Everybody wants a container? Yes.
Everybody gets a container? Sure.
Everybody wants to use Kubernetes (https://kubernetes.io/) to orchestrate the container deployment? Definitely.
Everybody wants to manage the Kubernetes cluster? Erm, not really.
Companies, with their focus shifting to the application and away from the underlying infrastructure, have told the cloud providers loudly and clearly that they do not want to manage the Kubernetes (also referred to as k8s) cluster that their Docker containers run on. They expect Microsoft to do this for them.
Microsoft Azure already made it fairly simple to deploy a Kubernetes cluster onto the Azure Container Services platform. The result, however, was a bunch of Virtual Machines (VMs) that the customer still had to manage. Kubernetes upgrades were sometimes quite painful, and integration with the Azure platform was almost non-existent.
In October 2017 Microsoft then announced the public preview of their new managed Kubernetes service, AKS (Azure Kubernetes Service, https://azure.microsoft.com/en-au/services/kubernetes-service/). After eight long months, in June 2018, Microsoft released AKS into General Availability.
So, what is the big deal now? Why do I care?
Well, Microsoft pretty much takes over all the heavy lifting when it comes to deploying and managing the Kubernetes infrastructure.
az aks create \
  --resource-group rgaks \
  --name aksclusternonprod \
  --node-count 1 \
  --service-principal <appId> \
  --client-secret <password>
This short snippet, which could be written on a single line, deploys a new, fully functioning Kubernetes cluster via the Azure CLI once the service principal's application ID and client secret have been provided.
Note: Make sure the Resource Group “rgaks” (any other name works) already exists. For demo purposes, create it in the “East US” region, which has most VM SKUs available.
After a few minutes the Kubernetes cluster exists and can accept Docker containers.
For full deployment options on the CLI or via ARM templates, please refer to the documentation.
Every once in a while, upgrades happen.
Microsoft AKS uses upstream Kubernetes, which means it runs the exact same source code that the open source Kubernetes project releases on GitHub (https://github.com/kubernetes/kubernetes). Users can simply read the documentation for open source Kubernetes, and their Kubernetes deployments will just work.
Upgrading a self-managed Kubernetes cluster is not an easy task, plus, it likely also is not the focus of what your company does. So why not outsource it to someone else? Like Microsoft.
Have them deal with carefully draining all cluster nodes, making sure that applications are gracefully shut down and nodes are not taken offline while clients are still connecting to them.
This sounds painful, so I would not want to do that.
If a new Kubernetes version becomes available, upgrading to it is almost a non-event. The cluster upgrade can be triggered via the Azure Portal, the CLI or the REST API.
AKS also tightly integrates with Azure Monitor and its Container monitoring solution. No custom code is required to know what state the Kubernetes cluster is in or how the cluster nodes are currently doing.
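The deployment and upgrade steps above, wrapped into one POSIX shell script, as an added example that is not code from the post or from Microsoft. It assumes the Azure CLI is installed and logged in; the resource group and cluster names come from the post, while the AKS_* environment variables (in particular AKS_SP_APP_ID and AKS_SP_SECRET for the service principal) are this script's own convention, chosen so the client secret is not typed as a literal that lands in the shell history. The JMESPath query assumes the JSON layout returned by az aks get-upgrades.

```shell
#!/bin/sh
# Added example, not code from the post or from Microsoft: wraps the Azure CLI
# steps described above (create the resource group if needed, create the
# cluster, find and apply the newest available Kubernetes upgrade).
# Assumes the Azure CLI is installed and logged in. The resource group and
# cluster names come from the post; the AKS_* environment variables are this
# script's own convention.
set -eu

RG="${AKS_RG:-rgaks}"
CLUSTER="${AKS_CLUSTER:-aksclusternonprod}"
LOCATION="${AKS_LOCATION:-eastus}"        # "East US", as the post suggests
NODE_COUNT="${AKS_NODE_COUNT:-1}"

# The service principal credentials are read from the environment rather than
# typed as literals, so the client secret does not end up in the shell history.
require_sp_credentials() {
    [ -n "${AKS_SP_APP_ID:-}" ] || { echo "AKS_SP_APP_ID is not set" >&2; return 1; }
    [ -n "${AKS_SP_SECRET:-}" ] || { echo "AKS_SP_SECRET is not set" >&2; return 1; }
}

# The post's note: the resource group must exist before 'az aks create' runs.
ensure_resource_group() {
    if [ "$(az group exists --name "$RG")" = "true" ]; then
        echo "resource group $RG already exists"
    else
        az group create --name "$RG" --location "$LOCATION" --output none
        echo "created resource group $RG in $LOCATION"
    fi
}

# The 'az aks create' call from the post, with the placeholders filled in.
create_cluster() {
    require_sp_credentials
    az aks create \
        --resource-group "$RG" \
        --name "$CLUSTER" \
        --node-count "$NODE_COUNT" \
        --service-principal "$AKS_SP_APP_ID" \
        --client-secret "$AKS_SP_SECRET" \
        --output none
    echo "created cluster $CLUSTER with $NODE_COUNT node(s)"
}

# Newest control-plane version the cluster can upgrade to, or nothing if it is
# already current. The JMESPath query assumes the JSON layout that
# 'az aks get-upgrades' returns (controlPlaneProfile.upgrades[]).
latest_available_upgrade() {
    versions="$(az aks get-upgrades --resource-group "$RG" --name "$CLUSTER" \
        --query 'controlPlaneProfile.upgrades[].kubernetesVersion' --output tsv)"
    [ -n "$versions" ] || return 0
    printf '%s\n' "$versions" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1
}

# Trigger the managed upgrade; AKS drains and replaces the nodes for us.
upgrade_to_latest() {
    target="$(latest_available_upgrade)"
    if [ -z "$target" ]; then
        echo "$CLUSTER is already on the newest available Kubernetes version"
        return 0
    fi
    echo "upgrading $CLUSTER to Kubernetes $target"
    az aks upgrade --resource-group "$RG" --name "$CLUSTER" \
        --kubernetes-version "$target" --yes --output none
}

case "${1:-}" in
    create)  ensure_resource_group; create_cluster ;;
    upgrade) upgrade_to_latest ;;
    "")      echo "usage: $0 create|upgrade" >&2 ;;
    *)       echo "unknown command: $1" >&2; exit 2 ;;
esac
```

Run it as `AKS_SP_APP_ID=... AKS_SP_SECRET=... sh aks.sh create` and later `sh aks.sh upgrade`. Even with the variables, the secret is still visible to anyone who can list the process arguments of the running az command on that machine, so run it from a workstation or pipeline agent you trust rather than a shared host.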
Security out of the Box
Securing a self-managed Kubernetes cluster is hard and requires in-depth knowledge of Kubernetes as well as of the VMs that Kubernetes itself and the nodes run on. There is a heck of a lot to consider.
Hardening the Virtual Machines so that foreign processes cannot get in, making sure that logs and metrics are forwarded to a central location, enabling Role Based Access Control (RBAC) on the Kubernetes cluster itself: all those and many more are tasks one needs to consider when rolling one’s own Kubernetes.
AKS gives you all of this out of the box. As a platform, AKS is compliant with SOC, ISO, and PCI DSS. This makes AKS a nice fit for companies from the finance sector, for example.
AKS also natively integrates with Azure Active Directory (AAD) using OpenID Connect, an identity layer built on top of OAuth 2.0.
This means that as a Kubernetes administrator you are in control of who can do what on or to that cluster, not just from an Azure resource perspective (one should obviously apply RBAC on that level as well) but inside of the cluster. A user’s Azure AD identity is now capable of reaching into the application (AKS).
This makes onboarding and offboarding of users to the AKS clusters a breeze.
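How the Azure AD integration shows up inside the cluster, as an added example that is not code from the post or from Microsoft: a small POSIX shell helper that emits the Kubernetes RBAC manifest binding an Azure AD group to a ClusterRole. It assumes the cluster was created with the AAD integration enabled, so that Kubernetes sees the AAD group's object ID as a Group subject; the group object ID in the usage comment is constructed for illustration, and the manifest name prefix aad- is this helper's own convention.

```shell
#!/bin/sh
# Added example, not code from the post or from Microsoft: generates the
# Kubernetes RBAC binding that gives an Azure AD group access inside an
# AKS cluster. With AAD integration the group's object ID is what appears
# as the Group subject, so membership changes in AAD (onboarding,
# offboarding) take effect without touching the cluster.
set -eu

# AAD object IDs are GUIDs; reject anything else before it reaches kubectl.
is_guid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# aad_group_binding GROUP_OBJECT_ID CLUSTERROLE [NAMESPACE]
# With a namespace: a RoleBinding that grants the (built-in or custom)
# ClusterRole only inside that namespace. Without one: a ClusterRoleBinding.
aad_group_binding() {
    group_id="$1"; role="$2"; ns="${3:-}"
    if ! is_guid "$group_id"; then
        echo "not an Azure AD object ID: $group_id" >&2
        return 1
    fi
    if [ -n "$ns" ]; then
        kind="RoleBinding"
        meta="  name: aad-${role}-${ns}
  namespace: ${ns}"
    else
        kind="ClusterRoleBinding"
        meta="  name: aad-${role}"
    fi
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ${kind}
metadata:
${meta}
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: ${group_id}
roleRef:
  kind: ClusterRole
  apiGroup: rbac.authorization.k8s.io
  name: ${role}
EOF
}

# Usage (group ID constructed for illustration):
#   sh aad-binding.sh 11111111-2222-3333-4444-555555555555 edit dev | kubectl apply -f -
if [ $# -ge 2 ]; then
    aad_group_binding "$@"
fi
```

Once the group is bound, adding a person to or removing them from the Azure AD group changes their cluster access without editing any Kubernetes object; a RoleBinding to a namespace rather than a ClusterRoleBinding keeps the grant to the least scope a team actually needs.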
Easy Cost Calculation
What is better than a managed Kubernetes service? A free managed Kubernetes service. Obviously.
This needs some explanation. Before AKS was a thing, one had to deploy loads of Virtual Machines to support one’s Kubernetes environment, especially if the cluster had to be highly available.
Now Microsoft gives its customers the Kubernetes management plane for free. Customers only pay for the nodes they use, the actual compute nodes that run the Docker containers. This seems fair.
This comes with a little gotcha though. Being a free service, AKS does not come with a Service Level Agreement (SLA). Microsoft targets 99.5% availability for the Kubernetes API server, which is approximately 44 hours of downtime per year. The good news is that the cluster nodes, being Virtual Machines, are covered by the Virtual Machines SLA, which is a lot better.
To wrap this up, unless one really needs to tweak Kubernetes to the max and one can invest a lot of time, people and money into getting to know the ins and outs of Kubernetes, running a managed service like AKS for one’s containerised applications just makes sense.
Written by David O’Brien
About David O’Brien
David recently started his own consulting company XIRUS (https://xirus.com.au), focusing mainly on Microsoft stacks in the cloud, training individuals and companies in all things Microsoft Azure and Azure DevOps (formerly VSTS), and still doing hands-on consulting and infracoding.
He has held a Microsoft MVP award for 5 years including the prestigious MVP for Azure.
A co-organiser of the Melbourne Microsoft Cloud and Datacentre meetup, he also regularly speaks at international conferences and combines his interest in travelling the world with his passion for sharing IT stories with the community. David’s personal blog can be found at https://david-obrien.net. In addition to blogging, he has also published online training courses on Pluralsight.