Alibaba Cloud’s Container Service Upgraded: Cloud-Native Just Got a Bit More Powerful
By Tang Zhimin, director of research and development at Alibaba Cloud Container Service.
Relive the best moments of the Apsara Conference 2019 at https://www.alibabacloud.com/apsara-conference-2019.
Kubernetes, in short, both functions as a major operating system on the cloud and is also an extremely important infrastructure when it comes to everything cloud native. Alibaba Cloud has been an important player in bringing Kubernetes to customers in China, providing the most popular containerization service in China.
Director of research and development at Alibaba Cloud’s Container Service, Tang Zhimin (pictured above), in his keynote speech during this year’s Apsara Conference, reiterated this point. “Alibaba Cloud Container Service is easily China’s largest container cluster among public cloud service providers. And, according to the rankings put out by several major international evaluation agencies, the service has occupied the largest market share of any service of its kind in the Chinese market, with its performance and capabilities consistently ranking as number one.”
The latest release of Alibaba Cloud Container Service for Kubernetes (ACK), version 2.0, makes for a major upgrade in terms of capacity, performance, and elasticity, and should make Kubernetes even more accessible to even more customers and businesses alike. In this new version, each cluster can contain up to 10,000 nodes, retain up to 90% of the performance of native sandboxed containers, and scale to 1,000 nodes in a few minutes.
So far, Alibaba Cloud Container Service has been deployed in 20 regions around the globe. Moreover, Alibaba Cloud has also launched the cloud-native hybrid cloud 2.0 architecture and ACK@Edge to provide secure, intelligent, and cloud computing services.
Kubernetes: The Underlying Force behind Cloud Native
In the early days, most of the applications running in Kubernetes were stateless. However, nowadays, an increasing number of enterprises are migrating their core business systems, data intelligence workloads, and innovation-related workloads to Kubernetes. Currently, at Alibaba, cloud services like Enterprise Distributed Application Service (EDAS), Microservice Engine (MSE), Dataphin, and Data Lake Analytics are all deployed on Alibaba Cloud’s Container Service for Kubernetes.
Alibaba Cloud’s Realtime Compute has launched a cloud native-based version of Apache Flink that allows users to deploy Flink on their Kubernetes clusters. This change in many ways can also help to streamline the workflows of several enterprises with online businesses and stream computing services being able to be deployed on the same Kubernetes cluster. As such, these enterprises can reduce related operation and maintenance costs while also taking advantage of the elasticity brought by the Kubernetes cloud-native infrastructure.
Again, this is the power of this all-new upgrade. And this also shows how Kubernetes and cloud native is changing the cloud computing landscape of today. Kubernetes can help many enterprises turn multiple platforms into one single, unified platform, making cloud that much more agile, elastic, accessible and flexible.
But, you may ask, then why is this particular time a defining moment for cloud native? Well, consider these points noted in the biennial statement issued by the Cloud Native Computing Foundation (CNCF) from back in August:
- Production usage of cloud-native applications and projects have increased by more than 200% on average since December 2017. (You can check out more about this here.)
- According to the annual Developer Survey provided by Stack Overflow this year, Containers and Kubernetes have become the most popular tech after Linux.
- According to the prediction made by Gartner in this year’s container best practices: “By year 2022, 75% of the global companies will be running containerized apps in production environments-three times today’s rate.”
So, as you can see from current trends, cloud native and Kubernetes is clearly on the horizon and is clearly part of the future landscape of cloud computing.
Now let’s look back at the development of Alibaba Cloud’s own Container Service. In 2011, Alibaba Cloud became the first cloud service provider in China to offer container technologies. And at the end of 2015, Container became available for public beta testing. Then, over the past four years, Container Service eventually became fully serviceable in 20 regions around the world, including Asia Pacific, North America, and Europe.
So far, this service has served tens of thousands of customers and enterprises alike, being in several different industries, including the Internet, finance, public service, and manufacturing industries. Container Service occupies the largest market share of any service of its kind in the China. In fact, Alibaba Cloud Container Service has witnessed a growth of more than 400% for three consecutive years. And, as of August this year, the number of image downloads monthly has exceeded 300 million. Container Service has slowly become the first choice for enterprises deploying cloud-native applications.
Alibaba Cloud’s Container Service has received approval from some of the most influential research and advisory agencies. Alibaba Cloud was also the only cloud vendor in China to be listed in a report on the public cloud container services released by Gartner in June, 2019. According to the container report issued by Forrester in July 2019, Alibaba Cloud is one of the strongest competitors among cloud service providers in the global market and it ranks first in the Chinese market for having both the largest market share and boast some of the best performance.
