Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Jan 2022: AKS-Series 2 [Video]: Introduction to AKS by Thomas Hafermalz

Azure Zurich User Group
PRO
January 19, 2022
Technology
0
180

Jan 2022: AKS-Series 2 [Video]: Introduction to AKS by Thomas Hafermalz

Stream Link: https://www.youtube.com/watch?v=cjnISnphE_s

Meetup Link: https://www.meetup.com/de-DE/Microsoft-Azure-Zurich-User-Group/events/282028307/

Kubernetes (K8s) has long been established as an orchestration platform for a container-based system landscape. However, setting up and administering a cluster can be quite time-consuming. This session is an introductory overview of how Azure Kubernetes Service (AKS) can support these tasks and how the interaction between K8s resources and Azure resources works. I will show where AKS can simplify cluster management, such as scaling or upgrading and how the K8s resources are mapped to Azure resources for storage mounting or load balancing. AKS is not another K8s (or container orchestrations system), its based on K8s and helps to combine the worlds of Azure and K8s - running in the Azure Cloud.

About Thomas:
Thomas works as an Azure Solution Architect and Trainer at Trivadis AG in Zurich. Coming from application development with .NET & Angular, his focus is now on cloud-native development and architecture for Azure. Other areas he is interested in are serverless apps, monitoring, IaC and container workloads. He regularly speaks in user groups or at conferences and is an author for tech magazines.

You can find him at:
https://linkedin.com/in/thomashafermalz
https://thomashafermalz.net/

Azure Zurich User Group
PRO

January 19, 2022
Tweet

More Decks by Azure Zurich User Group

See All by Azure Zurich User Group
Synapse Real-Time Analytics in Fabric by Alvaro Videla
azurezurich
PRO
0
5
Data Engineering in the Large Language Models era by Ismaël Mejía
azurezurich
PRO
0
3
Aug23 [Slides]: HPC on Azure in the Financial Services Industry by Darko Mocelj
azurezurich
PRO
0
11
Container App Service Deep Dive by Mohammad Nofal
azurezurich
PRO
0
52
KEDA - Mastering Scale to Zero by Daniel Hasselwander
azurezurich
PRO
0
17
AzureBootcamp2023: Data Clean Rooms & Confidential Computing by David Sturzenegger & Primo Amrein
azurezurich
PRO
0
21
AzureBootcamp2023: Virtual Network Manager by Marcel Zehner
azurezurich
PRO
0
10
AzureBootcamp2023: Azure PaaS, but as private as possible by Stephan Graber
azurezurich
PRO
0
9
AzureBootcamp2023: Azure API Management by Michael Rüefli
azurezurich
PRO
0
7

Other Decks in Technology

See All in Technology
Runbookに何を書き、どのようにアラートを振り分けるか?
egmc
0
740
如何在 Elasticsearch 實現敏捷的資料建模與管理 @ DevOpsDays Taipei 2023
unclejoe
0
210
よりよいペアローテーションを求めて
nakasho
0
370
3 Flink Mistakes We Made So You Won’t Have To
rmetzger
0
110
Java 21 Overview
line_developers
PRO
5
460
プロダクトオーナーとしてSLOに向き合う 〜Mackerelチームの事例〜 / SRE NEXT 2023
tatsuru
PRO
0
300
Autify Company Deck
autifyhq
1
25k
私が経験したアジャイルテスト
culvert
3
510
230928 watsonx.ai 利用準備とデモアプリ紹介(前編:環境構築編)
teruterubohz_ibm
0
100
1,800万人が利用する『家族アルバム みてね』におけるK8s基盤のアップグレード戦略と継続的改善 / FamilyAlbum's upgrade strategy and continuous improvement for K8s infrastructure
kohbis
2
1.1k
信頼性目標とシステムアーキテクチャー / Reliability Objective and System Architecture
ymotongpoo
12
3.9k
生活感のあるアーキテクチャ
pharma_x_tech
0
540

Featured

See All Featured
We Have a Design System, Now What?
morganepeng
40
6.3k
How STYLIGHT went responsive
nonsquared
89
4.4k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k
A better future with KSS
kneath
230
16k
[RailsConf 2023] Rails as a piece of cake
palkan
15
2.8k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
49
16k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
10
1.2k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
Designing on Purpose - Digital PM Summit 2013
jponch
108
6.1k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
112
17k

Transcript

  1. 18.01.2022 AKS-Series: Introduction to Azure Kubernetes Service (AKS) by Thomas Hafermalz

    View Slide

  2. THOMAS HAFERMALZ
     Azure Solution Architect & Trainer
    @Trivadis AG (Zurich, )
     Industrial Environmental Informatics
     Outdoor activities, Soccer, Tennis
     Meetup: Azure Zurich User Group
    www.thomashafermalz.net
    www.linkedin.com/in/thomashafermalz

