What is Google Kubernetes?

Overview of the open-source cluster management project by Google
10 August 2017

What is Kubernetes?

Kubernetes is an open source project designed to manage a cluster of Linux containers as a single system. Kubernetes schedules and runs Docker containers across a large number of hosts, and also provides co-location and replication of large numbers of containers. The project was launched by Google and is now supported by many companies, including Microsoft, Red Hat, IBM and Docker. It is written in Go and is lightweight, modular, portable and extensible.

Google has been using container technology for more than a decade, and today it launches more than 2 billion containers in one week. With the Kubernetes project, the company shares this experience by building an open platform for running containers at scale.

The project has two goals. Once you use Docker containers, two questions arise: how to schedule and launch containers across a large number of Docker hosts, and how to load-balance between them. The project answers them with a high-level API that defines logical groupings of containers, which lets you define container pools and load balancers and specify where containers are placed.

Kubernetes concepts

  • pods: a way to group containers together
  • replication controllers: a way to handle the lifecycle of containers
  • labels: a way to find and query containers
  • services: a set of containers performing a common function
  • volumes (volumes.md): a directory, possibly with data in it, which is available inside the container
  • labels (labels.md): key/value pairs attached to objects such as pods; labels can be used to create and select sets of objects
  • kubectl (kubectl.md): the command line interface for managing a Kubernetes cluster
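To make the label, service and replication-controller concepts concrete, here is an added example in Go (not code from the page or from the Kubernetes project): a toy model of pods, an equality-based label selector with Kubernetes' matching semantics, the endpoint set a Service would derive from such a selector, and the reconciliation arithmetic of a replication controller. The Pod, Requirement, Endpoints and ReplicaDelta names and the sample pods are constructed for this example; the selector grammar covers only the equality form.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Pod is a minimal, constructed model of a Kubernetes pod: name, labels, pod IP.
type Pod struct {
	Name   string
	Labels map[string]string
	IP     string
}

// Requirement is one selector clause: "key=value" (Equal) or "key!=value".
type Requirement struct {
	Key, Value string
	Equal      bool
}

// ParseSelector parses a comma-separated equality selector such as
// "app=web,tier!=canary"; set-based operators (in, notin) are not modelled.
func ParseSelector(s string) ([]Requirement, error) {
	var reqs []Requirement
	for _, clause := range strings.Split(s, ",") {
		clause = strings.TrimSpace(clause)
		if clause == "" {
			continue
		}
		if i := strings.Index(clause, "!="); i >= 0 {
			reqs = append(reqs, Requirement{Key: clause[:i], Value: clause[i+2:]})
			continue
		}
		i := strings.Index(clause, "=")
		if i < 0 {
			return nil, fmt.Errorf("bad selector clause %q", clause)
		}
		reqs = append(reqs, Requirement{Key: clause[:i], Value: clause[i+1:], Equal: true})
	}
	return reqs, nil
}

// Matches applies Kubernetes equality-selector semantics: "key=value" needs the
// label present with that value; "key!=value" is satisfied by a different value
// and also by the label being absent. An empty selector matches every pod.
func Matches(pod Pod, reqs []Requirement) bool {
	for _, r := range reqs {
		v, present := pod.Labels[r.Key]
		if r.Equal && (!present || v != r.Value) {
			return false
		}
		if !r.Equal && present && v == r.Value {
			return false
		}
	}
	return true
}

// Endpoints returns, sorted, the pod IPs a Service with this selector routes to.
func Endpoints(pods []Pod, selector string) ([]string, error) {
	reqs, err := ParseSelector(selector)
	if err != nil {
		return nil, err
	}
	var ips []string
	for _, p := range pods {
		if Matches(p, reqs) {
			ips = append(ips, p.IP)
		}
	}
	sort.Strings(ips)
	return ips, nil
}

// ReplicaDelta is a replication controller's reconciliation step: how many pods
// to create (positive) or delete (negative) to reach the desired count.
func ReplicaDelta(pods []Pod, selector string, desired int) (int, error) {
	current, err := Endpoints(pods, selector)
	if err != nil {
		return 0, err
	}
	return desired - len(current), nil
}

// samplePods is constructed sample data, not taken from a real cluster.
var samplePods = []Pod{
	{"web-1", map[string]string{"app": "web", "tier": "frontend"}, "10.0.0.11"},
	{"web-2", map[string]string{"app": "web", "tier": "frontend"}, "10.0.0.12"},
	{"web-canary", map[string]string{"app": "web", "tier": "canary"}, "10.0.0.13"},
	{"db-1", map[string]string{"app": "db"}, "10.0.0.21"},
}

func main() {
	ips, _ := Endpoints(samplePods, "app=web,tier!=canary")
	fmt.Println("service endpoints:", ips)
	d, _ := ReplicaDelta(samplePods, "app=web,tier=frontend", 3)
	fmt.Println("frontend controller must create", d, "pod(s)")
}
```

The `!=` rule is the practical pitfall worth remembering: a selector made only of negative clauses (for a Service, or a NetworkPolicy that also selects by label) matches every pod that lacks the label altogether, so the db-1 pod above, which has no tier label, is selected by "tier!=canary". Pairing a negative clause with a positive one such as app=web keeps the selected set bounded.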

Kubernetes architecture

A running Kubernetes cluster consists of the agent running on each node (the kubelet) and the master components (the API server, the scheduler, and so on), on top of a distributed storage solution.

[Figure: Kubernetes architecture]

The diagram above shows the intended end state; some work is still under way, for example making the kubelet (in fact, every component) run independently inside a container, which would make the scheduler 100% pluggable.


Google to Introduce Tink Cryptographic Library

Google already uses Tink in projects like AdMob, Google Pay, Google Assistant, Firebase and the Android Search App
31 August 2018

Google has introduced an open-source cryptographic library called Tink, with support for Java, C++ and Objective-C and experimental support for Go and JavaScript. Its primitives are built on BoringSSL and on the Java Cryptography Architecture framework.

Even small mistakes in the use of cryptographic methods can have serious consequences, and cryptographers have studied such mistakes carefully for decades. Most developers do not have that much time, so in creating the new tool the company set out to reduce the number of potential errors in the use of cryptographic APIs. Google already uses Tink in projects like AdMob, Google Pay, Google Assistant, Firebase and the Android Search App.

These primitives are used in the core of the library:

  • AEAD (Authenticated Encryption with Associated Data) for symmetric encryption of data blocks and data streams under a fixed key. Using it does not require choosing specific algorithms or their parameters, and encryption and decryption take only a few lines:
    import com.google.crypto.tink.Aead;
    import com.google.crypto.tink.KeysetHandle;
    import com.google.crypto.tink.aead.AeadConfig;
    import com.google.crypto.tink.aead.AeadFactory;
    import com.google.crypto.tink.aead.AeadKeyTemplates;

    // 0. Register the AEAD key managers once per process.
    AeadConfig.register();
    // 1. Generate the key material.
    KeysetHandle keysetHandle = KeysetHandle.generateNew(
        AeadKeyTemplates.AES256_EAX);
    // 2. Get the primitive.
    Aead aead = AeadFactory.getPrimitive(keysetHandle);
    // 3. Use the primitive. Sample inputs, constructed for illustration:
    byte[] plaintext = "hello".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] associatedData = "context".getBytes(java.nio.charset.StandardCharsets.UTF_8);
    byte[] ciphertext = aead.encrypt(plaintext, associatedData);
    // Decryption must receive the same associated data, otherwise it throws.
    byte[] decrypted = aead.decrypt(ciphertext, associatedData);
  • MAC (Message Authentication Code) for computing and verifying message authentication codes.

Tink also provides primitives for creating and verifying digital signatures, as well as for fast hybrid encryption.

Features
Each primitive supports stateless operation, is safe to copy, and uses 128-bit keys. The library automatically blocks potentially unsafe operations, for example loading keys from unencrypted files on disk. Tink provides an API for rotating keys and for interacting with external key management systems: Google Cloud KMS, Amazon KMS, Android Keystore and Apple iOS Keychain.
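The AEAD item above and the key-rotation API mentioned in this paragraph, as an added example that is not code from the page or from Tink itself: a small keyset in Go built on AES-256-GCM from the standard library. Only the primary key encrypts, every key in the set can decrypt, and a 4-byte key ID prefixed to each ciphertext tells the decrypting side which key to use, so rotation never breaks existing data. The Keyset, Rotate, Encrypt and Decrypt names, the prefix layout and the sample messages are this example's own assumptions; Tink's actual keyset format and its AES256_EAX template from the Java snippet are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// aeadKey is one key in a keyset; its ID is prefixed to every ciphertext.
type aeadKey struct {
	id   uint32
	aead cipher.AEAD
}

// Keyset holds several AEAD keys: only the primary encrypts, any key in the
// set may decrypt. Constructed illustration on AES-256-GCM, not Tink's format.
type Keyset struct {
	primary uint32
	keys    map[uint32]aeadKey
}

func newAEADKey(id uint32) (aeadKey, error) {
	raw := make([]byte, 32) // 256-bit key, kept in memory only
	if _, err := rand.Read(raw); err != nil {
		return aeadKey{}, err
	}
	block, err := aes.NewCipher(raw)
	if err != nil {
		return aeadKey{}, err
	}
	gcm, err := cipher.NewGCM(block)
	return aeadKey{id: id, aead: gcm}, err
}

// NewKeyset creates a keyset whose only, and therefore primary, key has id.
func NewKeyset(id uint32) (*Keyset, error) {
	ks := &Keyset{keys: map[uint32]aeadKey{}}
	return ks, ks.Rotate(id)
}

// Rotate adds a fresh key and makes it primary; older keys stay for decryption.
func (ks *Keyset) Rotate(id uint32) error {
	if _, dup := ks.keys[id]; dup {
		return fmt.Errorf("key id %d already in keyset", id)
	}
	k, err := newAEADKey(id)
	if err != nil {
		return err
	}
	ks.keys[id] = k
	ks.primary = id
	return nil
}

// Encrypt outputs keyID(4 bytes) || nonce || ciphertext+tag. associatedData is
// authenticated but not encrypted and must be presented again to Decrypt.
func (ks *Keyset) Encrypt(plaintext, associatedData []byte) ([]byte, error) {
	k := ks.keys[ks.primary]
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(plaintext)+k.aead.Overhead())
	binary.BigEndian.PutUint32(out, k.id)
	out = append(out, nonce...)
	return k.aead.Seal(out, nonce, plaintext, associatedData), nil
}

// Decrypt selects the key named in the prefix and verifies the tag; any change
// to the ciphertext or the associated data makes it fail.
func (ks *Keyset) Decrypt(ciphertext, associatedData []byte) ([]byte, error) {
	if len(ciphertext) < 4 {
		return nil, errors.New("ciphertext too short")
	}
	k, ok := ks.keys[binary.BigEndian.Uint32(ciphertext[:4])]
	if !ok {
		return nil, errors.New("no key in keyset for this ciphertext")
	}
	ns := k.aead.NonceSize()
	if len(ciphertext) < 4+ns+k.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, ciphertext[4:4+ns], ciphertext[4+ns:], associatedData)
}

func main() {
	ks, _ := NewKeyset(1)
	ct, _ := ks.Encrypt([]byte("card=4111"), []byte("user=42"))
	_ = ks.Rotate(2) // key 1 stays in the set, so ct remains readable
	pt, err := ks.Decrypt(ct, []byte("user=42"))
	fmt.Printf("after rotation: %q err=%v\n", pt, err)
	_, err = ks.Decrypt(ct, []byte("user=43"))
	fmt.Println("wrong associated data:", err)
}
```

Two operational points follow from the design. An old key may only be dropped from the set after every ciphertext made under it has been re-encrypted with the current primary, otherwise that data becomes unreadable. And because GCM here uses random nonces, the number of messages per key should stay well below 2^32, which is one more reason to rotate on a schedule rather than only after an incident.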

The library has a modular architecture: custom primitives can be plugged in and existing ones replaced without changing the applications that use them. Parts of Tink can also be left out. For example, if a program only verifies digital signatures, the symmetric encryption components can be removed to reduce the application's code size.

In August 2018, the creators of the WireGuard VPN protocol announced the Zinc cryptographic library, which, once merged into the mainline Linux kernel, is intended to speed up data encryption through a simplified set of crypto algorithms.