Google Cloud GKE Autopilot for improve security at reduced cost
Recently Google released Google Kubernetes Engine Autopilot so we took a little time to do a quick review of how it differs to GKE Standard. Here's the summary and the Google blog.
- Basic service reliability practices (SRE) setup for worker node pools (provisioning, maintenance, and lifecycle management, scalability) without any extra configuration. Standard only does this for cluster managers.
- Our view: Generally, nothing really changes for app developers but it will free up overall company time. Whomever is responsible for the platform will need to spend less time understanding some new concepts and managing the clusters. Even PaaS Kubernetes eats hours to deploy safely and reliably, so it offers a really deployment for most requirements
- Pay per workload model (I.e. EKS+Fargate on AWS)
- Our view: This is great for overall spend and cost projection. It's far simpler to implement GKE Autopilot than deploying AWS EKS with Fargate, so the CFO and Ops will both benefit.
- Enforces a basic set of security features. Basic authentication and legacy authorisation are disabled, and shielded nodes (boot and kernel level protection) and workload identity (fine grained access control) are turned on. Other features are apparently coming soon
- Our view: This also is great. Some of the coming soon features will be really good to have when they land but if you're just starting out or don't have a full understanding of all the features, this is a quick win. Remember though, with security, there's always something extra you can do. So don't think this solves your security concerns.
GKE Autopilot is a super nice addition to Google Cloud's catalogue in the container workload space. We have some deployment code modules which we test against GKE clusters, so we enabled it immediately on those automated test jobs. A little surprisingly we didn't really notice any difference in costs. Arguably it actually looks like we are spending a little more. However, the additional security on a minimal set-up is still beneficial and we'll continue to assess on bigger deployments because our test clusters only cost around £0.30p per time, so it's such a small amount it probably gets lost in rounding. :)
Check out the Google Blog introducing it
Getting more done in your DevOps team sprints
A few years back I wrote an article on a great way to manage work for DevOps/SRE teams in a Scrum/Sprint way of working, and using Jira and Confluence to assist in planning and reporting.
As a result of implementing it at different clients, we've learned some things about the process since then, so I thought it worth writing a review on what we discovered and some changes we made at a large financial client. Some really positive improvements from a qualitative and quantitive perspective.
We now get even more done. Check it out!