Cloud architecture refers to how technologies and components are built in a cloud environment. A cloud environment comprises a network of servers that are located in various places globally, and each serves a specific purpose. With the growth of cloud computing and cloud-native development, modern development practices are constantly changing to adapt to this rapid evolution. This Zone offers the latest information on cloud architecture, covering topics such as builds and deployments to cloud-native environments, Kubernetes practices, cloud databases, hybrid and multi-cloud environments, cloud computing, and more!
Designing Databases for Distributed Systems
Ansible by Example
In this blog post, you will learn how to build a Serverless solution for entity detection using Amazon Comprehend, AWS Lambda, and the Go programming language. Text files uploaded to Amazon Simple Storage Service (S3) will trigger a Lambda function which will further analyze it, extract entity metadata (name, type, etc.) using the AWS Go SDK, and persist it to an Amazon DynamoDB table. You will use Go bindings for AWS CDK to implement "Infrastructure-as-code" for the entire solution and deploy it with the AWS Cloud Development Kit (CDK) CLI. The code is available on GitHub. Introduction Amazon Comprehend leverages NLP to extract insights from documents, including entities, key phrases, language, sentiments, and other elements. It utilizes a pre-trained model that is continuously updated with a large body of text, eliminating the need for training data. Additionally, users can build their own custom models for classification and entity recognition with the help of Flywheels. The platform also offers built-in topic modeling to organize documents based on similar keywords. For document processing, there is the synchronous mode for a single document or a batch of up to 25 documents, while asynchronous jobs are recommended for processing large numbers of documents. Let's learn Amazon Comprehend with a hands-on tutorial. We will be making use of the entity detection feature wherein, Comprehend analyzes the text and identifies all the entities present, as well as their corresponding entity type (e.g. person, organization, location). Comprehend can also identify relationships between entities, such as identifying that a particular person works for a specific company. Automatically identifying entities within large amounts of text data can help businesses save time and resources that would otherwise be spent manually analyzing and categorizing text data. Prerequisites Before you proceed, make sure you have the following installed: Go programming language (v1.18 or higher) AWS CDK AWS CLI Clone the project and change to the right directory: git clone https://github.com/abhirockzz/ai-ml-golang-comprehend-entity-detection cd ai-ml-golang-comprehend-entity-detection Use AWS CDK To Deploy the Solution The AWS Cloud Development Kit (AWS CDK) is a framework that lets you define your cloud infrastructure as code in one of its supported programming and provision it through AWS CloudFormation. To start the deployment, simply invoke cdk deploy and wait for a bit. You will see a list of resources that will be created and will need to provide your confirmation to proceed. cd cdk cdk deploy # output Bundling asset ComprehendEntityDetectionGolangStack/comprehend-entity-detection-function/Code/Stage... ✨ Synthesis time: 4.32 //.... omitted Do you wish to deploy these changes (y/n)? y Enter y to start creating the AWS resources required for the application. If you want to see the AWS CloudFormation template which will be used behind the scenes, run cdk synth and check the cdk.out folder. You can keep track of the stack creation progress in the terminal or navigate to the AWS console: CloudFormation > Stacks > ComprehendEntityDetectionGolangStack. Once the stack creation is complete, you should have: An S3 bucket - Source bucket to upload text file A Lambda function to execute entity detection on the file contents using Amazon Comprehend A DyanmoDB table to store the entity detection result for each file A few other components (like IAM roles, etc.) You will also see the following output in the terminal (resource names will differ in your case). In this case, these are the names of the S3 bucket and the DynamoDB table created by CDK: ✅ ComprehendEntityDetectionGolangStack ✨ Deployment time: 139.02s Outputs: ComprehendEntityDetectionGolangStack.entityoutputtablename = comprehendentitydetection-textinputbucket293fcab7-8suwpesuz1oc_entity_output ComprehendEntityDetectionGolangStack.textfileinputbucketname = comprehendentitydetection-textinputbucket293fcab7-8suwpesuz1oc ..... You can now try out the end-to-end solution! Detect Entities in Text File To try the solution, you can either use a text file of your own or the sample files provided in the GitHub repository. I will be using the S3 CLI to upload the file, but you can use the AWS console as well. export SOURCE_BUCKET=<enter source S3 bucket name - check the CDK output> aws s3 cp ./file_1.txt s3://$SOURCE_BUCKET aws s3 cp ./file_2.txt s3://$SOURCE_BUCKET # verify that the file was uploaded aws s3 ls s3://$SOURCE_BUCKET This Lambda function will extract detect entities and store the result (entity name, type, and confidence score) in a DynamoDB table. Check the DynamoDB table in the AWS console: You can also use the CLI to scan the table: aws dynamodb scan --table-name <enter table name - check the CDK output> Don’t Forget To Clean Up Once you're done, to delete all the services, simply use: cdk destroy #output prompt (choose 'y' to continue) Are you sure you want to delete: ComprehendEntityDetectionGolangStack (y/n)? You were able to set up and try the complete solution. Before we wrap up, let's quickly walk through some of the important parts of the code to get a better understanding of what's going on behind the scenes. Code Walkthrough We will only focus on the important parts - some code has been omitted for brevity. CDK You can refer to the complete CDK code here. bucket := awss3.NewBucket(stack, jsii.String("text-input-bucket"), &awss3.BucketProps{ BlockPublicAccess: awss3.BlockPublicAccess_BLOCK_ALL(), RemovalPolicy: awscdk.RemovalPolicy_DESTROY, AutoDeleteObjects: jsii.Bool(true), }) We start by creating the source S3 bucket. table := awsdynamodb.NewTable(stack, jsii.String("entites-output-table"), &awsdynamodb.TableProps{ PartitionKey: &awsdynamodb.Attribute{ Name: jsii.String("entity_type"), Type: awsdynamodb.AttributeType_STRING}, TableName: jsii.String(*bucket.BucketName() + "_entity_output"), SortKey: &awsdynamodb.Attribute{ Name: jsii.String("entity_name"), Type: awsdynamodb.AttributeType_STRING}, }) Then, we create a DynamoDB table to store entity detection results for each file. function := awscdklambdagoalpha.NewGoFunction(stack, jsii.String("comprehend-entity-detection-function"), &awscdklambdagoalpha.GoFunctionProps{ Runtime: awslambda.Runtime_GO_1_X(), Environment: &map[string]*string{"TABLE_NAME": table.TableName()}, Entry: jsii.String(functionDir), }) table.GrantWriteData(function) bucket.GrantRead(function, "*") function.Role().AddManagedPolicy(awsiam.ManagedPolicy_FromAwsManagedPolicyName(jsii.String("ComprehendReadOnly"))) Next, we create the Lambda function, passing the DynamoDB table name as an environment variable to the function. We also grant the function access to the DynamoDB table and the S3 bucket. We also grant the function access to the ComprehendReadOnly managed policy. function.AddEventSource(awslambdaeventsources.NewS3EventSource(sourceBucket, &awslambdaeventsources.S3EventSourceProps{ Events: &[]awss3.EventType{awss3.EventType_OBJECT_CREATED}, })) We add an event source to the Lambda function to trigger it when an invoice image is uploaded to the source bucket. awscdk.NewCfnOutput(stack, jsii.String("text-file-input-bucket-name"), &awscdk.CfnOutputProps{ ExportName: jsii.String("text-file-input-bucket-name"), Value: bucket.BucketName()}) awscdk.NewCfnOutput(stack, jsii.String("entity-output-table-name"), &awscdk.CfnOutputProps{ ExportName: jsii.String("entity-output-table-name"), Value: table.TableName()}) Finally, we export the S3 bucket and DynamoDB table names as CloudFormation output. Lambda Function You can refer to the complete Lambda Function code here. func handler(ctx context.Context, s3Event events.S3Event) { for _, record := range s3Event.Records { sourceBucketName := record.S3.Bucket.Name fileName := record.S3.Object.Key err := detectEntities(sourceBucketName, fileName) } } The Lambda function is triggered when a text file is uploaded to the source bucket. For each text file, the function extracts the text and invokes the detectEntities function. Let's go through it. func detectEntities(sourceBucketName, fileName string) error { result, err := s3Client.GetObject(context.Background(), &s3.GetObjectInput{ Bucket: aws.String(sourceBucketName), Key: aws.String(fileName), }) buffer := new(bytes.Buffer) buffer.ReadFrom(result.Body) text := buffer.String() resp, err := comprehendClient.DetectEntities(context.Background(), &comprehend.DetectEntitiesInput{ Text: aws.String(text), LanguageCode: types.LanguageCodeEn, }) for _, entity := range resp.Entities { item := make(map[string]ddbTypes.AttributeValue) item["entity_type"] = &ddbTypes.AttributeValueMemberS{Value: fmt.Sprintf("%s#%v", fileName, entity.Type)} item["entity_name"] = &ddbTypes.AttributeValueMemberS{Value: *entity.Text} item["confidence_score"] = &ddbTypes.AttributeValueMemberS{Value: fmt.Sprintf("%v", *entity.Score)} _, err := dynamodbClient.PutItem(context.Background(), &dynamodb.PutItemInput{ TableName: aws.String(table), Item: item, }) } return nil } The detectEntities function first reads the text file from the source bucket. It then invokes the DetectEntities API of the Amazon Comprehend service. The response contains the detected entities. The function then stores the entity type, name, and confidence score in the DynamoDB table. Conclusion and Next Steps In this post, you saw how to create a serverless solution using Amazon Comprehend. The entire infrastructure life-cycle was automated using AWS CDK. All this was done using the Go programming language, which is well-supported in AWS Lambda and AWS CDK. Here are a few things you can try out to extend this solution: Try experimenting with other Comprehend features such as Detecting PII entities. The entity detection used a pre-trained model. You can also train a custom model using the Comprehend Custom Entity Recognition feature that allows you to use images, scanned files, etc. as inputs (rather than just text files). Happy building!