An increasing number of enterprises, both in China and abroad, are benefiting from the advantages and capabilities of cloud-native technologies. Sanweijia, a home furnishing design company based in Guangdong, used Alibaba Cloud’s Container Service to achieve a quick and seamless cloud migration process. China-based Minsheng Bank, also a customer of Alibaba Cloud, optimized its architecture for core applications based on Kubernetes to accelerate its business iterations. Major Microblogging platform, Weibo used Kubernetes to manage heterogeneous resources, accelerate AI-powered computing operations, and enhance application data intelligence. While Siemens deployed its open IoT operating system, named MindSphere, they nevertheless also went for a multi-cloud strategy and chose Alibaba Cloud’s Container Service for Kubernetes as a platform for connect all of the different underlying infrastructure together.
Sanweijia (三维家, literally “3D home”) is a home furnishing design company located in Guangdong, China. The company, as their name implies, provide 3D panoramic view technology that allows the customer to see the full effect of the interior designs they offer. In many ways, they are leading a new evolution of home furnishing and interior design in the Internet age. Sanweijia used to use on-premises datacenters. The O&M team had to do all the work, which was a time-consuming effort. The team was weighed down with workloads and could barely keep up with the growing demands for computing capabilities.
In 2018, Sanweijia migrated a part of their workloads to the cloud, and started balancing the load of their home furnishing visualization rendering computing operations between Alibaba Cloud’s Container Service for Kubernetes and about 1,000 ECS Bare Metal instances. Sanweijia used containerization technologies to quickly migrate their workloads to the cloud in batches, which allowed them to complete the migration process in only three days flat. If they used traditional migration methods, the time needed for their resource scaling efforts could have easily multiplied. The auto scaling feature of Container Service can start 100 Bare Metal ECS instances in three minutes to handle workload bursts. In addition, with the canary release feature of Kubernetes, rendering technologies and services can be iterated based on customer levels and billing methods.
Weibo is a social media giant in China, similar to Twitter, with several major influencers in China posting regularly on the platform. As of now, Weibo has more than 200 million daily active users. To deliver tailored content to users with vastly different interests, Weibo used algorithms powered by machine learning. Alibaba Cloud’s Machine Learning Platform for AI can apply real-time computing and online learning capabilities to many different scenarios.
The entire online learning pipeline that Weibo deployed was both long and complex, having sky-high requirements on the validity and stability of both offline and online services. Weibo adopted Alibaba Cloud’s all-on-Kubernetes solution to maximize the benefits of offline-online hybrid deployment, improve the efficiency and stability of service operation management, and allow them to be able to dynamically scale resources.
- For the aggregation of sample data, Alibaba Cloud’s Blink solution that can be deployed on Alibaba Cloud’s Container Service for Kubernetes was used. The performance of real-time computing is 2.4 times higher than open-source alternatives.
- The Real-time machine training of Alibaba’s offerings supports up to 10 billion samples retrieved in real time and trillions of super large sparse models.
- Last, the inference part of Weibo’s machine leaning model adopted Alibaba Cloud’s Container Service for Kubernetes inference framework, which can synchronously schedule heterogeneous cluster resources. This solution makes it possible to handle up to 500,000 queries per second.
ACK 2.0: Make Kubernetes Easy-to-Use
When it comes to applying Kubernetes on a large scale, there are many challenges to overcome. For example, how can one ensure the security and compliance of Kubernetes and its applications? How can one manage online and offline Kubernetes clusters in a unified manner? And how can one make full use of the top and underlying Kubernetes ecosystems? Well, in this latest upgrade to the service, Alibaba Cloud’s Container Service team has worked hard to make sure that any and all customers can easily handle these issues.
To handle these issues, the Alibaba Cloud Container Service team has introduced a fleet of several powerful features. These features were developed based on several years of working in enterprise-level production environments and can assist users and enterprises alike to apply Kubernetes to their businesses with ease.
Provide End-to-end Security Capabilities for Enterprises
First, let’s discuss security and see how you can guarantee end-to-end security in the cloud-native era.
Compared with traditional security solutions, what are the new challenges for Container Service in the cloud-native era?
- High elasticity and high density. Unlike, in the past, when only a few applications could run on a server, now hundreds of applications can run on a single server, which makes these servers over ten times more efficient than traditional servers. Given the automatic recovery of containers and other features, a container running on server A may run on server B the next minute.
