing. Google Cloud has just made it possible to enjoy the best of both worlds—as well as easing that transition@mdash;with its latest offering GKE On-Prem. In this lesson, I'll preview the newly announced service, explaining what it is, its features, and common use cases.
Integrating Other Google Cloud Services
There’s no question that Kubernetes Engine is stronger because it is a fully integrated member of the Google Cloud platform. The ability to quickly and easily connect to services like BigQuery, Cloud Storage, Cloud Machine Learning Engine, Cloud SQL, and many others intensifies the power and functionality of Kubernetes Engine. Knowing this, the question then becomes, “How? How do I connect Kubernetes Engine to these services?” In this lesson, we’ll explore the steps necessary for connecting to a wide range of services, from the most common to the very specific. This lesson is essential for learning to harness the full power of Kubernetes Engine.
Monitoring and Logging with Stackdriver
Stackdriver is Google Cloud's cross-platform monitoring and logging service. They recently released a version specifically for Kubernetes Engine that aggregates metrics and data from all your clusters, nodes, pods, and containers into a single dashboard. In this lesson, I'll explain all you need to know to enable and access this critical service.
Now that you've completed your deep dive of Google Kubernetes Engine, here are a few suggestions on what you should do next.
Get Recognized for you hard work and certification!