Azure Kubernetes Service (AKS)

Video Transcription
Hello, Cybrarians. Welcome to lesson 5.4 of Module 5 of this course, Microsoft Azure Architect Design.
Here are the objectives that we'll cover in this video.
We'll start by introducing Azure Kubernetes Service and what exactly the service is and what it is for. We'll then discuss briefly the architecture of the service, particularly the control plane and the worker nodes.
We'll cover AKS from a security perspective.
We'll cover AKS from an availability perspective, with the best practices for this.
Finally, we'll conclude with the integration that exists between AKS and ACI, and how we can burst our workloads into ACI when deploying them to AKS.
Let's get into this. Azure Kubernetes Service is a managed Kubernetes orchestration service. What does this mean? What this means is that AKS makes it simple to deploy and manage a Kubernetes cluster in Azure.
It does this by allowing us to offload a lot of the provisioning and management responsibilities to Microsoft, while we focus on the application.
AKS also offers multiple Kubernetes versions, and as new versions become available in AKS, a cluster can be upgraded using the Azure portal or using the Azure CLI, and during the upgrade process, nodes are carefully cordoned and drained
to minimize disruption to running applications.
Also, native Kubernetes has a rich ecosystem of development and management tools, such as Helm and Draft and even the Kubernetes extension for Visual Studio Code.
The tools that we currently use to work with native Kubernetes work seamlessly with AKS. Also,
let's get into a decent bit more detail.
Here is a diagram of the Kubernetes architecture.
Now, Kubernetes is an open source solution that provides APIs that control how and where containerized applications will run. In other words, it allows us to be able to orchestrate a cluster of virtual machines and schedule containers to run on those virtual machines
based on available compute resources
and the resource requirement for each container.
To achieve this, Kubernetes has a control plane, which consists of the master node
and includes Kubernetes components like the API server, which provides interaction for management tools like kubectl, or kube-cuttle, however you pronounce that.
It has the etcd component, which is what maintains the state of our Kubernetes cluster and configuration, and it has the kube-scheduler, which determines what nodes can run our workloads and then starts the pods.
It also has the nodes, which are the actual virtual machines that run our containerized applications and services.
And this is where AKS shines.
As a managed service, AKS greatly reduces the complexity of deploying a Kubernetes cluster and of the core management tasks.
So, for example, when we deploy an AKS cluster, the Kubernetes master and all the nodes are deployed and configured for us. We don't need to configure components like a highly available etcd store. That's all taken care of by the Azure platform.
Also, the control plane, which is the Kubernetes master that we talked about earlier, is completely managed by the Azure platform.
Azure handles critical tasks like health monitoring and maintenance for us.
We only manage and maintain the agent nodes,
which is what runs our actual containers.
And this is where it gets better: the managed Kubernetes master, or the control plane, is completely free. You heard that right, completely free,
and we only pay for the agent nodes within our cluster. We do not pay for the master and we do not pay for the management of it. That's all taken care of.
Now, here are some of the elements of orchestration that AKS supports and that AKS provides to us. Scheduling, for example. What that means is that it automatically finds a suitable machine
with sufficient resources to run our containers. Affinity or anti-affinity, which means that we can specify a set of containers that should run near to each other, maybe for performance reasons, or we can say that a set of containers needs to run sufficiently far apart from each other, maybe for availability reasons,
and the enforcement of that configuration is managed for us.
Also, health monitoring, which means that it watches out for container failures and automatically reschedules containers that fail.
Failover, which means that it constantly keeps track of what is running on each node and it reschedules containers from failed nodes to healthy nodes.
Scaling, which means that it can add or remove container instances to match the demand, and this can happen either manually or automatically.
Networking, which means that it provides an overlay network for coordinating containers to communicate across multiple host machines.
Service discovery, which enables containers to locate each other automatically as they move around between host machines and as their IP addresses change.
Also, coordinated application upgrades, which manages container upgrades to avoid application downtime and also enables rollback if something goes wrong. These are all the different features and functionality that AKS provides for us.
Here are some of the security best practices for AKS.
Number one, we need to manage RBAC access to AKS from the platform level,
and we can do this with existing Azure AD identities, and the principle that we want to follow is the principle of least privilege. So remember, this is talking about the platform level.
The other aspect I want to take you through is from the cluster level,
so we want to control and limit user permissions to AKS and also to the Kubernetes API server itself from the cluster level, and we can also integrate Kubernetes with Azure AD so that we can simplify the management of identities from a single place.
The other best practice is around using pod identities. So, in some cases, our pods, or the containerized applications that are running within those pods, need access to certain Azure services.
It's not a good idea to use fixed credentials to do this. The best idea is to integrate with something called Azure managed identity to achieve this. And what this means is, if an application that is running within a pod needs to access an Azure service, like SQL Database or Cosmos DB or Azure Storage,
it can simply request a bearer token from Azure AD using the pod identity,
obtain the token, and then use the token to access the service that it needs access to.
Number four, limit container access to resources.
And what this means is, with the pod identities that we talked about, we want to limit access to the actions that containers can perform within the Azure platform,
so we provide the least number of permissions and we want to avoid the use of privilege escalation.
Also, it's a good practice to regularly update to the latest version of Kubernetes, so to stay current on new features and bug fixes we want to regularly upgrade to the Kubernetes version that Microsoft releases as the latest supported version.
We also want to process Linux node updates and reboots using the Kubernetes reboot daemon. AKS automatically downloads and installs security fixes on each Linux node that is running within our AKS cluster, but it does not automatically reboot if a reboot is necessary.
So we want to use this Kubernetes reboot daemon to watch for pending reboots and then safely cordon
and drain the nodes to allow the nodes to reboot and apply the updates, so that we can be as secure as possible with regard to the operating system. If we're using Windows Server nodes within our AKS cluster, we want to regularly perform an AKS upgrade operation,
which will safely cordon and drain the pods and then deploy updated nodes.
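As an added example (not part of the lesson or of AKS itself), here is a small Python audit that checks pod manifests for two of the practices above: containers must not allow privilege escalation, and long-lived Azure credentials must not be baked into the manifest where a pod identity should be used instead. The credential-name patterns and the two sample manifests are constructed assumptions.

```python
import re

# Env var names that look like long-lived Azure credentials (constructed list, an assumption).
CREDENTIAL_NAME_RE = re.compile(r"(CONNECTION_STRING|ACCOUNT_KEY|CLIENT_SECRET|SAS_TOKEN|PASSWORD)$", re.I)

def audit_pod(pod):
    """Return findings for one pod manifest (dict shaped like the Kubernetes API object).
    An empty list means the pod passes both checks."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        # Kubernetes defaults allowPrivilegeEscalation to true unless it is set to
        # false explicitly, and privileged: true forces it on.
        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation not disabled")
        # runAsNonRoot may be set at the pod or the container level.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{name}: runAsNonRoot not set")
        # A literal value on a credential-looking env var means the secret is baked
        # into the manifest instead of being obtained at runtime via pod identity.
        for env in c.get("env", []):
            if CREDENTIAL_NAME_RE.search(env.get("name", "")) and "value" in env:
                findings.append(f"{name}: env {env['name']} carries a fixed credential")
    return findings

# Constructed sample manifests, not from a real cluster.
BAD_POD = {"metadata": {"name": "web"}, "spec": {"containers": [{
    "name": "app", "image": "myregistry.azurecr.io/app:1.0",
    "securityContext": {"privileged": True},
    "env": [{"name": "STORAGE_ACCOUNT_KEY", "value": "placeholder-key"}]}]}}

GOOD_POD = {
    # aadpodidbinding is the label AAD Pod Identity uses to bind a pod to an identity.
    "metadata": {"name": "web", "labels": {"aadpodidbinding": "app-identity"}},
    "spec": {"securityContext": {"runAsNonRoot": True}, "containers": [{
        "name": "app", "image": "myregistry.azurecr.io/app:1.0",
        "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
        # The account name is not a secret; the access token comes from the pod identity.
        "env": [{"name": "STORAGE_ACCOUNT_NAME", "value": "mystorageacct"}]}]}}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or ["ok"])
```

The same function can be run over manifests loaded from a cluster (kubectl get pods -o json) to find pods that still rely on fixed credentials or default privilege settings.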
Here are some availability best practices for AKS.
Number one, plan for AKS clusters in multiple regions.
AKS is deployed into a single region by default, but to protect a system from regional failures we want to deploy our application into multiple AKS clusters across different regions.
Now, if we have multiple AKS clusters in different regions, we want to use Traffic Manager to control our traffic flows to the applications that run in each cluster. Azure Traffic Manager is a DNS-based traffic load balancer that can distribute network traffic across regions.
Number three, use geo-replication for container image registries. Do not forget this in planning for availability,
because it's very easy to focus on availability for the running applications and forget that the container images for applications are actually stored in either Azure Container Registry or a private registry somewhere. So you want to ensure that you have availability configured for that. Also,
the other thing that we want to do is plan for application state across multiple clusters, because, where possible, we don't want to store service state inside the container. Instead, what we want to use is an Azure platform-as-a-service option that supports multi-region replication.
And finally, we want to replicate storage across multiple regions. If we're using Azure Storage, we want to prepare and test how to migrate our storage from the primary region to the backup region, as our applications might use Azure Storage for their data.
Because applications are spread across multiple AKS clusters in different regions,
we need to ensure that we have a way to keep the storage in sync, and we also want to test the failover across the different storage clusters. When it comes to scaling our containerized applications that are running on AKS,
the Kubernetes scheduler allocates pods to run on nodes within the cluster.
And if we run out of resources on the existing nodes, we can add more nodes to a cluster, provided that we have not reached the Azure cluster limit, and I'll be showing you how to do this in the demo.
But it may take a few minutes for those nodes to successfully provision before the Kubernetes scheduler is allowed to run pods on them.
There is another option, however.
To rapidly scale our AKS cluster we can integrate with Azure Container Instances, which allows us to quickly deploy container instances without additional infrastructure overhead. So we discussed this earlier:
when we connect AKS with ACI, ACI becomes a secured, logical extension of the AKS cluster. And what does this mean?
What this means is that we can use ACI as a virtual node
for AKS.
So this is done using something called the ACI connector,
which turns ACI into a virtual node, and this is based on the open source Virtual Kubelet.
This will be installed on our AKS cluster and it's going to present ACI as a virtual Kubernetes node.
We can then use AKS virtual nodes to provision pods inside ACI that start in seconds. This enables AKS to run with just enough capacity for our average workload, and as we run out of capacity in the AKS cluster we can... That brings me to the end of this lesson. Thanks very much for watching,
and I'll see you in the next lesson.