AKS-Series 4 [Video]: AKS - More than just a Managed Kubernetes by Nico Meisenzahl

Transcript

1. Azure Kubernetes Service – more than just a managed Kubernetes

   Microsoft Azure Zürich User Group, March 2022

2. Nico Meisenzahl • Cloud Solution Architect at white duck •

   Microsoft MVP, GitLab Hero • Cloud Native, Kubernetes & Azure © white duck GmbH 2022 Phone: +49 8031 230159 0 Email: [email protected] Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org

3. Agenda • Azure Kubernetes Service – a managed K8s •

   AKS features (my picks) • AKS add-ons & extensions • further resources © white duck GmbH 2022

4. AKS – A MANAGED K8S © white duck GmbH 2022

5. Azure Kubernetes Service “Deploy and scale containers on managed Kubernetes”

   “Deploy and manage containerized applications more easily with a fully managed Kubernetes service” “Build on an enterprise-grade, more secure foundation” © white duck GmbH 2022 https://azure.microsoft.com/services/kubernetes-service

6. A managed K8s, but … • what you will get

   out of the box • Kubernetes à great flexibility also introduces complexity! • a fully managed control plane • worker nodes you need to care about • fully managed Kubernetes is possible • not enabled by • can cause issues (you must be ahead of all changes) • addons / integrations required © white duck GmbH 2022

7. Fast changing world • AKS/Kubernetes is a fast changing world

   • integrations/features evolve quickly and need to be implemented on an ongoing basis • fire and forget is not an option • you will need a team to operate your clusters • if you are not able to provide this, AKS/Kubernetes is not an option for you à Azure Container Apps (preview) might help © white duck GmbH 2022

8. That said, AKS … • is the best choice if

   you require Kubernetes • can help you a lot and make your life much easier • perfectly integrated with other Azure services • provides you with useful open-source integrations © white duck GmbH 2022

9. AKS FEATURES (MY PICKS) © white duck GmbH 2022

10. Private AKS • expose API Server via Private Link into

    an internal subnet • expose services into an internal subnet using internal Load Balancer • access Azure PaaS services via Private Link endpoints • Container Registry • Storage services (Storage Account, Databases, …) • can introduce some complexity due to networking and DNS • there will be an updated version (v2) in the future which reduces the complexity © white duck GmbH 2022

11. Azure AD integration • assign IAM to Azure AD user's

    identity or directory group membership • integrated with the Azure Portal and CLI • allows to disable local cluster-admin account • can be assigned via Azure Roles or Kubernetes Roles/RoleBindings • support for Group Managed Service Accounts (GMSA) for your Windows nodes (preview) • https://docs.microsoft.com/azure/aks/managed-aad © white duck GmbH 2022

12. Azure AD Pod Identity (preview) • assigns Azure AD identities

    to Pods to leverage Azure resource that depends on AAD as an identity provider • e.g., securely talk with databases or Storage Accounts without injecting secrets and connection strings • no code changes required (relies on the default credentials) • will not leave preview! • the successor will be Azure AD Workload Identity • same outcome, new implementation © white duck GmbH 2022

13. Azure AD Workload Identity (preview) • successor of Azure AD

    Pod Identity • implements known-issues and learnings • removes scale and performance issues • supports Kubernetes clusters hosted in any cloud or on- premises • supports both Linux and Windows workloads • removes the need for CRDs and pods that intercept Instance Metadata Service (IMDS) traffic © white duck GmbH 2022

14. Azure AD Workload Identity © white duck GmbH 2022

15. Auto-upgrade & node upgrade • AKS can automatically upgrade clusters

    and nodes • there are different upgrade channels • none, patch, stable, rapid, node-image • https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade- channel • manifests & API calls need to stay up-to-date for stable/rapid • do not miss to define a maintenance windows (preview, currently best-effort only) • node auto-repair • AKS automatically try to fix node issues if node is “NotReady” • steps are reboot, reimage, recreate • https://docs.microsoft.com/azure/aks/node-auto-repair © white duck GmbH 2022

16. Autoscaling & Spot instances • Cluster Autoscaler allows node scalling

    (on a node pool level) • support for Azure Spot VMs (on a node pool level) • take advantage of unused capacity at a significant cost savings • Virtual Node interation via ACI © white duck GmbH 2022

17. Integrated Storage • AKS integrates with Azure Disk (incl. Ultra

    Disk) and Azure Files • REST and network based storage should be prefered where possible • stateless workload will make your life much easier • Azure HPC Cache and NFS (Storage Account) can be integrated via Kubernetes-native NFS • Azure Backup for AKS PVs (private preview) © white duck GmbH 2022

