#13 July 23, 2018

Google Cloud Services Platform, with Aparna Sinha

Hosts: Craig Box, Adam Glick

Learn about the announcements from Google Cloud Next, including GKE On-Prem, Cloud Services Platform, and Istio 1.0. Google’s product management lead for Kubernetes and CNCF governing board member Aparna Sinha joins Adam and Craig to discuss what’s new.


News of the week

ADAM GLICK: Hi. And welcome to the Kubernetes podcast from Google. I'm Adam Glick.

CRAIG BOX: And I'm Craig Box.

ADAM GLICK: Hey, Craig. How's it going?

CRAIG BOX: Well, there's obviously a very big event here in San Francisco. And that is, of course, the World Cup Rugby Sevens. Congratulations, of course, to my home country of New Zealand for winning both men's and women's events for the second tournament in a row. It just so happens by chance that I'm staying at the hotel that all the rugby players are at. So I actually held the Rugby Sevens World Cup yesterday.

CRAIG BOX: I have a lovely photo, which I will put in the show notes of me and one of the New Zealand players. It was great. A lot of gold medals, a lot of good times. I'm sure there'll probably be a lot of sore heads this morning. But I hear there are other things happening in San Francisco this week as well.

ADAM GLICK: There may be indeed. Next kicked off this week.

CRAIG BOX: It has.

ADAM GLICK: Next has been great. We're already the first day into it. And there have been some fantastic announcements we'll talk a little bit more about in the show notes section. But really great to see all the people out here, and especially the folks who are interested in Kubernetes. If you're listening to this during the show, and you want a Kubernetes sticker, feel free to find me. I'm carrying around a stack of them.

ADAM GLICK: People always ask for them, so I remembered to bring a stack this time.

CRAIG BOX: And if you do manage to find us on the show floor, berate us for not having made Kubernetes Podcast stickers. Because they really should be a thing by now. And of course, we're going to need audience demand to make that real.

ADAM GLICK: Sounds good. You want to get to the news?

CRAIG BOX: Why not.

ADAM GLICK: Kubernetes last week won the OSCON award for most impactful open-source project. It's great to see this recognition for something that grew out of some engineers here at Google wanting to make technology available to everyone. If you want to know more about the history of where Kubernetes came from, please check out episode 12 with Joe Beda where he talks about the history of where Kubernetes came from and the process he and the other early contributors went through to help get Kubernetes launched.

CRAIG BOX: Google Cloud today made a number of announcements around Kubernetes and the open-source ecosystem related to it. We announced the 1.0 release of the Istio service mesh, which lets you configure traffic encryption, routing, and monitoring on microservices networks. We announced GKE On-Prem, an on-premises, installable version of Google Kubernetes Engine with cloud-based management features just like GKE.

GCP Marketplace, which was previously known as Cloud Launcher, now supports installing Kubernetes applications and launches with a number of partnerships with vendors, giving you one-click access to their applications. Google also announced the Serverless platform, built on Kubernetes and Istio, called Knative, with a k, which helps you build, deploy, and manage modern serverless workloads.

Knative enables developers to just focus on writing interesting code without worrying about the boring but difficult parts. All these things together comprise Google's Cloud Services Platform. And today we'll talk to Aparna Sinha about that, as well as drilling into Knative and Istio in coming shows.

ADAM GLICK: The Next Platform posted an interesting piece last week, questioning whether Kubernetes will become ubiquitous. They make the point that although Kubernetes is widely adopted as the container orchestration standard and has hosted versions provided by all major, and many minor, cloud vendors, it hasn't reached the point where it is invisible.

The article goes on to talk about invisibility as an interesting measure for ubiquity, as things that are invisible tend to be the ones that are so broadly adopted that there are dedicated people who provide it, and most people don't have to think about using it. The authors point out that there's still a bit of a ways to go to this end. But as we see more enterprise vendors getting into the Kubernetes space, it may just be a matter of time.

CRAIG BOX: And then in podcast news, transcripts are coming. We've got a ton of great response to our recently posted transcript for the 1.11 release manager talk with Josh Berkus and Tim Pepper. So we're working to get transcripts made for each of our podcasts.

