Azure Kubernetes Service (AKS) - Planning

-

When creating an AKS cluster it can be easy to get started with quick start templates for ARM and Terraform available.  This is fine for a lab environment but when it comes to building a production ready AKS cluster there are some decisions you need to make at the beginning to save yourself unnecessary pain further down the line.  In this article we will explore some of the key decisions areas which I hope will help you in deploying your AKS cluster.


Cluster Node SKUs

You have to have a default node pool, you can add additional node pools at a later point which can have different skus but if you want to change the sku on the default node pool it would cause the cluster to be rebuilt. Plan what size SKU size is sensible for your workload.  You can scale out easily but you can not scale-up easily so it is worth getting this right.  We cover adding additional node pools below, this can help get around changing the default node pool.

Load Balancer SKU and Multiple Node Pools

When you come to deploy your AKS cluster you can choose a basic or standard load balancer SKU.  the default when deploying via Terraform is standard SKU.  Again, switching this is a breaking change so choose wisely.  The biggest limitation of the basic SKU is that you can not add multiple node pools.  As per this guide which states;

"The AKS cluster must use the Standard SKU load balancer to use multiple node pools, the feature is not supported with Basic SKU load balancers."

Why is this important?

As we mentioned you can have multiple node pools, this allows you to run Linux or Windows node pools and the pools can be assigned different SKUs.  If you are the using the basic load balancer SKU you remove the ability to have multiple node pools.  This is because AKS needs an Azure managed device to manage the routing to the node pools.

In the scenario where you provisioned the default node pool and a small VM SKU, you start using your cluster and then hit resource issues. As we mentioned changing the SKU is a breaking change.  The alternative is to add a new pool with larger VM SKU and move some  or all services over to the new pool.  You can not remove the default pool but you can scale this down to 1.  

In the future if you hit the issue again you can repeat the process adding node pool three for example  and would be able to decommission node pool two once you have re-deployed services.

Basic or Advanced Networking 

You have a choice when you come to create your cluster, you can create the cluster with Basic networking  - Kubenet or Advanced Networking - Azure Container Networking Interface (CNI)

With Advanced networking as the name suggest there is more configuration required.  Each pod gets an IP address from the subnet and can be accessed directly.  When you define the subnet address these IPs are from your network they must be unique and so you need to plan for this which we will cover fully in the next section.  

When configuring advanced networking you also define a Kubernetes service address range this is separate and used by AKS and should not overlap with your other IP ranges.

As you can imagine you can not change between these two modes so review the options and make your decision on how to configure your network.

Subnet Size

When we are using CNI we need to plan out our subnets.  Review this document on how to plan your network.  The important thing to note is that with CNI it pre-allocates the IP addresses for the pods.  This is where the setting max pods per node comes into effect.

Max Pods per Node

For full details on planning your IP addressing and how max pods per nodes impacts this review this document .  In short the default setting for max pods per nodes is 30.  This means that every time you deploy or scale out your node pool Azure will allocate 31 IPs, 1 for the node and 30 for the pods.  

This takes some planning, firstly based on your SKU and the pods you will be deploying what kind of resources will they need realistically? how many pods can fit on a node before you would need to scale out?  Will you hit the node resource limit or the mac pods limit first?  Then take into consideration your scaling needs, what are the likely min and max number of nodes you will want to scale out to?  Use these factors to work out the correct subnet size.

Ingress Controller

There are a couple of choices now on what device you use in conjunction with your ingress controller.  The default scenario is you deploy a Azure Load Balancer and then you install your ingress controller of choice.  The ingress controller then works in unison with the Load balancer. 

Another option now available it the Application Gateway Ingress Controller (AGIC) this ingress controller allows you to use the Azure Application Gateway Layer 7 device to expose your services to the internet.  As you add services to your cluster it automatically updates the Azure Application gateway.  You get to use some of the features of AppGW like re-write rules.

