Azure Kubernetes Service (AKS) Concepts

Introduction to Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) simplifies deploying, managing, and automating Kubernetes applications. AKS provides a managed Kubernetes experience, allowing you to focus on your applications rather than the underlying infrastructure. It integrates deeply with other Azure services, offering a robust platform for containerized workloads.

Kubernetes Architecture

Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It groups containers that make up your applications into logical units for easy management and discovery. A Kubernetes cluster consists of two main types of resources:

• Control Plane: Manages the cluster's state and desired configuration. It includes components like the API server, etcd, scheduler, and controller manager.
• Nodes: Worker machines that run your containerized applications. Each node runs a container runtime (like containerd or Docker), a kubelet, and a kube-proxy.

AKS Components

When you create an AKS cluster, Azure manages the Kubernetes control plane for you. This includes:

• API Server: Exposes the Kubernetes API.
• etcd: A distributed key-value store for storing cluster data.
• Scheduler: Assigns Pods to Nodes.
• Controller Manager: Runs controller processes that regulate the cluster's state.
• Cloud Controller Manager: Interacts with Azure APIs to manage Azure resources like load balancers and storage.

You are responsible for managing the worker nodes in your cluster, although AKS provides tooling to simplify this. Nodes run the following components:

• Kubelet: Agent that runs on each Node and ensures containers are running in a Pod.
• Kube-proxy: Maintains network rules on Nodes, enabling network communication to your Pods.
• Container Runtime: Software responsible for running containers (e.g., containerd).

Nodes and Node Pools

A Node is a virtual machine in your AKS cluster that runs your application workloads. Each AKS cluster must have at least one node. A Node Pool is a group of nodes within an AKS cluster that all have the same configuration. Node pools allow you to manage groups of nodes independently.

AKS supports different VM sizes and types for your nodes. You can have multiple node pools with different VM sizes or operating systems to accommodate various application requirements.

Virtual Kubelet

AKS also supports the Virtual Kubelet, which allows you to integrate with serverless container services like Azure Container Instances (ACI). This enables you to run Pods on-demand without managing the underlying infrastructure.

Pods and Deployments

A Pod is the smallest deployable unit in Kubernetes. It represents a single instance of a running process in your cluster and can contain one or more containers that share resources like network and storage. While you can create Pods directly, it's more common to manage them through higher-level abstractions.

A Deployment is a Kubernetes object that manages a stateless application. It provides declarative updates for Pods and ReplicaSets. A Deployment defines the desired state for your application, and Kubernetes ensures that the actual state matches the desired state. Key features include:

• Rolling updates and rollbacks
• Scaling
• Self-healing

Services and Ingress

Services provide a stable IP address and DNS name to a set of Pods. They act as a load balancer, distributing network traffic to Pods. Kubernetes Services are essential for enabling communication between different parts of your application and for exposing your application to the outside world.

Ingress manages external access to services in a cluster, typically HTTP. It provides routing rules, TLS termination, and name-based virtual hosting. An Ingress controller is required to fulfill the Ingress resources, and AKS can deploy and manage one for you.

Storage in AKS

AKS integrates with Azure Storage services to provide persistent storage for your containerized applications. Common storage options include:

• Azure Disks: Provide block-level storage volumes for use with Pods.
• Azure Files: Offer fully managed file shares that can be accessed concurrently from multiple VMs.
• Azure Blob Storage: Can be used for less frequent access or for storing larger objects.

You can dynamically provision storage using StorageClasses, which abstract the details of the underlying storage provider.

Networking in AKS

AKS provides flexible networking options to manage communication within your cluster and with external resources. Key networking concepts include:

• Kubernetes Network Model: Each Pod gets its own IP address, and containers within a Pod share the same IP and port space.
• CNI Plugins: AKS supports various Container Network Interface (CNI) plugins, such as Azure CNI and Kubenet, to configure network policies and IP addressing.
• Services: As mentioned, Services provide stable endpoints for accessing Pods.
• Ingress: For HTTP/S routing to services.
• Network Policies: Allow you to control traffic flow between Pods at the IP address or port level.

Security and Access Control

Security is paramount in AKS. Azure provides several mechanisms to secure your cluster:

• Azure Active Directory (Azure AD) Integration: Use Azure AD for centralized authentication and authorization, allowing you to control access to your AKS cluster based on Azure AD identities and groups.
• Role-Based Access Control (RBAC): Kubernetes RBAC enables fine-grained control over who can perform actions on which resources within the cluster.
• Network Security: Use Network Security Groups (NSGs) and Network Policies to restrict traffic to and from your cluster nodes and Pods.
• Secrets Management: Securely store and manage sensitive information like passwords and API keys using Kubernetes Secrets and Azure Key Vault integration.
• Image Scanning: Integrate with Azure Container Registry (ACR) to scan container images for vulnerabilities.