Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Jan 2022: AKS-Series 2 [Video]: Introduction to AKS by Thomas Hafermalz

Jan 2022: AKS-Series 2 [Video]: Introduction to AKS by Thomas Hafermalz

Stream Link: https://www.youtube.com/watch?v=cjnISnphE_s

Meetup Link: https://www.meetup.com/de-DE/Microsoft-Azure-Zurich-User-Group/events/282028307/

Kubernetes (K8s) has long been established as an orchestration platform for a container-based system landscape. However, setting up and administering a cluster can be quite time-consuming. This session is an introductory overview of how Azure Kubernetes Service (AKS) can support these tasks and how the interaction between K8s resources and Azure resources works. I will show where AKS can simplify cluster management, such as scaling or upgrading and how the K8s resources are mapped to Azure resources for storage mounting or load balancing. AKS is not another K8s (or container orchestrations system), its based on K8s and helps to combine the worlds of Azure and K8s - running in the Azure Cloud.

About Thomas:
Thomas works as an Azure Solution Architect and Trainer at Trivadis AG in Zurich. Coming from application development with .NET & Angular, his focus is now on cloud-native development and architecture for Azure. Other areas he is interested in are serverless apps, monitoring, IaC and container workloads. He regularly speaks in user groups or at conferences and is an author for tech magazines.

You can find him at:
https://linkedin.com/in/thomashafermalz
https://thomashafermalz.net/

Azure Zurich User Group
PRO

January 19, 2022
Tweet

More Decks by Azure Zurich User Group

Other Decks in Technology

Transcript

  1. 18.01.2022 AKS-Series: Introduction to Azure Kubernetes Service (AKS) by Thomas

    Hafermalz
  2. THOMAS HAFERMALZ  Azure Solution Architect & Trainer @Trivadis AG

    (Zurich, )  Industrial Environmental Informatics  Outdoor activities, Soccer, Tennis  Meetup: Azure Zurich User Group www.thomashafermalz.net www.linkedin.com/in/thomashafermalz
  3. AGENDA 1. AKS Facts 2. Security support 3. Scaling &

    Monitoring 4. Integration topics 5. Demo 19.01.2022 3
  4. INTRO  Kubernetes (K8S)  THE container orchestration Tool 

    no downtime updates  Scalability & self-healing  Azure Kubernetes Services (AKS)  Managed K8S Service on Azure. 19.01.2022 4
  5. AKS FACTS

  6. AZURE KUBERNETES SERVICE AKS  Master Nodes (Controll Plane) free

    of charge,  only pay for: Worker node VMs / Storage / Networking resources  Managed by Azure  Full power of Azure compute options for Workloads  Linux / Windows  GPU  Security, scaling  Updates, Monitoring 19.01.2022 6
  7. AKS K8S TERMS 19.01.2022 7 Init Container (App) Sidecar Network

    Deployment Pod Replica Set Kubectl apply deploy.yaml Node Node Pool
  8. AKS CLUSTERS AND NODES 19.01.2022 8 Source: docs.microsoft.com

  9. WORKER NODES  Host applications  VM Options for Workloads

     Scale sets  Single VM  Virtual Nodes  Compute isolation  No manual setup of K8s processes 19.01.2022 9
  10. HIGH AVAILABILITY  Availability Zones for cluster  Node Auto-Repair

     SLA Option:  More replicas for control plane & financially backed  99.95% availability of K8s API server endpoint for clusters that use Availability Zones (99.9% if no AZ)  Disaster recovery  Multi region clusters  Az Container Registry replication 19.01.2022 10
  11. NETWORK TYPES  2 Different types of networks: Kubenet &

    CNI 19.01.2022 11 kubenet CNI POD IP’s are abstracted, NAT on Nodes Every Pod get it own IP adress Limit of 400 Nodes / Cluster Needed for: - Network policies - Application Gateway as Ingress No windows nodes Requires bigger IP address space & planning
  12. AKS - TANDEM  K8s command (kubectl) = Azure resource

    = magic?  Cluster interaction “as usual”  kubectl apply -f deployment.yaml  Different Extensions to do the extra work  CSI driver for volumes  cloud-provider-azure for e.g. Loadbalancer 19.01.2022 12
  13. STORAGE  Local storage on the node often not sufficient

    for workloads  Auto provisioning /delete of Azure Disk / Fileshare with kubectl order  Defined by storage class in Persistent Volume Claim (PVC)  K8s build-in or CSI Driver 19.01.2022 13 Source: docs.microsoft.com
  14. AKS STORAGE (MANAGED PREMIUM DISKS) 19.01.2022 14 apiVersion: v1 kind:

    PersistentVolumeClaim metadata: name: azure-premium-disk spec: accessModes: - ReadWriteOnce storageClassName: managed-premium resources: requests: storage: 2Gi kubectl apply -f volume_claim.yaml 1. Create PersistentVolumeClaim 2. Use PersistentVolumeClaim apiVersion: v1 kind: Pod metadata: name: nginx spec: volumes: - name: "appdata" persistentVolumeClaim: claimName: "azure-premium-disk" containers: - image: nginx:latest name: nginx volumeMounts: - mountPath: "/data" name: "appdata" ports: - containerPort: 8080 name: http protocol: TCP kubectl apply -f deploy.yaml
  15. SECURITY

