AKS - Application Gateway Ingress Controller management

-

As discussed in my post about AKS planning there are a couple of choices for what device you use in conjunction with your Azure Kubernetes Service (AKS) ingress controller. The default scenario is you deploy a Azure Load Balancer and then you install your ingress controller of choice. The ingress controller then works in unison with the Load balancer. 

Another option now available it the Application Gateway Ingress Controller (AGIC) this ingress controller allows you to use the Azure Application Gateway Layer 7 device to expose your services to the internet. As you add services to your cluster it automatically updates the Azure Application gateway. 

For information on how to implement AGIC checkout the links on this page .

In this article we are going to discuss AGIC and some of the practicalities of working with this configuration.

Managed Identities


To use AGIC you need to use AAD pod identity. We configure a managed identity with permissions to manage and update the Application Gateway. We use AAD Pod identity to allow AGIC to use this managed identity. For more information on AKS and managed identities checkout my previous post on this topic.

Application Gateway Managed Identity

  • Reader permissions on Application Gateway Resource Group
  • Contributor permissions on Application Gateway resource
  • Managed Identity Operator permissions on KeyVaults if used for SSLs

AKS permissions

AKS kubelet identity needs;
  • Managed Identity Operator over the Application Gateway managed identity for use with the AAD pod identity


Deployments

You can deploy the initial Application Gateway configuration using your IaC tool of choice.  Once you have configured the Application Gateway ingress controller this takes over management of the Gateway and any further deployments of your IaC would wipe out this configuration.  

You will see on the Application Gateway tags that after the AGIC updates the Gateway it applies tags which show when the configuration was last updated by the AGIC. This can be useful in troubleshooting issues as you can see when the Application Gateway was last updated.


You need to manage this conflict for you deployments to avoid potential downtime for your services.  One suggestion is to periodically get the AGIC to push updates.  To avoid any potential impact or down time I have taken an approach using configuration in the IaC code to manage this. I am using Terraform for my deployments so will talk around this method.  I deploy the Application Gateway with a base configuration of some place holder HTTP settings, Listeners and Backend configuration.  

I then use a lifecycle block with an "ignore_changes" list, this means the first deployment will create the Application Gateway but from that point on other changes are made by the AKS cluster and Application Gateway Ingress Controller (AGIC).

Lifecycle gist code


There are a couple of exceptions for configuration that we can change via our Terraform templates. This includes the SSL certificate, which will need updating when it expires and the SSL policy which may need changing as new TLS versions or other policy changes are need.

Annotations


This site contains the annotations that can be used in your ingress config to manage the way the application gateway behaves. You will always need to set the ingress class so the application knows to use AGIC `"kubernetes.io/ingress.class" = "azure/application-gateway"`. In addition the applications are configured to use the certificate that has been deployed to the application gateway. 

Annotation gist code

The name is the friendly name you use when you deploy the SSL to the Application Gateway. If you add new certs or update these after a renewal ensure you are referencing the correct certificate. Below is how the annotation block may look on a common AKS ingress deployment.

Portal Bug 

When you use the annotation for hostname on your application configuration this should be configured on the Application Gateway as a mutli-site listener.  Currently if you check the configuration in the portal you will see an error as shown below;


This should be showing as a mutli-site listener but will show as a basic listener;


This is a bug in the portal and can safely be ignored.  However, if you want to confirm the right hostname is showing on the listener you can run the following command. This shows it is assigned to the value "Hostname", the portal uses the value from "Hostnames" which is where the issues appears.

Hostnames gist code


Conclusion

There is lots to take into consideration when implementing the Application Gateway Ingress Controller.  I hope this article has helped you with your configuration and avoiding some common issues with the deployment of the Application Gateway.


Comments

  1. Anonymous2 December 2022 at 16:44

    Players from South 바카라사이트 Korea are limited to a few forms of legal betting. Horse racing, bike racing, lotteries, and some Toto-style sports activities betting choices are available. Of all the casinos in South Korea, residents might solely enter certainly one of them.

    ReplyDelete

Post a Comment

Popular posts from this blog

Terraform Functions - Part 3 - Conditional expression

-
In part three of this blog series we will take a look at the conditional expression function in  Terraform  and see how we can use this with a basic  Azure Web App  deployment. In a future blog we will explore how to use the conditional expression alongside the count function in a more complex resource deployment.  In part one we cover an overview of the blog series and some pre-requisites you will need to get started when working through the deployment steps in this blog series, if you haven't seen this information please review this  here  before you get started with the steps below. Conditional expressions can be used to dynamically omit or change an argument depending on a certain condition. This can be useful for several scenarios, one example may be that you create a module for deploying VMs and have a variable for VM size of small or large, you can set this as a variable and evaluate this variable to change configurations like SKU, disk size etc.  The example we will go thr
Read more

Azure Kubernetes Service (AKS) and Managed Identities

-
Image
In this blog I will be exploring the use of Azure Manged Identities in Azure Kubernetes Service (AKS).  We will then discuss how we can use managed identities according to security best practice. We will look at how we configure the managed identities for the AKS cluster so it can in turn manage other Azure resources.  We will explore how we can configure managed identities for our services/applications that are running on AKS so pods can reach out to other Azure services. Managed Identities Why are we using managed identities? The alternative is to use Service Principal accounts (SPNs). The issues with SPNs is you have a client secret which you have to manage and keep secure. Your cluster apps and services will need to access the SPNs you have created so this means potentially saving it in a few places so it is available to CI/CD pipelines. The secret attached to an SPN rotates so you need to ensure it is valid to ensure your cluster and services continue to run. Managed identi
Read more

Working with WSL and AKS

-
Image
Introduction I find I am working with  Azure Kubernetes Service (AKS) more and more recently and I thought I would share a few tips and snippets of code I have found useful. For reasons I will explain shortly I have started using the Windows Subsystem for Linux (WSL) as my main way of managing AKS.  If you are starting out with AKS I hope you will find some of these hints and tips useful. AKS is a fully managed Kubernetes service from Azure, if you want to find out more about AKS check out the material and video from Microsoft here  .  For the purpose of this document I am assuming you are familiar with AKS and have at least started to play around with it.   Commands There are some key commands you will need when working with AKS and kubectl you can find some of these on the first link below.  While working with AKS you will  be using other tools like Docker for creating and managing your container images.,  I have provided some key starter commands for this on the second link. Helm
Read more