Aks pimarox from zero to hero

Sensitivity: Regular
EXPERT TEAM PAAS & SERVERLESS

Work: InSpark – Principal Consultant
Twitter: @Johanbiere
Blog: talkingazure.com
Work: InSpark – Consultant
Twitter: @vworlddotnl
Blog: vWorld.nl

AKS FROM ZERO TO HERO
03-10-2019
INSPARK

https://aksworkshop.io/

Overview
Architecture
Technical / Security
Use case / Demo
01
02
03
04

CONTAINER?
Containers = operating system virtualization Traditional virtual machines = hardware virtualization
Windows Server containers: maximum speed and density Hyper-V containers: isolation plus performance
OS
Kernel
Applications
Container Container Container
Hardware
Hardware
Container Container Container
Hyper-V
Container
Kernel
Container
Kernel
Container
Kernel
Hardware
OS
Application
VM VM VM
App
OS
App
OS
App
OS

Wat doen we niet met containers
Voorzien van Security updates (patchen)
Maken van back-up
Wat doen we wel met container images
Voorzien van Security updates (patchen)

Developers
• ‘write-once, run-anywhere’ apps
• Microservice architectures
• Veel flexibeler dan Virtual Machines
• Consistentie
Operations
• Portability, Portability, Portability
• Standarisatie development, QA, and
prod environments
• Veel schaalbaarder
• Beheerbaar op grote schaal
DevOps

• Applicatie modernisering
• Scaling van applicatie op grote schaal
(Search engines, social media websites, e-commerce
websites

❖ Open source container runtime
❖ De Foundation voor containers ( AKS, ARO)
❖ Format (image) om containers te maken
❖ Mac, Windows & Linux support
❖ Portability

SUMMARY
IaaSPaaS
Azure services
SQL Database
Redis Cache
CosmosDB
And more!
Partner services
OpenShift
Pivotal Cloud
Foundry
Docker Enterprise
Edition
Mesosphere
DC/OS
Azure
Azure
Container
Registry
(ACR)
Service Broker
Azure Kubernetes
Service (AKS)
ACS
Engine
Batch
Azure Container
Instances (ACI)
Azure Virtual
Machines
Virtual Machine
Scale Sets
(VMSS)
Service Fabric
Virtual kubelet
App Service

CONTAINERS AS THE APP PACKAGING FORMAT
…

• docker login --username cr20demo100ta --password
password cr20demo100ta.azurecr.io
• docker build --build-arg BUILD_PATH= . -t
cr20demo100ta.azurecr.io
• docker tag demo-inspark
cr20demo100ta.azurecr.io/demo:v1
• docker push cr20demo100ta.azurecr.io/demo:v1
• docker system prune --all

DEMO + BUILD IMAGE DEVOPS

AZURE AKS
Containers
101
Azure
container
technology
Container
orchestration
Azure
Kubernetes
Service (AKS)
App service
Azure
Container
Registry
Open Service
Broker for
Azure (OSBA)
Release
automation
tools
Open source
community
Customer
success
stories
Getting
started
Azure
Container
Instances
(ACI)

Copyright InSpark
• Kubernetes is an open-source (orchestration) framework for automating deployment and
management of containerized workloads (microservices).
– Orchestration:
• Scheduling
• Failover
• Scaling
• Networking
• Service discovery
• Health monitoring

Copyright InSpark
• 2003/2004 - Designed by Google (Borg)
• 2014 - Introduced as Kubernetes as open-source version of Borg
• 2015 – Kubernetes v1.0
• 2016 – Kubernetes goes mainstream
• 2017 – Enterprise adoption & support (Azure, AWS)

Copyright InSpark
• AKS is a Azure Managed Kubernetes Platform
– Hosted environment
– Eliminates the burden of maintenance & operations
– Master nodes are fully managed
– Worker nodes are almost fully managed
• “Have” to scale yourself
• “Have” to reboot yourself (after updates)
– “Quick” and easy deployment of a cluster
• az cli, terraform, ansible, arm, pws

Copyright InSpark
– Integration with other Microsoft/ Azure Services, e.g.
• Azure Container Registry
• Azure Monitor (Log Analytics, Application Insights)
– Monitoring cluster and/ or application
• Key Vault
– Secrets
• PaaS Database solutions
• Storage
– Azure Disks
– Azure Files
• Azure DevOps integration

Copyright InSpark
Responsibilities DIY with Kubernetes Managed Kubernetes on Azure
Containerization
Application iteration,
debugging
CI/CD
Cluster hosting
Cluster upgrade
Patching
Scaling
Monitoring and logging
Customer
Microsoft
Managed Kubernetes
empowers you to do more
Focus on your containers
and code, not the plumbing
of them

Copyright InSpark
Kubernetes
control
API server
replication, namespace,
serviceaccounts, etc.
-controller-
manager -scheduler
etcd
Master node
Worker node
kubelet kube-proxy
Docker
Prod Prod
Containers Containers
Worker node
kubelet kube-proxy
Docker
Prod Prod
Containers Containers
Internet