- Agility and fast iteration. With the help of containers and DevOps, applications are iterated several times faster than they used to be.
- High security standards. Due to the adoption of open standards and the organized production of the software industry, increasingly third party open-source software is being used. However, this poses more security risks. Based on these facts, the features of containers will have higher standards on cloud-native security.
To handle these security risks, Container Service has implemented an end-to-end upgrade to enhance the security of the native-cloud architecture in the three following ways:
- The security of the underlying infrastructure. Container Service supports network isolation and end-to-end data encryption. Alibaba Cloud primary and Resource Access Management (RAM) accounts are associated with the Kubernetes Role-Based Access Control (RBAC) system to support fine-grained permission management and auditing.
- The security of the intermediate software supply chain. Technologies such as image scan and BYOK-based disk encryption are adopted to achieve DevSecOps, which means that everyone is responsible for security.
- The security of the top runtime environment. Technologies such as runtime scans, multi-tenant management, and the key management service (KMS) are used to provide a higher level of security.
Now that we have discussed these security features, let’s focus on secure application supply chains and sandboxed-containers.
With the quick iteration rates of applications and new applications continuously being launched, at Alibaba we have higher standards for the security of the entire application development procedure. We understand the importance of predicting potential security risks and eliminate them at the beginning of the development lifecycle. The cloud-native secure software supply chain developed based on Alibaba Cloud’s Container Registry enables you to secure the entire application development lifecycle and guarantee the security of application releases. The secure software supply chain has the following benefits:
- Supports container runtime scanning. In Alibaba Cloud Security Center, you can view monitoring data and blocked threats for both container and non-container runtimes. This achieves static and dynamic management of application development lifecycles.
- Provides an end-to-end application release chain. This chain is observable, traceable, configurable, and highly intelligent, and can be used to optimize your delivery efficiency. Moreover, the release will be interrupted when a vulnerability is detected and the release of applications is completely manageable.
- Supports global application distribution. Images can be distributed to servers across all regions over the world to improve the efficiency of application releases or updates by up to seven times.
With the DevSecOps solution, we also aim to eliminate potential risks at the beginning of the entire application development lifecycle.
If you have an open-source or untrusted third-party application deployed in a Kubernetes cluster, you can use our sandboxed-Container Service. Unlike normal pods, each sandboxed-container has a kernel for security isolation. This is a step to ensure that you achieve security, compatibility, and performance at the same time-something not easy to do by yourself.
Sandboxed-containers have been thoroughly optimized by Alibaba Cloud, with a performance close to 90% of that provided by a native runC. You can deploy normal pods and sandboxed-pods on the same cloud server to achieve hybrid deployment. This allows you to choose between these two types of pods as needed. We also provide features such as logging to enhance the performance of sandboxed-containers.
Expand the Boundaries of Cloud Computing
Let’s go back to the second question now: how can you manage on-premises Kubernetes clusters and cloud-based Kubernetes clusters at the same time. Well, our ACK provides a cloud computing solution without borders to resolve this issue.
Considering the ownership and security compliance requirements of data, many companies will migrate only some of their workloads to the cloud. For example, when there are large online activities on Weibo and Bilibili, the applications will be migrated from on-premises data centers to the cloud to cope with traffic spikes. Some bank and government institutions have also chosen Alibaba Cloud given its cost-effective solutions for cloud-based disaster recovery and active geo-redundancy. Hybrid deployment has become a common choice for enterprises to migrate their workloads to the cloud. However, the adoption of hybrid cloud brings to mind a new challenge: There is a huge margin in terms of capabilities and security requirements between on-premises and cloud-based infrastructures. And so we arrive at the question: how can you manage both of them effectively at the same time?
To address this issue, Alibaba Cloud’s Container Service for Kubernetes has provided the application-centric hybrid cloud 2.0 architecture.
With this all-new architecture, you can install an agent on a Kubernetes cluster running in an on-premises data center to enable Container Service to manage the cluster on the cloud. Of course, in the case that you do not want to use Container Service to manage on-premises Kubernetes clusters, you can alternatively choose to use the Agility Edition of Container Service. With this Edition, after all your clusters have been registered, you can use the federation feature of Alibaba Cloud’s Container Service for Kubernetes to implement unified application deployment, security governance, and monitoring.
If you want to customize your load balancing, network traffic distribution, and application release policy configurations for your Kubernetes clusters, you can use the grid feature of Alibaba Cloud Container Service.