    View Slide

  3. AGENDA
    1. AKS Facts
    2. Security support
    3. Scaling & Monitoring
    4. Integration topics
    5. Demo
    19.01.2022
    3

    View Slide

  4. INTRO
     Kubernetes (K8S)
     THE container orchestration Tool
     no downtime updates
     Scalability & self-healing
     Azure Kubernetes Services (AKS)
     Managed K8S Service on Azure.
    19.01.2022
    4

    View Slide

  5. AKS FACTS

    View Slide

  6. AZURE KUBERNETES SERVICE AKS
     Master Nodes (Controll Plane) free of charge,
     only pay for: Worker node VMs / Storage / Networking resources
     Managed by Azure
     Full power of Azure compute options for Workloads
     Linux / Windows
     GPU
     Security, scaling
     Updates, Monitoring
    19.01.2022
    6

    View Slide

  7. AKS K8S TERMS
    19.01.2022
    7
    Init
    Container
    (App)
    Sidecar
    Network
    Deployment
    Pod
    Replica Set
    Kubectl
    apply
    deploy.yaml
    Node
    Node Pool

    View Slide

  8. AKS CLUSTERS AND NODES
    19.01.2022
    8
    Source: docs.microsoft.com

    View Slide

  9. WORKER NODES
     Host applications
     VM Options for Workloads
     Scale sets
     Single VM
     Virtual Nodes
     Compute isolation
     No manual setup of K8s processes
    19.01.2022
    9

    View Slide

  10. HIGH AVAILABILITY
     Availability Zones for cluster
     Node Auto-Repair
     SLA Option:
     More replicas for control plane & financially backed
     99.95% availability of K8s API server endpoint for clusters that use Availability
    Zones (99.9% if no AZ)
     Disaster recovery
     Multi region clusters
     Az Container Registry replication
    19.01.2022
    10

    View Slide

  11. NETWORK TYPES
     2 Different types of networks: Kubenet & CNI
    19.01.2022
    11
    kubenet CNI
    POD IP’s are abstracted, NAT on
    Nodes
    Every Pod get it own IP adress
    Limit of 400 Nodes / Cluster Needed for:
    - Network policies
    - Application Gateway as Ingress
    No windows nodes Requires bigger IP address space &
    planning

    View Slide

  12. AKS - TANDEM
     K8s command (kubectl) = Azure resource = magic?
     Cluster interaction “as usual”
     kubectl apply -f deployment.yaml
     Different Extensions to do the extra work
     CSI driver for volumes
     cloud-provider-azure for e.g. Loadbalancer
    19.01.2022
    12

    View Slide

  13. STORAGE
     Local storage on the node often not sufficient for workloads
     Auto provisioning /delete of Azure Disk / Fileshare with kubectl order
     Defined by storage class in Persistent Volume Claim (PVC)
     K8s build-in or CSI Driver
    19.01.2022
    13
    Source: docs.microsoft.com

    View Slide

  14. AKS STORAGE (MANAGED PREMIUM DISKS)
    19.01.2022
    14
    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
    name: azure-premium-disk
    spec:
    accessModes:
    - ReadWriteOnce
    storageClassName: managed-premium
    resources:
    requests:
    storage: 2Gi
    kubectl apply -f volume_claim.yaml
    1. Create PersistentVolumeClaim 2. Use PersistentVolumeClaim
    apiVersion: v1
    kind: Pod
    metadata:
    name: nginx
    spec:
    volumes:
    - name: "appdata"
    persistentVolumeClaim:
    claimName: "azure-premium-disk"
    containers:
    - image: nginx:latest
    name: nginx
    volumeMounts:
    - mountPath: "/data"
    name: "appdata"
    ports:
    - containerPort: 8080
    name: http
    protocol: TCP
    kubectl apply -f deploy.yaml

    View Slide

  15. SECURITY

    View Slide

  16. SECURITY NETWORK
     Control Plane: Default public endpoint
     Define IP-Ranges
     Private cluster:
     Private Link from API Server to (internal) Subnet
     Traffic stays in Subnet / Vnet
     PaaS Service Access via Private Link
     Storage, Azure Container Registry
     NSG
     Traffic filter between Nodes -> Managed by AKS
     E.g. external K8s services
    19.01.2022
    16

    View Slide

  17. SECURITY – DEFENDER & KEY VAULT
     Microsoft Defender for Cloud
     ACR Image scanning with Qualys Engine
     Finds vulnerabilities (e.g. missing security updates)
     Defender for Kubernetes
     Digital currency mining container detected
     K8S API requests from proxy IP address detected
     Results to Azure Security Center
     Key Vault Integration
     Mounts of secrets / keys / certificates as volume into Pods (CSI Driver)
     Addon -> pods running on nodes
    19.01.2022
    17

    View Slide

  18. SECURITY - AZURE POLICIES
     Cluster Add-on, simply switch on
     Use Az policy build-in Initiative or custom policies
     audit / deny
     Compliance checks
     Allowed regions
     VM, Storage SKUs
     Security checks
     Pod privileges
     Allowed ports or limits for pods
    19.01.2022
    18