This blog post explores the state of data streaming in 2023 for digital natives born in the cloud. The evolution of digital services and new business models requires real-time end-to-end visibility, fancy mobile apps, and integration with pioneering technologies like fully managed cloud services for fast time-to-market, 5G for low latency, or augmented reality for innovation. Data streaming allows integrating and correlating data in real-time at any scale to improve the most innovative applications leveraging Apache Kafka. I look at trends for digital natives to explore how data streaming helps as a business enabler, including customer stories from New Relic, Wix, Expedia, Apna, Grab, and more. A complete slide deck and on-demand video recording are included. General Trends for Digital Natives Digital natives are data-driven tech companies born in the cloud. The SaaS solutions are built on cloud-native infrastructure that provides elastic and flexible operations and scale. AI and Machine Learning improve business processes while the data flows through the backend systems. The Data-Driven Enterprise in 2023 McKinsey and Company published an excellent article on seven characteristics that will define the data-driven enterprise: Data embedded in every decision, interaction, and process Data is processed and delivered in real-time Flexible data stores enable integrated, ready-to-use data Data operating model treats data like a product The chief data officer’s role is expanded to generate value Data-ecosystem memberships are the norm Data management is prioritized and automated for privacy, security, and resiliency This quote from McKinsey and Company precisely maps to the value of data streaming for using data at the right time in the right context. The below success stories are all data-driven, leveraging these characteristics. Digital Natives Born in the Cloud A digital native enterprise can have many meanings. IDC has a great definition: "IDC defines Digital native businesses (DNBs) as companies built based on modern, cloud-native technologies, leveraging data and AI across all aspects of their operations, from logistics to business models to customer engagement. All core value or revenue-generating processes are dependent on digital technology.” Companies are born in the cloud, leverage fully managed services, and are consequently innovative with fast time to market. AI and Machine Learning (Beyond the Buzz) “ChatGPT, while cool, is just the beginning; enterprise uses for generative AI are far more sophisticated,” says Gartner. I can't agree more. But even more interesting, Machine Learning (the part of AI that is enterprise-ready) is already used in many companies. While everybody talks about Generative AI (GenAI) these days, I prefer talking about real-world success stories that have leveraged analytic models for many years already to detect fraud, upsell to customers, or predict machine failures. GenAI is "just" another more advanced model that you can embed into your IT infrastructure and business processes the same way. Data Streaming at Digital Native Tech Companies Adopting trends across industries is only possible if enterprises can provide and correlate information correctly in the proper context. Real-time, which means using the information in milliseconds, seconds, or minutes, is almost always better than processing data later (whatever later means): Digital natives combine all the power of data streaming: Real-time messaging at any scale with storage for true decoupling, data integration, and data correlation capabilities. Data streaming with the Apache Kafka ecosystem and cloud services are used throughout the supply chain of any industry. Here are just a few examples: Elastic Scale With Cloud-Native Infrastructure One of the most significant benefits of cloud-native SaaS offerings is elastic scalability out of the box. Tech companies can start new projects with a small footprint and pay-as-you-go. If the project is successful or if industry peaks come (like Black Friday or the Christmas season in retail), the cloud-native infrastructure scales up and back down after the peak: There is no need to change the architecture from a proof of concept to an extreme scale. Confluent's fully managed SaaS for Apache Kafka is an excellent example. Learn how to scale Apache Kafka to 10+ GB per second in Confluent Cloud without the need to re-architect your applications. Data Streaming + AI/Machine Learning = Real-Time Intelligence The combination of data streaming with Kafka and machine learning with TensorFlow or other ML frameworks is nothing new. I explored how to "Build and Deploy Scalable Machine Learning in Production with Apache Kafka" in 2017, i.e., six years ago. Since then, I have written many further articles and supported various enterprises deploying data streaming and machine learning. Here is an example of such an architecture: Data Mesh for Decoupling, Flexibility and Focus on Data Products Digital natives don't (have to) rely on monolithic, proprietary, and inflexible legacy infrastructure. Instead, tech companies start from scratch with modern architecture. Domain-driven design and microservices are combined in a data mesh, where business units focus on solving business problems with data products: Architecture Trends for Data Streaming Used by Digital Natives Digital natives leverage trends for enterprise architectures to improve cost, flexibility, security, and latency. Four essential topics I see these days at tech companies are: Decentralization with a data mesh Kappa architecture replacing Lambda Global data streaming AI/Machine Learning with data streaming Let's look deeper into some enterprise architectures that leverage data streaming. Decentralization With a Data Mesh There is no single technology or product for a data mesh! However, the heart of a decentralized data mesh infrastructure must be real-time, reliable, and scalable. Data streaming with Apache Kafka is the perfect foundation for a data mesh: Dumb pipes and smart endpoints truly decouple independent applications. This domain-driven design allows teams to focus on data products: Contrary to a data lake or data warehouse, the data streaming platform is real-time, scalable, and reliable — a unique advantage for building a decentralized data mesh. Kappa Architecture Replacing Lambda The Kappa architecture is an event-based software architecture that can handle all data at all scales in real time for transactional AND analytical workloads. The central premise behind the Kappa architecture is that you can perform real-time and batch processing with a single technology stack. The heart of the infrastructure is streaming architecture. Unlike the Lambda Architecture, in this approach, you only re-process when your processing code changes and need to recompute your results. Global Data Streaming Multi-cluster and cross-data center deployments of Apache Kafka have become the norm rather than an exception. Several scenarios require multi-cluster Kafka deployments with specific requirements and trade-offs, including disaster recovery, aggregation for analytics, cloud migration, mission-critical stretched deployments, and global Kafka. Natural Language Processing (NLP) With Data Streaming for Real-Time Generative AI (GenAI) Natural Language Processing (NLP) helps many projects in the real world for service desk automation, customer conversation with a chatbot, content moderation in social networks, and many other use cases. Generative AI (GenAI) is "just" the latest generation of these analytic models. Many enterprises have combined NLP with data streaming for many years for real-time business processes. Apache Kafka became the predominant orchestration layer in these machine learning platforms for integrating various data sources, processing at scale, and real-time model inference. Here is an architecture that shows how teams easily add Generative AI and other machine learning models (like large language models, LLM) to their existing data streaming architecture: Time to market is critical. AI does not require a completely new enterprise architecture. True decoupling allows the addition of new applications/technologies and embedding them into the existing business processes. An excellent example is Expedia: The online travel company added a chatbot to the existing call center scenario to reduce costs, increase response times, and make customers happier. New Customer Stories of Digital Natives Using Data Streaming So much innovation is happening with data streaming. Digital natives lead the race. Automation and digitalization change how tech companies create entirely new business models. Most digital natives use a cloud-first approach to improve time-to-market, increase flexibility, and focus on business logic instead of operating IT infrastructure. Elastic scalability gets even more critical when you start small but think big and global from the beginning. Here are a few customer stories from worldwide telecom companies: New Relic: Observability platform ingesting up to 7 billion data points per minute for real-time and historical analysis. Wix: Web development services with online drag-and-drop tools built with a global data mesh. Apna: India's largest hiring platform powered by AI to match client needs with applications. Expedia: Online travel platform leveraging data streaming for a conversational chatbot service incorporating complex technologies such as fulfillment, natural-language understanding, and real-time analytics. Alex Bank: A 100% digital and cloud-native bank using real-time data to enable a new digital banking experience. Grab: Asian mobility service that built a cybersecurity platform for monitoring 130M+ devices and generating 20M+ Al-driven risk verdicts daily. Resources To Learn More This blog post is just the starting point. Learn more about data streaming and digital natives in the following on-demand webinar recording, the related slide deck, and further resources, including pretty cool lightboard videos about use cases. On-Demand Video Recording The video recording explores the telecom industry's trends and architectures for data streaming. The primary focus is the data streaming case studies. Check out our on-demand recording: Slides If you prefer learning from slides, check out the deck used for the above recording: Slides: The State of Apache Kafka for Digital Natives in 2023 Data Streaming Case Studies and Lightboard Videos of Digital Natives The state of data streaming for digital natives in 2023 is fascinating. New use cases and case studies come up every month. This includes better data governance across the entire organization, real-time data collection and processing data from network infrastructure and mobile apps, data sharing and B2B partnerships with new business models, and many more scenarios. We recorded lightboard videos showing the value of data streaming simply and effectively. These five-minute videos explore the business value of data streaming, related architectures, and customer stories. Stay tuned; I will update the links in the next few weeks and publish a separate blog post for each story and lightboard video. And this is just the beginning. Every month, we will talk about the status of data streaming in a different industry. Manufacturing was the first. Financial services second, then retail, telcos, digital natives, gaming, and so on.