Transcription does take a couple of days after each episode is out, but we'll post the transcript for each episode to kubernetespodcast.com to better serve our community, including those who might be hearing impaired or for anyone who wants to be able to search for things that they heard a guest say. We thank you for all the feedback you've sent us and look forward to continuing to improve the podcast with your input.

ADAM GLICK: And that's the news.

Our guest today is Aparna Sinha, who leads product management for Kubernetes at Google. Aparna is a member of the CNCF governing board and is also co-chair of the Kubernetes product management SIG. She has a PhD in electrical engineering from Stanford and a patent on Android IoT protocols. Welcome, Aparna.

APARNA SINHA: Thank you, Adam. It's a pleasure to be here.

CRAIG BOX: We've just finished the first day keynote here at Google Cloud Next. Can you talk us through the announcements as they relate to the Kubernetes ecosystem?

APARNA SINHA: Yes. I am very excited about Cloud Services Platform and the announcements that Urs made today. Cloud Services Platform is hybrid cloud software delivered by Google that is meant for companies that want to modernize applications, on-premises, and in the public cloud. And it comprises a set of software and services that work on-prem and in GCP and are managed by GCP or through GCP.

So an example of that is GKE On-Prem. GKE On-Prem is essentially Kubernetes for on-premise environments. And it is custom configured, tested, certified, managed, and supported by Google in on-prem environments. It is connected to GCP. And essentially, through that connection, Google takes care of basic management, obviously, things like logging, monitoring, single pane of glass for observability, and also, quite importantly, upgrades, frequent upgrades, that are certified with upstream. So that's one piece.

Another piece that I think is unique and very valuable is the GKE Policy Manager. GKE Policy Manager is a capability that allows admins to gain centralized control over the hybrid environment, both on-prem clusters as well as clusters in any region or any zone in GCP, and it could even be clusters elsewhere. GKE Policy Manager provides an easy way for admins to create a single source of truth for policies: policies for RBAC, policies for authentication, policies for quota management, various types of policies. And the Policy Manager automatically syncs these policies across all the clusters that are registered in the environment. So I think that's a truly remarkable capability. And it will be available also through GCP IAM.

The third piece is, of course, Istio. And so we announced Istio on GKE, which is easy to deploy, easy to manage, and supported. And again, Istio is a core part of Cloud Services Platform. And I find it's a very natural fit for anyone that's working with services, whether they be microservices in the Kubernetes area or they're planning to move to a service-based architecture on VMs. Istio provides that decoupling between developers and operators. It frees developers to focus on developing code that's differentiated rather than developing services that are common services, such as auth or monitoring or logging or billing or traffic management.

And at the same time, it gives operations visibility that they previously didn't have at the service level so they can both implement those common services as well as make sure that the services that are running are production ready and are running reliably in production, ensure the SLOs and so forth. So there is a nice demo that we did earlier this morning showing the service topology graph in Stackdriver and the ability to manage SLOs. So that's one of the good use cases of Istio of course.

So GKE On-Prem, Policy Manager, and Istio, I think that forms the core of Cloud Services Platform. There's, of course, also the Kubernetes Marketplace that was announced earlier. And that is extremely exciting. It's a place where many of our partners are participating. And the exciting thing about that is that with a single click, you can deploy applications from the Marketplace to any of your Kubernetes clusters. And these are applications that are partner supported and Google certified.

And of course, there's third party applications. There's also things that are Kubernetes specific, like Kubernetes Operators. So there's a Spark Operator, and there will be many more Operators. There's an Airflow Operator as well. So these are Operators that allow you to deploy and also manage those applications on your Kubernetes clusters and, again, anywhere. So those are the pieces I think I'm most excited about in Cloud Services Platform.

And of course, given that it is a hybrid platform, it gives you that consistent environment, that centralized control, that agility and reliability. And then it gives you the flexibility given that it is based on open-source. It gives you a lot of flexibility in terms of extending the platform and creating your own custom plug-ins or bringing in other plug-ins or customizing and integrating that platform for your enterprise environments.

And then lastly, we are building a number of solutions both in the open-source with the community as well as with partners and at Google. There's a number of solutions that will run in hybrid environments on Cloud Services Platform. Kubeflow, of course, is one of those. And that's been discussed and is already getting quite a bit of use. And then Knative and Serverless for GKE that were announced at Next as well.