    View Slide

  19. SECURITY- AAD INTEGRATION
     Mange cluster access with AAD roles & groups
     AKS feature to enable
     Combines Kubernetes RBAC and Azure RBAC
     Conditional access & PIM
    19.01.2022
    19
    Source: docs.microsoft.com

    View Slide

  20. SECURITY- NODE PATCHES
     Controll plane is managed
     Linux Worker Nodes
     Automatic nightly updates
     Kured extension for rebooting
     Windows Worker Nodes
     No daily updates
     AKS upgrade for latest image
    19.01.2022
    20
    Source: docs.microsoft.com

    View Slide

  21. SECURITY- CLUSTER K8S UPGRADES
     K8s version upgrade with CLI
     Update with Cordon & Drain
     Auto-upgrade channel in preview
     az aks update --resource-group $RG --name $AKSCluster --auto-upgrade-
    channel stable
    19.01.2022
    21

    View Slide

  22. SCALING &
    MONITORING

    View Slide

  23. SCALING
     Horizontal pod autoscaler (HPA)
     scales based on pod metrics
     Cluster autoscaler
     scales based on node
    resources
     Scaling with KEDA
    19.01.2022
    23
    Source: docs.microsoft.com

    View Slide

  24. SCALING
     Node simulation with Virtual kubelets
     open-source K8s implementation
     kubelet registers itself as a node
    19.01.2022
    24 Source: docs.microsoft.com

    View Slide

  25. SCALING
     Node scaling sometimes too slow for demand
     Deploy new pods in Azure Container Instances
     More expensive but much faster that normal scale
    19.01.2022
    25
    Source: docs.microsoft.com

    View Slide

  26. AZURE MONITOR
     Cluster Metrics
     CPU/Discs
     Network
     Control Plane
    Logs
     Visualizing
     Alerting
    19.01.2022
    26
    Source: docs.microsoft.com

    View Slide

  27. CONTAINER INSIGHTS
     Prepared metrics
    charts & Workbooks
     Container Live logs
     Needs a log analytics
    workspace
    19.01.2022
    27

    View Slide

  28. AZ MONITOR KQL
     Log Analytic section
     Query Workspace data
     Tables / Charts form queries
    19.01.2022
    28

    View Slide

  29. INTEGRATION

    View Slide

  30. INTEGRATION WITH AZ SERVICES
     Ingress with ApplicationGateway
     AppGateway: L7 Loadbalancer, integrated Firewall
     AGIC add-on, deployed as a pod in cluster
     K8s Ingress resource, Service and Pods
     CI / CD
     Azure DevOps
     GitHub Actions
    19.01.2022
    30

    View Slide

  31. INTEGRATION WITH AZ SERVICES
     Azure Functions with KEDA
     KEDA Container in cluster
     Listening on events from Azure resources
     Az Function runtime in container (scaled by KEDA)
     AAD Pod Identity
     Add-on (CNI)
     Maps Pods with Azure Managed Identities for Resource access
    19.01.2022
    31

    View Slide

  32. Load
    Balancer
    Docker
    push
    Pipelines
    CI/CD
    Container
    Registry
    Docker
    pull
    CNCF Helm
    Helm
    upgrade
    Active
    Directory Monitor Key Vault
    Azure Kubernetes Service (AKS)
    NGINX
    Controller
    Frontend Ingress
    Kubernetes
    Client apps
    Microservices
    Virtual
    network
    Azure
    Cosmos DB
    External data
    sources
    RBAC
    ARCHITECTURE
    Source: docs.microsoft.com

    View Slide

  33. TIPS & TRICKS
     CNI network: don’t underestimate IP address planning
     Have a cluster admin / AKS Team
     AKS Service & used resources in different Resource Groups
     MC_rgAKSDemo_Democluster0815_northeurope
    19.01.2022
    34

    View Slide

  34. TIPS & TRICKS
     Cluster stop
     az aks stop --name
    $aksClusterName --resource-group
    $rgName
    19.01.2022
    35

    View Slide

  35. HANDS ON (YOURSELF)
     https://docs.microsoft.com/en-us/learn/modules/aks-workshop/01-
    introduction
    19.01.2022
    37

    View Slide

  36. DEMO

    View Slide

  37. DEMO CONTENT
    19.01.2022
    39
    Recap CLI Code for
    • AKS service
    • Container Registry
    • Monitoring
    Connect to cluster & deploy sample
    Scale & updating the cluster

    View Slide

  38. THANK YOU!

    View Slide

  39. TOOLS
     Azure Portal / CLI
     Cluster Administration
     Monitoring
     Kubectl.exe
     Management of Kubernetes
     Integrated in Azure Cloud Shell
     Visual Studio Code / Octant
    19.01.2022
    42

    View Slide