TIBCO recently held its annual TIBCO NEXT conference, outlining its product roadmap and strategy for modernizing its pioneering integration and analytics platform. As a trusted integration anchor for over 25 years, TIBCO aims to simplify connecting systems and data across today's complex hybrid technology landscapes. Several key themes indicate how TIBCO is adapting to emerging needs: Empowering developers: TIBCO is overhauling the developer experience with new tools, portals, and cloud-native capabilities that remove friction. Multi-cloud support: With a cloud-neutral approach, TIBCO provides flexibility to connect apps and data across diverse environments. Management convergence: Platforms like the TIBCO Control Plane aim to streamline managing on-premise, cloud, and hybrid resources. Focus on core strengths: Rather than pursue ancillary products, TIBCO is doubling down on integration, messaging, and analytics — their core heritage. Let’s explore highlights from TIBCO Next and what they mean for technology professionals. Boosting Developer Productivity A consistent pain point TIBCO acknowledges is fragmentation across their traditional tooling that hampers developer productivity. TIBCO’s answer is a new self-service developer portal consolidating access to documentation, APIs, templates, and reusable components in one place to aid discovery. TIBCO is also investing in integration tooling for Visual Studio Code, which has become the dominant developer IDE. Developers will build, test, and debug integrations natively within VS Code, avoiding proprietary IDEs. For infrastructure teams, TIBCO introduced the concept of a “control plane” to give administrators unified visibility into infrastructure, apps, APIs, and messaging across deployment environments from legacy to cloud. On-premise components will only require lightweight agents to onboard them into the management plane. Multi-Cloud Support With a Cloud-Agnostic Approach Rather than push a proprietary cloud platform, TIBCO is firmly committed to a cloud-agnostic strategy at TIBCO NEXT. This allows customers to bring their own Kubernetes runtimes on whichever cloud they prefer. While TIBCO will offer some pre-built public cloud integration capabilities, the focus is enabling choice rather than dictating a specific cloud platform. As TIBCO’s Matt Ellis described it, “It's your cloud, not my cloud.” For organizations with substantial legacy TIBCO infrastructure, this evolutionary path aims to maximize value from existing investments while providing an on-ramp to hybrid and cloud at each customer’s pace. Renewed Focus on Core Integration and Analytics Capabilities TIBCO admitted it diluting its focus in recent years by diversifying into too many ancillary product areas. Under general manager Ali Ahmed, TIBCO is narrowing its concentration around core integration and analytics capabilities that made it an industry leader — messaging, event processing, data management, etc. Rather than releasing wholly new products, TIBCO aims to strengthen existing solutions that customers rely on for mission-critical needs. For example, TIBCO added native Change Data Capture functionality directly within its BusinessWorks integration platform to enable real-time data synchronization. The Future of TIBCO: Making Hybrid Integration Seamless Summarizing TIBCO Next, the company’s strategic direction shows promise to deliver simplicity in a complex multi-cloud world. However, executing this hybrid vision could pose daunting technical hurdles. Many loyal TIBCO customers have substantial legacy on-premise investments amassed over the years. Assisting cautious transformation and migrations without disruption will test TIBCO’s capabilities. However, TIBCO asserts its secret weapon is unparalleled real-world expertise from thousands of mission-critical, large-scale deployments over the past 25+ years. This seasoned integration acumen helps guide customers through intricate modernization safely and pragmatically. Additionally, improving fragmented tooling, boosting developer experience, and embracing the cloud align TIBCO with how modern software teams operate. Its strengths in analytics and interconnectivity remain differentiated. Overall, TIBCO aims to make integrated data in motion the key enabler of digital experiences and AI initiatives. By adapting its robust backend engine to cloud-native models, TIBCO hopes to propel its platform into the future. Execution will be challenging, but TIBCO’s methodology has proven itself. If TIBCO can deliver integration joy and simplicity amidst increasing complexity, the company’s best days may still lie ahead. Evolving the TIBCO Platform To Meet Emerging Needs While TIBCO aims to simplify integration across environments, customers face new complexities emerging in the multi-cloud landscape: As applications are distributed, managing interconnected dependencies becomes exponentially harder. TIBCO will need to provide end-to-end traceability. Securing data flows spanning legacy systems, cloud services, IoT devices, and edge locations requires rethinking security models. TIBCO plans to address this through its Cloud Mashery solution. Supporting real-time intelligence at scale demands ingesting and processing myriad event streams. TIBCO Event Processing offers differentiation for harnessing events. Connecting new data sources like MongoDB requires constantly expanding connectivity. TIBCO plans to extend its technology ecosystem through partnerships. Developer expectations are shaped by modern software delivery practices. TIBCO must continuously improve experiences to attract talent. Rising cloud consumption costs necessitate FinOps monitoring and optimization. TIBCO intends to provide transparency in spending. To navigate these trends, TIBCO is actively soliciting customer feedback to evolve the platform. According to Rajeev Kozhikkattuthodi, TIBCO's VP of Product Management, “If there's one takeaway, it's that we're actively listening to customers and end users, specifically developers, operators, and business stakeholders.” By iterating based on real-world needs, TIBCO hopes to enable innovation rather than impede it. As technological change accelerates, users require platforms to enhance creativity, not restrict it. The Future of Digital Transformation Fundamentally, TIBCO aims to make data in motion the fuel propelling digital experiences and AI-driven decision-making. But fully realizing this requires tapping hidden value within legacy systems. Modernization initiatives often fail by underestimating the difficulty of rearchitecting entrenched systems. TIBCO's methodology emphasizes maximizing existing investments first before introducing new technologies. This prudent approach aims to make transformation inevitable by making it invisible. With meticulous integration architecture, TIBCO strives to bridge hybrid environments safely at customers' speed. Smoothly interoperating old and new unlocks trapped value. By instilling confidence in manageable evolution, TIBCO believes it can empower enterprises to confidently embrace the future.
Businesses find themselves at a pivotal crossroads when deciding on cloud computing options. Open-source and community-driven solutions offer one avenue, while enterprise solutions present another. With a myriad of considerations at play, it's easy to feel overwhelmed. This guide seeks to illuminate the path, providing clear distinctions to help you tailor your cloud infrastructure decision-making process. License Types and Considerations We begin by untangling the intricacies of licensing: Open Source Licenses: Examples include the GNU General Public License (GPL), MIT, or Apache License. They don't just permit usage; they often encourage community contributions. These licenses promote transparency and foster innovation, setting the stage for a global community of users and developers to collaborate. Proprietary Licenses: Here, users are essentially leasing software. They're granted permission to use, but there's no peeking behind the curtain, and redistribution is typically off the table. These licenses offer organizations a sense of exclusivity and often come with robust support. Questions To Reflect Upon Do you value the collaborative ethos and transparency of open source? Or do you seek the exclusivity and robust support accompanying proprietary licenses? How adept is your team at understanding and managing licensing intricacies? Development Considerations Let's explore the evolutionary journey of these solutions. Open Source Software Development Pros Collaborative evolution: Platforms like Kubernetes demonstrate that when minds from around the world converge, there's unparalleled innovation. This collective spirit can lead to features and solutions that are driven by real-world use cases. Rapid issue mitigation: Community-backed solutions mean many eyes are on the code. When platforms like Linux face issues, a global community rallies to patch them, often faster than conventional support channels. Flexibility: With platforms like OpenStack, you're not boxed into a specific operational paradigm. Instead, you can mold the software, ensuring it aligns perfectly with your unique operational requirements. Cons Variable quality: While there are flagship open-source projects known for impeccable quality, there's also a sea of projects with varying quality standards. Due diligence becomes paramount. Maintenance overheads: While customization offers power, it also brings responsibility. Customized solutions might necessitate dedicated teams for maintenance, adding to operational overheads. Proprietary Software Development Pros Structured progression: Solutions like AWS offer a sense of predictability. With clear development roadmaps, businesses can plan for the future with confidence, anticipating new features and improvements. Industry-aligned offerings: Platforms such as Azure don't just offer tools; they offer solutions crafted for specific industry needs, ensuring tighter alignment with business goals. Cons Reduced responsiveness: Being large entities, these platforms sometimes lack the agility of their open-source counterparts, potentially leading to slower adaptability. Feedback limitations: Without a sprawling community, there's a risk of becoming insular. Some user needs or innovative ideas might slip through the cracks. Questions To Reflect Upon Do you yearn for the organic, flexible evolution of open-source? Or is the structured, industry-aligned progression of proprietary platforms more your speed? How important is quick responsiveness and community feedback to your business's cloud infrastructure endeavors? Costs, Support, and Integration Dissecting the financial and operational nuances. Open Source and Community Solutions Cost efficiency: Beyond the apparent cost savings, open-source solutions often allow businesses to allocate resources more flexibly. As costs aren't tied to rigid licensing structures, there's room to invest in areas like training or customization. Driven by community: Solutions like Kubernetes are more than just tools; they're ecosystems. Their evolution is steered by user needs, industry trends, and a collective drive to push boundaries. Potential integration hurdles: While open-source offers flexibility, it sometimes lacks the seamless integration seen in proprietary ecosystems. Bridging the gap might require added expertise and resources. Paid or Enterprise Solutions Consistent reliability: Companies like AWS and Azure are behemoths for a reason. They offer SLA-backed performance, meaning businesses can expect a certain level of uptime and reliability, integral for mission-critical applications. Seamless ecosystems: Platforms like Google Cloud Platform go beyond standalone services. They offer a tapestry of interconnected tools, ensuring that different aspects of a business's operations harmoniously coexist. Navigating abundance: While a vast array of features is a boon, it also presents a challenge. Businesses must sift through the plethora, ensuring they harness tools that align with their goals without getting overwhelmed. Questions To Reflect Upon In terms of costs, are you looking for upfront savings or long-term, predictable investment structures? Do you value community-driven innovation, or is the cohesive, interconnected ecosystem of proprietary solutions more appealing? Conclusion Navigating the cloud landscape requires a blend of introspection and forward-thinking. Consider hybrid solutions — perhaps AWS for core operations paired with Kubernetes for container orchestration? Such combinations might offer a harmonious blend of both worlds. Whether drawn to the community-driven dynamism of open source or the structured dependability of enterprise solutions, your choice should echo both current needs and future aspirations.