ADAM GLICK: Wow. That's a lot of stuff there. One of the ones that piqued my ears and probably will pique a lot of the ears of the people listening was the GKE On-Prem, which sounds like you're building a separate Kubernetes distribution or-- what exactly is that?

APARNA SINHA: We have been running Google Kubernetes Engine since the early days of Kubernetes itself. So it's been more than three years since GKE, Google Kubernetes Engine, has been GA. And we've gotten excellent feedback on that product. I think you saw the growth numbers. They've been phenomenal.

Basically, customers really like that Google manages Kubernetes and configures Kubernetes, I think particularly the control plane and the master, making sure that that is healthy, and scale, does your cluster scale, taking care of etcd, and, of course, we manage the nodes as well in GKE. So those are some of the things that customers have been asking for to also be available on-prem. And so we've decided that we are going to provide GKE functionality on-prem. And so this is software that deploys in your on-prem data center.

At the moment, it is for vSphere. And at the moment, it is in alpha. But it does deploy in your own on-prem data center and then connects up to Google and can be managed from Google. And by management, I'm talking about things like, again, making sure that your masters are up and running, so availability, and, of course, scaling the master as you grow your cluster on-prem.

And then I think what's really important for our users is access to upgrades. GKE has always been very current with upstream. We have a track record of getting the latest release of Kubernetes into GKE within a week. So that's the same for GKE On-Prem.

CRAIG BOX: Who is GKE On-Prem for?

APARNA SINHA: GKE On-Prem is for anybody that is interested in having managed on-prem Kubernetes as an extension of Google Cloud. And I think, well, certainly the large customers and enterprises that we've been speaking to are very interested in this offering. Kubernetes, as you know, has become quite well adopted as a technology that enables application modernization and is a great orchestrator for containerized workloads. We've been building a number of features to extend it to stateful applications, batch processing, and just as a platform that translates easily from on-prem to cloud as well as to other clouds.

So anyone that is interested in those benefits, which tends to be a lot of people, but anyone that has their own data center and has a reason to stay on their own data center, it could be regulatory, compliance reasons, it could be because they have some sort of local environment like a retail warehouse or for regulatory reasons, they need to stay and keep their records or their data or their clusters in a particular data center, those would all be good use cases for GKE On-Prem.

CRAIG BOX: And in what ways is it different from the ways that some of those customers will already be running Kubernetes in their data center environments?

APARNA SINHA: So a lot of customers were running Kubernetes on their own in their own data centers. And usually, these are extremely capable IT teams and developer teams. So whether you have a DevOps team or you have a separate developer or an operations team, you may be deploying and managing a Kubernetes cluster in your on-prem environment. And what we've heard is that that can be challenging.

And it certainly is time consuming, particularly as you try and keep that cluster or that set of clusters up to date with upstream. Managing upgrades is something that's quite challenging. So oftentimes, especially when you have a highly qualified team on-premise, you want to make sure that they're working on the highest strategic tasks for your organization.

So what I hear customers say is that I want to use my talented resources for value added work that adds to my business impact. I want my developers, for example, to only focus on code that is truly core to the application. And I want my operators to be working on things that only they can do. So often, managing Kubernetes is not in that set. And they're looking for someone who has that expertise, has that credential, has done it for a while, and maybe also has access to the open-source maintainers and so forth.

ADAM GLICK: You also mentioned policy management and excitement around managing policy. How would this be different than how people are used to managing policy today with Kubernetes?

CRAIG BOX: And how exactly can policy management be exciting just as a topic?

APARNA SINHA: Oh, policy management is very exciting as a topic. And it actually is very seamlessly integrated into how policies are managed in Kubernetes and actually also how customers are managing identities and access control both in the Cloud and on-prem. And that's been something that's been a guiding principle in developing GKE policy management. We want to make sure it integrates with the way that you do policy management today in your enterprise.

And we also want to make sure it integrates nicely with IAM. And it does. It uses IAM as a single source of truth. It can also use some other repository as a single source of truth. But what it basically does is in any Kubernetes cluster, it deploys as a separate namespace with a small set of agents. And then you, as an admin, can define policies in a central repository or in the IAM service in GCP.

