Sensitivity: Regular
EXPERT TEAM PAAS & SERVERLESS
Work: InSpark – Principal Consultant
Twitter: @Johanbiere
Blog: talkingazure.com
Work: InSpark – Consultant
Twitter: @vworlddotnl
Blog: vWorld.nl
AKS FROM ZERO TO HERO
03-10-2019
INSPARK
https://aksworkshop.io/
01 Overview
02 Architecture
03 Technical / Security
04 Use case / Demo
CONTAINER?
Containers = operating system virtualization. Traditional virtual machines = hardware virtualization.
Windows Server containers: maximum speed and density. Hyper-V containers: isolation plus performance.
[Diagram: three stacking models. Windows Server containers: Hardware > OS kernel > Containers sharing one kernel. Hyper-V containers: Hardware > Hyper-V > one kernel per container. Traditional VMs: Hardware > host OS > VMs, each with its own OS and App.]
What we do not do with containers
Apply security updates (patching)
Make backups
What we do do with container images
Apply security updates (patching)
Developers
• 'write-once, run-anywhere' apps
• Microservice architectures
• Much more flexible than virtual machines
• Consistency
Operations
• Portability, Portability, Portability
• Standardisation of development, QA and prod environments
• Much more scalable
• Manageable at large scale
DevOps
• Application modernisation
• Scaling applications at large scale (search engines, social media websites, e-commerce websites)
❖ Open source container runtime
❖ The foundation for containers (AKS, ARO)
❖ Format (image) for building containers
❖ Mac, Windows & Linux support
❖ Portability
SUMMARY
Spectrum from IaaS to PaaS:
Azure services: SQL Database, Redis Cache, CosmosDB, and more!
Partner services: OpenShift, Pivotal Cloud Foundry, Docker Enterprise Edition, Mesosphere DC/OS
Azure container offerings: Azure Container Registry (ACR), Service Broker, Azure Kubernetes Service (AKS), ACS Engine, Batch, Azure Container Instances (ACI), Azure Virtual Machines, Virtual Machine Scale Sets (VMSS), Service Fabric, Virtual kubelet, App Service
CONTAINERS AS THE APP PACKAGING FORMAT
…
• echo "$ACR_PASSWORD" | docker login --username cr20demo100ta --password-stdin cr20demo100ta.azurecr.io
  (the registry password is read from stdin instead of being passed with --password, which would leave it in shell history and process listings)
• docker build --build-arg BUILD_PATH=. -t demo-inspark .
  (build context is the current directory; the image is tagged locally as demo-inspark so the next step can retag it)
• docker tag demo-inspark cr20demo100ta.azurecr.io/demo:v1
• docker push cr20demo100ta.azurecr.io/demo:v1
• docker system prune --all
DEMO + BUILD IMAGE DEVOPS
AZURE AKS
Topics: Containers 101 | Azure container technology | Container orchestration | Azure Kubernetes Service (AKS) | App Service | Azure Container Registry | Open Service Broker for Azure (OSBA) | Release automation tools | Open source community | Customer success stories | Getting started | Azure Container Instances (ACI)
Copyright InSpark
• Kubernetes is an open-source (orchestration) framework for automating deployment and
management of containerized workloads (microservices).
– Orchestration:
• Scheduling
• Failover
• Scaling
• Networking
• Service discovery
• Health monitoring
• 2003/2004 - Designed by Google (Borg)
• 2014 - Introduced as Kubernetes, the open-source version of Borg
• 2015 – Kubernetes v1.0
• 2016 – Kubernetes goes mainstream
• 2017 – Enterprise adoption & support (Azure, AWS)
• AKS is an Azure-managed Kubernetes platform
– Hosted environment
– Eliminates the burden of maintenance & operations
– Master nodes are fully managed
– Worker nodes are almost fully managed
• You "have" to scale them yourself
• You "have" to reboot them yourself (after updates)
– "Quick" and easy deployment of a cluster
• Azure CLI, Terraform, Ansible, ARM templates, PowerShell
– Integration with other Microsoft/Azure services, e.g.
• Azure Container Registry
• Azure Monitor (Log Analytics, Application Insights)
– Monitoring of the cluster and/or the application
• Key Vault
– Secrets
• PaaS Database solutions
• Storage
– Azure Disks
– Azure Files
• Azure DevOps integration
Responsibilities: DIY with Kubernetes vs. Managed Kubernetes on Azure
Responsibilities compared: Containerization; Application iteration, debugging; CI/CD; Cluster hosting; Cluster upgrade; Patching; Scaling; Monitoring and logging
Legend: Customer / Microsoft
Managed Kubernetes empowers you to do more: focus on your containers and code, not the plumbing of them.
[Diagram: Kubernetes cluster architecture]
Kubernetes control (master node): API server; controller-manager (replication, namespace, serviceaccounts, etc.); scheduler; etcd
Worker node (x2): kubelet, kube-proxy, Docker, Prod containers
Internet-facing traffic reaches the worker nodes.
[Diagram: AKS managed control plane]
Azure managed control plane (self-managed master node(s)): API server, Controller Manager, Scheduler, etcd Store, Cloud Controller
• Automated upgrades, patches
• High reliability, availability
• Easy, secure cluster scaling
• Self-healing
• API server monitoring
• At no charge
Customer VMs: Docker + Pods (x5). The user submits the app/workload definition to the Kubernetes API endpoint, and pods are scheduled onto the customer VMs over a private tunnel.
[Diagram: global scale]
Built-in auto scaling | Global data center | Geo-replicated container registry | Elastically burst using ACI
Browser > Traffic Manager > AKS clusters (Pods), fed by a geo-replicated container registry, bursting pods into Azure Container Instances
Do It Yourself vs. acs-engine vs. Azure Kubernetes Service
Description: DIY = create your VMs, deploy k8s; acs-engine = generates ARM templates to deploy k8s; AKS = managed K8S
Possibility to modify the cluster: DIY = Highest; acs-engine = Highest; AKS = Medium
You pay for: DIY = Master+Node VMs; acs-engine = Master+Node VMs; AKS = Node VMs
The Namespace object is the logical isolation boundary
Namespaces provide a scope for names
Not all objects can be namespaced, e.g. nodes
Maintain at least N-1 for minor releases for production workloads
Recommend a 3-month upgrade cycle for minor versions
Enable functional add-ons on the cluster with minimal cluster redeployment
Recommend automating node reboots for security patches
Recommend blue/green cluster upgrades for customer production workloads
DEMO – AZURE MONITOR
1. Kubernetes developer authenticates with AAD
2. The AAD token issuance endpoint issues the access token
3. Developer performs an action with the AAD token, e.g. kubectl create pod
4. Kubernetes validates the token with AAD and fetches the developer's AAD groups, e.g. Dev Team A, App Group B
5. Kubernetes RBAC and cluster policies are applied
6. The request succeeds or fails based on the previous validation
$ az aks get-credentials --resource-group myAKSCluster --name myAKSCluster
$ kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BUJHWDGNL to authenticate.
Or:
Error from server (Forbidden): nodes is forbidden: User baduser@contoso.com cannot list nodes at the cluster scope
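Step 5 of the flow above is where an AAD group becomes Kubernetes permissions. The following manifest is an added example, not from the deck: it binds an AAD group (Kubernetes sees it as a Group subject named by the group's object ID) to a namespace-scoped Role. The namespace, role names and the group object ID are placeholders. A user who is only in this group still gets the "nodes is forbidden ... at the cluster scope" error shown above, because the Role grants nothing outside the namespace.

```yaml
# Added example: least-privilege RBAC for an AAD group on AKS (placeholder names throughout).
apiVersion: v1
kind: Namespace
metadata:
  name: dev-team-a
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: dev-team-a-deployer
  namespace: dev-team-a
rules:
  # Workload objects in this namespace only: no nodes, no secrets, no cluster-wide resources.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-a-deployers
  namespace: dev-team-a
subjects:
  # With AKS AAD integration the group's objectId is the Group name Kubernetes sees in the token.
  - kind: Group
    name: "00000000-0000-0000-0000-000000000000"   # placeholder: AAD group objectId
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-team-a-deployer
  apiGroup: rbac.authorization.k8s.io
```

Apply with kubectl apply -f using cluster-admin credentials; afterwards a member of the group can run kubectl get pods -n dev-team-a but not kubectl get nodes.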
o Use namespaces, do not deploy to default
o The Namespace object is the logical isolation boundary
o Namespaces provide a scope for names
o Not all objects can be namespaced, e.g. nodes
o Optionally, use different clusters for different apps/environments (remember, you do not pay for the master nodes!)
o Use resource quotas
o Use at least 3 nodes, which gives you enough capacity during upgrades (especially if using disks as persistent volumes)
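The namespace and resource-quota advice above, as an added example (not from the deck) for an assumed namespace dev-team-a: a ResourceQuota caps what the namespace can consume, and a LimitRange supplies default requests/limits, because once a quota on requests or limits is in place, pods that declare none are rejected outright. All numbers are constructed placeholders.

```yaml
# Added example: quota plus defaults for one team namespace (placeholder values).
apiVersion: v1
kind: ResourceQuota
metadata:
  name: dev-team-a-quota
  namespace: dev-team-a
spec:
  hard:
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
    pods: "20"
    persistentvolumeclaims: "5"
    services.loadbalancers: "1"   # limits how many public/internal IPs one team can consume
---
apiVersion: v1
kind: LimitRange
metadata:
  name: dev-team-a-defaults
  namespace: dev-team-a
spec:
  limits:
    - type: Container
      # Applied to any container that does not set its own values, so the quota can be enforced.
      default:
        cpu: 500m
        memory: 512Mi
      defaultRequest:
        cpu: 100m
        memory: 128Mi
      max:
        cpu: "2"
        memory: 4Gi
```

kubectl describe quota -n dev-team-a shows used versus hard values, which is also a quick way to spot a namespace that is about to hit its ceiling during an upgrade.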
• You can use AAD-based access to Azure Files
• Managed Disks encrypted with Storage Service
Encryption
More information:
https://docs.microsoft.com/mt-mt/azure/aks/concepts-storage
o Dynamic Azure disks
o Static Azure disks
o Dynamic Azure files
o Static Azure files
Notes:
o Disks are ReadWriteOnce, Files are ReadWriteMany
o Only Disks support Premium storage
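The two access-mode rules above, as an added example (not from the deck): one dynamically provisioned claim per volume type. The storage class names managed-premium and azurefile are assumed to be the built-in AKS classes; the namespace and sizes are placeholders.

```yaml
# Added example: Azure Disk vs Azure Files claims (placeholder names and sizes).
# Disk: attaches to a single node, so ReadWriteOnce; Premium tier available.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-data
  namespace: dev-team-a
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: managed-premium   # assumed built-in AKS class on Premium managed disks
  resources:
    requests:
      storage: 32Gi
---
# Files: an SMB share mounted by many pods on many nodes at once, so ReadWriteMany.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: shared-uploads
  namespace: dev-team-a
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile           # assumed built-in AKS class on Azure Files
  resources:
    requests:
      storage: 100Gi
```

Requesting ReadWriteMany on a disk-backed class leaves the claim Pending; kubectl describe pvc shows the provisioning error.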
o Service Type LoadBalancer
o Basic Layer 4 load balancing (TCP/UDP)
o Each service is assigned an IP on the ALB (Azure Load Balancer)
o Used for internal services that should be reachable only from other VNets or on-premises
o Ingress is a Kubernetes API object that manages external access to the services in the cluster
o Supports HTTP and HTTPS
o Path- and subdomain-based routing
o SSL termination
o Saves on public IP addresses
o An Ingress controller is a daemon, deployed as a Kubernetes Pod, that watches the Ingress endpoint for updates. Its job is to satisfy requests for ingresses.
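The Ingress features above in one manifest, as an added example (not from the deck): TLS termination at the controller, path-based routing for one host and subdomain-based routing for another, all behind one public IP. It assumes an nginx ingress controller and a kubernetes.io/tls Secret already exist; hosts, service names and ports are placeholders.

```yaml
# Added example: TLS termination plus path and subdomain routing (placeholder names).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  namespace: dev-team-a
  annotations:
    # nginx-ingress annotation: send plain-HTTP clients to HTTPS so TLS is always terminated here
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - shop.example.com
        - admin.shop.example.com
      secretName: shop-example-com-tls   # assumed kubernetes.io/tls Secret with cert and key
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /api            # path-based: /api/... goes to the API service
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8080
          - path: /               # everything else on this host goes to the web frontend
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
    - host: admin.shop.example.com   # subdomain-based: a separate backend on the same IP
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin
                port:
                  number: 80
```

Clusters of the Kubernetes 1.11 generation shown in the deck use the older extensions/v1beta1 Ingress schema (serviceName/servicePort) instead of this networking.k8s.io/v1 form.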
o Scales nodes based on pending pods
o Scale up and scale down
o Reduces dependency on monitoring
o Removes need for users to manage
nodes and monitor service usage
manually
o Step 1:
az group create --name aksrg --location <location>
(az group create requires --location; the slide omitted it, so fill in a region name)
o Step 2:
az aks create -n myakscluster -g aksrg --node-count 2 -k 1.11.3 -s Standard_DS2_v2
o Step 3:
az aks get-credentials -n myakscluster -g aksrg
DEMO + HOMEWORK AKS
HTTPS://AKSWORKSHOP.IO/
AZURE ACI
Topics: Containers 101 | Azure container technology | Container orchestration | Azure Container Service (AKS) | App Service | Azure Container Registry | Open Service Broker for Azure (OSBA) | Release automation tools | Open source community | Customer success stories | Getting started | Azure Container Instances (ACI)
Easily run serverless containers
• Containers as a primitive, billed per second
• Secure applications with hypervisor isolation
• Run containers without managing servers
Use cases: Elastic bursting (AKS) | Event-driven apps | Modular apps
KUBERNETES - SCALABILITY
THANK YOU!