Being of a highly complex nature, container orchestration platforms (such as Kubernetes) benefit from being packaged as a managed service. A well-designed managed service eases the load on your DevOps team while keeping things simple and structured, encouraging an optimised and robust environment. Azure Kubernetes Service (AKS) is one such managed service. However, while Microsoft has done what it can to simplify Kubernetes, there is still a lot to architect, build and configure before this service is ready for production. Fortunately, there is a range of supporting products available that can improve your overall experience of productionising AKS.
Recently, I’ve been getting my hands dirty with a few such supporting products; experiencing them firsthand, and discovering which ones are the most effective in successfully deploying AKS. In this article, we will be taking a look at some of the tried and tested tools which you should consider for your own AKS deployment.
Setting up logging, monitoring, and alerting is a must before going to production. Get this configured early so you can understand your development environment during pre-production performance testing. This will allow you to tune your alerts to reduce false positives or conversely to develop new alerts to detect unforeseen edge cases.
Azure Monitor has a monitoring solution specifically developed for AKS called Azure Monitor for Containers. This makes for a brilliant out-of-the-box solution for getting AKS logs and performance data into a workspace and onto some dashboards. But it will require custom configuration in a couple of areas which are key for production. Specifically:
- Requires you to design and develop your own alerts based on the logs gathered by Azure Monitor using the Kusto Query Language (KQL) in Log Analytics
- Needs an Action Group for Azure Monitor alerts to integrate with an ITSM toolset, such as ServiceNow
To complement Azure Monitor for Containers, it’s also recommended to configure Application Insights for monitoring the applications hosted on AKS. Usually, Application Insights requires you to instrument your application with a few lines of code to send telemetry from your application out to Application Insights. While this method still works, AKS also supports codeless, zero-instrumentation logging to Application Insights using the Istio service mesh.
Azure Container Registry
There are lots of options for container repositories out there, but for a production environment you want a secure private repository where you can manage images. A secure image repository like Azure Container Registry will also scan your images for malware and vulnerabilities, ensuring you are not promoting dodgy images to production. A key item to consider here is how you plan to clean up old images from your repository: storage can become a costly issue in large environments or in environments with a high turnover of images.
Azure Security Center
Azure Security Center has a solution built for Kubernetes and containers called Threat Protection for Azure Containers. This provides native security recommendations, vulnerability and malware scanning, environment hardening and run-time protection capabilities within AKS. Azure Security Center also integrates with Azure Container Registry for image scanning, providing a central location for security-related alerts. A big bonus here is that Security Center achieves this without installing additional components onto the cluster beyond the Azure Monitor logging agent.
AKS is a complicated behemoth; anywhere you can cut down on complexity while still ticking all the security boxes is an absolute win.
Still on the topic of AKS security, AKS has several areas which, if architected well, provide excellent security benefits. These include role-based access control and guardrails for developers to ensure a minimum level of compliance with each AKS deployment.
Design your namespace strategy early. This will make it easier to roll out AKS to the wider organisation, help people learn and adopt AKS within your organisation, and ensure security permissions and policies can be applied effectively to the relevant spaces within your cluster. Part and parcel of developing namespaces is understanding what level of access you need to give developers to the AKS cluster itself. The rise of DevOps requires greater permissions for developers to do their job efficiently, and namespaces are a great way to manage permissions between different development teams.
Using an admission controller like Gatekeeper will provide guardrails to developers when building deployments for AKS. This is essential for making sure developers use the right type of mounted storage or do not forget to assign enough memory or CPU. Admission controllers do not need to be onerous, but they provide a great way to ensure developers build compliant deployments.
Integrating AKS with Azure AD is a must. This keeps the permissions and role-based access model seamless, and allows for easy auditing and secure access to the cluster and underlying containers. Users authenticate against Azure AD instead of the cluster itself, allowing you to indirectly apply advanced security features, like conditional access policies, to the AKS cluster.
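As an added example (not code from the original article), the following manifests show how a namespace strategy, Gatekeeper guardrails and Azure AD integration fit together. The namespace name, the constraint name and the Azure AD group object ID are placeholders I have constructed; on an Azure AD integrated AKS cluster, a RoleBinding refers to an Azure AD group by its object ID. The ConstraintTemplate carries its own Rego, so it needs Gatekeeper installed on the cluster but no other tooling.

```yaml
# --- A namespace per team, with a Role that grants day-to-day developer access ---
apiVersion: v1
kind: Namespace
metadata:
  name: team-payments            # placeholder team namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: developer
  namespace: team-payments
rules:
  - apiGroups: ["", "apps", "batch"]
    resources: ["pods", "pods/log", "deployments", "replicasets", "services", "configmaps", "jobs", "cronjobs"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods/exec", "pods/portforward"]
    verbs: ["create"]
  # No "secrets" entry: the team reads secrets from Key Vault, not from cluster storage.
---
# Bind the Role to an Azure AD group; the subject name is the group's object ID.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-developers
  namespace: team-payments
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: "00000000-0000-0000-0000-000000000000"   # placeholder: Azure AD group object ID
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
---
# --- A Gatekeeper guardrail: every container must declare CPU and memory limits ---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlimits
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLimits
      validation:
        openAPIV3Schema:
          type: object
          properties:
            limits:
              type: array
              items:
                type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlimits

        # One violation per container per missing limit named in the constraint's parameters.
        violation[{"msg": msg}] {
          container := input_containers[_]
          required := input.parameters.limits[_]
          not container.resources.limits[required]
          msg := sprintf("container <%v> has no %v limit", [container.name, required])
        }

        # Regular and init containers are both checked.
        input_containers[c] {
          c := input.review.object.spec.containers[_]
        }
        input_containers[c] {
          c := input.review.object.spec.initContainers[_]
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sRequiredLimits
metadata:
  name: pods-must-set-limits
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    excludedNamespaces: ["kube-system", "gatekeeper-system"]
  parameters:
    limits: ["cpu", "memory"]
```

Matching on Pod catches every workload controller, but a Deployment whose template lacks limits is accepted and only its ReplicaSet fails to create pods, so the rejection message shows up in ReplicaSet events rather than at `kubectl apply`. If developers need the feedback at apply time, extend the match to Deployments and point the Rego at `spec.template.spec` as well.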
Set up and manage both your applications and your AKS environment using CI/CD pipelines in a tool like Azure DevOps. This will speed up future cluster deployments and cut down on code drift between environments. Tools like Terraform are great for this, as they integrate well with both the Azure API and Azure DevOps.
Use a key vault like Azure Key Vault for secure management of secrets. Kubernetes stores Secrets only base64-encoded, which is not encryption and is very weak: anyone with access to the cluster has access to the secrets. Azure Key Vault ensures that only the AKS service principal and users with permission to a specific key vault can view encrypted secrets.
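The following is an added example, not from the original article, of pulling a secret from Azure Key Vault into a pod without ever writing it into cluster storage. It assumes the Azure Key Vault Provider for the Secrets Store CSI Driver is installed on the cluster and that the nodes' user-assigned managed identity has been granted get access to the vault's secrets; the vault name, secret name, identity client ID and tenant ID are placeholders I have constructed.

```yaml
# Describes which Key Vault objects to fetch and how to authenticate to the vault.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: payments-db-credentials
  namespace: team-payments
spec:
  provider: azure
  parameters:
    useVMManagedIdentity: "true"                       # authenticate with the node pool's identity
    userAssignedIdentityID: "<managed-identity-client-id>"   # placeholder
    keyvaultName: "kv-payments-prod"                   # placeholder vault name
    tenantId: "<azure-ad-tenant-id>"                   # placeholder
    objects: |
      array:
        - |
          objectName: db-password                      # placeholder secret name in the vault
          objectType: secret
---
# The secret is mounted as a read-only file; nothing is stored in a Kubernetes Secret.
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: team-payments
spec:
  containers:
    - name: api
      image: <your-registry>.azurecr.io/payments-api:1.0.0   # placeholder image
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
      volumeMounts:
        - name: kv-secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: kv-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: payments-db-credentials
```

The application reads `/mnt/secrets/db-password` at start-up. Because the value lives only in the vault and in the pod's tmpfs mount, a user with read access to the namespace's Secret objects still cannot see it, and access is audited in Key Vault rather than in the cluster.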
This one sounds obvious, but keeping production and non-production environments the same is especially important with AKS. When you have different pipelines for prod and non-prod, it’s very easy to end up with even subtle differences in code, dependencies and tool-sets. This becomes critical when cutting over to production and when troubleshooting edge-case issues later down the track. AKS has a feature for this called Dev Spaces, allowing you to effectively branch off the production cluster to test and debug your code in a safe development environment.
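As an added example, not from the original article, the Azure DevOps pipeline below drives the same Terraform code for every environment, so prod and non-prod differ only in a tfvars file. It assumes an Azure Resource Manager service connection per environment (names are placeholders I have constructed), the Terraform code under `infra/aks` with a remote state backend already configured, and the `AzureCLI@2` task, which exposes the connection's service principal credentials to the script when `addSpnToEnvironment` is set.

```yaml
# azure-pipelines.yml (constructed example)
trigger:
  branches:
    include: [main]

pool:
  vmImage: ubuntu-latest

parameters:
  - name: environment            # one pipeline definition for every environment
    type: string
    default: nonprod
    values: [nonprod, prod]

steps:
  - checkout: self

  - task: AzureCLI@2
    displayName: Terraform plan and apply (${{ parameters.environment }})
    inputs:
      azureSubscription: svc-conn-aks-${{ parameters.environment }}   # placeholder service connection
      scriptType: bash
      scriptLocation: inlineScript
      addSpnToEnvironment: true    # exposes servicePrincipalId, servicePrincipalKey and tenantId
      inlineScript: |
        set -euo pipefail
        # Hand the service connection's credentials to the azurerm provider.
        export ARM_CLIENT_ID="$servicePrincipalId"
        export ARM_CLIENT_SECRET="$servicePrincipalKey"
        export ARM_TENANT_ID="$tenantId"
        export ARM_SUBSCRIPTION_ID="$(az account show --query id -o tsv)"
        export TF_IN_AUTOMATION=true

        cd infra/aks
        # Same modules, providers and versions everywhere; only state key and tfvars differ.
        terraform init -input=false -backend-config="key=aks-${{ parameters.environment }}.tfstate"
        terraform plan -input=false -var-file="environments/${{ parameters.environment }}.tfvars" -out=tfplan
        terraform apply -input=false tfplan
```

Because the code path is identical, a dependency or provider bump lands in non-prod first and reaches prod unchanged. The next refinement is to split plan and apply into two stages and attach an approval to the prod environment, so the plan output is reviewed before anything is applied.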
Adoption and Training
Finally, hold internal AKS learning sessions, such as a lunch and learn. This will start socialising AKS with the wider dev teams and get them excited about the opportunity of using AKS for their application deployments. AKS can take a bit to get one’s head around, so the best way to start is by taking your organisation with you on the journey of containerisation with Kubernetes.
AKS is a powerful container orchestration tool which benefits from native Azure integrations to make the most out of its capabilities. Hopefully some of these recommendations have helped, enjoy!