And this GKE Policy Manager syncs those policies from that single source of truth to all of the clusters that are enrolled in the service. So those clusters could be on-prem, they could be in GKE, they could be in GCE, they could be spread out across different regions, they could even be somewhere else in another cloud. And this Policy Manager will synchronize those policies. And examples of policies would be access control, security policies, and RBAC policies, like Kubernetes RBAC and Quota.

ADAM GLICK: As you deploy those policies, you've mentioned before about on-prem and GKE in the cloud, is there a management piece that's going to manage both of those? Or is this just packaging the software up so that people can run the same thing that people are used to in the cloud on-premises?

APARNA SINHA: I think that, obviously, providing an offering that's packaged up with best practices from Google is useful and is interesting for many, many users. But I think the most important part of this announcement is the management piece, which is the multi-cluster management regardless of where that cluster is, whether it's on-prem or in GCP. And so what do we mean by multi-cluster management?

Well, one is the ability to register those on-prem clusters in Google Cloud consoles so you can have a single pane of glass where you can view all of your workloads, all of your services, everything across all of those clusters. So you can do things like diff and see what's the difference between this cluster and that cluster? Which workloads are here, which workloads are there?

You can, in the future, do more sophisticated things but also push upgrades from the central management control plane to your on-premise clusters. But certainly, all of the logging, monitoring pieces, I think we actually did a demo on stage where we showed Stackdriver monitoring and troubleshooting for different clusters, one of which was on-prem, or was revealed to be on-prem at the end.

CRAIG BOX: Love a bit of theatre. You also mentioned Istio, which came out twice today in the context of the 1.0 release, and then also it being available packaged as part of GKE. Tell us a little bit about that latter piece.

APARNA SINHA: Really, Istio is a core part of Cloud Services Platform. Kubernetes kind of gives you that consistent environment, and GKE Policy Management gives you that centralized control. But all of that is really in service of making your business successful. In order to make your business successful, you have to make sure that your developers are productive and your operators are also productive.

Oftentimes, these two things are at odds, where your developers are trying to push code faster and your operators are trying to make sure that everything is production ready and reliable and doesn't go down. Istio breaks this trade-off. Istio is the technology that actually raises the plane at which we work from, say, the VMs, containers, network level to the services level.

And so with Istio, what it does is it makes it possible for your developers to just focus on writing their code while your Operators have visibility into what are the services? And how are they talking to each other? And are they being successful? Or are they running hot?

And then it gives those Operators control, again, at the service level to change things with regard to the services, change things like, hey, this service needs to have more traffic going to it or this service should not talk to this other service or this service needs to be authenticated and to be able to push those changes to the entire environment. So it helps you ensure greater reliability, making the Ops people happy, and it frees the developers to do more of their core work.

ADAM GLICK: Not to tease too much of the interview that we're going to be doing around the Knative stuff coming up, but Knative was one of the things that was announced that can easily deploy on top of the GKE work that you're talking about, and that that would also be open-sourced. How does that fit in with the vision for the Kubernetes platform as a whole moving forward?

APARNA SINHA: That's right. So Knative is an open-source framework for building serverless applications and, of course, functions. And we had been, as Google, working in the open-source on serverless for a while, and we realized that there was an opportunity to basically partner with a number of companies to create a standard for how serverless applications should be run and what components they can use. And of course, it makes sense to base this on something that would run on Kubernetes.

And so with Cloud Services Platform, since it's based on Kubernetes and Istio, Knative runs natively. Right? Knative. It runs natively on Cloud Services Platform. And so the goal is-- again, we've been working, I mentioned, with Kubernetes to support more and more types of applications. So I mentioned it started, obviously, with stateless applications. And then we've added support over the last two years for stateful applications and batch processing and, of course, machine learning. And you see Kubeflow and other things that make it easier.

And then with Knative, support for serverless applications and functions as well. So that's how it integrates. And I think that it's a huge step forward. Because, again, it's open-source, it's something that is going to enable hybrid. That interoperability is really important to developers who are writing functions.

And then it inherits all of the underlying capabilities of the platform, so the auth, the IAM. All of those pieces, it just inherits automatic monitoring, logging. You don't have to do that separately for your serverless apps. You don't have to do it separately for your batch apps. That's the whole point of a platform.