18. AKS and CSI • Azure Disk and Azure Files are

    supported by CSI since AKS 1.21 • CSI (Container Storage Interface) is the future of storage integration and will replace the in-tree implementation soon • CSI brings you many advantages • ZRS and ReadWriteMany support for Azure Disk • Kubernetes-native integrations for Volume snapshots, resizing and cloning • https://medium.com/01001101/azure-kubernetes-service-next-level-persistent- storage-with-azure-disk-csi-driver-c5a04ac775c1 • you will have to migrate existing clusters to use CSI • https://docs.microsoft.com/azure/aks/csi-storage-drivers#migrating- custom-in-tree-storage-classes-to-csi © white duck GmbH 2022

19. Azure Event Grid integration (preview) • Azure Events Grid now

    supports AKS as a source • allows to subscribing to AKS events for further integration • preview, and early stage • so far following events are supported • new Kubernetes version upgrade availability • new Node image version upgrade availability • https://docs.microsoft.com/azure/aks/quickstart-event-grid © white duck GmbH 2022

20. Microsoft Defender for Containers • environment hardening • provides visibility

    into misconfigurations and guidelines • vulnerability assessment • vulnerability assessment images after build, when stored in ACR and running in AKS • runtime protection • threat protection for clusters and Linux nodes generates security alerts for suspicious activities • why? • https://github.com/nmeisenzahl/hijack-kubernetes © white duck GmbH 2022

21. Microsoft Defender for Containers © white duck GmbH 2022

22. Microsoft Defender for Containers • upgrade Defender if you previously

    used it to get the latest features • Microsoft Defender for Kubernetes • Microsoft Defender for Containers Registries • also supports non-Azure environments (via Azure Arc) • Amazon Elastic Kubernetes Service (EKS) • Google Kubernetes Engine (GKE) • self-hosted CNCF-certified Kubernetes © white duck GmbH 2022

23. Confidential computing • allows you to protect your sensitive data

    while it's in use • allow user-level as well as OS code to define/use private regions of memory • based on Intel SGX (Software Guard Extensions) • requires DCsv2 VMs • supporting confidential containers out of the box • application is loaded in the trusted boundary (enclave) • https://docs.microsoft.com/azure/defender-for- cloud/defender-for-containers-introduction © white duck GmbH 2022

24. Enclave aware containers • are supported via the Open Enclave

    SDK • container development involves untrusted and trusted parts to the container application © white duck GmbH 2022

25. Uptime SLA • AKS is available with two tiers •

    free tier (default) • fewer replicas and limited resources for the control plane • paid tier packed by SLA • guaranteeing 99.95% (99.9% for non-AZ) • why? • I have seen issues with free tier in “smaller” regions due to lower prioritization of requests © white duck GmbH 2022

26. AKS ADD-ONS & EXTENSIONS © white duck GmbH 2022

27. Add-ons and Extenions • add-ons and extensions allowing to extend/integrate

    AKS with Azure services and open-source projects • are integrated with the Azure Resource Manager • easy to use © white duck GmbH 2022

28. AKS Add-ons • fully managed and supported by Azure •

    fixes are applied automatically on a weekly basis • minor/major changes are implemented via AKS updates • part of the Azure RM AKS resource provider • limited configuration options • https://docs.microsoft.com/azure/aks/integrations#add- ons © white duck GmbH 2022

29. AKS Extenions • relatively new with AKS • still on

    preview • already know concept from Azure Arc • easy integration • installation and lifecycle management via Azure tooling (API, CLI, …) • build on top of Helm Charts (but abstracted) • not managed nor automatically updated • separate resource provider within the Azure RM • therefore not yet supported in all IaC Tools (e.g. Terraform) • https://docs.microsoft.com/azure/aks/cluster-extensions © white duck GmbH 2022

30. Add-On: Container Insights • entry point for logs and metrics

    & diagnostic data • integrates with Azure Portal • provides out-of-the-box workbooks and KQL queries • supports Prometheus endpoint scrapping • Azure Managed Grafana (currently private preview) • integrates via AKS data source • https://docs.microsoft.com/azure/azure- monitor/containers/container-insights-overview © white duck GmbH 2022

31. Add-On: Container Insights © white duck GmbH 2022

32. Add-On: Virtual Node • rapidly scale container workloads • no

    cluster autoscaler / node provisioning required • can also be useful for batch/job workload with special requirements (e.g., GPU) • https://docs.microsoft.com/azure/a ks/virtual-nodes © white duck GmbH 2022