You can deploy this using helm or the add-on which is a fully managed service. The add-on provides added benefits such as automatic updates and increased support.  NOTE! AGIC deployed through Helm is not supported by AKS, AGIC deployed as an AKS add-on is supported by AKS.

This link provides the steps for both approaches.  Currently (at the time of writing) the only way to deploy AKS using the add-on is via Azure CLI so you may want to continue using the Helm approach for Terraform and ARM pipeline deployments until support is added (I know there are open issue for Terraform to add support for the add-on). 

AD Integration 

To make it easier to manage and control access to manage your AKS cluster you will likely want to enable AKS-managed Azure Active Directory integration .  This integration only works with RBAC enabled clusters.  This is a simple setting to configure when you deploy but not something you can turn on/off so get this one right at the beginning.  

If you are using Terrform you will need a block like the one below to enable rbac and the AD integration.  The ID is the list of AD user or Group IDs that should be allowed to manage the cluster.

role_based_access_control {
    enabled = true
    azure_active_directory {
        managed = true
        admin_group_object_ids = ["123456abc-a123-a123-a123-123456abc"]
    }
}

Conclusion

These are some of the key configurations and gotchas I have found along my path deploying AKS clusters.  As you will  have seen a lot of the changes are breaking changes that require the cluster to be rebuilt so it really is worth planning your cluster to reduce the impact to your solution in the future.  I hope this article has been useful and provided you some good tips for when you deploy your own AKS environments.

If you are currently working with AKS you may find some of my other articles useful;

Azure Kubernetes Service (AKS) and Managed Identities

Comments

Post a Comment

Popular posts from this blog

Terraform Functions - Part 3 - Conditional expression

-
In part three of this blog series we will take a look at the conditional expression function in  Terraform  and see how we can use this with a basic  Azure Web App  deployment. In a future blog we will explore how to use the conditional expression alongside the count function in a more complex resource deployment.  In part one we cover an overview of the blog series and some pre-requisites you will need to get started when working through the deployment steps in this blog series, if you haven't seen this information please review this  here  before you get started with the steps below. Conditional expressions can be used to dynamically omit or change an argument depending on a certain condition. This can be useful for several scenarios, one example may be that you create a module for deploying VMs and have a variable for VM size of small or large, you can set this as a variable and evaluate this variable to change configurations like SKU, disk size etc.  The example we will go thr
Read more

Azure Kubernetes Service (AKS) and Managed Identities

-
Image
In this blog I will be exploring the use of Azure Manged Identities in Azure Kubernetes Service (AKS).  We will then discuss how we can use managed identities according to security best practice. We will look at how we configure the managed identities for the AKS cluster so it can in turn manage other Azure resources.  We will explore how we can configure managed identities for our services/applications that are running on AKS so pods can reach out to other Azure services. Managed Identities Why are we using managed identities? The alternative is to use Service Principal accounts (SPNs). The issues with SPNs is you have a client secret which you have to manage and keep secure. Your cluster apps and services will need to access the SPNs you have created so this means potentially saving it in a few places so it is available to CI/CD pipelines. The secret attached to an SPN rotates so you need to ensure it is valid to ensure your cluster and services continue to run. Managed identi
Read more

Working with WSL and AKS

-
Image
Introduction I find I am working with  Azure Kubernetes Service (AKS) more and more recently and I thought I would share a few tips and snippets of code I have found useful. For reasons I will explain shortly I have started using the Windows Subsystem for Linux (WSL) as my main way of managing AKS.  If you are starting out with AKS I hope you will find some of these hints and tips useful. AKS is a fully managed Kubernetes service from Azure, if you want to find out more about AKS check out the material and video from Microsoft here  .  For the purpose of this document I am assuming you are familiar with AKS and have at least started to play around with it.   Commands There are some key commands you will need when working with AKS and kubectl you can find some of these on the first link below.  While working with AKS you will  be using other tools like Docker for creating and managing your container images.,  I have provided some key starter commands for this on the second link. Helm
Read more