Comparing akv2k8s with Azure Key Vault Provider for Secrets Store CSI Driver

In a recent analysis, I explored two notable solutions for synchronizing secrets from Azure Key Vault to AKS (Azure Kubernetes Service) clusters: akv2k8s and the Azure Key Vault Provider for the Secrets Store CSI Driver. Here, I present my findings and recommendations based on the functionality, maintenance requirements, and integration capabilities of these tools. akv2k8s, maintained by Sparebanken Vest, is an open-source tool designed for synchronizing secrets. Depending on an external, third-party tool for Kubernetes secret synchronization is undesirable and poses several challenges. Notably, the latest version of akv2k8s has been problematic, especially concerning the deployment of Postgres databases on our AKS clusters using the EDB operator: akv2k8s alters the SecurityContext of pods in a way that causes them to fail. ...

March 11, 2024 · Mischa van den Burg

PersistentVolumeClaims Lifecycle in Kubernetes

I always thought that Persistent Volume Claims were deleted when you delete the pod they are associated with. I was wrong. The lifecycle of PVCs is independent of Pods, and what happens to the underlying storage once a claim is released is governed by the Reclaim Policy set on the PV. Here's what you need to know. PVCs are requests for storage, akin to how Pods request resources like CPU and memory; they exist independently and can be bound to Pods when needed. PVs, provisioned by administrators or dynamically through Storage Classes, provide the actual storage resources; their lifecycle is not tied to any specific Pod. Understanding Reclaim Policies: the Reclaim Policy on a PV dictates its fate after a PVC is released. There are three policies to be aware of: ...

January 18, 2024 · Mischa van den Burg

Homelab Secret Management With GitOps and Azure Key Vault

In this blog post, I want to share with you how I set up secrets management for my home lab. I use my home lab to explore new technologies, but I also try to keep it in line with the practices I would use when setting up environments for clients. I focus on Microsoft Azure and the ecosystem they provide for cloud native applications. Secrets management is an important aspect of any cloud-native application, as it allows you to securely store and access sensitive information such as passwords, tokens and certificates. ...

December 29, 2023 · Mischa van den Burg

Implementing Pod Disruption Budgets

When I was doing the first round of AKS cluster upgrades at my current client, I noticed we were running a lot of pods with only 1 replica. I always try to lift my clients to the next level by leveraging Cloud Native technologies as much as possible. I'm therefore starting a project to always run applications with multiple replicas. However, running multiple replicas is not the only necessary improvement here. Even though a deployment runs multiple replicas, that does not mean that Kubernetes will always keep them alive. When you do an AKS cluster upgrade, nodes are drained one by one and the pods are moved to a node with the newer Kubernetes version. Technically, when draining a node, Kubernetes could evict both pods at the same time if they are running on the same node. ...

November 27, 2023 · Mischa van den Burg

KEDA went GA for AKS!

Great news! KEDA finally went GA for AKS. https://learn.microsoft.com/en-us/azure/aks/keda-about Links: 202311081711

November 9, 2023 · Mischa van den Burg

Backing up AKS Clusters with Azure Backup is now in preview

You can now back up your AKS clusters using Azure Backup, in preview! Ideally your clusters are stateless and you can redeploy everything from code when sh*t hits the fan. However, I can think of a few enterprise use cases that will be relevant for this new feature. https://learn.microsoft.com/en-us/azure/backup/azure-kubernetes-service-cluster-backup Links: 202310130610 [[AKS]] [[Kubernetes]] [[Azure]]

October 13, 2023 · Mischa van den Burg

Some Interesting Features went GA on Azure

Yesterday a few interesting AKS-related features became Generally Available on Azure. The KEDA add-on makes it easier to scale your applications on AKS clusters: https://azure.microsoft.com/en-us/updates/generally-available-keda-addon-for-aks/ You can have a flexible and customized strategy for node-level OS security updates: https://azure.microsoft.com/en-us/updates/ga-node-os-patching-nodeimage-feature-in-aks/ Use the Vertical Pod Autoscaling add-on for AKS to improve cost-efficiency and cluster utilization for your workloads: https://azure.microsoft.com/en-us/updates/ga-vertical-pod-autoscaling-addon-for-aks/ In public preview: AKS support for Kubernetes version 1.28: https://azure.microsoft.com/en-us/updates/public-preview-aks-support-for-kubernetes-version-128/ Links: 202309281009 [[Azure]] [[Kubernetes]] ...

September 28, 2023 · Mischa van den Burg

Pod Disruption Budgets Can Mess With Your AKS Updates

This past week we've been struggling a bit with poorly configured pod disruption budgets. When you do an AKS upgrade, a new node is created and one of the old nodes is drained. If a deployment has a pod disruption budget which is incorrectly configured, it may show up as ALLOWED DISRUPTIONS: 0. When this happens, the node cannot be drained and you will get an error message in your events. ...

September 27, 2023 · Mischa van den Burg
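The two PDB posts above (Implementing Pod Disruption Budgets, and Pod Disruption Budgets Can Mess With Your AKS Updates) both come down to the same arithmetic: a budget that resolves to ALLOWED DISRUPTIONS: 0 stops the node drain during an upgrade. As an added example, not code from the original posts, the following Python reproduces how the Kubernetes disruption controller computes that number, including the rounding rules (a percentage minAvailable rounds up, a percentage maxUnavailable rounds down), so a budget can be checked against its replica count before an upgrade rather than discovered in the events. The Pdb model, the sample budgets and their replica counts are constructed for illustration.

```python
"""Reproduce the disruption controller's ALLOWED DISRUPTIONS arithmetic for
a PodDisruptionBudget. Added example, not code from the original posts; the
Pdb model and the sample budgets below are constructed for illustration.

Rounding follows upstream Kubernetes (intstr.GetScaledValueFromIntOrPercent):
a percentage minAvailable is rounded UP, a percentage maxUnavailable DOWN.
"""
from __future__ import annotations

import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Pdb:
    """Minimal PDB spec: exactly one of minAvailable / maxUnavailable is set."""
    name: str
    min_available: int | str | None = None    # e.g. 1 or "50%"
    max_unavailable: int | str | None = None  # e.g. 1 or "25%"


def _scaled(value: int | str, total: int, round_up: bool) -> int:
    """Resolve an int-or-percent value against `total` selected pods."""
    if isinstance(value, int):
        return value
    if not value.endswith("%"):
        raise ValueError(f"invalid int-or-percent value: {value!r}")
    scaled = int(value[:-1]) * total / 100
    return math.ceil(scaled) if round_up else math.floor(scaled)


def allowed_disruptions(pdb: Pdb, expected: int, healthy: int) -> int:
    """status.disruptionsAllowed for `expected` selected pods, `healthy` of them ready."""
    if (pdb.min_available is None) == (pdb.max_unavailable is None):
        raise ValueError("set exactly one of minAvailable or maxUnavailable")
    if pdb.min_available is not None:
        desired_healthy = _scaled(pdb.min_available, expected, round_up=True)
    else:
        max_unavailable = _scaled(pdb.max_unavailable, expected, round_up=False)
        desired_healthy = max(expected - max_unavailable, 0)
    # A drain may evict only as many pods as are healthy above the floor.
    return max(healthy - desired_healthy, 0)


def drain_blockers(budgets: list[tuple[Pdb, int, int]]) -> list[str]:
    """Names of budgets that report ALLOWED DISRUPTIONS: 0 and so stall a node drain."""
    return [pdb.name for pdb, expected, healthy in budgets
            if allowed_disruptions(pdb, expected, healthy) == 0]


# Constructed (PDB, replicas selected, replicas currently healthy) triples.
SAMPLE_BUDGETS = [
    (Pdb("single-replica", min_available=1), 1, 1),       # 1 replica, minAvailable 1: never drainable
    (Pdb("two-replicas", min_available=1), 2, 2),         # the fix: a second replica allows 1 eviction
    (Pdb("half-available", min_available="50%"), 3, 3),   # ceil(1.5) = 2 must stay -> 1 eviction allowed
    (Pdb("pct-too-small", max_unavailable="25%"), 3, 3),  # floor(0.75) = 0 -> nothing may be evicted
    (Pdb("one-pod-down", max_unavailable=1), 2, 1),       # an unhealthy pod already used the budget
]

if __name__ == "__main__":
    for pdb, expected, healthy in SAMPLE_BUDGETS:
        print(f"{pdb.name:16} ALLOWED DISRUPTIONS: {allowed_disruptions(pdb, expected, healthy)}")
    print("would block a drain:", ", ".join(drain_blockers(SAMPLE_BUDGETS)))
```

The single-replica case is the one from the first post: with minAvailable 1 and one replica, the budget can never allow an eviction, so adding replicas is a prerequisite for the PDB to do anything useful. The percentage case shows a subtler trap: maxUnavailable "25%" on three replicas rounds down to zero, which is just as blocking as the misconfiguration above even though the manifest looks reasonable.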

Video: Deploying AKS Cluster With Azure CNI Using Bicep

In this video, I will show you how to use Bicep to deploy a Kubernetes cluster with custom network settings using Azure CNI. Azure CNI allows pods to be assigned IP addresses from Azure VNets, which allows them to communicate with Azure resources directly, including through peered networks. ...

July 9, 2023 · Mischa van den Burg

Video: Finishing Pipeline Setup & Working on KeyVault Template - Azure Kubernetes Lab Series

Goals: finish deploying the Key Vault using the pipeline; get the random name generation to work. Lessons learned: subscriptions need to be registered with resource providers, apparently (https://learn.microsoft.com/en-us/azure/azure-resource-manager/troubleshooting/error-register-resource-provider?tabs=azure-cli); accessPolicies are mandatory on Key Vaults, but not when RBAC is enabled; assign the Contributor role to the Azure DevOps service connection to be able to create resource groups from the pipeline. Achieved: set up the connection between the pipeline and the Azure subscription; assigned the correct rights to the service connection so it is allowed to deploy new resource groups (and other resources); learned about provider registrations; made progress on creating unique names for resources; successfully deployed a new resource group and Key Vault from the pipeline. Next time: look into random string creation with utcNow ...

June 30, 2023 · Mischa van den Burg