33. Add-On: Azure Policy • integrates AKS with Azure Policies •

    based on Open Policy Agent Gatekeeper • can be enforced or audited • compliance across clusters © white duck GmbH 2022

34. Add-On: Azure Policy • use built-in definitions to base-level security

    • pod security baseline standards for Linux-based workloads • pod security restricted standards for Linux-based workloads • apply custom policies for your use-cases (preview) • https://docs.microsoft.com/azure/governance/policy/conce pts/policy-for-kubernetes © white duck GmbH 2022

35. Add-On: Application Gateway Ingress Controller • integrates Azure Application Gateway

    as an ingress controller (managed Ingress) © white duck GmbH 2022

36. Add-On: Application Gateway Ingress Controller • supports URL-based routing, cookie-based

    affinity, WAF, end-to-end TLS, … • TLS certificates can be served by Kubernetes secrets (Cert-Manager) • add-on is more limited than Helm deployment • https://docs.microsoft.com/azure/application- gateway/ingress-controller-overview © white duck GmbH 2022

37. Add-On: HTTP Application Routing • quick development option to spin

    up an Ingress Controller • not intended for production • spins up • Nginx Ingress Controller • External-DNS Controller (watching Ingress resources) • Azure DNS Zone • https://docs.microsoft.com/azure/aks/http-application- routing © white duck GmbH 2022

38. Add-On: Open Service Mesh • managed service mesh based on

    Open Service Mesh • lightweight service mesh implementing Service Mesh Interface • helps you with • service to service mTLS • traffic shifting (A/B, canary) • access control policies • monitoring and instrumentation • https://docs.microsoft.com/azure/aks/open-service-mesh- about © white duck GmbH 2022

39. Add-On: Azure Keyvault Secrets Provider • inject secret, certificates and

    keys into container workload without storing them outside of Azure Key Vault • based on Container Storage Interface • injection is done via volumes • can also be synced with Kubernetes secrets (and then inject via env) • https://docs.microsoft.com/azure/aks/csi- secrets-store-driver © white duck GmbH 2022

40. Extension: GitOps (preview) • abstracted GitOps setup based on Flux

    • already known from Azure Arc • integrated via ARM à no need to ”talk” to K8s directly • GitOps? • check out Azure Rosenheim Meetup for further details • https://github.com/whiteducksoftware/azure-meetup-rosenheim • https://docs.microsoft.com/azure/azure- arc/kubernetes/conceptual-gitops-flux2 © white duck GmbH 2022

41. Extension: Dapr (preview) • a portable, event-driven, runtime for building

    distributed applications across cloud and edge • https://docs.microsoft.com/azure/aks/dapr © white duck GmbH 2022

42. Extension: Azure ML (preview) • use AKS to train, inference,

    and manage machine learning models in Azure Machine Learning • Azure ML extension will deploy an Azure Machine Learning agent • https://docs.microsoft.com/azure/machine-learning/how- to-attach-arc-kubernetes © white duck GmbH 2022

43. Extension: KEDA (preview soon) • not yet available as extension

    • Kubernetes event-driven autoscaling • scale to zero • scale based on various events • scale-based on events from • Application Insights, Azure Monitor • Azure Blob, Azure Storage Queue • Azure Event Hub, Azure Service Bus • and many more © white duck GmbH 2022

44. FURTHER RESOURCES © white duck GmbH 2022

45. Get involved • AKS office hours (bi-weekly call) • https://github.com/Azure/aks-gbb-officehours

    • AKS release notes • https://github.com/Azure/AKS/releases • AKS Roadmap • https://github.com/Azure/AKS/projects/1 • Stack Overflow AKS tag • https://stackoverflow.com/questions/tagged/azure-aks © white duck GmbH 2022

46. More details • AKS docs • https://docs.microsoft.com/azure/aks • AKS Reference

    Architecture • https://docs.microsoft.com/azure/architecture/reference- architectures/containers/aks-start-here • AKS checklist • https://www.the-aks-checklist.com © white duck GmbH 2022

47. Questions? • Slides: https://www.slideshare.net/nmeisenzahl © white duck GmbH 2022 Phone:

    +49 8031 230159 0 Email: [email protected] Twitter: @nmeisenzahl LinkedIn: https://www.linkedin.com/in/nicomeisenzahl Blog: https://meisenzahl.org