VAR-As-A-Service is an MLOps approach for the unification and reuse of statistical models and machine learning models deployment pipelines. It is the second of a series of articles that is built on top of that project, representing experiments with various statistical and machine learning models, data pipelines implemented using existing DAG tools, and storage services, both cloud-based and alternative on-premises solutions. This article focuses on the model file storage using an approach also applicable and used for machine learning models. The implemented storage is based on MinIO as an AWS S3-compatible object storage service. Furthermore, the article gives an overview of alternative storage solutions and outlines the benefits of object-based storage. The first article of the series (Time Series Analysis: VARMAX-As-A-Service) compares statistical and machine learning models as being both mathematical models and provides an end-to-end implementation of a VARMAX-based statistical model for macroeconomic forecast using a Python library called statsmodels. The model is deployed as a REST service using Python Flask and Apache web server, packaged in a docker container. The high-level architecture of the application is depicted in the following picture: The model is serialized as a pickle file and deployed on the web server as part of the REST service package. However, in real projects, models are versioned, accompanied by metadata information, and secured, and the training experiments need to be logged and kept reproducible. Furthermore. from an architectural perspective, storing the model in the file system next to the application contradicts the single responsibility principle. A good example is a microservice-based architecture. Scaling the model service horizontally means that each and every microservice instance will have its own version of the physical pickle file replicated over all the service instances. That also means that the support of multiple versions of the models will require a new release and redeployment of the REST service and its infrastructure. The goal of this article is to decouple models from the web service infrastructure and enable the reuse of the web service logic with different versions of models. Before diving into the implementation, let's say a few words about statistical models and the VAR model used in that project. Statistical models are mathematical models, and so are machine learning models. More about the difference between the two can be found in the first article of the series. A statistical model is usually specified as a mathematical relationship between one or more random variables and other non-random variables. Vector autoregression (VAR) is a statistical model used to capture the relationship between multiple quantities as they change over time. VAR models generalize the single-variable autoregressive model (AR) by allowing for multivariate time series. In the presented project, the model is trained to do forecasting for two variables. VAR models are often used in economics and the natural sciences. In general, the model is represented by a system of equations, which in the project are hidden behind the Python library statsmodels. The architecture of the VAR model service application is depicted in the following picture: The VAR runtime component represents the actual model execution based on parameters sent by the user. It connects to a MinIO service via a REST interface, loads the model, and runs the prediction. Compared to the solution in the first article, where the VARMAX model is loaded and deserialized at application startup, the VAR model is read from the MinIO server each time a prediction is triggered. This comes at the cost of additional loading and deserialization time but also with the benefit of having the latest version of the deployed model at every single run. Furthermore, it enables dynamic versioning of models, making them automatically accessible to external systems and end-users, as will be shown later in the article. Note that due to that loading overhead, the performance of the selected storage service is of great importance. But why MinIO and object-based storage in general? MinIO is a high-performance object storage solution with native support for Kubernetes deployments that provides an Amazon Web Services S3-compatible API and supports all core S3 features. In the presented project, MinIO is in Standalone Mode, consisting of a single MinIO server and a single drive or storage volume on Linux using Docker Compose. For extended development or production environments, there is the option for a distributed mode described in the article Deploy MinIO in Distributed Mode. Let's have a quick look at some storage alternatives while a comprehensive description can be found here and here: Local/Distributed file storage: Local file storage is the solution implemented in the first article, as it is the simplest option. Computation and storage are on the same system. It is acceptable during the PoC phase or for very simple models supporting a single version of the model. Local file systems have limited storage capacity and are unsuitable for larger datasets in case we want to store additional metadata like the training data set used. Since there is no replication or autoscaling, a local file system can not operate in an available, reliable, and scalable fashion. Each service deployed for horizontal scaling is deployed with its own copy of the model. Furthermore, the local storage is as secure as the host system is. Alternatives to the local file storage are NAS (Network-attached storage), SAN (Storage-area network), distributed file systems (Hadoop Distributed File System (HDFS), Google File System (GFS), Amazon Elastic File System (EFS) and Azure Files). Compared to the local file system, those solutions are characterized by availability, scalability, and resilience but come with the cost of increased complexity. Relational databases: Due to the binary serialization of models, relational databases provide the option for a blob or binary storage of models in table columns. Software developers and many data scientists are familiar with relational databases, which makes that solution straightforward. Model versions can be stored as separate table rows with additional metadata, which is easy to read from the database, too. A disadvantage is that the database will require more storage space, and this will impact backups. Having large amounts of binary data in a database can also have an impact on performance. In addition, relational databases impose some constraints on the data structures, which might complicate the storing of heterogeneous data like CSV files, images, and JSON files as model metadata. Object storage: Object storage has been around for quite some time but was revolutionized when Amazon made it the first AWS service in 2006 with Simple Storage Service (S3). Modern object storage is native to the cloud, and other clouds soon brought their offerings to market, too. Microsoft offers Azure Blob Storage, and Google has its Google Cloud Storage service. The S3 API is the de-facto standard for developers to interact with storage in the cloud, and there are multiple companies that offer S3-compatible storage for the public cloud, private cloud, and private on-premises solutions. Regardless of where an object store is located, it is accessed via a RESTful interface. While object storage eliminates the need for directories, folders, and other complex hierarchical organization, it’s not a good solution for dynamic data that is constantly changing as you’ll need to rewrite the entire object to modify it, but it is a good choice for storing serialized models and the mode's metadata. A summary of the main benefits of object storage are: Massive scalability: Object storage size is essentially limitless, so data can scale to exabytes by simply adding new devices. Object storage solutions also perform best when running as a distributed cluster. Reduced complexity: Data is stored in a flat structure. The lack of complex trees or partitions (no folders or directories) reduces the complexity of retrieving files easier as one doesn't need to know the exact location. Searchability: Metadata is part of objects, making it easy to search through and navigate without the need for a separate application. One can tag objects with attributes and information, such as consumption, cost, and policies for automated deletion, retention, and tiering. Due to the flat address space of the underlying storage (every object in only one bucket and no buckets within buckets), object stores can find an object among potentially billions of objects quickly. Resiliency: Object storage can automatically replicate data and store it across multiple devices and geographical locations. This can help protect against outages, safeguard against data loss, and help support disaster recovery strategies. Simplicity: Using a REST API to store and retrieve models implies almost no learning curve and makes the integrations into microservice-based architectures a natural choice. It is time to look at the implementation of the VAR model as a service and the integration with MinIO. The deployment of the presented solution is simplified by using Docker and Docker Compose. The organization of the whole project looks as follows: As in the first article, the preparation of the model is comprised of a few steps that are written in a Python script called var_model.py located in a dedicated GitHub repository : Load data Divide data into train and test data set Prepare endogenous variables Find optimal model parameter p ( first p lags of each variable used as regression predictors) Instantiate the model with the optimal parameters identified Serialize the instantiated model to a pickle file Store the pickle file as a versioned object in a MinIO bucket Those steps can also be implemented as tasks in a workflow engine (e.g., Apache Airflow) triggered by the need to train a new model version with more recent data. DAGs and their applications in MLOps will be the focus of another article. The last step implemented in var_model.py is storing the serialized as a pickle file model in a bucket in S3. Due to the flat structure of the object storage, the format selected is: <bucket name>/<file_name> However, for file names, it is allowed to use a forward slash to mimic a hierarchical structure, keeping the advantage of a fast linear search. The convention for storing VAR models is as follows: models/var/0_0_1/model.pkl Where the bucket name is models, and the file name is var/0_0_1/model.pkl and in MinIO UI, it looks as follows: This is a very convenient way of structuring various types of models and model versions while still having the performance and simplicity of flat file storage. Note that the model versioning is implemented as part of the model name. MinIO provides versioning of files, too, but the approach selected here has some benefits: Support of snapshot versions and overriding Usage of semantic versioning (dots replaced by '_' due to restrictions) Greater control of the versioning strategy Decoupling of the underlying storage mechanism in terms of specific versioning features Once the model is deployed, it is time to expose it as a REST service using Flask and deploy it using docker-compose running MinIO and an Apache Web server. The Docker image, as well as the model code, can be found on a dedicated GitHub repository. And finally, the steps needed to run the application are: Deploy application: docker-compose up -d Execute model preparation algorithm: python var_model.py (requires a running MinIO service) Check if the model has been deployed: http://127.0.0.1:9101/browser Test model: http://127.0.0.1:80/apidocs After deploying the project, the Swagger API is accessible via <host>:<port>/apidocs (e.g., 127.0.0.1:80/apidocs). There is one endpoint for the VAR model depicted next to the other two exposing a VARMAX model: Internally, the service uses the deserialized model pickle file loaded from a MinIO service: Requests are sent to the initialized model as follows: The presented project is a simplified VAR model workflow that can be extended step by step with additional functionalities like: Explore standard serialization formats and replace the pickle with an alternative solution Integrate time series data visualization tools like Kibana or Apache Superset Store time series data in a time series database like Prometheus, TimescaleDB, InfluxDB, or an Object Storage such as S3 Extend the pipeline with data loading and data preprocessing steps Incorporate metric reports as part of the pipelines Implement pipelines using specific tools like Apache Airflow or AWS Step Functions or more standard tools like Gitlab or GitHub Compare statistical models' performance and accuracy with machine learning models Implement end-to-end cloud-integrated solutions, including Infrastructure-As-Code Expose other statistical and ML models as services Implement a Model Storage API that abstracts away the actual storage mechanism and model's versioning, stores model metadata, and training data These future improvements will be the focus of upcoming articles and projects. The goal of this article is to integrate an S3-compatible storage API and enable the storage of versioned models. That functionality will be extracted in a separate library soon. The presented end-to-end infrastructural solution can be deployed on production and improved as part of a CI/CD process over time, also using the distributed deployment options of MinIO or replacing it with AWS S3.
