Azure Kubernetes Service
Azure Kubernetes Service (AKS) is a managed container orchestration service provided by Azure. It simplifies the deployment, scaling, and operations of containerized applications using Kubernetes, an open-source platform.
Centralized Azure Kubernetes Service (CAKS) is needed to enhance the capabilities of AKS. It provides features like Namespace Isolation for resource organization, AGIC for efficient traffic routing, FluentD for log management, Network Policies for traffic control, Azure Policy for compliance enforcement, RBAC for access management, and Azure Active Directory Integration for authentication. These collectively enhance the security, manageability, and operational efficiency of the AKS environment. These features help in managing access to different namespaces within a single AKS cluster while maintaining centralized control and governance.
Centralized Azure Kubernetes Service
Overview
In a centralized AKS architecture, we've adopted a cost-effective approach by consolidating multiple clients to access their namespaces through a centralized AKS (Azure Kubernetes Service) instance. This allows us to streamline management and resource allocation, reducing overhead and optimizing efficiency. By centralizing access and management, we ensure better control, scalability, and cost-effectiveness compared to individual AKS setups for each client.
Architecture
SGS CAKS Tier0 Architecture
The CAKS architecture is a meticulously managed environment that allows two distinct clients, Client1 and Client2, to operate seamlessly yet independently. Here's a detailed explanation of the architecture:
Architecture Components
-
CAKS Subscription
This includes client namespaces, pods, services, ingress, PVC, AGIC, and Fluentd. Each client has its namespace, ensuring logical isolation and security. Within these namespaces are node pools like dev, test, and staging. Each node pool contains respective pods, for instance, the dev node pool contains dev pods and dev ingress. Taints and tolerations ensure that specific pods are assigned to appropriate nodes. -
Dynamic On-Demand PVC
The Persistent Volume Claim (PVC) is dynamically connected to the client’s storage account within their resource group. This dynamic allocation ensures flexibility and efficiency in storage management. -
Application Logs & Analytics
Application logs from the client resource group are meticulously analyzed by Tier0 log analytics workspace. These insights are then channeled through a function app to the Tier0 event hub for comprehensive log management. -
System Node Pool
In the default namespace of each client lies a system node pool containing AGIC (Application Gateway Ingress Controller) pod. It's intricately linked to the application gateway in the client subscription ensuring seamless connectivity. -
Client Subscription
This consists of an application gateway, storage account, and resource group. The application logs from the client resource group are triggered by the Tier0 log analytics workspace. -
Connectivity Subscription
This consists of an application gateway that ensures internet connectivity. -
Tier0 Subscription
This consists of an event hub, function app, and Tier0 log analytics workspace.
The tier0 team meticulously manages this centralized AKS. Network policies ensure that logical isolation is not just a term but an operational reality guaranteeing security and efficiency. Every application deployed in pods is linked to its respective node using labels ensuring precision in deployment and operations. This architecture stresses the features and important implementation of the CAKS.
Tier0 Managed Azure Kubernetes Service
Overview
In a Managed Azure Kubernetes Service involves individual AKS setups for clients, providing dedicated clusters for each application or tenant. This approach offers enhanced isolation and control over resources for specific workloads.
Architecture
Tier0 Managed Azure Kubernetes Service Architecture
Architecture Components
-
Client Subscription
This is where all the action happens. It contains an Azure Kubernetes Service (AKS) cluster. Within the client subscription, there are two namespaces: client-test and client-dev. -
Client Dev Namespace
In this namespace, we have a node pool specifically for development purposes. Taints and tolerations are used to ensure that only development pods are assigned to this node pool. Components in this namespace include the Client Dev Pod, which represents the application or workload for development, and the Client Dev Ingress, which handles incoming traffic to the development environment. -
Client Test Namespace
Similar to the dev namespace, but set up for testing. Components in this namespace include the Client Test Pod, which represents the application or workload for testing, the Client Test Ingress, which manages incoming traffic for testing, and the Test PVC (Persistent Volume Claim), which is dynamically connected on-demand to a storage account within the same client subscription. -
Default Namespace
Contains system-level components such as the AGIC (Application Gateway Ingress Controller) Pod, which is responsible for connecting to the Application Gateway in the connectivity subscription, and the Fluentd Pod, which collects logs from various sources. -
Log Collection & Analysis
Fluentd collects logs from different parts of the system. The log flow is as follows: Fluentd sends logs to a Tier 0 Event Hub. From there, logs proceed to a Tier 0 Function App. Finally, they are analyzed in a Tier 0 Log Analytics Workspace. Application logs from this process are reflected back in the client’s resource group. -
Connectivity Subscription
The AGIC Pod is connected to the Application Gateway in this subscription.
Features which are supported by CAKS
Azure Kubernetes service provides several features to support centralized management while granting access to different namespaces for various clients within a single AKS cluster. Some of these features include:
-
Namespace Isolation:
In AKS, each namespace serves as a logical boundary for organizing and isolating resources. By allocating clients to distinct namespaces, we achieve workload segregation while maintaining shared access to the same cluster resources.It’s like having separate compartments within a larger storage unit—each compartment holds its own items, but they all reside in the same physical space. -
AGIC (Application Gateway Ingress Controller):
AGIC simplifies Kubernetes ingress management by integrating with Azure Application Gateway. It enables traffic routing, SSL termination, and Web Application Firewall (WAF) capabilities, enhancing security and scalability. AGIC dynamically updates routing rules based on Kubernetes Ingress resources, ensuring efficient load balancing. It provides centralized management of ingress traffic for multiple AKS clusters, improving operational efficiency. AGIC offloads SSL/TLS encryption and decryption operations, optimizing performance and simplifying certificate management. -
FluentD:
Fluentd in Centralized Azure Kubernetes Service (CAKS) facilitates log collection and aggregation from containers, enabling centralized monitoring. It supports various input and output plugins for flexibility in data sources and destinations. Fluentd seamlessly integrates with Azure Monitor, enabling real-time log analysis and visualization. It ensures reliable log forwarding with buffering and retry mechanisms, enhancing data integrity. Fluentd simplifies log management in CAKS, providing insights for troubleshooting and performance optimization. -
Network Policies:
AKS supports Kubernetes network policies, which allow us to define rules for traffic flow within the cluster. we can restrict communication between namespaces or allow specific traffic based on labels and selectors. -
Azure Policy:
Azure Policy can be used to enforce compliance requirements and governance standards across the AKS cluster. we can define policies that ensure clients adhere to security best practices, resource naming conventions, and more. -
RBAC (Role-Based Access Control):
AKS utilizes Kubernetes Role-Based Access Control (RBAC) for access control management. By using RBAC, we can create custom roles and role bindings to precisely assign permissions to users or groups within specific namespaces. -
Azure Active Directory Integration:
AKS can integrate with Azure Active Directory (AAD) for authentication. This allows us to assign AAD users or groups to RBAC roles, providing fine-grained access control.
With the help of these features, we can effectively manage access to different namespaces within a single AKS cluster while maintaining centralized control and governance.