  16. SECURITY NETWORK  Control Plane: Default public endpoint  Define

    IP-Ranges  Private cluster:  Private Link from API Server to (internal) Subnet  Traffic stays in Subnet / Vnet  PaaS Service Access via Private Link  Storage, Azure Container Registry  NSG  Traffic filter between Nodes -> Managed by AKS  E.g. external K8s services 19.01.2022 16
  17. SECURITY – DEFENDER & KEY VAULT  Microsoft Defender for

    Cloud  ACR Image scanning with Qualys Engine  Finds vulnerabilities (e.g. missing security updates)  Defender for Kubernetes  Digital currency mining container detected  K8S API requests from proxy IP address detected  Results to Azure Security Center  Key Vault Integration  Mounts of secrets / keys / certificates as volume into Pods (CSI Driver)  Addon -> pods running on nodes 19.01.2022 17
  18. SECURITY - AZURE POLICIES  Cluster Add-on, simply switch on

     Use Az policy build-in Initiative or custom policies  audit / deny  Compliance checks  Allowed regions  VM, Storage SKUs  Security checks  Pod privileges  Allowed ports or limits for pods 19.01.2022 18
  19. SECURITY- AAD INTEGRATION  Mange cluster access with AAD roles

    & groups  AKS feature to enable  Combines Kubernetes RBAC and Azure RBAC  Conditional access & PIM 19.01.2022 19 Source: docs.microsoft.com
  20. SECURITY- NODE PATCHES  Controll plane is managed  Linux

    Worker Nodes  Automatic nightly updates  Kured extension for rebooting  Windows Worker Nodes  No daily updates  AKS upgrade for latest image 19.01.2022 20 Source: docs.microsoft.com
  21. SECURITY- CLUSTER K8S UPGRADES  K8s version upgrade with CLI

     Update with Cordon & Drain  Auto-upgrade channel in preview  az aks update --resource-group $RG --name $AKSCluster --auto-upgrade- channel stable 19.01.2022 21
  22. SCALING & MONITORING

  23. SCALING  Horizontal pod autoscaler (HPA)  scales based on

    pod metrics  Cluster autoscaler  scales based on node resources  Scaling with KEDA 19.01.2022 23 Source: docs.microsoft.com
  24. SCALING  Node simulation with Virtual kubelets  open-source K8s

    implementation  kubelet registers itself as a node 19.01.2022 24 Source: docs.microsoft.com
  25. SCALING  Node scaling sometimes too slow for demand 

    Deploy new pods in Azure Container Instances  More expensive but much faster that normal scale 19.01.2022 25 Source: docs.microsoft.com
  26. AZURE MONITOR  Cluster Metrics  CPU/Discs  Network 

    Control Plane Logs  Visualizing  Alerting 19.01.2022 26 Source: docs.microsoft.com
  27. CONTAINER INSIGHTS  Prepared metrics charts & Workbooks  Container

    Live logs  Needs a log analytics workspace 19.01.2022 27
  28. AZ MONITOR KQL  Log Analytic section  Query Workspace

    data  Tables / Charts form queries 19.01.2022 28
  29. INTEGRATION

  30. INTEGRATION WITH AZ SERVICES  Ingress with ApplicationGateway  AppGateway:

    L7 Loadbalancer, integrated Firewall  AGIC add-on, deployed as a pod in cluster  K8s Ingress resource, Service and Pods  CI / CD  Azure DevOps  GitHub Actions 19.01.2022 30
  31. INTEGRATION WITH AZ SERVICES  Azure Functions with KEDA 

    KEDA Container in cluster  Listening on events from Azure resources  Az Function runtime in container (scaled by KEDA)  AAD Pod Identity  Add-on (CNI)  Maps Pods with Azure Managed Identities for Resource access 19.01.2022 31
  32. Load Balancer Docker push Pipelines CI/CD Container Registry Docker pull

    CNCF Helm Helm upgrade Active Directory Monitor Key Vault Azure Kubernetes Service (AKS) NGINX Controller Frontend Ingress Kubernetes Client apps Microservices Virtual network Azure Cosmos DB External data sources RBAC ARCHITECTURE Source: docs.microsoft.com
  33. TIPS & TRICKS  CNI network: don’t underestimate IP address

    planning  Have a cluster admin / AKS Team  AKS Service & used resources in different Resource Groups  MC_rgAKSDemo_Democluster0815_northeurope 19.01.2022 34
  34. TIPS & TRICKS  Cluster stop  az aks stop

    --name $aksClusterName --resource-group $rgName 19.01.2022 35
  35. HANDS ON (YOURSELF)  https://docs.microsoft.com/en-us/learn/modules/aks-workshop/01- introduction 19.01.2022 37

  36. DEMO

  37. DEMO CONTENT 19.01.2022 39 Recap CLI Code for • AKS

    service • Container Registry • Monitoring Connect to cluster & deploy sample Scale & updating the cluster
  38. THANK YOU!

  39. TOOLS  Azure Portal / CLI  Cluster Administration 

    Monitoring  Kubectl.exe  Management of Kubernetes  Integrated in Azure Cloud Shell  Visual Studio Code / Octant 19.01.2022 42