Google Cloud Platform Technical Marketing Content


Windows Server applications, welcome to Google Kubernetes Engine

Google Kubernetes Engine (GKE) now supports Windows Server Containers, available in beta.

By running Windows Server apps as containers on Kubernetes, you get many of the benefits that Linux applications already enjoy, and running your Windows Server containers on GKE can reduce licensing costs by packing multiple Windows Server containers onto each Windows node. With GKE support, Windows and Linux containers can run side by side in the same cluster.

Other highlights include:

  • Private clusters: a security and privacy feature that allows you to restrict access to a cluster’s nodes and the master from the public internet.
  • Node Auto Upgrades: a feature that reduces management overhead and improves security by automatically upgrading GKE nodes on your behalf.
  • Regional clusters: an availability and reliability feature that allows you to create a multi-master, highly-available Kubernetes cluster that spreads both the control plane and the nodes across multiple zones in the same region.
  • Support for Group Managed Service Accounts (gMSA): gMSAs are supported by Google Cloud’s Managed Microsoft Active Directory Service for easier administration.
  • Choice of Microsoft Long-Term Servicing Channel (LTSC) or Semi-Annual Channel (SAC) servicing channels, allowing you to choose the version that best fits your support and feature requirements.


Introducing Batch on GKE—modernizing HPC with Kubernetes in the cloud

We’re announcing the preview of Batch on Google Kubernetes Engine (GKE), a cloud-native solution for running batch workloads at scale in an optimized manner.

Batch on GKE brings the functionality and familiarity of a traditional batch job scheduler into a cloud-first world. It frees your applications from the limitations of fixed-sized compute clusters by dynamically allocating resources to meet the needs of your application.

We built Batch on GKE to bring the benefits of GKE to batch workloads such as media rendering, genomics sequencing, silicon design verification, and financial portfolio risk analysis.

The preview release of Batch on GKE includes the following capabilities:

  • Autoscaling and just-in-time provisioning to ensure you pay for just what you need
  • Rightsizing of virtual machines to tailor CPU and memory to the job at hand
  • Smart reuse of virtual machines and smart packing of jobs to reduce waste and the time jobs spend waiting in a queue
  • Resource budgets to allocate the maximum spend per team
  • Graphics Processing Unit (GPU) support
  • Job submission tool that high performance computing practitioners will find familiar


Google Cloud Functions support for Virtual Private Cloud Service Controls is now available in beta

Google Cloud Functions now supports Virtual Private Cloud Service Controls (VPC SC) in beta. VPC SC is a data exfiltration prevention feature that helps enforce network controls, form a secure perimeter around managed Google Cloud Platform services, and guard against data exfiltration by malicious insiders.

With VPC SC support, large enterprises can keep their sensitive data private while employing Cloud Functions to build cost-efficient, scalable serverless services at the level of a single function. VPC SC support in Cloud Functions also helps enterprises maintain security compliance while safely unblocking engineering teams to take advantage of Google Cloud Platform’s fully managed storage and data processing capabilities.

Cloud Functions’ VPC SC exfiltration prevention feature includes:

  • Ingress and egress settings that let users apply network-based access restrictions to traffic entering and leaving a function.
  • A restricted VIP (virtual IP) to distinguish between Cloud Functions traffic and external traffic to routing systems.


Bringing Hibernate ORM to Cloud Spanner for database adoption

We’ve developed our new open source Cloud Spanner Dialect for Hibernate ORM to make it easier to adopt Cloud Spanner. You can now get the benefits of Cloud Spanner—scalability and relational semantics—with the idiomatic persistence afforded by Hibernate.

This can help you migrate existing applications to the cloud or write new ones using the familiar APIs of Hibernate-compatible environments such as JPA, Spring Data JPA, Microprofile, and Quarkus.


Exploring container security: Navigate the security seas with ease in GKE v1.15

GKE v1.15 comes with improved behind-the-scenes platform security and stronger defaults, as well as additional advice added to the GKE hardening guide.

Improvements include:

  • Rebased GKE master and daemonset containers on top of distroless base images, which reduces noise in vulnerability scanning (fewer findings from packages the components never use) and simplifies Kubernetes component maintenance.
  • A new discovery role system:public-info-viewer explicitly meant for unauthenticated users. We also removed system:unauthenticated access to other API server information.
  • Updated, more secure defaults for new GKE clusters, so that newer clusters adopt best practices easily. These defaults apply to any new GKE cluster you create, and you can still opt for other options. They include:
    • enabling node auto-upgrade by default for security patches, bug fixes, etc.
    • removing the Kubernetes dashboard add-on
    • removing basic authentication and client certs
    • removing access to legacy node metadata endpoints
  • An updated GKE hardening guide with new recommendations, including using Workload Identity in place of metadata concealment to protect sensitive node metadata, and enabling secure boot to validate the components on your nodes for stronger rootkit and bootkit protection.
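A defender's check for the defaults above, as an added example that is not Google's code: it audits the JSON printed by `gcloud container clusters describe CLUSTER --format=json` for each listed setting (basic auth, client certs, dashboard add-on, legacy metadata endpoints, node auto-upgrade, Workload Identity, secure boot). The field paths are assumptions based on the GKE API Cluster resource, and the sample description is constructed.

```python
import json

# Constructed sample of `gcloud container clusters describe --format=json` output for a
# cluster still on pre-1.15 defaults. Field paths are assumed from the GKE API Cluster resource.
SAMPLE_CLUSTER_JSON = """{
  "name": "legacy-cluster",
  "masterAuth": {"username": "admin",
                 "clientCertificateConfig": {"issueClientCertificate": true}},
  "addonsConfig": {"kubernetesDashboard": {"disabled": false}},
  "workloadIdentityConfig": {},
  "nodePools": [{"name": "default-pool",
                 "management": {"autoUpgrade": false},
                 "config": {"metadata": {"disable-legacy-endpoints": "false"},
                            "shieldedInstanceConfig": {"enableSecureBoot": false}}}]
}"""


def audit_cluster(cluster: dict) -> list:
    """Return one finding per GKE 1.15 hardening default the cluster does not meet."""
    findings = []
    master_auth = cluster.get("masterAuth", {})
    if master_auth.get("username"):
        findings.append("basic authentication enabled (masterAuth.username is set)")
    if master_auth.get("clientCertificateConfig", {}).get("issueClientCertificate"):
        findings.append("client certificate issued (issueClientCertificate=true)")
    if not cluster.get("addonsConfig", {}).get("kubernetesDashboard", {}).get("disabled"):
        findings.append("Kubernetes dashboard add-on enabled")
    if not cluster.get("workloadIdentityConfig", {}).get("workloadPool"):
        findings.append("Workload Identity not configured (no workloadPool)")
    for pool in cluster.get("nodePools", []):
        name = pool.get("name", "?")
        if not pool.get("management", {}).get("autoUpgrade"):
            findings.append(f"node pool {name}: auto-upgrade disabled")
        config = pool.get("config", {})
        # Instance metadata values are strings; only the literal "true" disables the legacy endpoints.
        if config.get("metadata", {}).get("disable-legacy-endpoints") != "true":
            findings.append(f"node pool {name}: legacy metadata endpoints reachable")
        if not config.get("shieldedInstanceConfig", {}).get("enableSecureBoot"):
            findings.append(f"node pool {name}: secure boot disabled")
    return findings


def audit_json(describe_output: str) -> list:
    """Audit the raw JSON text printed by `gcloud container clusters describe`."""
    return audit_cluster(json.loads(describe_output))


if __name__ == "__main__":
    for finding in audit_json(SAMPLE_CLUSTER_JSON):
        print("FAIL:", finding)
```

Run against a real cluster by piping the describe output into `audit_json`; an empty list means every listed default is in place.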