Background of Multitenancy DevOps and solution architects often implement RBAC and multitenancy in their Kubernetes infrastructure to achieve isolation of workspace and allow authorized persons to access resources with least privilege resources. The implementation of RBAC and multitenancy can be very simple or complicated, and this depends of the following parameters: Application: Microservice-based architecture Deployment speed and frequency: High or low Architecture: Multi-cloud cloud/Hybrid cloud/On-prem Environment: Dev/stage/prod Teams/Groups: Developers, DevOps, SREs, Marketing/Pre-sales Users: Application developer, full stack developer, web-API engineer Budget in hand Goal: Simple administration vs. granular security Geography team: Multi-geo In this article, we will discuss how to implement RBAC and multitenancy (simple or complicated) in Kubernetes using the open-source Istio service mesh. Enabling RBAC for K8s Service Accounts and Users Using K8s Resources We have discussed at length about how to enable Kubernetes RBAC using various resources, such as Role, ClusterRole, RoleBinding, and ClusterRoleBinding. The idea of using all the Kubernetes RBAC resources is to create various actions that can be taken on namespaces or resources and then allocate (or bind) the actions to users and service accounts. To restrict IPs, i.e., ingress and egress traffic, network policy resources (see the YAML below) in Kubernetes can be used. YAML apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: banking-network-policy namespace: dev-namespace spec: podSelector: matchLabels: role: db policyTypes: - Ingress - Egress ingress: - from: - ipBlock: cidr: 172.17.0.0/16 except: - 172.17.1.0/24 egress: - to: - ipBlock: cidr: 10.0.0.0/24 ports: - protocol: TCP port: 5978 However, there can be certain limitations of using K8s RBAC. Limitations of Using Kubernetes RBAC for Workloads and Services You see, the Kubernetes RBAC is good for implementing users’ access to certain resources by applying checks on API servers. It is very good when you want to allow developers to perform experiments on a cluster or a namespace or testers to deploy services and test in testing workspaces. But what about authorization of workloads or services? How to implement granular controls to workload authorization in production environments. Some of the limitations are: K8s RBAC is challenging to implement for granular usage. Imagine you want to restrict accounts to use few resources in an endpoint (a service in a namespace) or want to control REST operations on the pods, K8s RBAC will not be sufficient in this case. Difficult to create RBAC policies in Roles and RoleBinding. For example, in a large organization, there can be multiple clusters and namespaces. There can be 100+ services running in all these namespaces and is handled by various application teams. And many of these services need to talk to each other. DevOps may end up creating too many Roles, RoleBinding, ClusterRoles, and ClusterRoleBinding objects. Similarly, in large set up updating and deleting an RBAC policy in the Kubernetes resource can also be daunting. For ingress and egress traffic (or east-west and north-south traffic), one has to create additional Network policies along with Kubernetes RBAC. To make the RBAC implementation simple, Istio can be used. Note: It is not Kubernetes RBAC vs. Istio, but Kubernetes RBAC and Istio for better manageability and implementation of RBAC and multitenancy for users and production workloads. Achieving RBAC Multitenancy With Istio In case you are using Istio for simplifying your network, security, or observability, you can use Istio service mesh for implementing RBAC and multitenancy in your Kubernetes workloads and for your teams. Note: The approach of Kubernetes RBAC is user-first, i.e., defining what user can do what operations. But Istio uses the resource-first approach, i.e., it dictates who can do what on a particular service (and its resources). The advantage of Istio’s approach is manageability of the RBAC and multitenancy rules (we will see later in this article) with its Authorization policy. There can be multiple easy-to-complicated scenarios where Istio can be used to implement RBAC: Single cluster-multiple namespace Multicluster-multiple namespaces Multicloud- multiple cluster (multiple namespace) We will look into each scenario and understand how Istio can be used for RBAC and multitenancy. Scenario 1: RBAC for Single Cluster-Multiple Namespace Using Istio Let us take an example where there are multiple namespaces for various non-prod environments which have to be shared among developers and DevOps. In the image below, we have dev-namespace and staging-namespace where a banking application with multiple services are deployed. And each namespace will be allowed the editing rights to certain team members. The banking application contains 3 services — profile, transactions and account-summary — that talk to each other and share data. One can achieve isolation of workspace and allow least privilege access to team members using Kubernetes RBAC, i.e., through defining Role and RoleBinding, and workloads authorization can be implemented using Istio Authorization policy (sample below): YAML apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: restrict-access-policy namespace: stage-ns spec: selector: matchLabels: app: account-summary action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/stage-ns/sa/profile","cluster.local/ns/stage-ns/sa/transaction" ] - source: namespaces: ["dev-namespace"] to: - operation: methods: ["GET","PUT","POST"] The best part is that, as the network and security is abstracted from the application using Istio service mesh, it is easy to implement and modify authorization policies or rules. The above Authorization policy in Istio is implemented to sidecar proxies which will validate any REST API request to any workloads. In case you have an end-point for a microservices and there are many resources to be used, for example, if account-summary microservice has 2 resources, i.e., current-year and previous-year for getting the account summary for current year or previous year — in that case, you can use path (or URI) in the Istio Authorization policy. Check the sample Istio Authorization policy below. YAML apiVersion: security.istio.io/v1beta1 kind: AuthorizationPolicy metadata: name: account-summary namespace: staging-ns spec: action: ALLOW rules: - from: - source: principals: ["cluster.local/ns/stage-ns/sa/profile"] - source: namespaces: ["staging-ns"] to: - operation: methods: ["GET"] paths: ["/previous-year", "/current-year"] Note, this is just a few use cases. You can apply any RBAC use cases to services using Istio. The Istio Authorization policy provides various actions such as ALLOW, DENY, CUSTOM that can be applied to any workloads for the REST calls. Read more about Istio Authorization policy. You can also watch the video below on how to set up RBAC and multitenancy using Istio service mesh. Scenario 2: RBAC for Multiple Clusters With Multiple Namespaces Using Istio Let’s say there is another scenario where the production clusters are different from the development or staging clusters. In those cases too, Istio can be used for practicing RBAC. However, it depends on the implementation. For example, if you have resource constraints, you can configure one Istio control plane in one cluster and then manage all the workloads in all the cluster using the Istio control plane. You can use an east-west gateway to implement multiple cloud Istio. For user management, you can use Kubernetes RBAC, and for workload authorization, you can use Istio Authorization policy. Scenario 3: RBAC for Multicloud and Multi Cluster Application Using Istio Similarly, there can be an application whose services are stored in multiple clusters for high availability. In the image below, a passive version of the transaction service is deployed into multiple clouds (another Kubernetes cluster) to ensure HA. Again, RBAC can be implemented using Istio authorization policy. But it depends on the budget and level of logical partitioning and control one wants to achieve. Either one or multiple Istio can be implemented to control all the Kubernetes cluster across multiple clouds and RBAC and multi tenancy can be implemented accordingly. Note: For large teams with different projects or products, separate Istio can be implemented. Let there be separate owners for each Istio infra. In this way, there will be siloes of authorization policies based on the product requirements.
