
Jan 2022: AKS-Series 2 [Video]: Introduction to AKS by Thomas Hafermalz

Stream Link: https://www.youtube.com/watch?v=cjnISnphE_s

Meetup Link: https://www.meetup.com/de-DE/Microsoft-Azure-Zurich-User-Group/events/282028307/

Kubernetes (K8s) has long been established as the orchestration platform for container-based system landscapes. However, setting up and administering a cluster can be quite time-consuming. This session is an introductory overview of how Azure Kubernetes Service (AKS) can support these tasks and how the interaction between K8s resources and Azure resources works. I will show where AKS can simplify cluster management, such as scaling or upgrading, and how K8s resources are mapped to Azure resources for storage mounting or load balancing. AKS is not another K8s (or container orchestration system); it is based on K8s and combines the worlds of Azure and K8s, running in the Azure cloud.

About Thomas:
Thomas works as an Azure Solution Architect and Trainer at Trivadis AG in Zurich. Coming from application development with .NET & Angular, his focus is now on cloud-native development and architecture for Azure. Other areas he is interested in are serverless apps, monitoring, IaC and container workloads. He regularly speaks in user groups or at conferences and is an author for tech magazines.

You can find him at:
https://linkedin.com/in/thomashafermalz
https://thomashafermalz.net/

Azure Zurich User Group

January 19, 2022


Transcript

  1. THOMAS HAFERMALZ
     Azure Solution Architect & Trainer @Trivadis AG (Zurich)
     • Industrial Environmental Informatics
     • Outdoor activities, Soccer, Tennis
     • Meetup: Azure Zurich User Group
     www.thomashafermalz.net
     www.linkedin.com/in/thomashafermalz
  2. AGENDA
     1. AKS Facts
     2. Security support
     3. Scaling & Monitoring
     4. Integration topics
     5. Demo
     19.01.2022 3
  3. INTRO
     • Kubernetes (K8s): THE container orchestration tool
       - no-downtime updates
       - scalability & self-healing
     • Azure Kubernetes Service (AKS): managed K8s service on Azure
  4. AZURE KUBERNETES SERVICE (AKS)
     • Master nodes (control plane) are free of charge; you only pay for worker node VMs, storage and networking resources
     • Managed by Azure
     • Full power of Azure compute options for workloads: Linux / Windows, GPU
     • Security, scaling, updates, monitoring
  5. AKS K8S TERMS
     (diagram of the terms used in the talk) Init Container, (App) Container, Sidecar, Network, Deployment, Pod, ReplicaSet, "kubectl apply deploy.yaml", Node, Node Pool
  6. WORKER NODES
     • Host the applications
     • VM options for workloads: scale sets, single VM, virtual nodes
     • Compute isolation
     • No manual setup of K8s processes
  7. HIGH AVAILABILITY
     • Availability Zones for the cluster
     • Node auto-repair
     • SLA option: more replicas for the control plane & a financially backed SLA
       - 99.95% availability of the K8s API server endpoint for clusters that use Availability Zones (99.9% without AZ)
     • Disaster recovery: multi-region clusters, Azure Container Registry replication
  8. NETWORK TYPES
     Two different network types: kubenet & Azure CNI

     kubenet                                    | Azure CNI
     -------------------------------------------+-----------------------------------------------------------------
     Pod IPs are abstracted, NAT on the nodes   | Every pod gets its own IP address from the VNet
     Limit of 400 nodes per cluster             | Needed for: Azure network policies, Application Gateway as ingress (AGIC)
     No Windows nodes                           | Requires a bigger IP address space & planning
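Network policies are one of the reasons to pick Azure CNI. The manifests below are an added example (not from the deck) of the minimum a practitioner should apply per namespace: deny all ingress by default, then allow only the ingress controller to reach the web pods. It assumes a cluster created with `--network-policy azure` (or calico), Kubernetes 1.21+ (for the automatic `kubernetes.io/metadata.name` namespace label), and illustrative names: namespace `shop`, pod label `app: frontend`, ingress controller namespace `ingress-nginx`.

```yaml
# Added example (assumed names). Apply with: kubectl apply -f netpol.yaml
# Policy 1: default deny. An empty podSelector matches every pod in the
# namespace; listing only Ingress in policyTypes leaves egress unrestricted.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop                 # assumed namespace
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# Policy 2: allow-list. Policies are additive, so this opens port 80 on the
# frontend pods for traffic coming from the ingress controller namespace only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-controller
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: frontend               # assumed label on the web pods
  policyTypes:
  - Ingress
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ingress-nginx   # assumed ingress namespace
    ports:
    - protocol: TCP
      port: 80
```

Two caveats: the network policy plug-in has to be chosen when the cluster is created (it cannot be switched on for an existing kubenet cluster), and a default-deny policy also blocks readiness probes from other pods, so test with `kubectl exec` from a pod in another namespace before rolling it out.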
  9. AKS TANDEM
     • K8s command (kubectl) = Azure resource = magic?
     • Cluster interaction "as usual": kubectl apply -f deployment.yaml
     • Different extensions do the extra work
       - CSI driver for volumes
       - cloud-provider-azure, e.g. for the LoadBalancer service type
  10. STORAGE
     • Local storage on the node is often not sufficient for workloads
     • Auto provisioning / deletion of an Azure Disk or file share on a kubectl request
     • Defined by the storage class in a Persistent Volume Claim (PVC)
     • K8s built-in (in-tree) provisioner or CSI driver
     Source: docs.microsoft.com
  11. AKS STORAGE (MANAGED PREMIUM DISKS)
     1. Create the PersistentVolumeClaim (volume_claim.yaml):

        apiVersion: v1
        kind: PersistentVolumeClaim
        metadata:
          name: azure-premium-disk
        spec:
          accessModes:
            - ReadWriteOnce
          storageClassName: managed-premium
          resources:
            requests:
              storage: 2Gi

        kubectl apply -f volume_claim.yaml

     2. Use the PersistentVolumeClaim in a Pod (deploy.yaml):

        apiVersion: v1
        kind: Pod
        metadata:
          name: nginx
        spec:
          volumes:
            - name: "appdata"
              persistentVolumeClaim:
                claimName: "azure-premium-disk"
          containers:
            - image: nginx:latest
              name: nginx
              volumeMounts:
                - mountPath: "/data"
                  name: "appdata"
              ports:
                - containerPort: 80   # nginx listens on 80 (the slide showed 8080)
                  name: http
                  protocol: TCP

        kubectl apply -f deploy.yaml
  12. SECURITY – NETWORK
     • Control plane: public endpoint by default; restrict it with API server authorized IP ranges
     • Private cluster: Private Link from the API server into an (internal) subnet, traffic stays in the subnet / VNet
     • PaaS service access via Private Link: storage, Azure Container Registry
     • NSG: traffic filter between nodes, managed by AKS (e.g. for externally exposed K8s services)
  13. SECURITY – DEFENDER & KEY VAULT
     • Microsoft Defender for Cloud
       - ACR image scanning with the Qualys engine: finds vulnerabilities (e.g. missing security updates)
       - Defender for Kubernetes: alerts such as "Digital currency mining container detected" or "K8s API requests from proxy IP address detected"
       - Results go to Azure Security Center
     • Key Vault integration
       - Mounts secrets / keys / certificates as a volume into Pods (Secrets Store CSI driver)
       - Add-on: the driver pods run on the nodes
  14. SECURITY – AZURE POLICY
     • Cluster add-on, simply switch it on
     • Use the Azure Policy built-in initiative or custom policies, with effect audit / deny
     • Compliance checks: allowed regions, VM and storage SKUs
     • Security checks: pod privileges, allowed ports or resource limits for pods
  15. SECURITY – AAD INTEGRATION
     • Manage cluster access with AAD roles & groups
     • AKS feature to enable
     • Combines Kubernetes RBAC and Azure RBAC
     • Conditional Access & PIM
     Source: docs.microsoft.com
  16. SECURITY – NODE PATCHES
     • Control plane is managed
     • Linux worker nodes: automatic nightly security updates; the Kured extension reboots the nodes when required
     • Windows worker nodes: no daily updates; run an AKS node image upgrade to get the latest image
     Source: docs.microsoft.com
  17. SECURITY – CLUSTER K8S UPGRADES
     • K8s version upgrade with the CLI
     • Nodes are updated with cordon & drain
     • Auto-upgrade channel (in preview at the time of the talk):
       az aks update --resource-group $RG --name $AKSCluster --auto-upgrade-channel stable
  18. SCALING
     • Horizontal pod autoscaler (HPA): scales based on pod metrics
     • Cluster autoscaler: scales based on node resources
     • Scaling with KEDA
     Source: docs.microsoft.com
  19. SCALING
     • Node simulation with virtual kubelets: open-source K8s implementation, the kubelet registers itself as a node
     Source: docs.microsoft.com
  20. SCALING
     • Node scaling is sometimes too slow for demand
     • Deploy new pods in Azure Container Instances: more expensive, but much faster than normal node scaling
     Source: docs.microsoft.com
  21. AZURE MONITOR
     • Cluster metrics: CPU / disks, network
     • Control plane logs
     • Visualizing, alerting
     Source: docs.microsoft.com
  22. CONTAINER INSIGHTS
     • Prepared metrics charts & workbooks
     • Container live logs
     • Needs a Log Analytics workspace
  23. AZURE MONITOR KQL
     • Log Analytics section
     • Query workspace data
     • Tables / charts from queries
  24. INTEGRATION WITH AZURE SERVICES
     • Ingress with Application Gateway
       - App Gateway: L7 load balancer with integrated firewall (WAF)
       - AGIC add-on, deployed as a pod in the cluster
       - Works with the K8s Ingress resource, Service and Pods
     • CI / CD: Azure DevOps, GitHub Actions
  25. INTEGRATION WITH AZURE SERVICES
     • Azure Functions with KEDA
       - KEDA container in the cluster, listening on events from Azure resources
       - Azure Functions runtime in a container (scaled by KEDA)
     • AAD Pod Identity
       - Add-on (Azure CNI)
       - Maps pods to Azure managed identities for resource access
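KEDA's event-driven scaling from this slide (and the "Scaling with KEDA" bullet of slide 18) is configured with a ScaledObject that points at the Deployment running the Functions container and a TriggerAuthentication that tells the scaler how to read the queue. The manifests below are an added example (not from the deck) for an Azure Service Bus queue; the namespace, Deployment name, queue name and the connection string placeholder are assumed.

```yaml
# Added example (assumed names/placeholders). Apply with: kubectl apply -f keda.yaml
# The connection string lives in a Kubernetes Secret read only by the KEDA
# operator; the scaled application pods do not need it for scaling.
apiVersion: v1
kind: Secret
metadata:
  name: servicebus-secret
  namespace: shop                               # assumed namespace
type: Opaque
stringData:
  connection: "Endpoint=sb://<namespace>.servicebus.windows.net/;SharedAccessKeyName=<policy>;SharedAccessKey=<key>"   # placeholder
---
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: servicebus-auth
  namespace: shop
spec:
  secretTargetRef:
  - parameter: connection                       # scaler parameter fed from the secret
    name: servicebus-secret
    key: connection
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: order-worker-scaler
  namespace: shop
spec:
  scaleTargetRef:
    name: order-worker                          # assumed Deployment running the Functions container
  pollingInterval: 15                           # seconds between queue-length checks
  cooldownPeriod: 120                           # seconds at zero load before scaling to minReplicaCount
  minReplicaCount: 0                            # scale to zero when the queue is empty
  maxReplicaCount: 20
  triggers:
  - type: azure-servicebus
    metadata:
      queueName: orders                         # assumed queue
      messageCount: "10"                        # target backlog per replica
    authenticationRef:
      name: servicebus-auth
```

KEDA creates and owns an HPA for `order-worker`, so do not define a second HPA for the same Deployment. Where the AAD Pod Identity add-on from the second bullet is installed, the Secret can be dropped and the TriggerAuthentication can instead carry `podIdentity: {provider: azure}`, letting KEDA read the queue with a managed identity.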
  26. ARCHITECTURE
     (diagram, source: docs.microsoft.com) CI/CD pipelines push images to the Container Registry (Docker push) and deploy with Helm upgrade (CNCF Helm); AKS pulls the images (Docker pull); inside the cluster a Load Balancer and the NGINX ingress controller (K8s Ingress) front the frontend and microservices, all in a virtual network; client apps reach the frontend through the Load Balancer; surrounding services: Active Directory (RBAC), Monitor, Key Vault, Azure Cosmos DB and external data sources
  27. TIPS & TRICKS
     • CNI network: don't underestimate IP address planning
     • Have a cluster admin / AKS team
     • The AKS service and the resources it creates live in different resource groups; the node resource group is named after the pattern MC_<resource group>_<cluster name>_<region>, e.g. MC_rgAKSDemo_Democluster0815_northeurope
  28. TIPS & TRICKS
     • Cluster stop:
       az aks stop --name $aksClusterName --resource-group $rgName
  29. DEMO CONTENT
     Recap CLI code for:
     • AKS service
     • Container Registry
     • Monitoring
     Connect to the cluster & deploy a sample
     Scale & update the cluster
  30. TOOLS
     • Azure Portal / CLI: cluster administration, monitoring
     • kubectl.exe: management of Kubernetes, integrated in Azure Cloud Shell
     • Visual Studio Code / Octant