Copyright InSpark
API server
Controller
ManagerScheduler
etcd
Store
Cloud
Controller
Self-managed master node(s)
• Automated upgrades, patches
• High reliability, availability
• Easy, secure cluster scaling
• Self-healing
• API server monitoring
• At no charge
Customer VMs
App/
workload
definitionUser
Docker
Pods
Docker
Pods
Docker
Pods
Docker
Pods
Docker
Pods
Schedule pods over
private tunnel
Kubernetes
API endpoint
Azure managed control plane

Copyright InSpark
Built-in
auto scaling
Global
data center
Geo-replicated
container registry
Elastically burst
using ACI
Browser
Traffic
manager
Geo-replicated
container registry
AKS clusters
Azure Container Instances
Pod Pod
Pod Pod
Pod Pod

Copyright InSpark
Do It Yourself acs-engine Azure Kubernetes
Service
Description Create your VMs,
deploy k8s
acs-engine generates
ARM templates to
deploy k8s
Managed K8S
Possibility to modify
the cluster
Highest Highest Medium
You pay for Master+Node VMs Master+Node VMs Node VMs

Copyright InSpark

Namespaces objects is the Logical Isolation boundy
Provide a scope for names
Not all objects can be
namespaced i.e. nodes

Maintain at least N-1 fot minor releases for production workloads
Recommend 3 Month upgrade cycle for minor verions
Enable functional add ons to cluster minimal cluster redeployment
Recommend automating nodes reboot for security patches
Recommend blue/green cluster upgrades for customer production
workloads

DEMO – AZURE MONITOR

Copyright InSpark
1. Kubernetes Developer authenticates with AAD
2. The AAD token issuance endpoint issues the access
token
3. Developer performs action w/ AAD token.
Eg.kubectlcreate pod
4. Kubernetes validates token with AAD and fetches the
Developer’s AAD Groups Eg.Dev Team A, App Group B
5. Kubernetes RBAC and cluster policies are applied
6. Request is successful or not based on the previous
validation

Copyright InSpark
$ az aks get-credentials --resource-group myAKSCluster --name myAKSCluster
$ kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BUJHWDGNL to authenticate.
Or
Error from server (Forbidden): nodes is forbidden: User baduser@contoso.com cannot list nodes at
the cluster scope

Copyright InSpark
o Use namespaces, do not deploy to default
o Namespaces Object is the logical Isolation boundary
o Provide a scope for names
o Not all objects can be namespaced i.e. nodes
o Optionally, use different clusters for different apps/environments (remember, you
do not pay for the master nodes!)
o Use resource quotas
o Use at least 3 nodes, that will give you enough capacity during upgrades (especially
if using disks as persistent volumes)

Copyright InSpark
• You can use AAD-based access to Azure Files
• Managed Disks encrypted with Storage Service
Encryption
More information:
https://docs.microsoft.com/mt-mt/azure/aks/concepts-storage

Copyright InSpark
o Dynamic disk
o Static Azure disks
o Dynamic Azure files
o Static Azure files
Notes:
o Disks are ReadWriteOnce, Files are ReadWriteMany
o Only Disks support Premium storage

Copyright InSpark
o Service Type LoadBalancer
o Basic Layer4 Load Balancing
(TCP/UDP)
o Each service as assigned an IP on
the ALB (Azure Load Balancer)

Copyright InSpark
o Used for internal services that should be
accessed by other VNETs or OnPremise only

Copyright InSpark
o Ingress is a Kubernetes API that manages external access to the services in the
cluster
o Supports HTTP and HTTPs
o Path and Subdomain based routing
o SSL Termination
o Save on public IP-addresses
o Ingress controller is a daemon, deployed as a Kubernetes Pod, that watches the Ingress
Endpoint for updates. Its job is to satisfy requests for ingresses.

Copyright InSpark
o Scales nodes based on pending pods
o Scale up and scale down
o Reduces dependency on monitoring
o Removes need for users to manage
nodes and monitor service usage
manually

Copyright InSpark
o Step1:
az group create -–name aksrg
o Step2:
az aks create -n myakscluster -g aksrg --node-count 2 -k 1.11.3 -s Standard_DS2_v2
o Step3
az aks get-credentials –myakscluster -g aksrg

DEMO + HOMEWORK AKS
HTTPS://AKSWORKSHOP.IO/

AZURE ACI
Containers
101
Azure
container
technology
Container
orchestration
Azure
Container
Service (AKS)
App service
Azure
Container
Registry
Open Service
Broker for
Azure (OSBA)
Release
automation
tools
Open source
community
Customer
success
stories
Getting
started
Azure
Container
Instances
(ACI)

Easily run serverless containers
Containers as a primitive
billed per second
Secure applications with
hypervisor isolation
Run containers
without managing
servers

Elastic Bursting (AKS)Event Driven AppsModular apps

KUBERNETES - SCALABILITY

BEDANKT!
Copyright InSpark

Aks pimarox from zero to hero

More Related Content

What's hot

Similar to Aks pimarox from zero to hero

Recently uploaded

Aks pimarox from zero to hero