The cloud-native hybrid cloud architecture provided by Container Service also has the following advantages:
- Unified cluster management, unified security governance, application management, and observability, and elastic scaling across different cloud infrastructure.
- Cloud-native hybrid cloud uses Alibaba Cloud’s Cloud Enterprise Network to connect both VPC networks and on-premises networks deployed in different regions as a ring network. This helps you achieve network-wide interconnection, nearby access, and fast response.
- Cloud-native hybrid cloud uses smart network traffic management to optimize service access strategies based on regions, improving business continuity.
If you want to use our cloud-native hybrid cloud but have not migrated your workloads to the cloud, at Alibaba we can offer you a set of cloud-native migration tools to ensure smooth migration and reduce the migration costs. These migration tools simplify your migration work in three ways: application images, application configurations, and application status and data. You can use Packer to create custom ECS images from your OS images. With the Docker image migration tool, container images can be automatically migrated to container image repositories on Alibaba Cloud. With the help of Velero, your Kubernetes application configurations can be seamlessly migrated to Alibaba Cloud Container Service for Kubernetes. In addition, Data Transmission Service (DTS) can help you transfer data seamlessly.
With the advancement of 5G and IoT technologies, using traditional cloud and on-premises data centers for centralized storage and computing can no longer meet current demands for validity, capacity, and computing power. Cloud-native technologies, however, can meet these demands, and deliver cloud computing capabilities to user clients and edges, and implement unified release, O&M, and management from a governance center. This is next step in the evolution of cloud computing.
To achieve all of this, Container Service launched ACK@Edge to support the unified management of clouds and edges. This product also supports unified application releases, which can help improve the release efficiency by up to 300%. Moreover, edge deployment can efficiently shorten network latency by 75%. ACK@Edge supports unitized isolation and automatic reconnection. It also provides sandboxed-containers for you to deploy untrusted third-party applications on edges.
Now let’s learn how Youku completed its architecture evolution based on ACK@Edge. Youku is one of biggest online video hubs in China. As Youku expanded its businesses to hundreds of cities, the centralized architecture in its original on-premises data center could no longer keep pace with the fast growth of its business. Youku needed to upgrade its centralized architecture to an edge architecture to be able to cope.
Youku needed to find a new approach to manage on-premises data centers deployed in tens of Alibaba Cloud regions and near 1,000 edge nodes. Youku chose ACK@Edge to centrally manage ECS instances and edge nodes, release applications, and perform auto scaling. Elastic scaling has reduced the server costs by 50%. Moreover, after the new architecture was adopted, the video playback chain was removed from the public network. A new chain from the backbone network, through edge nodes, and to clients was created. This reduced network delay by 75%.
Now let’s go back to the third question: how can you manage work of upgrading and maintaining large amounts of nodes in Kubernetes clusters. At Alibaba Cloud, we think that the serverless architecture can be used to resolve this issue and help enterprise reduce operations and maintenance costs.
In 2018, Container Service released Serverless Kubernetes version 1.0. Users no longer needed to manage Kubernetes workers. Nor did they need to focus on the environment configuration of nodes, server management, maintenance, or upgrades. This change meant that customers could drastically simplify the operations and maintenance of Kubernetes clusters, while also improving their overall application development efficiency. In this way, no capacity management is required and no security risk is involved in the process either.
Today, Alibaba Cloud’s Container Service has already launched Serverless Kubernetes version 2.0, which means that the public preview of Container Service is already over with and the service is now a paid service. Serverless Kubernetes 2.0 provide major upgrades in terms of the compatibility, security, and elasticity of Kubernetes. In terms of security, solutions such as multi-namespace, role-based access control security models, and frameworks such as Istio and Knative are supported. Serverless Kubernetes 2.0 can be defined as being a serverless architecture that can provide the best compatibilities that you can achieve with a Kubernetes deployment in the industry. And, in terms of elasticity, Serverless Kubernetes 2.0 supports GPU instances and can start 500 pods within less than 50 seconds.
Currently, Serverless Kubernetes is widely used in several different scenarios across a variety of industries, such as job management and online scalability to help users embrace the application-centric nature of the cloud-native architecture.
What’s more? We have built a Serverless Framework based on Serverless Kubernetes. This Serverless Framework simplifies the work of handling events, compiling code, and deploying services. It also seamlessly integrates with other Alibaba Cloud application services, such as Message Service and Log Service, and provides improved observability. Enterprises can build their own serverless products for a variety of workflows including application, container, and function development. All of this aims to help enterprises build the next-generation serverless applications.
