Jan 2022: AKS-Series 2 [Video]: Introduction to AKS by Thomas Hafermalz

Stream Link: https://www.youtube.com/watch?v=cjnISnphE_s

Meetup Link: https://www.meetup.com/de-DE/Microsoft-Azure-Zurich-User-Group/events/282028307/

Kubernetes (K8s) has long been established as an orchestration platform for a container-based system landscape. However, setting up and administering a cluster can be quite time-consuming. This session is an introductory overview of how Azure Kubernetes Service (AKS) can support these tasks and how the interaction between K8s resources and Azure resources works. I will show where AKS can simplify cluster management, such as scaling or upgrading, and how the K8s resources are mapped to Azure resources for storage mounting or load balancing. AKS is not another K8s (or container orchestration system); it is based on K8s and helps to combine the worlds of Azure and K8s, running in the Azure Cloud.

About Thomas:
Thomas works as an Azure Solution Architect and Trainer at Trivadis AG in Zurich. Coming from application development with .NET & Angular, his focus is now on cloud-native development and architecture for Azure. Other areas he is interested in are serverless apps, monitoring, IaC and container workloads. He regularly speaks in user groups or at conferences and is an author for tech magazines.

You can find him at:
https://linkedin.com/in/thomashafermalz
https://thomashafermalz.net/

Azure Zurich User Group

January 19, 2022

Transcript

  1. 18.01.2022 AKS-Series: Introduction to Azure Kubernetes Service (AKS) by Thomas Hafermalz

  2. THOMAS HAFERMALZ
    • Azure Solution Architect & Trainer @Trivadis AG (Zurich)
    • Industrial Environmental Informatics
    • Outdoor activities, Soccer, Tennis
    • Meetup: Azure Zurich User Group
    www.thomashafermalz.net
    www.linkedin.com/in/thomashafermalz

  3. AGENDA
    1. AKS Facts
    2. Security support
    3. Scaling & Monitoring
    4. Integration topics
    5. Demo
    19.01.2022
    3

  4. INTRO
    • Kubernetes (K8s)
      - THE container orchestration tool
      - No-downtime updates
      - Scalability & self-healing
    • Azure Kubernetes Service (AKS)
      - Managed K8s service on Azure

  5. AKS FACTS

  6. AZURE KUBERNETES SERVICE (AKS)
    • Master nodes (control plane) free of charge;
      only pay for worker node VMs / storage / networking resources
    • Managed by Azure
    • Full power of Azure compute options for workloads
      - Linux / Windows
      - GPU
    • Security, scaling
    • Updates, monitoring

  7. AKS K8S TERMS
    Terms from the slide diagram: Init Container, Container (App), Sidecar, Network, Deployment, Pod, Replica Set, kubectl apply deploy.yaml, Node, Node Pool

  8. AKS CLUSTERS AND NODES
    [Diagram] Source: docs.microsoft.com

  9. WORKER NODES
    • Host applications
    • VM options for workloads
      - Scale sets
      - Single VM
      - Virtual nodes
      - Compute isolation
    • No manual setup of K8s processes

  10. HIGH AVAILABILITY
    • Availability Zones for the cluster
    • Node auto-repair
    • SLA option:
      - More replicas for the control plane & financially backed
      - 99.95% availability of the K8s API server endpoint for clusters that use Availability Zones (99.9% if no AZ)
    • Disaster recovery
      - Multi-region clusters
      - Azure Container Registry replication

  11. NETWORK TYPES
    • 2 different types of networks: kubenet & CNI

    kubenet                                  | CNI
    -----------------------------------------|-------------------------------------------------
    Pod IPs are abstracted, NAT on nodes     | Every Pod gets its own IP address
    Limit of 400 nodes / cluster             | Needed for:
                                             |   - Network policies
                                             |   - Application Gateway as Ingress
    No Windows nodes                         | Requires a bigger IP address space & planning
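
An added example to go with the table (not from the slides): a small Python planner for the Azure CNI IP address requirement. It applies the sizing rule from the AKS documentation for Azure CNI, (nodes + 1) * (max pods per node + 1), where the extra node leaves room for an upgrade surge, and compares it with the usable addresses of a subnet (Azure reserves five addresses in every subnet). The kubenet figure is included for contrast. All node counts and subnets below are constructed.

```python
import ipaddress

AZURE_RESERVED_PER_SUBNET = 5  # first four addresses plus broadcast are reserved by Azure


def cni_ips_required(node_count: int, max_pods_per_node: int, surge_nodes: int = 1) -> int:
    """IPs an Azure CNI node subnet must hold: every node (plus surge nodes kept
    free for upgrades) needs one address for itself and one per pod slot."""
    if node_count < 1 or max_pods_per_node < 1 or surge_nodes < 0:
        raise ValueError("node_count and max_pods_per_node must be >= 1, surge_nodes >= 0")
    return (node_count + surge_nodes) * (max_pods_per_node + 1)


def kubenet_ips_required(node_count: int, surge_nodes: int = 1) -> int:
    """With kubenet only the nodes take subnet IPs; pods use the separate pod CIDR behind NAT."""
    if node_count < 1 or surge_nodes < 0:
        raise ValueError("node_count must be >= 1, surge_nodes >= 0")
    return node_count + surge_nodes


def usable_hosts(subnet: str) -> int:
    """Addresses a given Azure subnet can actually hand out."""
    net = ipaddress.ip_network(subnet, strict=True)
    return net.num_addresses - AZURE_RESERVED_PER_SUBNET


def smallest_prefix(required: int) -> int:
    """Longest IPv4 prefix (smallest subnet) whose usable hosts cover `required`.
    Azure subnets cannot be smaller than /29."""
    for prefix in range(29, 7, -1):
        if (2 ** (32 - prefix)) - AZURE_RESERVED_PER_SUBNET >= required:
            return prefix
    raise ValueError("no IPv4 subnet down to /8 is large enough")


def plan_cni_subnet(subnet: str, node_count: int, max_pods_per_node: int,
                    surge_nodes: int = 1) -> dict:
    """Compare a proposed subnet with the Azure CNI requirement and report what would fit."""
    required = cni_ips_required(node_count, max_pods_per_node, surge_nodes)
    available = usable_hosts(subnet)
    return {
        "required": required,
        "available": available,
        "fits": available >= required,
        "min_prefix": smallest_prefix(required),
    }


if __name__ == "__main__":
    # Constructed scenario: 50 nodes, 30 pods per node, subnet proposed as a /22.
    print(plan_cni_subnet("10.240.0.0/22", 50, 30))
    print("kubenet would need only", kubenet_ips_required(50), "node IPs")
```

For the constructed 50-node cluster the /22 is too small (1581 addresses needed, 1019 usable) and a /21 is the smallest subnet that fits; the same cluster on kubenet needs 51 node addresses plus the separate pod CIDR.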

  12. AKS - TANDEM
    • K8s command (kubectl) = Azure resource = magic?
    • Cluster interaction "as usual":
      kubectl apply -f deployment.yaml
    • Different extensions do the extra work
      - CSI driver for volumes
      - cloud-provider-azure, e.g. for the load balancer

  13. STORAGE
    • Local storage on the node is often not sufficient for workloads
    • Auto provisioning / deletion of Azure Disk / file share, ordered via kubectl
    • Defined by the storage class in a Persistent Volume Claim (PVC)
    • K8s built-in or CSI driver
    [Diagram] Source: docs.microsoft.com

  14. AKS STORAGE (MANAGED PREMIUM DISKS)

    1. Create PersistentVolumeClaim

    apiVersion: v1
    kind: PersistentVolumeClaim
    metadata:
      name: azure-premium-disk
    spec:
      accessModes:
        - ReadWriteOnce
      storageClassName: managed-premium
      resources:
        requests:
          storage: 2Gi

    kubectl apply -f volume_claim.yaml

    2. Use PersistentVolumeClaim

    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx
    spec:
      volumes:
        - name: "appdata"
          persistentVolumeClaim:
            claimName: "azure-premium-disk"
      containers:
        - image: nginx:latest
          name: nginx
          volumeMounts:
            - mountPath: "/data"
              name: "appdata"
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP

    kubectl apply -f deploy.yaml

  15. SECURITY

  16. SECURITY - NETWORK
    • Control plane: public endpoint by default
      - Define allowed IP ranges
    • Private cluster:
      - Private Link from the API server to an (internal) subnet
      - Traffic stays in the subnet / VNet
    • PaaS service access via Private Link
      - Storage, Azure Container Registry
    • NSG
      - Traffic filter between nodes -> managed by AKS
      - E.g. external K8s services

  17. SECURITY – DEFENDER & KEY VAULT
    • Microsoft Defender for Cloud
      - ACR image scanning with the Qualys engine
      - Finds vulnerabilities (e.g. missing security updates)
    • Defender for Kubernetes
      - Digital currency mining container detected
      - K8s API requests from proxy IP address detected
      - Results go to Azure Security Center
    • Key Vault integration
      - Mounts secrets / keys / certificates as volumes into Pods (CSI driver)
      - Add-on -> pods running on nodes

  18. SECURITY - AZURE POLICIES
    • Cluster add-on, simply switch on
    • Use the Azure Policy built-in initiative or custom policies
      - audit / deny
    • Compliance checks
      - Allowed regions
      - VM, storage SKUs
    • Security checks
      - Pod privileges
      - Allowed ports or limits for pods
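
An added example, not the deck's own code and not the Gatekeeper implementation behind Azure Policy for Kubernetes: a Python sketch of the kind of security checks the slide lists (pod privileges, allowed ports, limits), applied to pod manifests as dicts in audit and deny mode. The first input is the nginx pod from slide 14 written as a dict; the hardened variant, the pod a deny policy should reject, and the allowed-port set are constructed assumptions for this example.

```python
from typing import Dict, List, Tuple

# Constructed allow-list standing in for a policy parameter; not from the slides.
ALLOWED_PORTS = {80, 443, 8080}


def check_pod(pod: Dict, allowed_ports=ALLOWED_PORTS) -> List[str]:
    """Return findings for a pod manifest, mirroring common Azure Policy for Kubernetes
    checks: host namespaces, hostPath volumes, privileged containers, privilege
    escalation, missing resource limits and a container-port allow-list."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod shares the node's {flag} namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"volume {vol.get('name')} mounts hostPath {vol['hostPath'].get('path')}")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"container {name} runs privileged")
        # Kubernetes defaults allowPrivilegeEscalation to true unless set to false explicitly.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"container {name} allows privilege escalation")
        if not (c.get("resources") or {}).get("limits"):
            findings.append(f"container {name} has no resource limits")
        for port in c.get("ports", []):
            number = port.get("containerPort")
            if number not in allowed_ports:
                findings.append(f"container {name} exposes disallowed port {number}")
    return findings


def evaluate(pod: Dict, mode: str = "audit") -> Tuple[str, List[str]]:
    """'audit' records findings but admits the pod; 'deny' rejects any pod with findings."""
    if mode not in ("audit", "deny"):
        raise ValueError("mode must be 'audit' or 'deny'")
    findings = check_pod(pod)
    if mode == "deny" and findings:
        return "denied", findings
    return "allowed", findings


# Pod from slide 14, written as a dict.
SLIDE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {
        "volumes": [{"name": "appdata", "persistentVolumeClaim": {"claimName": "azure-premium-disk"}}],
        "containers": [{"image": "nginx:latest", "name": "nginx",
                        "volumeMounts": [{"mountPath": "/data", "name": "appdata"}],
                        "ports": [{"containerPort": 8080, "name": "http", "protocol": "TCP"}]}],
    },
}

# Constructed hardened variant: explicit no-escalation plus CPU/memory limits.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "nginx"},
    "spec": {
        "containers": [{"image": "nginx:latest", "name": "nginx",
                        "securityContext": {"allowPrivilegeEscalation": False, "privileged": False},
                        "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
                        "ports": [{"containerPort": 8080, "name": "http", "protocol": "TCP"}]}],
    },
}

# Constructed manifest that a deny policy should reject.
PRIVILEGED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "agent"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "hostetc", "hostPath": {"path": "/etc"}}],
        "containers": [{"image": "busybox", "name": "agent",
                        "securityContext": {"privileged": True},
                        "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}},
                        "ports": [{"containerPort": 2222}]}],
    },
}

if __name__ == "__main__":
    for label, pod in (("slide", SLIDE_POD), ("hardened", HARDENED_POD), ("privileged", PRIVILEGED_POD)):
        print(label, evaluate(pod, "deny"))
```

Run in audit mode the slide's nginx pod is admitted with two findings (no explicit allowPrivilegeEscalation: false, no limits); in deny mode the same two findings reject it, which is why switching an initiative from audit to deny on an existing cluster is usually done only after the audit results are clean.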

  19. SECURITY - AAD INTEGRATION
    • Manage cluster access with AAD roles & groups
    • AKS feature to enable
    • Combines Kubernetes RBAC and Azure RBAC
    • Conditional access & PIM
    [Diagram] Source: docs.microsoft.com

  20. SECURITY - NODE PATCHES
    • Control plane is managed
    • Linux worker nodes
      - Automatic nightly updates
      - Kured extension for rebooting
    • Windows worker nodes
      - No daily updates
      - AKS upgrade for the latest image
    [Diagram] Source: docs.microsoft.com

  21. SECURITY - CLUSTER K8S UPGRADES
    • K8s version upgrade with the CLI
    • Update with cordon & drain
    • Auto-upgrade channel in preview:
      az aks update --resource-group $RG --name $AKSCluster --auto-upgrade-channel stable
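
An added example that ties the security slides together (network access to the control plane on slide 16, the Defender/Key Vault add-on on slide 17, Azure Policy on slide 18, AAD integration on slide 19, the auto-upgrade channel on slide 21 and the Container Insights agent on slide 27); it is not the deck's own code. The Python below reads a cluster description in the shape of `az aks show -o json` and lists settings that are missing. The property names follow the ManagedCluster API (apiServerAccessProfile, aadProfile, autoUpgradeProfile, addonProfiles, networkProfile); the two JSON documents are constructed samples, and treating those names as the output layout is an assumption of this example.

```python
import ipaddress
import json
from typing import Any, Dict, List

# Constructed sample in the shape of `az aks show -o json`; values invented, absent
# profiles printed as null the way the CLI does.
WEAK_CLUSTER_JSON = """
{
  "name": "democluster",
  "apiServerAccessProfile": null,
  "aadProfile": null,
  "autoUpgradeProfile": null,
  "addonProfiles": {"azurepolicy": {"enabled": false}},
  "networkProfile": {"networkPlugin": "azure", "networkPolicy": null}
}
"""

HARDENED_CLUSTER_JSON = """
{
  "name": "democluster",
  "apiServerAccessProfile": {"enablePrivateCluster": false,
                             "authorizedIpRanges": ["203.0.113.0/24"]},
  "aadProfile": {"managed": true, "enableAzureRbac": true},
  "autoUpgradeProfile": {"upgradeChannel": "stable"},
  "addonProfiles": {"azurepolicy": {"enabled": true},
                    "azureKeyvaultSecretsProvider": {"enabled": true},
                    "omsagent": {"enabled": true}},
  "networkProfile": {"networkPlugin": "azure", "networkPolicy": "azure"}
}
"""


def _get(obj: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts; a null value counts as missing and yields the default."""
    for key in path:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj


def assess_cluster(cluster: Dict) -> List[str]:
    findings: List[str] = []
    # Slide 16: public control plane without authorized ranges, or a range admitting everyone.
    if not _get(cluster, "apiServerAccessProfile", "enablePrivateCluster", default=False):
        ranges = _get(cluster, "apiServerAccessProfile", "authorizedIpRanges", default=[])
        if not ranges:
            findings.append("API server is public and has no authorized IP ranges")
        for cidr in ranges:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"authorized IP range {cidr} admits every source address")
    # Slide 19: AAD-managed access plus Azure RBAC.
    if not _get(cluster, "aadProfile", "managed", default=False):
        findings.append("AAD integration is not enabled")
    elif not _get(cluster, "aadProfile", "enableAzureRbac", default=False):
        findings.append("Azure RBAC for Kubernetes authorization is not enabled")
    # Slide 21: an auto-upgrade channel keeps the K8s version current.
    if _get(cluster, "autoUpgradeProfile", "upgradeChannel", default="none") == "none":
        findings.append("no auto-upgrade channel configured")
    # Slides 17, 18, 27: add-ons for Key Vault secrets, Azure Policy, Container Insights.
    for addon, label in (("azurepolicy", "Azure Policy add-on"),
                         ("azureKeyvaultSecretsProvider", "Key Vault secrets provider"),
                         ("omsagent", "Container Insights agent")):
        if not _get(cluster, "addonProfiles", addon, "enabled", default=False):
            findings.append(f"{label} is disabled")
    # Slide 11: CNI is what makes network policies possible; check they are switched on.
    if _get(cluster, "networkProfile", "networkPlugin") == "azure" and \
            not _get(cluster, "networkProfile", "networkPolicy"):
        findings.append("Azure CNI without a network policy engine")
    return findings


def assess_json(text: str) -> List[str]:
    """Convenience wrapper for the raw CLI output."""
    return assess_cluster(json.loads(text))


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_CLUSTER_JSON), ("hardened", HARDENED_CLUSTER_JSON)):
        print(label, assess_json(doc))
```

The weak sample produces seven findings and the hardened one none; a 0.0.0.0/0 entry in authorizedIpRanges is reported separately because it satisfies the "ranges are set" check while giving no protection at all.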

  22. SCALING & MONITORING

  23. SCALING
    • Horizontal pod autoscaler (HPA)
      - scales based on pod metrics
    • Cluster autoscaler
      - scales based on node resources
    • Scaling with KEDA
    [Diagram] Source: docs.microsoft.com
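
An added example (not from the slides) of the arithmetic behind the two autoscalers on this slide, in Python. The first function is the HPA rule from the Kubernetes documentation, desiredReplicas = ceil(currentReplicas * currentMetric / targetMetric) with the default 10% tolerance band, using per-pod CPU utilization averaged across pods. The second is a simplified cluster-autoscaler estimate of how many extra nodes of one size are needed to place pods that are pending for lack of CPU; the real autoscaler runs a scheduler simulation, so first-fit-decreasing bin packing here is an approximation, and the node size and pod requests are constructed.

```python
import math
from typing import List, Sequence


def hpa_desired_replicas(current_replicas: int, pod_utilizations: Sequence[float],
                         target_utilization: float, min_replicas: int = 1,
                         max_replicas: int = 10, tolerance: float = 0.1) -> int:
    """HPA rule: desired = ceil(current * (currentMetric / targetMetric)), where
    currentMetric is the average over the pods. No change while the ratio is within
    the tolerance band; the result is clamped to [min_replicas, max_replicas]."""
    if current_replicas < 1 or not pod_utilizations or target_utilization <= 0:
        raise ValueError("need running replicas, at least one sample and a positive target")
    average = sum(pod_utilizations) / len(pod_utilizations)
    ratio = average / target_utilization
    if abs(ratio - 1.0) <= tolerance:
        return current_replicas
    desired = math.ceil(current_replicas * ratio)
    return max(min_replicas, min(max_replicas, desired))


def nodes_to_add(pending_cpu_millicores: Sequence[int], node_allocatable_millicores: int) -> int:
    """Cluster-autoscaler style estimate: nodes of one size needed to fit the CPU
    requests of pods the scheduler could not place (first-fit-decreasing packing)."""
    if node_allocatable_millicores <= 0:
        raise ValueError("node allocatable must be positive")
    if any(req > node_allocatable_millicores for req in pending_cpu_millicores):
        raise ValueError("a pending pod requests more CPU than one node can offer")
    free_per_node: List[int] = []  # remaining millicores on each node we would add
    for req in sorted(pending_cpu_millicores, reverse=True):
        for i, free in enumerate(free_per_node):
            if free >= req:
                free_per_node[i] = free - req
                break
        else:
            free_per_node.append(node_allocatable_millicores - req)
    return len(free_per_node)


if __name__ == "__main__":
    # Constructed readings: 3 pods at 80/90/100 % CPU against a 50 % target.
    print("HPA ->", hpa_desired_replicas(3, [80, 90, 100], 50))
    # Constructed: five pending pods, a node offering 3800 millicores after reservations.
    print("nodes to add ->", nodes_to_add([1500, 1500, 1000, 1000, 800], 3800))
```

Three pods averaging 90% against a 50% target give ceil(3 * 1.8) = 6 replicas, while an average of 54% (ratio 1.08) stays inside the tolerance band and triggers nothing, which is the behaviour that stops the HPA from flapping on small metric noise.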

  24. SCALING
    • Node simulation with virtual kubelets
      - open-source K8s implementation
      - the kubelet registers itself as a node
    [Diagram] Source: docs.microsoft.com

  25. SCALING
    • Node scaling is sometimes too slow for demand
    • Deploy new pods in Azure Container Instances
    • More expensive but much faster than normal scaling
    [Diagram] Source: docs.microsoft.com

  26. AZURE MONITOR
    • Cluster metrics
      - CPU / disks
      - Network
    • Control plane logs
    • Visualizing
    • Alerting
    [Diagram] Source: docs.microsoft.com

  27. CONTAINER INSIGHTS
    • Prepared metrics charts & workbooks
    • Container live logs
    • Needs a Log Analytics workspace

  28. AZURE MONITOR KQL
    • Log Analytics section
    • Query workspace data
    • Tables / charts from queries

  29. INTEGRATION

  30. INTEGRATION WITH AZURE SERVICES
    • Ingress with Application Gateway
      - App Gateway: L7 load balancer, integrated firewall
      - AGIC add-on, deployed as a pod in the cluster
      - K8s Ingress resource, Service and Pods
    • CI / CD
      - Azure DevOps
      - GitHub Actions

  31. INTEGRATION WITH AZURE SERVICES
    • Azure Functions with KEDA
      - KEDA container in the cluster
      - Listening on events from Azure resources
      - Azure Functions runtime in a container (scaled by KEDA)
    • AAD Pod Identity
      - Add-on (CNI)
      - Maps Pods to Azure Managed Identities for resource access

  32. ARCHITECTURE
    [Diagram: Client apps -> Load Balancer -> Frontend Ingress (NGINX Controller) -> Microservices on Azure Kubernetes Service (AKS) inside a Virtual network; CI/CD Pipelines with Docker push to Container Registry, Docker pull and Helm upgrade (CNCF Helm); Active Directory, Monitor, Key Vault and RBAC alongside; Azure Cosmos DB and external data sources] Source: docs.microsoft.com

  33. TIPS & TRICKS
    • CNI network: don't underestimate IP address planning
    • Have a cluster admin / AKS team
    • AKS service & used resources are in different resource groups, e.g.
      MC_rgAKSDemo_Democluster0815_northeurope

  34. TIPS & TRICKS
    • Cluster stop:
      az aks stop --name $aksClusterName --resource-group $rgName

  35. HANDS ON (YOURSELF)
    • https://docs.microsoft.com/en-us/learn/modules/aks-workshop/01-introduction

  36. DEMO

  37. DEMO CONTENT
    Recap CLI code for
    • AKS service
    • Container Registry
    • Monitoring
    Connect to the cluster & deploy a sample
    Scale & update the cluster

  38. THANK YOU!

  39. TOOLS
    • Azure Portal / CLI
      - Cluster administration
      - Monitoring
    • kubectl.exe
      - Management of Kubernetes
      - Integrated in Azure Cloud Shell
    • Visual Studio Code / Octant