Overview

The following describes how Palette provisions Azure Kubernetes Service (AKS) clusters:

  1. The Palette platform enables the effortless deployment and management of containerized applications with fully managed AKS.
  2. It provides users with serverless Kubernetes, an integrated continuous integration and continuous delivery (CI/CD) experience, and enterprise-grade security and governance.
  3. This unites development and operations on a single platform, so applications can be built, delivered, and scaled faster and with confidence.
  4. The infrastructure has event-driven autoscaling and triggers that enable elastic provisioning for this self-managed infrastructure.
  5. It offers extensive authentication and authorization capabilities using Azure Active Directory, and dynamic rule enforcement across multiple clusters with Azure Policy.

Figure: AKS cluster architecture (aks_cluster_architecture.png)

Prerequisites

The following prerequisites must be met before deploying an AKS workload cluster:

  1. You need an active Azure cloud account with sufficient resource limits and permissions to provision compute, network, and security resources in the desired regions.
  2. You must have permissions to deploy clusters using the AKS service on Azure.
  3. Register your Azure cloud account in Palette as described in the "Creating an Azure cloud account" section below.
  4. You should have an Infrastructure cluster profile created in Palette for AKS.

Additional prerequisites

There are additional prerequisites if Azure Active Directory integration for the AKS cluster is desired:

  1. A Tenant Name must be provided as part of the Azure cloud account creation in Palette.
  2. The Azure client (app registration) used in the Azure cloud account must be granted these API permissions:

    Microsoft Graph: Group.Read.All (Application type)
    Microsoft Graph: Directory.Read.All (Application type)

  3. These permissions can be configured in the Azure portal under App registrations > API permissions for the specified app.

Creating an Azure cloud account

To create an Azure cloud account, we need:

  • Client ID
  • Tenant ID
  • Client secret

For this, we first need to create an Azure Active Directory (AAD) Application which can be used with role-based access control. Follow the steps below to create a new AAD application, assign roles, and create the client secret:

  1. Follow the steps described here to create a new Azure Active Directory application. Note down your Client ID and Tenant ID.
  2. After creating the application, the Contributor role (the minimum required) needs to be assigned to it. To assign any role, the user performing the assignment must hold at least the User Access Administrator role. The role can be assigned by following the Assign Role To Application link.
  3. Follow the steps described in the Create an Application Secret section to create the client application secret. Store the client secret safely, as it will not be available as plain text later.
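The same three values (Client ID, Tenant ID, Client secret), plus the two Graph permissions from the "Additional prerequisites" section, can be produced from the az CLI instead of the portal. This is an added example and not Palette's own tooling; the app name, subscription ID and output path are placeholders you supply, and the Graph permission IDs are Microsoft's well-known application role IDs.

```shell
#!/usr/bin/env sh
# Added example (not from the Palette docs): create the Azure AD application
# Palette needs via the az CLI, capture Client ID / Tenant ID / Client secret,
# and grant the two Graph permissions used for AAD integration.
# The app name, subscription ID and output file are placeholders you supply.

# Well-known Microsoft Graph IDs (not Palette-specific).
GRAPH_API_ID="00000003-0000-0000-c000-000000000000"
GROUP_READ_ALL_ROLE="5b567255-7703-4780-807c-7be8301ae99b"      # Group.Read.All (Application)
DIRECTORY_READ_ALL_ROLE="7ab1d382-f21e-4acd-a863-ba3e13f7da61"  # Directory.Read.All (Application)

# Write the credentials JSON from stdin to a file readable only by its owner,
# so the client secret never lands in a world-readable file or on the terminal.
# Prints the resulting permission string, e.g. -rw-------.
save_sp_credentials() {
  out_file="$1"
  old_umask=$(umask)
  umask 077
  cat > "$out_file"
  umask "$old_umask"
  [ -s "$out_file" ] && ls -l "$out_file" | cut -c1-10
}

# Create the service principal with the Contributor role at subscription scope
# (the minimum the docs call for) and keep only the three fields Palette asks
# for, renamed to match the cloud-account form.
create_palette_sp() {
  app_name="$1"; subscription_id="$2"; out_file="$3"
  az ad sp create-for-rbac \
    --name "$app_name" \
    --role Contributor \
    --scopes "/subscriptions/${subscription_id}" \
    --query '{clientId:appId,tenantId:tenant,clientSecret:password}' \
    -o json | save_sp_credentials "$out_file"
}

# Add the Group.Read.All and Directory.Read.All application permissions and
# grant admin consent for them (the consent step needs a directory admin).
grant_graph_permissions() {
  client_id="$1"
  az ad app permission add --id "$client_id" --api "$GRAPH_API_ID" \
    --api-permissions "${GROUP_READ_ALL_ROLE}=Role" "${DIRECTORY_READ_ALL_ROLE}=Role"
  az ad app permission admin-consent --id "$client_id"
}
```

Typical use is `create_palette_sp palette-aks <subscription-id> ./palette-sp.json`, followed by `grant_graph_permissions` with the clientId from that file when AAD integration is wanted.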

Deploying an AKS Cluster

The following steps need to be performed to provision a new AKS cluster:

  1. Provide the basic cluster information like Name, Description, and Tags.
  2. Select a Cluster Profile created for the AKS cluster. The profile definition will be used as the Cluster Construction Template.
  3. Review and override pack parameters as desired. By default, parameters for all packs are set with values defined in the Cluster Profile.
  4. Provide the Azure cloud account and placement information.

    Parameter        Description
    Cloud Account    Select the desired cloud account. Azure cloud accounts with credentials need to be preconfigured in project settings.
    Subscription     Select the subscription to be used to access Azure services.
    Region           Select the Azure region in which the cluster should be deployed.
    Resource Group   Select the resource group in which the cluster should be deployed.
    SSH Key          Public key to configure remote SSH access to the nodes.
    Placement        If the choice of placement is Static, then select:
                     Virtual Network: select the virtual network from the dropdown menu.
                     Control plane Subnet: select the control plane network from the dropdown menu.
                     Worker Network: select the worker network from the dropdown menu.

  5. Configure the worker node pools. A worker node pool is configured by default.

    Parameter                    Description
    Name                         A descriptive name for the node pool.
    Size                         Number of nodes to be provisioned for the node pool.
    Instance Type                Select the Azure instance type to be used for all the nodes in the pool.
    Managed Disk                 Select the managed disk type to be used.
    Disk Size                    Storage disk size in GB to be attached to each node.
    Availability Zones (if any)  Choose one or more availability zones. If multiple zones are selected, Palette provisions nodes across them to provide fault tolerance against failures such as hardware or network failures. Zones are supported only for worker pools.

    Every AKS cluster must contain at least one system node pool with at least one node.

    If you run a single system node pool for your AKS cluster in a production environment, it is recommended to use at least three nodes for the node pool.

    A minimum allocation of two (2) CPU cores is required across all worker nodes.

    A minimum allocation of 4Gi of memory is required across all worker nodes.

  6. Set the schedules for OS patching, scans, and backup and recovery as desired.

  7. Review the settings and deploy the cluster. Provisioning status with details of ongoing provisioning tasks is available to track progress.

New worker pools may be added if it is desired to customize certain worker nodes to run specialized workloads. As an example, the default worker pool may be configured with the Standard_D2_v2 instance type for general-purpose workloads, and another worker pool with the Standard_NC12s_v3 instance type can be configured to run GPU workloads.

Deleting an AKS Cluster

The deletion of an AKS cluster results in the removal of all Virtual Machines and associated Storage Disks created for the cluster. The following tasks need to be performed to delete an AKS cluster:

  1. Select the cluster to be deleted from the Cluster View page and navigate to the Cluster Overview page.
  2. Invoke the delete action available on the page: Cluster > Settings > Cluster Settings > Delete Cluster.
  3. Click Confirm to delete.

The Cluster Status is updated to Deleting while cluster resources are being deleted. Provisioning status is updated with the ongoing progress of the delete operation. Once all resources are successfully deleted, the cluster status changes to Deleted and is removed from the list of clusters.

Force Delete a Cluster

A cluster stuck in the Deleting state can be force deleted by the user through the User Interface, but only after it has been stuck in that state for a minimum of 15 minutes. Palette enables cluster force delete from the Tenant Admin and Project Admin scopes.

To force delete a cluster:

  1. Log in to the Palette Management Console.
  2. Navigate to the Cluster Details page of the cluster stuck in deletion.

    • If the deletion has been stuck for more than 15 minutes, click the Force Delete Cluster button from the Settings dropdown.

    • If the Force Delete Cluster button is not enabled, wait for 15 minutes. The Settings dropdown shows the estimated time until the Force Delete button is automatically enabled.

If any cloud resources still exist in the cloud, you should clean up those resources before going for the force deletion.

Configuring an Azure Active Directory

Azure Active Directory (AAD) can be enabled while creating and linking the Azure cloud account for the Palette platform, using a simple check box. Once the cloud account is created, you can create the Azure AKS cluster. The AAD-enabled AKS cluster will have its Admin kubeconfig file created, which can be downloaded from the Palette UI as the 'Kubernetes config file'. To enable AAD completely, you need to create the user's kubeconfig file manually. The following are the steps to create the custom user kubeconfig file:

  1. Go to the Azure console to create the Groups in Azure AD that will be granted access to cluster resources through Kubernetes RBAC and Azure AD.
  2. After you create the groups, create users in the Azure AD.
  3. Create custom Kubernetes roles and role bindings for the created users and apply the roles and role bindings using the Admin kubeconfig file.

    This step can also be completed using the Spectro RBAC pack available under the Authentication section of Add-on Packs.

  4. Once the roles and role bindings are created, these roles can be linked to the Groups created in Azure AD.
  5. The users can now access the Azure clusters with the complete benefits of AAD. To get the user-specific kubeconfig file, run the following command:

    az aks get-credentials --resource-group <resource-group> --name <cluster-name>
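Steps 3 to 5 above, as an added example that is not part of the Palette docs: a Role and a RoleBinding whose subject is the Azure AD group's object ID (AKS presents AAD group membership to Kubernetes by object ID, so the display name will not match), applied with the Admin kubeconfig downloaded from Palette, followed by the user-scoped credential fetch. The namespace, role name, group object ID, kubeconfig path, resource group and cluster name are all constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the Palette docs): grant an Azure AD group
# read-only access to one namespace of an AAD-enabled AKS cluster.
# All names and IDs passed in are placeholders you replace.

# Emit a Role plus a RoleBinding whose subject is an Azure AD group object ID.
# The subject must be the group's object ID, not its display name.
render_aad_rolebinding() {
  ns="$1"; role="$2"; group_oid="$3"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${role}
  namespace: ${ns}
rules:
- apiGroups: ["", "apps"]
  resources: ["pods", "deployments", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${role}-aad-binding
  namespace: ${ns}
subjects:
- kind: Group
  name: ${group_oid}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: ${role}
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the manifest with the Admin kubeconfig from Palette (step 3), then
# fetch the user-scoped kubeconfig (step 5) into its own file so the admin
# credentials are never handed to regular users.
apply_and_fetch_user_kubeconfig() {
  admin_kubeconfig="$1"; rg="$2"; cluster="$3"; ns="$4"; role="$5"; group_oid="$6"
  render_aad_rolebinding "$ns" "$role" "$group_oid" \
    | kubectl --kubeconfig "$admin_kubeconfig" apply -f -
  az aks get-credentials --resource-group "$rg" --name "$cluster" --file ./user.kubeconfig
}
```

Users then run `kubectl --kubeconfig ./user.kubeconfig get pods -n <namespace>` and are prompted for an Azure AD login; requests outside the bound namespace are denied by RBAC.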

References:

Use Kubernetes RBAC with Azure AD integration