In the beginning, there was the Kubernetes Dashboard. This dashboard is the default option for anyone who wants to monitor a Kubernetes cluster, but over the years a number of alternatives have been developed that are worth looking into. In this post, I take a look at some of these alternative Kubernetes dashboards. The Sample Kubernetes Cluster For this post, I ran minikube locally, populated with the Bookinfo application provided by Istio. K8dash K8Dash homepage K8Dash is the easiest way to manage your Kubernetes cluster. K8Dash has a clean, modern interface that should be familiar to anyone who has used the official Kubernetes Dashboard. A K8Dash’s selling point is that the interface is automatically updated, so you don't need to manually refresh the page to see the current state of the cluster. Installation was painless with the following commands: Shell kubectl apply -f https://raw.githubusercontent.com/herbrandson/k8dash/master/kubernetes-k8dash.yaml kubectl port-forward service/k8dash 9999:80 -n kube-system Constellate Visualize Kubernetes Application Constellate is not so much a Kubernetes dashboard as a tool for creating, linking, and visualizing Kubernetes resources. The main canvas lets you add new Kubernetes resources like Deployments, Services, and Ingresses. A dynamic user interface lets you build up the YAML description of these resources, exposing the available child properties with an associated description. Two related entities can then be connected, with Konstellate displaying the associated properties that link them together. One challenge I found editing YAML by hand is that I'm forever Googling the exact property names and their relationships. The context-aware Konstellate editor is a great way to explore the various properties available for a given entity. It would be great if you could visualize the resources in an existing cluster, but this has yet to be implemented. Constellate is built from a source and doesn't provide any pre-built Docker images or binaries that I could see. All you need is Clojure and a single command to build and run the app, but it can take a few minutes for all the dependencies to download. The GitHub page links to a demo, but it was down when I tried it. Overall, though, this is a useful app, and definitely a project to keep an eye on. Kubernator Kubernator homepage In contrast to high-level Kubernetes Dashboard, Kubernator provides low-level control and clean view on all objects in a cluster with the ability to create new ones, edit, and resolve conflicts. Kubernator is a capable YAML editor linked directly to a Kubernetes cluster. The navigation tree displays a filesystem-like view of the cluster, while the editor provides features like tabs, keyboard shortcuts, and different views. In addition to editing raw YAML, Kubernator visualizes the Role Based Access Control (RBAC) resources showing the relationships between users, groups, service accounts, roles, and cluster roles. Installation is quick, with Docker images ready to be deployed into an existing Kubernetes cluster: Shell kubectl create ns kubernator kubectl -n kubernator run --image=smpio/kubernator --port=80 kubernator kubectl -n kubernator expose deploy kubernator kubectl proxy Next, just open the service proxy URL in your browser. Kubernetes Operational View Kubernetes Operational View homepage Read-only system dashboard for multiple K8s clusters Have you ever wanted to manage your Kubernetes cluster like an ubergeek from the movies? Then KOV is for you. Built on WebGL, KOV visualizes your Kubernetes dashboard as a series of nested boxes showing the cluster, nodes, and pods. Additional graphs are nested directly into these elements, and tool tips provide additional details. The visualization can be zoomed and panned to drill down into individual pods. KOV is a read-only dashboard, so you can’t manage a cluster with it or set alerts. However, I used KOV to demonstrate how a Kubernetes cluster works as pods and nodes are added and removed, with people saying that this particular visualization was the first time they understood what Kubernetes was. KOV provides a collection of YAML files that can be deployed as a group to an existing cluster, making installation easy: Shell kubectl apply -f deploy kubectl port-forward service/kube-ops-view 8080:80 Octant Octant homepage A web-based, highly extensible platform for developers to better understand the complexity of Kubernetes clusters. Octant is a locally installed application that exposes a web-based dashboard. Octant has an intuitive interface for navigating, inspecting, and editing Kubernetes resources, with the ability to visualize related resources. It also has a light and dark mode. I particularly liked the ability to configure port forwarding directly from the interface. Installation was easy with packages available from Brew and Chocolatey and compiled RPM and DEB packages for Linux. Weave Scope Weave Scope homepage Monitoring, visualization & management for Docker & Kubernetes Weave Scope provides a visualization of the Kubernetes nodes, pods, and containers showing details about memory and CPU usage. Of more interest is Weave Scope’s ability to capture how the pods are communicating with each other. This insight is not provided by other dashboards I tested here. Weave Scope is very process-oriented though, ignoring static resources like config maps, secrets, etc. Installation is simple, with a YAML file that can be deployed directly into the Kubernetes cluster. Shell kubectl apply -f "https://cloud.weave.works/k8s/scope.yaml?k8s-version=$(kubectl version | base64 | tr -d '\n')" kubectl port-forward -n weave "$(kubectl get -n weave pod --selector=weave-scope-component=app -o jsonpath='{.items..metadata.name}')" 4040 Conclusion If the official Kubernetes dashboard isn’t meeting your needs, there's a huge range of high-quality, free, and open-source alternatives to choose from. Overall, I was impressed at how easy these dashboards were to install, and it’s clear that a great deal of work has gone into their design, with most offering at least one compelling reason to switch. Happy deployments!
Kubernetes enables orchestration for deploying, scaling, and managing containerized applications. However, it can be challenging to manage Kubernetes clusters effectively without proper deployment practices. Kubernetes operates on a distributed architecture involving multiple interconnected components such as the control plane, worker nodes, networking, storage, and more. Configuring and managing this infrastructure can be complex, especially for organizations with limited experience managing large-scale systems. Similarly, there are many other challenges to Kubernetes deployment, which you can solve by using best practices like horizontal pod autoscaler (HPA), implementing security policies, and more. In this blog post, we will explore proven Kubernetes deployment practices that will help you optimize the performance and security of your Kubernetes deployments. But first, let’s understand the underlying architecture for Kubernetes deployment. Understanding the Kubernetes Architecture The Kubernetes architecture involves several key components. The control plane includes the API server, scheduler, and controller-manager, which handle cluster management. Nodes host pods and are managed by Kubelet, while etcd is the distributed key-value store for cluster data. The API server acts as the single source of truth for cluster state and management. Lastly, kube-proxy enables communication between pods and services, ensuring seamless connectivity within the Kubernetes environment. Advantages of Using Kubernetes for Deployment Kubernetes allows for efficient resource utilization through intelligent scheduling and horizontal scaling, providing scalability and automatic workload distribution. It also simplifies the management of complex microservices architectures by supporting self-healing capabilities that monitor and replace unhealthy pods. Organizations can use Kubernetes' support for rolling updates and version control, making application deployment seamless. By using Kubernetes for deployment, organizations can streamline their application management process. Key Factors To Consider Before Deploying Kubernetes When deploying Kubernetes, it's essential to consider several key factors. You need to evaluate the resource requirements of your workloads to determine the appropriate cluster size. This will ensure that you have enough resources to handle the workload efficiently. It is also crucial to define resource limits and requests to ensure fair allocation of resources among different workloads. Consider network connectivity and firewall requirements for inter-pod communication. Planning for storage requirements and exploring the different storage options that Kubernetes supports is also essential. Understanding the impact of the Kubernetes deployment on existing infrastructure and processes is essential for a smooth transition. Now that we have discussed the benefits of effective Kubernetes deployment and critical factors to consider, let’s discuss some of the best practices. 1. Best Practices for Using Kubernetes Namespaces When using Kubernetes namespaces, it is important to separate different environments or teams within a cluster logically. By doing so, you can effectively manage resource consumption by defining resource quotas for each namespace. Implement role-based access control (RBAC) to enforce access permissions within namespaces. Additionally, apply network policies to restrict communication between pods in different namespaces. Regularly reviewing and cleaning up unused namespaces optimizes cluster resources. By following these best practices, you can ensure efficient and secure namespace management in Kubernetes deployments. 2. Kubernetes Deployment Security Practices To ensure the security of your Kubernetes deployment, there are several best practices you should follow. Enable Role-Based Access Control (RBAC) to control access and permissions within the cluster. Implement network policies to restrict communication and enforce security boundaries. Regularly scan for vulnerabilities and apply patches to Kubernetes components. Enable audit logging to track and monitor cluster activity. Follow security best practices for container images and only use trusted sources. By implementing these practices, you can enhance the security of your Kubernetes deployment. Setting up Role-Based Access Control (RBAC) In Kubernetes To ensure fine-grained access permissions in Kubernetes, it is crucial to create custom roles and role bindings. You can effectively manage access for applications running within pods by utilizing service accounts. Implementing role inheritance simplifies RBAC management across multiple namespaces. Regularly reviewing and updating RBAC policies is essential to align with evolving security requirements. Following RBAC's best practices, such as the least privilege principle, minimizes security risks. Emphasizing these practices enables secure configuration and automation of Kubernetes deployments. 