10.2. Azure Kubernetes Service.md

Azure Kubernetes Service

• Managed Kubernetes platform
• You can manually scale nodes using az aks scale --resource-group myResourceGroup --name myAKSCluster --node-count 3
• To scale out run: kubectl scale --replicas=3 deployment/test-app

Creating a cluster

• Creates all infrastructure NSG, route table, VNET, VMs, NICs., Availability set, storage account..
  • See Microsoft walkthrough for more information
• Configurations
  • Select a DNS name
  • Choose node VM size
  • Select amount of initial nodes
  • Authorization
    • Create / select a service principal
      • Service principals are used to ensure that the cluster can work with other Azure services
    • RBAC: Use Azure AD to limit access to cluster resources based a user's identity or group membership.
  • Network: Use existing VNet or create new
  • Monitoring: Collected from containers to Log Analytics Workspace through Azure Monitor.

Using CLI

• Create a resource group az group create --name test-rg --location eastus

• Create cluster: az aks create --resource-group test-rg --name testcluster --node-count 1 --enable-addons monitoring --generate-ssh-keys

• Install kubectl CLI: to manage the cluster: az aks install-cli --install-location=./kubectl

• Connect: To configure kubectl to connect to your Kubernetes cluster, use az aks get-credentials --resource-group test-rg --name testcluster

• To verify connection use kubectl get nodes

• To deploy apache server you need a deployment yaml:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
    name: test-apache-app
    spec:
    replicas: 1
    selector:
        matchLabels:
        app: test-app
    template:
        metadata:
        labels:
            apsps: test-app
    spec:
        containers:
        - name: testappserver
            image: httpd
            ports:
            - containerPort: 80
    ---
    apiVersion: v1
    kind: Service # To expose the container to outside world
    metadata:
      name: test-app
    spec:
    type: LoadBalancer
    ports:
        - port: 80
    selector:
        app: test-app

• Two ways to deploy the specs:

  1. Declarative management: kubectl apply -f app.yaml
  2. Imperative management: kubectl create

• Run kubectl get all to see status of containers, services, replicas & deployment

  • Can also run kubectl get deployments, kubectl get pods
  • Pod = group of containers that are deployed together on the same host.
    • If you deploy single containers, pod = container

• Get external IP: kubectl get service test-app --watch (--watch flag to wait until it's exposed to internet)

Using ARM

• Create a key ssh-keygen -t rsa -b 2048
  • Copy your public key
• Create a service principal for AKS so it can work with other Azure services
  • az ad sp create-for-rbac --skip--asignment
    • Copy appId and password
• Select AKS template, e.g. quickstart 101-aks
  • Paste RSA public key
  • Past appId and password as service principal client id and service principal client secret
• See Microsoft walkthrough for more information

Interacting with Azure Services

• Needed to dynamically create and manage other Azure resources such as an Azure load balancer or container registry (ACR).
• To interact with Azure APIs, an AKS cluster requires either:
  • Azure Active Directory (AD) service principal
  • managed identity
• az create creates a service principal automatically.
  • Credentials will be saved in $HOME/.azure/aksServicePrincipal.json on machine that run the command
• Or you can create it manually using az ad sp create-for-rbac --skip-assignment --name myAKSClusterServicePrincipal
  • You can then assign it to AKS when creating it:
  • az aks create --resource-group myResourceGroup --name myAKSCluster --service-principal <appId> --client-secret <password>
  • Delegate access to other resources as Azure Container Registry, Networking, Storage, Azure Container Instances.
    • az role assignment create --assignee <appId> --scope <resourceScope> --role Contributor

Running serverless containers in AKS

• Virtual Kubelet allows to add virtual serverless nodes (e.g. AWS Fargate, Azure Container Instances) to a Kubernetes cluster.
  • You can add e.g. Azure Container Instance using az aks install-connector command
    • Creates service principal
    • ❗ Depends on helm (requires helm init)
    • Will be deprecated shortly
• Ensure trust between service principle of AKS and Azure resources with az role assignment create
  • E.g. allow AKS to connect to Azure Container Registry
• Create a yaml file for deployment
• Run kubectl command to deploy the file.

Deploy helm to cluster

• Helm
  • Open-source package manager for Kubernetes clusters (like APT or Yum for Linux)
  • Applications are deployed with the help of helm charts
    • Helm charts = packages of preconfigured Kubernetes clusters
• It's used for a Tiller service
  • Tiller is a server service that resides in Kubernetes
  • It's used along with helm for deploying the application
• Using v3
  1. helm repo add to add a repo
  2. helm repo update to update charts
  3. helm install to run charts
• 📝Using v2

  1. kubectl apply

     • Deploy a yaml file to create a service account using kubectl apply -f helm-rbac.yaml:

        apiVersion: v1
        kind: ServiceAccount
        metadata:
        name: tiller
        namespace: kube-system
        ---
        apiVersion: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        metadata:
        name: tiller
        roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
        subjects:
        - kind: ServiceAccount
            name: tiller
            namespace: kube-system

  2. helm init

     • Initialize service account: helm init --service-account tiller --node-selectors "beta.kubernetes.io/os=linux"

  3. helm install

     • E.g. install an nginx container with helm:
     • helm install stable/nginx-ingress --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux"

Access and identity options

• Accounts in Kubernetes
  • Service account: one of the primary user types in Kubernetes.
    • credentials for service accounts are stored as Kubernetes secrets
    • allows to be authorized by pods to communicate with API Server
  • Normal user accounts: human administrators/developers.
    • No identity solution in Kubernetes, in AKS integrated identity solution is Azure Active Directory
  • Credentials for service accounts are stored as Kubernetes secrets
  • To obtain a kubectl configuration context, a user can run the az aks get-credentials command
• Azure RBAC can be used to access Azure resources.
• Kubernetes RBAC
  • A role is defined as set of granted permissions.
    • Two types:
      • Role: within a namespace
      • ClusterRoles: within
        • an entire set of cluster
        • or cluster resources outside a given namespace
  • Once roles are defined, you assign those using:
    • RoleBinding to assign roles for a given namespace
    • ClusterRoleBindings to assign across entire cluster or to cluster resources outside a given namespace.
    • You use bindings to grant Azure AD users to perform actions within the cluster.