CRAIG BOX: And as a GKE customer, am I going to have to take the open-source pieces and deploy them in my cluster? Or am I going to have Google look after this for me?

APARNA SINHA: So I think we also announced GKE Serverless, which is an add-on. And I believe that's also in alpha. And so no, you don't have to do that on your own. And you can use GKE Serverless.

ADAM GLICK: Aparna, this all sounds really interesting. What's the feedback you're hearing from customers? Have you been testing this with folks yet? I know the announcement just came out this morning.

APARNA SINHA: I've seen a lot of interest, a lot of interest, and particularly from existing GKE customers and also folks that have been interested in using Kubernetes that we've interacted with through that. So I think certainly folks that have been using GKE have been waiting for Istio. It's just a very natural extension.

So in my talk actually, my Spotlight Session, we had eBay up on stage. And Jeff from eBay mentioned that as they started using GKE, it just became really easy, almost too easy, for the developers to create services. And so then they had a proliferation of services. And they really needed, as an operations team, to be able to have a standard way of monitoring services. And these were polyglot services.

People were writing in, obviously, whatever language was best for their application, which they should. And so they deployed Istio on GKE. And they were one of the early adopters. Now, of course, we're offering Istio on GKE as alpha. But they found that that was extremely valuable. And so I encourage everyone to listen to their talk and my session. But they found that they were able to enforce a common standard for monitoring.

And Istio goes beyond that. It also helps you enable security by default and implement mTLS across all of your services in a very nice, solid fashion, versus having everybody implement mTLS individually. And then, of course, traffic monitoring and traffic control, quota control, and the list goes on. There's a nice talk by Dan Ciruli actually, who goes into all of the pieces of Istio.

But many customers are interested in those capabilities. Service discovery has been something people have been asking for for a long time, L7 load balancing, and, of course, security. So those are top of mind. And then I think the GKE On-Prem piece, definitely, as I said, that is very much in response to customer demand and customer interest that we've seen. So I don't think that's surprising at all that there's a lot of interest in that.

CRAIG BOX: I realize it's been all of 30 minutes since the announcement was actually made. There's going to be a lot of videos. The keynote videos obviously stream live. But the session videos will be made available throughout the week. For people who want to learn more about the Cloud Services Platform, where would you suggest that they start?

APARNA SINHA: Well, the Cloud Services Platform website is a great place to start. So we have a description of Cloud Services Platform. Also GKE On-Prem has a website. And that has a lot of detail there. And then there's many links attached there. And given that we're pretty early right now at Next, if you're at Next, please come by. We have 50 plus talks on many different aspects of Cloud Services Platform.

And so I highly recommend any talk on the policy management piece. There's a deep dive on GKE On-Prem by Weston Hutchins and Matt DeLio from my team. Also, there's a Spotlight Session tomorrow from [INAUDIBLE] and Oren Teich that talks about Serverless but also goes into Istio in quite a bit of detail, and then a series of talks, I think there are four or five talks, with demos on Istio and Istio on GKE. And the same thing for GKE Policy Management, I think there's three.

And then if you're not able to delve into any of that, there's going to be a series of blog posts. And I love blog posts, because they really get into the details, and then they give you all of the links. So that's another place to find out more about Cloud Services Platform and its pieces. And then many of these pieces are alpha today. So you can sign up. There's usually a sign up form to start to use them.

CRAIG BOX: Well, podcasts are great at giving you links too. So if you want to find links to those blog posts and the videos as they become available, check out our show notes at kubernetespodcast.com.

APARNA SINHA: That's great.

CRAIG BOX: So, Aparna, thank you very much for your time today.

APARNA SINHA: Absolutely.

ADAM GLICK: Great having you here.

APARNA SINHA: It was a pleasure to be here.

ADAM GLICK: It's time for us to get back out on the show floor. If you want to learn more about GKE On-Prem or Cloud Services Platform, you can find all the links in the show notes.

CRAIG BOX: Thanks for listening. As always, if you've enjoyed the show, please help spread the word, tell a friend. Come see us, get a sticker. If you have any feedback, you can find us on Twitter at kubernetespod or send us an email at kubernetespodcast@google.com.

ADAM GLICK: You can also check out our website at kubernetespodcast.com. Until next time, take care.

CRAIG BOX: See you later.