Comparing akv2k8s with Azure Key Vault Provider for Secret Store CSI Driver

In a recent analysis, I explored two notable solutions for synchronizing secrets from Azure Key Vaults to AKS (Azure Kubernetes Service) clusters: akv2k8s and the Azure Key Vault Provider for the Secret Store CSI Driver. Here, I present my findings and recommendations based on the functionality, maintenance requirements, and integration capabilities of these tools. Akv2k8s, maintained by Sparebanken, is an open-source tool designed for the synchronization of secrets. Being dependent on an external tool for Kubernetes secrets synchronization is an undesirable situation and poses several challenges. Notably, the latest version of akv2k8s has been problematic, especially concerning the deployment of Postgres databases on our AKS clusters using the EDB operator. Akv2k8s alters the SecurityContext of pods in a way that causes them to fail. ...

March 11, 2024 · Mischa van den Burg

Kubernetes Gateway API & Azure Application Gateway for Containers

This document is the result of my research into the Gateway API. It aims to briefly describe the Gateway API for Kubernetes, a typical implementation of ingress traffic using NGINX in AKS and how this setup could benefit from implementing the Gateway API. Introduction Gateway API is an official Kubernetes project focused on L4 and L7 routing in Kubernetes. This project represents the next generation of Kubernetes Ingress, Load Balancing, and Service Mesh APIs. From the outset, it has been designed to be generic, expressive, and role-oriented. ...

March 10, 2024 · Mischa van den Burg

PersistentVolumeClaims Lifecycle in Kubernetes

I always thought that Persistent Volume Claims were deleted when you delete the pod they are associated with. I was wrong. The lifecycle of PVCs is independent of Pods, and their behavior is largely governed by the Reclaim Policy set on the PVs. Here's what you need to know: PVCs: These are requests for storage, akin to how Pods request resources like CPU and memory. They exist independently and can be bound to Pods when needed. PVs: Provisioned by administrators or dynamically through Storage Classes, PVs provide the actual storage resources. Their lifecycle is not tied to any specific Pod. Understanding Reclaim Policies: The Reclaim Policy on a PV dictates its fate after a PVC is released. There are three policies to be aware of: ...

January 18, 2024 · Mischa van den Burg

Video notes - Application Gateway for Containers

App Gateway: It has App Gateway in the name, but it is an entirely new solution. The name is the only thing it has in common with Azure Application Gateway. Resources: There are two types of resources, Azure resources and k8s resources. The App Gateway for Containers is an Azure resource which listens to changes in k8s resources through the ALB controller. AGWFC is the control plane. ...

January 5, 2024 · Mischa van den Burg

Homelab Secret Management With GitOps and Azure Key Vault

In this blog post, I want to share with you how I set up secrets management for my home lab. I use my home lab to explore new technologies, but I also try to keep it in line with the practices I would use when setting up environments for clients. I focus on Microsoft Azure and the ecosystem they provide for cloud native applications. Secrets management is an important aspect of any cloud-native application, as it allows you to securely store and access sensitive information such as passwords, tokens and certificates. ...

December 29, 2023 · Mischa van den Burg

Talk: Avoiding Microservice Megadisasters by Jimmy Bogard

Watched this very insightful talk on microservice architecture. Some things I learned:
- Microservices should be autonomous: they should have minimal dependencies on other microservices.
- If they have dependencies, they should only be 1 layer deep: a microservice should not be calling another microservice which calls another microservice.
- Dependencies can be reversed by pushing data towards the service. For example, a pricing database can be dumped and pushed to a catalog service once a day.
- Data duplication is not a sin.
Another powerful point he made is that the architecture is a reflection of the organization's structure. He explained that the company was organized in teams and that managers of teams were promoted based on the number of people they managed. This meant that managers were making up services which needed people to build them, which led to a proliferation of services and dependencies. ...

December 23, 2023 · Mischa van den Burg

Ensure Cgroupsv2 compatibility when containerizing old apps

Are you currently working with containerizing older Java or .NET applications? From Kubernetes 1.29, the default cgroups implementation on Azure Linux AKS nodes will be cgroupsv2. Older versions of Java, .NET and NodeJS do not support querying cgroupsv2 memory constraints, and this will lead to out of memory (OOM) issues for workloads. Please make sure that your older containerized applications are compatible with cgroupsv2, or you might be in quite some pain in the future. ...

December 12, 2023 · Mischa van den Burg

Deploying Grafana Agent With Custom Secrets From Azure Key Vault Using Akv2k8s And K8s-Monitoring Helm Chart

Grafana has developed a Helm chart which greatly simplifies the deployment of a monitoring stack to your Kubernetes clusters. It contains:
- kube-state-metrics, which gathers metrics about Kubernetes objects
- Node exporter, which gathers metrics about Kubernetes nodes
- OpenCost, which interprets the above to create cost metrics for the cluster, and
- Grafana Agent, which scrapes the above services to forward metrics to Prometheus and logs to Loki
The Prometheus and Loki services may be hosted on the same cluster, or remotely (e.g. on Grafana Cloud). ...

November 28, 2023 · Mischa van den Burg

Setting up Grafana Cloud with Entra ID authentication using Terraform

Been working on a nice project lately. My current client has chosen to run Grafana Cloud and the instance was running in West US, which was leading to slower performance. I took up the project of provisioning a new instance in West Europe. Although I would have preferred to host Grafana ourselves or use Azure Managed Grafana, this is what the client has chosen, so that is what I'll have to work with. ...

November 17, 2023 · Mischa van den Burg

KEDA went GA for AKS!

Great news! KEDA finally went GA for AKS. https://learn.microsoft.com/en-us/azure/aks/keda-about Links: 202311081711

November 9, 2023 · Mischa van den Burg