3. Best Practices for Securing Kubernetes API Server To ensure the security of your Kubernetes API server, it is essential to implement several best practices. Enable access control using RBAC to ensure only authorized users can access the API server. Implement network policies to restrict access to the server, preventing unauthorized access. Regularly update and patch the API server to avoid any vulnerabilities. Enable audit logs to monitor and track activity on the API server. Lastly, use role-based access control (RBAC) to manage user permissions effectively. Implementing Kubernetes Network Policies for Security To enhance security in Kubernetes deployments, implementing network policies is crucial. These policies allow you to control inbound and outbound traffic between pods, ensuring only authorized communication. Network segmentation with different namespaces adds an extra layer of security by isolating resources. Applying firewall rules further restricts communication, preventing unauthorized access. You can utilize network plugins like Calico or Cilium to manage network policies effectively, which provide advanced policy management capabilities. Monitoring network traffic and implementing IP whitelisting/blacklisting adds additional security against potential threats. 4. Scaling Kubernetes Deployments Implementing automatic scaling is a proven Kubernetes deployment best practice. You can optimize resource utilization using the Kubernetes horizontal pod autoscaler (HPA). It allows you to scale up or down based on CPU metrics, ensuring efficient allocation of resources. Another helpful tool is kube-state-metrics, which helps monitor the status of your Kubernetes deployments. Additionally, implementing cluster autoscaler enables automatically adjusting the number of nodes in your Kubernetes cluster. Continuously monitoring resource consumption and adjusting resource requests and limits is essential for smooth scaling. Automatic Scaling With Kubernetes Horizontal Pod Autoscaler (HPA) Configure the Kubernetes horizontal pod autoscaler (HPA) to automatically scale the number of pods based on CPU or custom metrics. Set the target CPU utilization for HPA to trigger scaling and enable the metrics server to monitor CPU utilization accurately. HPA can also be used with custom metrics to scale based on application-specific requirements. It's essential to monitor HPA events and adjust the HPA settings to ensure optimal performance and resource utilization. 5. Optimizing Resource Utilization With Kubernetes Resource Requests and Limits To optimize resource utilization in Kubernetes, it's essential to set resource requests specifying the minimum CPU and memory requirements for a pod. Additionally, resource limits should be used to prevent pods from exceeding allocated resources. Monitoring resource utilization through metrics like CPU and memory allows for adjustments to resource requests and limits based on observed consumption. Furthermore, optimizing container images helps reduce resource usage and improves overall performance. Implementing these practices can effectively optimize resource utilization in your Kubernetes deployments. 6. Monitoring and Logging Kubernetes Deployments Monitoring and logging Kubernetes deployments is vital for smooth operation. Prometheus and Grafana provide real-time metrics and alerts for critical events. The ELK stack centralizes logging, making troubleshooting and identifying bottlenecks easier. Custom metrics exporters monitor application-specific metrics. Optimize performance and troubleshoot effectively with monitoring and logging. Monitoring Kubernetes Clusters With Prometheus and Grafana Configure Prometheus to collect metrics from the Kubernetes API server and Kubelet. Utilize Grafana dashboards to visualize Prometheus metrics for comprehensive monitoring. Establish alerting rules in Prometheus to receive notifications for critical events. Monitor cluster components such as etcd, kube-proxy, and kube-dns using Prometheus exporters. Customize Grafana dashboards to track specific resource and application metrics. Conclusion To achieve successful Kubernetes deployments, follow best practices. Understanding architecture and benefits, considering resource requirements and security, setting up clusters and configuring networking, Implementing role-based access control and network policies, scaling efficiently, monitoring and logging for health, and troubleshooting common issues are some of the best practices to follow. However, which one to use depends on specific project requirements.
This is an article from DZone's 2023 Database Systems Trend Report.For more: Read the Report In today's rapidly evolving digital landscape, businesses across the globe are embracing cloud computing to streamline operations, reduce costs, and drive innovation. At the heart of this digital transformation lies the critical role of cloud databases — the backbone of modern data management. With the ever-growing volume of data generated for business, education, and technology, the importance of scalability, security, and cloud services has become paramount in choosing the right cloud vendor. In this article, we will delve into the world of primary cloud vendors, taking an in-depth look at their offerings and analyzing the crucial factors that set them apart: scalability, security, and cloud services for cloud databases. Armed with this knowledge, businesses can make informed decisions as they navigate the vast skies of cloud computing and select the optimal vendor to support their unique data management requirements. Scaling in the Cloud One of the fundamental advantages of cloud databases is their ability to scale in response to increasing demands for storage and processing power. Scalability can be achieved in two primary ways: horizontally and vertically. Horizontal scaling, also known as scale-out, involves adding more servers to a system, distributing the load across multiple nodes. Vertical scaling, or scale-up, refers to increasing the capacity of existing servers by adding more resources such as CPU, memory, and storage. Benefits of Scalability By distributing workloads across multiple servers or increasing the resources available on a single server, cloud databases can optimize performance and prevent bottlenecks, ensuring smooth operation even during peak times. Scalability allows organizations to adapt to sudden spikes in demand or changing requirements without interrupting services. By expanding or contracting resources as needed, businesses can maintain uptime and avoid costly outages. By scaling resources on-demand, organizations can optimize infrastructure costs, paying only for what they use. This flexible approach allows for more efficient resource allocation and cost savings compared to traditional on-premises infrastructure. Examples of Cloud Databases With Scalability Several primary cloud vendors offer scalable cloud databases designed to meet the diverse needs of organizations. The most popular releases encompass database platforms from licensed versions to open source, such as MySQL and PostgreSQL. In public clouds, there are three major players in the arena: Amazon, Microsoft Azure, and Google. The major cloud vendors offer managed cloud databases in various flavors of both licensed and open-source database platforms. These databases are easily scalable in storage and compute resources, but all controlled through service offerings. Scalability is about more power in the cloud, although some cloud databases are able to scale out, too. Figure 1: Scaling up behind the scenes in the cloud Each cloud vendor provides various high availability and scalability options with minimal manual intervention, allowing organizations to scale instances up or down and add replicas for read-heavy workloads or maintenance offloading. Securing Data in the Cloud As organizations increasingly embrace cloud databases to store and manage their sensitive data, ensuring robust security has become a top priority. While cloud databases offer numerous advantages, they also come with potential risks, such as data breaches, unauthorized access, and insider threats. In this section, we will explore the security features that cloud databases provide and discuss how they help mitigate these risks. Common Security Risks Data breaches aren't a question of if, but a question of when. Unauthorized access to sensitive data can lead to data access by those who shouldn't, potentially resulting in reputational damage, financial losses, and regulatory penalties. It shouldn't surprise anyone that cloud databases can be targeted by cybercriminals attempting to gain unauthorized access to data. This risk makes it essential to implement strict access controls at all levels — cloud, network, application, and database. As much as we don't like to think about it, disgruntled employees or other insiders can pose a significant threat to organizations' data security, as they may have legitimate access to the system but misuse it for malicious or unintentional abuse. Security Features in Cloud Databases One of the largest benefits of a public cloud vendor is the numerous first-party and partner security offerings, which can offer better security for cloud databases. Cloud databases offer robust access control mechanisms, such as role-based access control (RBAC) and multi-factor authentication (MFA), to ensure that only authorized users can access data. These features help prevent unauthorized access and reduce the risk of insider threats. Figure 2: Database security in the public cloud The second most implemented protection method is encryption and data level protection. To protect data from unauthorized access, cloud databases provide various encryption methods. These different levels and layers of encryption help secure data throughout its lifecycle. Encryption comes in three main methods: Encryption at rest protects data stored on a disk by encrypting it using strong encryption algorithms. Encryption in transit safeguards data as it travels between the client and the server or between different components within the database service. Encryption in use encrypts data while it is being processed or used by the database, ensuring that data remains secure even when in memory. Compliance and Regulations Cloud database providers often adhere to strict compliance standards and regulations, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS). Compliance with these regulations helps ensure that organizations meet their legal and regulatory obligations, further enhancing data security. Integrating cloud databases with identity and access management (IAM) services, such as AWS Identity and Access Management, Azure Active Directory, and Google Cloud Identity, helps enforce strict security and access control policies. This integration ensures that only authorized users can access and interact with the cloud database, enhancing overall security. Cloud Services and Databases Cloud databases not only provide efficient storage and management of data but can also be seamlessly integrated with various other cloud services to enhance their capabilities. By leveraging these integrations, organizations can access powerful tools for insights, analytics, security, and quality. In this section, we will explore some popular cloud services that can be integrated with cloud databases and discuss their benefits. Cloud Machine Learning Services Machine learning services in the cloud enable organizations to develop, train, and deploy machine learning models using their cloud databases as data sources. These services can help derive valuable insights and predictions from stored data, allowing businesses to make data-driven decisions and optimize processes. With today's heavy investment in artificial intelligence (AI), no one should be surprised that Cloud Services for AI are at the top of the services list. AI services in the cloud, such as natural language processing, computer vision, and speech recognition, can be integrated with cloud databases to unlock new capabilities. These integrations enable organizations to analyze unstructured data, automate decision-making, and improve user experiences. Cloud Databases and Integration