Stay Open: Container Application Market Launched
As cloud-native architecture continues mature, at Alibaba we are hoping to partner with other enterprises and service providers to help contribute towards building an open cloud-native ecosystem.
In the past, the team at Container Service has actively participated in and contributed to several cloud-native communities, and it still does today. Contributions include Moby and Kubernetes. Container Service has become a platinum member of Cloud Native Computing Foundation (CNCF). Alibaba engineer, Li Xiang is the only Chinese member of the CNCF Technical Oversight Committee. Alibaba Cloud Container Service is a member of Open Container Initiative (OCI) and a board member of Cloud Native Industry Alliance (CNIA). Alibaba Cloud Container Service is qualified by Certified Kubernetes Conformance Program, and also certified as Kubernetes Certified Service Provider (KCSP).
In addition to the open-source and cloud-native communities, we are also committed to building an ecosystem for global partnership. In 2019, some new members joined this ecosystem. Based on the open-source project Gardener, SAP Cloud Platform now supports Alibaba Cloud Container Service for Kubernetes and empowers enterprises by enabling them to manage a large number of clusters in hybrid cloud.
As running AI applications on Container Services becomes increasingly popular, Seldon, an open-source machine learning service provider from the UK, has also started to provide cloud-native AI model inference services. Container Service for Kubernetes is now supported in Cloud Brain, a technology developed by Click2Cloud in India. Their service provides a complete solution for enterprises to transfer traditional applications to cloud-native applications. Banzai Cloud, a container platform vendor from Europe, has a set of hybrid cloud and Istio products. Their pipeline products already support Container Service, enabling customers to create and manage container clusters from different cloud service providers with the lowest costs.
This year, we launched our level-1 container applications in the Alibaba Cloud market. We hope that we can empower enterprises with cloud-native technologies. Developers of cloud-native products can easily find Alibaba Cloud-certified and standard container ecosystem products, including open-source and free-of-charge container products and also for-purchase container products. These products can be quickly used on clusters to meet the business requirements of several different industries. For our independent software vendors, they can use standardized transaction procedure and a myriad of customer resources to simplify the pre-sales, transactions, delivery, and after-sales processes.
The following vendors and enterprises will join the container application market as Alibaba Cloud’s partners:
- Intel, the largest manufacturer of personal computer parts and CPUs in the global market. Its product Clear Linux can create optimized base images for applications based on Aliyun Linux 2, and then release these images to the Alibaba Cloud container application market as container images. All of this means that more customers can run containers in a secure, lightweight, and efficient manner.
- Aozhe (奥哲) Network Technology Co., Ltd. is the leading business process management (BPM) supplier in China. Their BPM product Yunshu (云枢, literally “cloud hub”) will be available in the container application market to help enterprises perform digitalized online operations.
- Fortinet is an industry-leading network security and malware protection company headquartered in Silicon Valley. It provides high-security and high-performance solutions for communications with low costs. Fortinet will release container security suites in the container application market to help enterprises and customers guarantee container runtime security.
New Foundation, New Computing Capability, and New Ecosystem
Last but not least, let’s review the evolution of cloud-native Container Service for Kubernetes version 2.0 and its future. At Alibaba Cloud, it is our vision to work together to build the new foundation, new computing compatibility, and new ecosystem in this cloud-native era.
To build the new foundation, Container Service will serve as an infrastructure in all scenarios to provide an end-to-end security architecture and support global deployment. A single cluster can support up to 10,000 nodes. ACK 2.0 also launched the application-centric hybrid cloud 2.0 architecture. It can reduce network latency by 75% and improve the release efficiency by three times.
To forge the new computing capability, ACK 2.0 supports extremely fast elastic scaling, which can expand a cluster to 1,000 nodes within several minutes. It also supports heterogeneous computing. And with enhancements to task scheduling, your utilization of resources can increase by 500%. Sanboxed-containers will be used to enhance application and container isolation. Meanwhile, ACK 2.0 can still maintain a performance equivalent to 90% of that by using RunC.
To build a new ecosystem, we intend to have the Container Service team work with cloud-native developers and other enterprise partners to continue to explore more of the future of cloud native technologies.
Of course, we would also like to thank our customers and various enterprise-level partners. We couldn’t have achieved what we have already without your help.
The defining moment has come. Let’s make cloud native technologies lead us to a new generation of digital transformation.