The Vercel-sponsored Next.js conference was on last week, and DevClass caught up with Kelsey Hightower, a Google Distinguished Engineer, and co-author (with Brendan Burns and Joe Beda) of Kubernetes Up and Running, now in its third edition. He is currently working on Cloud Run at Google, among other things. “My goal is to make serverless have the optionality of doing everything a VM can do, but all the benefits of serverless,” he tells us.
What was a Kubernetes guy doing at a front-end conference?
The concept is powerful, but also gives developers potentially difficult choices about how to design and secure their applications. What guides the decision about what code belongs in the browser, what to put in middleware, what to put in the back end?
“The thing that you can’t do in the back end is experience,” Hightower says. “It’s just not fast enough. When I log into that site, I want recommendation, I want personalizations, I want my profile, I want my color scheme to be respected. I can’t go all the way to the server and have it render another page. So now that logic has to be split.”
The back end, though, is still necessary for business-critical functions. “You want to buy something from an ecommerce site? We’re not doing that on the edge. I need to go back to my system of record, consult my inventory, make a decision. But maybe we push the order history to the edge,” says Hightower.
In this new web stack, what is the role of WebAssembly (Wasm) and V8 Isolates, V8 instances which have some of the characteristics of lightweight containers?
“I remember browsers before we had tabs,” Hightower tells DevClass. “Browsers were dangerous because one browser session can mess with another and people started to exploit that and steal data. Chrome comes along and now we get V8 that creates a strong sandbox, and more important, rules for engagement. You can still do arbitrary things on your website, but these are the things we think are unsafe.
“So if you take that logic, and if the web is becoming the computer, and most of this stuff is just HTTP interactions, then we don’t need a whole computer to do that any more. You can take V8 out of Chrome and stick it in the CDN, and take that web request, and let people run Wasm instances in a shared context without them violating each other. It’s a natural progression.
“I think V8 is not going to take over containers, because containers are containing something different. Things that can talk generically to kernels and custom hardware like TPUs [Tensor Processing Unit] for machine learning. But for 90% of the stuff we’re doing, let’s be honest. We don’t need a whole computer to do it. This is why people are excited about Wasm. It solves some of the security concerns, it’s had about 20 years of proving safety in the browser context, and now we’re about to experience it on the server side.”
Security is another issue. “Most developers have no idea how to create credentials, manage credentials, rotate those credentials, so we end up carrying ticking time bombs throughout our systems … we are trying to move to new identity standards, where identity is part of the application deployment,” he says.
It is early days for this new style of multi-tier application, and developers can expect some bumps along the way.