Integrating cloud databases with data warehouse solutions, such as Amazon Redshift, Google BigQuery, Azure Synapse Analytics, and Snowflake, allows organizations to perform large-scale data analytics and reporting. This combination provides a unified platform for data storage, management, and analysis, enabling businesses to gain deeper insights from their data. Along with AI and machine learning, cloud databases can be integrated with business intelligence (BI) tools like Tableau, Power BI, and Looker to create visualizations and dashboards. By connecting BI tools to cloud databases, organizations can easily analyze and explore data, empowering them to make informed decisions based on real-time insights. Data streaming and integrating cloud databases with services like Amazon Kinesis, Azure Stream Analytics, and Google Cloud Pub/Sub enable organizations to process and analyze data in real time, providing timely insights and improving decision-making. By integrating cloud databases with monitoring and alerting services, such as Amazon CloudWatch, Azure Monitor, and Google Cloud Monitoring, organizations can gain insights into the health and performance of their databases. These services allow businesses to set up alerts, monitor key performance indicators (KPIs), and troubleshoot issues in real time. Data Pipelines and ETL Services Data pipelines and ETL services are the final services from the category of integration, such as AWS Glue, Azure Data Factory, and Google Cloud Data Fusion, that can be integrated with relational cloud databases to automate data ingestion, transformation, and loading processes, ensuring seamless data flow between systems. Conclusion The scalability of cloud databases is an essential factor for organizations looking to manage their growing data needs effectively. Along with scalability, security plays a critical aspect of cloud databases, and it is crucial for organizations to understand the features and protections offered by their chosen provider. By leveraging robust access control, encryption, and compliance measures, businesses can significantly reduce the risks associated with data breaches, unauthorized access, and insider threats, ensuring that their sensitive data remains secure and protected in the cloud. Finally, to offer the highest return on investment, integrating cloud databases with other services unlocks the powerful analytics and insights available in the public cloud. By leveraging these integrations, organizations can enhance the capabilities of their cloud databases and optimize their data management processes, driving innovation and growth in the digital age. This is an article from DZone's 2023 Database Systems Trend Report.For more: Read the Report
In today's rapidly evolving world of software development and deployment, containerization has emerged as a transformative technology. It has revolutionized the way applications are built, packaged, and deployed, providing agility, scalability, and consistency to development and operations teams alike. Two of the most popular containerization tools, Docker and Kubernetes, play pivotal roles in this paradigm shift. In this blog, we'll dive deep into containerization technologies, explore how Docker and Kubernetes work together, and understand their significance in modern application deployment. Understanding Containerization A containerization is a lightweight form of virtualization that allows you to package an application and its dependencies into a single, portable unit called a container. Containers are isolated, ensuring that an application runs consistently across different environments, from development to production. Unlike traditional virtual machines (VMs), containers share the host OS kernel, which makes them extremely efficient in terms of resource utilization and startup times. Example: Containerizing a Python Web Application Let's consider a Python web application using Flask, a microweb framework. We'll containerize this application using Docker, a popular containerization tool. Step 1: Create the Python Web Application Python # app.py from flask import Flask app = Flask(__name__) @app.route('/') def hello(): return "Hello, Containerization!" if __name__ == '__main__': app.run(debug=True, host='0.0.0.0') Step 2: Create a Dockerfile Dockerfile # Use an official Python runtime as a parent image FROM python:3.9-slim # Set the working directory to /app WORKDIR /app # Copy the current directory contents into the container at /app COPY . /app # Install any needed packages specified in requirements.txt RUN pip install -r requirements.txt # Make port 80 available to the world outside this container EXPOSE 80 # Define environment variable ENV NAME World # Run app.py when the container launches CMD ["python", "app.py"] Step 3: Build and Run the Docker Container Shell # Build the Docker image docker build -t flask-app . # Run the Docker container, mapping host port 4000 to container port 80 docker run -p 4000:80 flask-app This demonstrates containerization by encapsulating the Python web application and its dependencies within a Docker container. The containerized app can be run consistently on various environments, promoting portability and ease of deployment. Containerization simplifies application deployment, ensures consistency, and optimizes resource utilization, making it a crucial technology in modern software development and deployment pipelines. Docker: The Containerization Pioneer Docker, developed in 2013, is widely regarded as the pioneer of containerization technology. It introduced a simple yet powerful way to create, manage, and deploy containers. Here are some key Docker components: Docker Engine The Docker Engine is the core component responsible for running containers. It includes the Docker daemon, which manages containers, and the Docker CLI (Command Line Interface), which allows users to interact with Docker. Docker Images Docker images are lightweight, stand-alone, and executable packages that contain all the necessary code and dependencies to run an application. They serve as the blueprints for containers. Docker Containers Containers are instances of Docker images. They are isolated environments where applications run. Containers are highly portable and can be executed consistently across various environments. Docker's simplicity and ease of use made it a go-to choice for developers and operators. However, managing a large number of containers at scale and ensuring high availability required a more sophisticated solution, which led to the rise of Kubernetes. Kubernetes: Orchestrating Containers at Scale Kubernetes, often abbreviated as K8s, is an open-source container orchestration platform originally developed by Google. It provides a framework for automating the deployment, scaling, and management of containerized applications. Here's a glimpse of Kubernetes' core components: Master Node The Kubernetes master node is responsible for controlling the cluster. It manages container orchestration, scaling, and load balancing. Worker Nodes Worker nodes, also known as Minions, host containers and run the tasks assigned by the master node. They provide the computing resources needed to run containers. Pods Pods are the smallest deployable units in Kubernetes. They can contain one or more containers that share the same network namespace, storage, and IP address. Services Kubernetes services enable network communication between different sets of pods. They abstract the network and ensure that applications can discover and communicate with each other reliably. Deployments Deployments in Kubernetes allow you to declaratively define the desired state of your application and ensure that the current state matches it. This enables rolling updates and automatic rollbacks in case of failures. The Docker-Kubernetes Synergy Docker and Kubernetes are often used together to create a comprehensive containerization and orchestration solution. Docker simplifies the packaging and distribution of containerized applications, while Kubernetes takes care of their deployment and management at scale. Here's how Docker and Kubernetes work together: Building Docker Images: Developers use Docker to build and package their applications into Docker images. These images are then pushed to a container registry, such as Docker Hub or Google Container Registry. Kubernetes Deployments: Kubernetes takes the Docker images and orchestrates the deployment of containers across a cluster of nodes. Developers define the desired state of their application using Kubernetes YAML manifests, including the number of replicas, resource requirements, and networking settings. Scaling and Load Balancing: Kubernetes can automatically scale the number of container replicas based on resource utilization or traffic load. It also manages load balancing to ensure high availability and efficient resource utilization. Service Discovery: Kubernetes services enable easy discovery and communication between different parts of an application. Services can be exposed internally or externally, depending on the use case. Rolling Updates: Kubernetes supports rolling updates and rollbacks, allowing applications to be updated with minimal downtime and the ability to revert to a previous version in case of issues. The Significance in Modern Application Deployment The adoption of Docker and Kubernetes has had a profound impact on modern application deployment practices. Here's why they are crucial: Portability: Containers encapsulate everything an application needs, making it highly portable. Developers can build once and run anywhere, from their local development environment to a public cloud or on-premises data center. Efficiency: Containers are lightweight and start quickly, making them efficient in terms of resource utilization and time to deployment. Scalability: Kubernetes allows applications to scale up or down automatically based on demand, ensuring optimal resource allocation and high availability. Consistency: Containers provide consistency across different environments, reducing the "it works on my machine" problem and streamlining the development and operations pipeline. DevOps Enablement: Docker and Kubernetes promote DevOps practices by enabling developers and operators to collaborate seamlessly, automate repetitive tasks, and accelerate the software delivery lifecycle. Conclusion In conclusion, Docker and Kubernetes are at the forefront of containerization and container orchestration technologies. They have reshaped the way applications are developed, deployed, and managed in the modern era. By combining the simplicity of Docker with the power of Kubernetes, organizations can achieve agility, scalability, and reliability in their application deployment processes. Embracing these technologies is not just a trend but a strategic move for staying competitive in the ever-evolving world of software development. As you embark on your containerization journey with Docker and Kubernetes, remember that continuous learning and best practices are key to success. Stay curious, explore new features, and leverage the vibrant communities surrounding these technologies to unlock their full potential in your organization's quest for innovation and efficiency. Containerization is not just a technology; it's a mindset that empowers you to build, ship, and run your applications with confidence in a rapidly changing digital landscape.
Boris Zaikin
Lead Solution Architect,
CloudAstro GmBH
Ranga Karanam
Best Selling Instructor on Udemy with 1 MILLION Students,
in28Minutes.com
Samir Behara
Senior Cloud Infrastructure Architect,
AWS
Pratik Prakash
Master Software Engineer (SDE-IV),
Capital One
