6. Sensitivity: Regular
CONTAINER?
Containers = operating system virtualization; traditional virtual machines = hardware virtualization
Windows Server containers: maximum speed and density; Hyper-V containers: isolation plus performance
[Diagram: Windows Server containers share the host OS kernel on the hardware; Hyper-V containers each run on their own kernel inside Hyper-V; traditional VMs each run a full OS plus app on the hardware.]
7. Sensitivity: Regular
What we do not do with containers
Apply security updates (patching)
Make backups
What we do do with container images
Apply security updates (patching)
8. Sensitivity: Regular
Developers
• ‘write-once, run-anywhere’ apps
• Microservice architectures
• Much more flexible than virtual machines
• Consistency
Operations
• Portability, Portability, Portability
• Standardization of development, QA, and prod environments
• Much more scalable
• Manageable at large scale
DevOps
9. Sensitivity: Regular
• Application modernization
• Scaling applications at large scale (search engines, social media websites, e-commerce websites)
10. Sensitivity: Regular
❖ Open source container runtime
❖ The foundation for containers (AKS, ARO)
❖ Format (image) for building containers
❖ Mac, Windows & Linux support
❖ Portability
17. Sensitivity: Regular
Copyright InSpark
• Kubernetes is an open-source (orchestration) framework for automating deployment and
management of containerized workloads (microservices).
– Orchestration:
• Scheduling
• Failover
• Scaling
• Networking
• Service discovery
• Health monitoring
18. Sensitivity: Regular
• 2003/2004 - Designed by Google (Borg)
• 2014 - Kubernetes introduced as the open-source version of Borg
• 2015 – Kubernetes v1.0
• 2016 – Kubernetes goes mainstream
• 2017 – Enterprise adoption & support (Azure, AWS)
19. Sensitivity: Regular
• AKS is an Azure-managed Kubernetes platform
– Hosted environment
– Eliminates the burden of maintenance & operations
– Master nodes are fully managed
– Worker nodes are almost fully managed
• “Have” to scale yourself
• “Have” to reboot yourself (after updates)
– “Quick” and easy deployment of a cluster
• az cli, terraform, ansible, arm, pws
21. Sensitivity: Regular
Responsibilities: DIY with Kubernetes vs. Managed Kubernetes on Azure (in the original slide each row is marked Customer or Microsoft per column)
• Containerization
• Application iteration, debugging
• CI/CD
• Cluster hosting
• Cluster upgrade
• Patching
• Scaling
• Monitoring and logging
Legend: Customer / Microsoft
Managed Kubernetes empowers you to do more: focus on your containers and code, not the plumbing of them.
27. Sensitivity: Regular
[Diagram: Kubernetes control plane on the master node: API server, controller-manager (replication, namespace, serviceaccounts, etc.), scheduler and etcd. Each worker node runs kubelet, kube-proxy and Docker and hosts the Prod containers; the worker nodes face the Internet.]
28. Sensitivity: Regular
[Diagram: Azure managed control plane (API server, controller manager, scheduler, etcd store, cloud controller) exposed through the Kubernetes API endpoint; the user submits the app/workload definition and pods are scheduled over a private tunnel onto the customer VMs running Docker and the pods.]
Self-managed master node(s)
• Automated upgrades, patches
• High reliability, availability
• Easy, secure cluster scaling
• Self-healing
• API server monitoring
• At no charge
29. Sensitivity: Regular
[Diagram: browser traffic enters through Traffic Manager and is directed to AKS clusters (pods) in global data centers, each pulling from a geo-replicated container registry, with built-in auto scaling and elastic burst into Azure Container Instances (ACI).]
30. Sensitivity: Regular
                                   Do It Yourself             acs-engine                          Azure Kubernetes Service
Description                        Create your VMs,           acs-engine generates ARM            Managed K8S
                                   deploy k8s                 templates to deploy k8s
Possibility to modify the cluster  Highest                    Highest                             Medium
You pay for                        Master+Node VMs            Master+Node VMs                     Node VMs
38. Sensitivity: Regular
Maintain at least N-1 for minor releases for production workloads
Recommend a 3-month upgrade cycle for minor versions
Enable functional add-ons to the cluster with minimal cluster redeployment
Recommend automating node reboots for security patches
Recommend blue/green cluster upgrades for customer production workloads
43. Sensitivity: Regular
1. Kubernetes developer authenticates with AAD
2. The AAD token issuance endpoint issues the access token
3. Developer performs an action with the AAD token, e.g. kubectl create pod
4. Kubernetes validates the token with AAD and fetches the developer’s AAD groups, e.g. Dev Team A, App Group B
5. Kubernetes RBAC and cluster policies are applied
6. The request succeeds or fails based on the previous validation
44. Sensitivity: Regular
$ az aks get-credentials --resource-group myAKSCluster --name myAKSCluster
$ kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BUJHWDGNL to authenticate.
Or
Error from server (Forbidden): nodes is forbidden: User baduser@contoso.com cannot list nodes at the cluster scope
47. Sensitivity: Regular
o Use namespaces, do not deploy to default
o The Namespace object is the logical isolation boundary
o Namespaces provide a scope for names
o Not all objects can be namespaced, e.g. nodes
o Optionally, use different clusters for different apps/environments (remember, you do not pay for the master nodes!)
o Use resource quotas
o Use at least 3 nodes; that will give you enough capacity during upgrades (especially if using disks as persistent volumes)
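The RBAC steps of the AAD sign-in flow and the namespace and quota guidance above, as an added example that is not part of the InSpark deck: a dedicated namespace with a ResourceQuota, a namespaced Role, and a RoleBinding that grants that Role to an AAD group. The namespace name, quota values and the group object ID are assumptions (the object ID is a placeholder).

```yaml
# Added example (not from the deck): namespace + quota + Role + RoleBinding for
# one AAD group. All names and values are assumed; the group ID is a placeholder.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a            # one namespace per team, never "default"
---
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:                   # caps what the team can consume in this namespace
    pods: "20"
    requests.cpu: "4"
    requests.memory: 8Gi
    limits.cpu: "8"
    limits.memory: 16Gi
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                # namespaced: cannot grant anything outside team-a
metadata:
  name: team-a-developer
  namespace: team-a
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log", "services", "configmaps"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers
  namespace: team-a
subjects:
- kind: Group
  # AAD group object ID as presented by the AKS AAD integration (placeholder)
  name: "00000000-0000-0000-0000-000000000000"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: team-a-developer
  apiGroup: rbac.authorization.k8s.io
```

A developer whose AAD groups carry no binding gets the Forbidden error shown on the earlier slide; `kubectl auth can-i create pods -n team-a` checks the outcome of step 5 before anything is deployed.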
48. Sensitivity: Regular
• You can use AAD-based access to Azure Files
• Managed Disks encrypted with Storage Service Encryption
More information:
https://docs.microsoft.com/mt-mt/azure/aks/concepts-storage
49. Sensitivity: Regular
o Dynamic disk
o Static Azure disks
o Dynamic Azure files
o Static Azure files
Notes:
o Disks are ReadWriteOnce, Files are ReadWriteMany
o Only Disks support Premium storage
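The dynamic disk and dynamic file options above, as an added example that is not part of the InSpark deck: two PersistentVolumeClaims using the AKS built-in storage classes, showing where the access-mode and Premium-storage differences bite. The claim names, namespace and sizes are assumptions.

```yaml
# Added example (not from the deck): dynamically provisioned Azure Disk vs.
# Azure Files claims. Names, namespace and sizes are assumed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-data
  namespace: team-a
spec:
  accessModes:
  - ReadWriteOnce                    # Azure Disk: attached to one node at a time
  storageClassName: managed-premium  # Premium storage is only available for disks
  resources:
    requests:
      storage: 50Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: shared-uploads
  namespace: team-a
spec:
  accessModes:
  - ReadWriteMany                    # Azure Files: mountable by every replica at once
  storageClassName: azurefile        # standard storage; no Premium tier on this class
  resources:
    requests:
      storage: 100Gi
```

A multi-replica Deployment that mounts db-data will leave all but one pod stuck in ContainerCreating when they land on different nodes; shared-uploads is the claim to use in that case.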
53. Sensitivity: Regular
o Service type LoadBalancer
o Basic Layer 4 load balancing (TCP/UDP)
o Each service is assigned an IP on the ALB (Azure Load Balancer)
55. Sensitivity: Regular
o Ingress is a Kubernetes API that manages external access to the services in the cluster
o Supports HTTP and HTTPS
o Path- and subdomain-based routing
o SSL termination
o Saves on public IP addresses
o The Ingress controller is a daemon, deployed as a Kubernetes Pod, that watches the Ingress endpoint for updates. Its job is to satisfy requests for ingresses.
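The LoadBalancer-per-service model of the previous slide and the Ingress model above, as an added example that is not part of the InSpark deck: two ClusterIP services behind one Ingress that terminates TLS and routes by host and path, so only the ingress controller's own load balancer needs a public IP. The hostname, TLS secret, ingress class and service names are assumptions.

```yaml
# Added example (not from the deck): ClusterIP services + one TLS-terminating
# Ingress. Hostname, secret name and ingress class are assumed.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: ClusterIP                    # not LoadBalancer: no per-service public IP on the ALB
  selector: {app: web}
  ports: [{port: 80, targetPort: 8080}]
---
apiVersion: v1
kind: Service
metadata:
  name: api
spec:
  type: ClusterIP
  selector: {app: api}
  ports: [{port: 80, targetPort: 8080}]
---
apiVersion: networking.k8s.io/v1    # Kubernetes 1.19+; older clusters used extensions/v1beta1
kind: Ingress
metadata:
  name: app-ingress
spec:
  ingressClassName: nginx            # assumption: an NGINX ingress controller is installed
  tls:
  - hosts: [app.example.com]
    secretName: app-example-com-tls  # kubernetes.io/tls Secret holding certificate and key
  rules:
  - host: app.example.com            # subdomain-based routing: only this host matches
    http:
      paths:
      - path: /api                   # path-based routing: /api goes to the api service
        pathType: Prefix
        backend: {service: {name: api, port: {number: 80}}}
      - path: /
        pathType: Prefix
        backend: {service: {name: web, port: {number: 80}}}
```

Because TLS ends at the controller, traffic from the controller to the pods is plain HTTP inside the cluster; keep that in mind when the threat model requires encryption in transit all the way to the workload.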
58. Sensitivity: Regular
o Scales nodes based on pending pods
o Scale up and scale down
o Reduces dependency on monitoring
o Removes the need for users to manage nodes and monitor service usage manually
61. Sensitivity: Regular
o Step 1:
az group create --name aksrg --location westeurope   (a location is required; westeurope is an assumed region)
o Step 2:
az aks create -n myakscluster -g aksrg --node-count 2 -k 1.11.3 -s Standard_DS2_v2
o Step 3:
az aks get-credentials -n myakscluster -g aksrg
65. Sensitivity: Regular
Easily run serverless containers
• Containers as a primitive, billed per second
• Secure applications with hypervisor isolation
• Run containers without managing servers