Azure Kubernetes Service YAML Ansible Azure
Ansible ships with a suite of modules that can be executed directly on remote hosts or via playbooks. Users can also create their own modules. Modules can be used to control system resources (such as services, packages, or files) or to execute system commands.
For interacting with Azure services, Ansible includes a suite of cloud modules that provide the tools to easily create and orchestrate your infrastructure on Azure.
Each play can run one or more tasks, and each task invokes
an Ansible module. Modules are used to accomplish automation
tasks in Ansible. Ansible modules can be written in any language
that can return JSON, such as Ruby, Python, or bash.
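As a minimal sketch of this structure (the host pattern and module are chosen for illustration), a play with a single task invoking a module looks like this:

```yaml
# One play targeting all hosts, with one task invoking the
# ansible.builtin.ping module to verify connectivity.
---
- hosts: all
  tasks:
    - name: Verify connectivity to managed hosts
      ansible.builtin.ping:
```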
Red Hat Ansible Automation Platform will soon be available on Microsoft Azure. Sign up to
preview the experience.
Ansible includes a suite of modules for interacting with Azure Resource Manager, giving you
the tools to easily create and orchestrate infrastructure on the Microsoft Azure Cloud.
Requirements
Using the Azure Resource Manager modules requires having specific Azure SDK modules
installed on the host running Ansible.
Using the Azure Resource Manager modules requires authenticating with the Azure API.
You can choose from two authentication strategies: a service principal, or an Active Directory username/password.
Using Service Principal
There is now a detailed official tutorial describing how to create a service principal. You will need the following values:
Your Client ID, found in the “client id” box on the “Configure” page of your application in the Azure portal.
Your Secret key, generated when you created the application. The key cannot be displayed after creation; if you lose it, you must create a new one on the “Configure” page of your application.
Finally, a tenant ID: a UUID (for example, ABCDEFGH-1234-ABCD-1234-ABCDEFGHIJKL) identifying the Active Directory tenant that contains your application. You will find it in the URL from within the Azure portal, or in the “view endpoints” of any given URL.
Using Active Directory Username/Password
The modules offer several ways to provide your credentials. For a CI/CD tool such as Ansible
AWX or Jenkins, you will most likely want to use environment variables. For local
development you may wish to store your credentials in a file within your home directory.
And of course, you can always pass credentials as parameters to a task within a playbook.
The order of precedence is parameters, then environment variables, and finally a file found in
your home directory.
To pass service principal credentials through the environment, define the following variables:
AZURE_CLIENT_ID
AZURE_SECRET
AZURE_SUBSCRIPTION_ID
AZURE_TENANT
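For example (all four values below are illustrative placeholders, not real credentials):

```shell
# Export service principal credentials for the Azure modules to pick up.
# Substitute your own values for these placeholders.
export AZURE_CLIENT_ID="00000000-0000-0000-0000-000000000000"
export AZURE_SECRET="example-client-secret"
export AZURE_SUBSCRIPTION_ID="11111111-1111-1111-1111-111111111111"
export AZURE_TENANT="22222222-2222-2222-2222-222222222222"
```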
To pass Active Directory username/password through the environment, define the following
variables:
AZURE_AD_USER
AZURE_PASSWORD
AZURE_SUBSCRIPTION_ID
To pass Active Directory username/password in ADFS through the environment, define the
following variables:
AZURE_AD_USER
AZURE_PASSWORD
AZURE_CLIENT_ID
AZURE_TENANT
AZURE_ADFS_AUTHORITY_URL
“AZURE_ADFS_AUTHORITY_URL” is optional. It is necessary only when you have your own ADFS authority, such as https://yourdomain.com/adfs.
Storing in a File
For local development, you can store credentials in an ini-style file at $HOME/.azure/credentials. A service principal profile looks like this:
[default]
subscription_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
client_id=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
secret=xxxxxxxxxxxxxxxxx
tenant=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
Note
If your secret values contain non-ASCII characters, you must URL-encode them to avoid login errors.
It is possible to store multiple sets of credentials within the credentials file by creating multiple sections. Each section is considered a profile. The modules look for the [default] profile automatically.
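As a sketch (the profile name and module are chosen for illustration), a task can point at a non-default section of the credentials file with the profile parameter:

```yaml
# Hypothetical: read resource group facts using a [staging] profile
# from $HOME/.azure/credentials instead of [default].
- azure.azcollection.azure_rm_resourcegroup_info:
    name: Testing
    profile: staging
```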
Passing as Parameters
If you wish to pass credentials as parameters to a task, use the following parameters for
service principal:
client_id
secret
subscription_id
tenant
Or, pass the following parameters for Active Directory username/password:
ad_user
password
subscription_id
Or, pass the following parameters for ADFS username/password:
ad_user
password
client_id
tenant
adfs_authority_url
“adfs_authority_url” is optional. It is necessary only when you have your own ADFS authority, such as https://yourdomain.com/adfs.
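For instance, a sketch of passing service principal credentials directly to a task (the resource group name and location here are illustrative):

```yaml
# Service principal credentials supplied as task parameters.
# Values would normally come from vaulted variables, not literals.
- azure.azcollection.azure_rm_resourcegroup:
    name: Testing
    location: eastus
    client_id: "{{ my_client_id }}"
    secret: "{{ my_secret }}"
    subscription_id: "{{ my_subscription_id }}"
    tenant: "{{ my_tenant }}"
```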
To use an Azure Cloud other than the default public cloud (for example, Azure China Cloud,
Azure US Government Cloud, Azure Stack), pass the “cloud_environment” argument to
modules, configure it in a credential profile, or set the
“AZURE_CLOUD_ENVIRONMENT” environment variable. The value is either a cloud
name as defined by the Azure Python SDK (for example, “AzureChinaCloud”,
“AzureUSGovernment”; defaults to “AzureCloud”) or an Azure metadata discovery URL
(for Azure Stack).
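As an illustration, the argument can be set on an individual task (module and names chosen for the example):

```yaml
# Target Azure China Cloud instead of the default public cloud.
- azure.azcollection.azure_rm_resourcegroup:
    name: Testing
    location: chinaeast
    cloud_environment: AzureChinaCloud
```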
There are two ways to create a virtual machine, both involving the azure_rm_virtualmachine
module. We can either create a storage account, network interface, security group and public
IP address and pass the names of these objects to the module as parameters, or we can let the
module do the work for us and accept the defaults it chooses.
An Azure module is available to help you create a storage account, virtual network, subnet,
network interface, security group and public IP. Here is a full example of creating each of
these and passing the names to the azure.azcollection.azure_rm_virtualmachine module at the
end:
```yaml
subnet: subnet001
public_ip_name: publicip001
security_group: secgroup001
```
If you simply want to create a virtual machine without specifying all the details, you can do
that as well. The only caveat is that you will need a virtual network with one subnet already
in your resource group. Assuming you have a virtual network already with an existing subnet,
you can run the following to create a VM:
```yaml
- azure.azcollection.azure_rm_virtualmachine:
    resource_group: Testing
    name: testvm10
    vm_size: Standard_D1
    admin_username: chouseknecht
    ssh_password_enabled: false
    ssh_public_keys: "{{ ssh_keys }}"
    image:
      offer: CentOS
      publisher: OpenLogic
      sku: '7.1'
      version: latest
```
Creating a Virtual Machine in Availability Zones
Both the OS disk and any data disks must be ‘managed disks’, not ‘unmanaged disks’.
When creating a VM with the azure.azcollection.azure_rm_virtualmachine module, you need to explicitly set the zones parameter.
If you are not familiar with Ansible’s dynamic inventory scripts, check out Intro to Dynamic
Inventory.
The Azure Resource Manager inventory script is called azure_rm.py. It authenticates with the
Azure API exactly the same as the Azure modules, which means you will either define the
same environment variables described above in Using Environment Variables, create
a $HOME/.azure/credentials file (also described above in Storing in a File), or pass command
line parameters. To see available command line options execute the following:
$ wget https://raw.githubusercontent.com/ansible-community/contrib-scripts/main/inventory/azure_rm.py
$ ./azure_rm.py --help
As with all dynamic inventory scripts, the script can be executed directly, passed as a
parameter to the ansible command, or passed directly to ansible-playbook using the -i option.
No matter how it is executed the script produces JSON representing all of the hosts found in
your Azure subscription. You can narrow this down to just hosts found in a specific set of
Azure resource groups, or even down to a specific host.
For a given host, the inventory script provides the following host variables:
```json
{
  "ansible_host": "XXX.XXX.XXX.XXX",
  "computer_name": "computer_name2",
  "fqdn": null,
  "id": "/subscriptions/subscription-id/resourceGroups/galaxy-production/providers/Microsoft.Compute/virtualMachines/object-name",
  "image": {
    "offer": "CentOS",
    "publisher": "OpenLogic",
    "sku": "7.1",
    "version": "latest"
  },
  "location": "westus",
  "mac_address": "00-00-5E-00-53-FE",
  "name": "object-name",
  "network_interface": "interface-name",
  "network_interface_id": "/subscriptions/subscription-id/resourceGroups/galaxy-production/providers/Microsoft.Network/networkInterfaces/object-name1",
  "network_security_group": null,
  "network_security_group_id": null,
  "os_disk": {
    "name": "object-name",
    "operating_system_type": "Linux"
  },
  "plan": null,
  "powerstate": "running",
  "private_ip": "172.26.3.6",
  "private_ip_alloc_method": "Static",
  "provisioning_state": "Succeeded",
  "public_ip": "XXX.XXX.XXX.XXX",
  "public_ip_alloc_method": "Static",
  "public_ip_id": "/subscriptions/subscription-id/resourceGroups/galaxy-production/providers/Microsoft.Network/publicIPAddresses/object-name",
  "public_ip_name": "object-name",
  "resource_group": "galaxy-production",
  "security_group": "object-name",
  "security_group_id": "/subscriptions/subscription-id/resourceGroups/galaxy-production/providers/Microsoft.Network/networkSecurityGroups/object-name",
  "tags": {
    "db": "mysql"
  },
  "type": "Microsoft.Compute/virtualMachines",
  "virtual_machine_size": "Standard_DS4"
}
```
Host Groups
NOTE: The name of the .ini file is the basename of the inventory script (in other words,
‘azure_rm’) with a ‘.ini’ extension. This allows you to copy, rename and customize the
inventory script and have matching .ini files all in the same directory.
AZURE_GROUP_BY_RESOURCE_GROUP=yes
AZURE_GROUP_BY_LOCATION=yes
AZURE_GROUP_BY_SECURITY_GROUP=yes
AZURE_GROUP_BY_TAG=yes
AZURE_GROUP_BY_OS_FAMILY=yes
Select hosts within specific resource groups by assigning a comma separated list to:
AZURE_RESOURCE_GROUPS=resource_group_a,resource_group_b
Select hosts for specific tag key by assigning a comma separated list of tag keys to:
AZURE_TAGS=key1,key2,key3
Select hosts for specific locations by assigning a comma separated list of locations to:
AZURE_LOCATIONS=eastus,eastus2,westus
Or, select hosts for specific tag key:value pairs by assigning a comma separated list key:value
pairs to:
AZURE_TAGS=key1:value1,key2:value2
If you don’t need the powerstate, you can improve performance by turning off powerstate
fetching:
AZURE_INCLUDE_POWERSTATE=no
A sample azure_rm.ini file is included alongside the inventory script. An .ini file will contain the following:
[azure]
# Control which resource groups are included. By default, all resource groups are included.
# Set resource_groups to a comma separated list of resource group names.
#resource_groups=
# Control which tags are included. Set tags to a comma separated list of keys or key:value pairs.
#tags=
# Control which locations are included. Set locations to a comma separated list of locations.
#locations=
# Include powerstate. If you don't need powerstate information, turning it off improves runtime performance.
# Valid values: yes, no, true, false, True, False, 0, 1.
include_powerstate=yes
# Control grouping with the following boolean flags. Valid values: yes, no, true, false, True, False, 0, 1.
group_by_resource_group=yes
group_by_location=yes
group_by_security_group=yes
group_by_tag=yes
group_by_os_family=yes
Examples
When an HTTPS proxy is present, or when using Azure Stack, it may be necessary to disable
certificate validation for Azure endpoints in the Azure modules. This is not a recommended
security practice, but may be necessary when the system CA store cannot be altered to
include the necessary CA certificate. Certificate validation can be controlled by setting the
“cert_validation_mode” value in a credential profile, through the
“AZURE_CERT_VALIDATION_MODE” environment variable, or by passing the
“cert_validation_mode” argument to modules.
In this article
1. Configure your environment
2. Automatic credential configuration
3. Test Ansible installation
4. Next steps
Get started with Ansible by configuring Ansible on Azure and creating a basic Azure
resource group.
This article describes getting started with Ansible from the Azure Cloud
Shell environment.
1. If you already have a Cloud Shell session open, you can skip to the next
section.
When signed into the Cloud Shell, Ansible authenticates with Azure to manage
infrastructure without any extra configuration.
When working with multiple subscriptions, specify the subscription Ansible uses by
exporting the AZURE_SUBSCRIPTION_ID environment variable.
```bash
export AZURE_SUBSCRIPTION_ID=<your-subscription-id>
```
You have now configured Ansible for use within Cloud Shell!
This section shows how to create a test resource group within your new Ansible
configuration. If you don't need to do that, you can skip this section.
```yaml
---
- hosts: localhost
  connection: local
  tasks:
    - name: Creating resource group - "{{ name }}"
      azure_rm_resourcegroup:
        name: "{{ name }}"
        location: "{{ location }}"
      register: rg
    - debug:
        var: rg
```
```bash
ansible-playbook create_rg.yml --extra-vars "name=<resource_group_name> location=<resource_group_location>"
```
```yaml
---
- hosts: localhost
  tasks:
    - name: Deleting resource group - "{{ name }}"
      azure_rm_resourcegroup:
        name: "{{ name }}"
        state: absent
      register: rg
    - debug:
        var: rg
```
```bash
ansible-playbook delete_rg.yml --extra-vars "name=<resource_group>"
```
```bash
az aks create \
  --resource-group myResourceGroup \
  --name myK8sCluster \
  --node-count 3 \
  --generate-ssh-keys
```
This will create an AKS cluster with three nodes, ready for you to begin
deploying applications. From there, you can specify more parameters
such as the number of nodes, SKU, network configuration, and more.
Finally, you can access the AKS dashboard to manage and monitor
your cluster usage.
Overall, AKS provides a comprehensive and robust solution for
running containerized applications in the cloud.
It is secure, reliable, and highly scalable, making it an ideal choice for
businesses of any size.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app-deployment
  namespace: default
spec:
  replicas: 3
  selector:
    matchLabels:
      app: my-application
  template:
    metadata:
      labels:
        app: my-application
    spec:
      containers:
        - name: my-application
          image: my.container.registry.io/my-application:latest
```
```bash
az aks create \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --node-count 3 \
  --generate-ssh-keys
```
2. Cost Savings: AKS is cost-effective, reducing the costs associated with buying,
renting or leasing servers and other hardware for running Kubernetes workloads.
3. Security and Compliance: AKS integrates with Azure RBAC, providing secure
access control to resources. It also supports LDAP integration and SAML
authentication.
4. Scale and Resilience: AKS allows you to quickly scale up or down depending on
your needs, making sure your applications are always running. Additionally, many
features are built in that help protect the cluster from various types of failure.
6. Monitoring and Logging: AKS integrates with Azure Monitor and Log Analytics,
allowing you to fully monitor your Kubernetes resources.
```bash
az aks create \
  --resource-group $resourceGroupName \
  --name $clusterName \
  --node-count 3 \
  --enable-rbac \
  --enable-private-cluster \
  --network-policy azure \
  --generate-ssh-keys \
  --no-wait
```
This will list the last 100 lines of all the logs for your current
Kubernetes environment, which you can then analyze to determine
any abnormality in your system.
This command will scale the deployment "nginx" to 6 replicas, increasing
the number of containers running for that service. After making sure that
both the cluster and the deployment are correctly scaled, you will be able
to use the application and handle higher traffic with ease.
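The same result can be expressed declaratively. As a sketch (the Deployment name mirrors the nginx example above), setting replicas in the manifest and re-applying it has the same effect as the imperative scale command:

```yaml
# Declarative equivalent of scaling the nginx Deployment to 6 replicas.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 6
```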
```bash
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --enable-aad
```
IP address management
DNS services
Load Balancing
Virtual Network (VNET)
Network Security Groups (NSGs)
DNS services are managed through Azure DNS, which allows for
automated name resolution of resources in AKS clusters.
Additionally, nodes can have their own hostnames assigned making it
easier to reach them.
Load balancing is handled using Azure's Load Balancer, which offers
multiple features such as traffic distribution, health checks and
performance tracking. Additionally, TCP, UDP and HTTP ports can be
opened and configured for incoming traffic.
Virtual Networks (VNETs) are used to group and contain AKS node
deployments.
This helps to ensure that nodes in the same network can communicate
with each other, but nodes outside of the network are unable to
communicate.
Finally, Network Security Groups (NSGs) are used to further enhance
security. These allow for control over which IP addresses and ports can
access AKS clusters, and also provides advanced filters and rules for
traffic.
An example of a code snippet that allows you to configure NSG rules
for an AKS cluster is shown below:
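A minimal sketch using the azure.azcollection.azure_rm_securitygroup module (the group name, rule name, and priority here are illustrative):

```yaml
# Create a network security group with one inbound rule allowing
# HTTPS traffic to reach the AKS nodes.
- azure.azcollection.azure_rm_securitygroup:
    resource_group: myResourceGroup
    name: aks-nsg
    rules:
      - name: AllowHTTPSInbound
        protocol: Tcp
        destination_port_range: 443
        access: Allow
        priority: 1001
        direction: Inbound
```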
Separately, a Horizontal Pod Autoscaler can scale a deployment automatically based on CPU utilization:
```yaml
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: <name-of-autoscaler>
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: <name-of-deployment>
  minReplicas: 1
  maxReplicas: 10
  targetCPUUtilizationPercentage: <desired-level-of-utilization>
```
| | Kubernetes | Docker Swarm |
|---|---|---|
| Installation & Cluster Config | Setup is very complicated, but once installed the cluster is robust. | Installation is very simple, but the cluster is not robust. |
| Auto-scaling | Kubernetes can do auto-scaling. | Docker Swarm cannot do auto-scaling. |
| Load Balancing | Manual intervention needed for load balancing traffic between different containers and pods. | Docker Swarm does auto load balancing of traffic between containers in the cluster. |
| Rolling Updates & Rollbacks | Can deploy rolling updates and does automatic rollbacks. | Can deploy rolling updates, but not automatic rollback. |
| Data Volumes | Can share storage volumes only with the other containers in the same pod. | Can share storage volumes with any other container. |
| Logging & Monitoring | In-built tools for logging and monitoring. | 3rd party tools like ELK stack should be used for logging and monitoring. |
share the libraries present in that operating system whereas while deploying
applications in containers the architecture is a little different.
This kind of architecture has a kernel, and that kernel is the only thing
common between all the applications. So, if a particular application needs
Java, then only that application gets access to Java, and if another
application needs Python, then only that particular application will have
access to Python.
The individual blocks that you can see on the right side of the diagram are
basically containerized and these are isolated from other applications. So, the
applications have the necessary libraries and binaries isolated from the rest of
the system, and cannot be encroached by any other application.
So, the API server which sits in front of the services, the worker nodes, and the kubelet
process that the nodes run all together make up the Kubernetes cluster.
1. **Drain the Node**: Before performing maintenance, you should drain the node
to gracefully evict all the running pods from the node. The Kubernetes control
plane will schedule the evicted pods to other healthy nodes in the cluster. Use
the following command to drain the node:
```
kubectl drain <node_name> --ignore-daemonsets
```
Replace `<node_name>` with the name of the node you want to drain.
2. **Mark the Node as Unschedulable**: Prevent new pods from being scheduled
on the node during maintenance:
```
kubectl cordon <node_name>
```
6. **Validate Pod Status**: Check the status of the pods that were running on the
node before draining to ensure they have been successfully rescheduled to
other nodes.
7. **Rollout Updates (if applicable)**: If you have made any changes that require
pod updates (e.g., container image updates), trigger a controlled rollout of the
affected pods to the updated version.
8. **Monitor Cluster Health**: Keep an eye on the overall health of the cluster
after maintenance. Monitor the logs and metrics to ensure that all components
and nodes are functioning as expected.
- Resource Limits: Specifies the maximum amount of CPU and memory that
a container can consume. Kubernetes enforces these limits to prevent a single
container from using more resources than specified, which helps in avoiding
resource contention.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  containers:
    - name: my-container
      image: my-image
      resources:
        requests:
          cpu: "0.5"
          memory: "512Mi"
        limits:
          cpu: "1"
          memory: "1Gi"
```
By using these mechanisms, you can effectively control the resource usage of
Pods in your Kubernetes cluster, ensuring efficient resource allocation, high
availability, and optimal performance for all applications running in the cluster.
Q13. What are the various K8s services running on nodes, and what is the
role of each service?
1. **kubelet**: The kubelet is an agent that runs on each node and is responsible
for managing the containers running on that node. It communicates with the
Kubernetes control plane and ensures that the containers specified in Pod
manifests are running and healthy.
2. **kube-proxy**: The kube-proxy is responsible for network proxying and load
balancing for services running in the cluster. It enables communication between
Pods and services and maintains network rules to forward traffic to the
appropriate destinations.
3. **container runtime**: The container runtime is the software responsible for
pulling container images and running containers on the node. Kubernetes
supports various container runtimes, such as Docker, containerd, and others.
4. **kube-dns/coredns**: The kube-dns or CoreDNS service provides DNS
resolution within the cluster. It allows Pods to discover and communicate with
each other using DNS names instead of direct IP addresses.
5. **kubelet-certificate-controller**: This service ensures that each node has the
necessary TLS certificates required for secure communication with the control
plane.
6. **kubelet-eviction-manager**: The kubelet-eviction-manager monitors the
resource usage of the node and triggers Pod eviction when there is a lack of
resources, helping to maintain node stability and prevent node resource
exhaustion.
7. **kube-proxy (IPVS mode)**: In clusters running with IPVS (IP Virtual Server)
mode, kube-proxy uses IPVS to handle the load balancing of services more
efficiently.
8. **metrics-server**: The metrics-server collects resource usage metrics (CPU,
memory, etc.) from nodes and Pods and provides them to Kubernetes Horizontal
Pod Autoscaler (HPA) and other components for scaling decisions.
9. **node-problem-detector**: The node-problem-detector detects and reports
node-level issues, such as kernel panics or unresponsive nodes, to the
Kubernetes control plane for further actions.
10. **kube-reserved and kube-system-reserved cgroups**: These are control
groups that reserve CPU and memory resources for the kubelet and critical
system components to ensure their stability and proper functioning.
These services, running on every node, play a crucial role in maintaining the
health, networking, and performance of the Kubernetes cluster. They ensure
seamless communication, resource management, and container orchestration,
providing the foundation for deploying and managing containerized applications
effectively in the Kubernetes environment.
A Pod Disruption Budget (PDB) is a Kubernetes resource that allows you to set
policies on how many Pods of a particular ReplicaSet or Deployment can be
simultaneously unavailable during voluntary disruptions. Voluntary disruptions
can occur during planned maintenance, scaling events, or other administrative
actions.
The main purpose of a Pod Disruption Budget is to ensure high availability and
reliability of applications running in a Kubernetes cluster while allowing for
necessary maintenance and updates. By setting a PDB, you define the maximum
number of Pods that can be unavailable (or the minimum number that must remain
available) during a voluntary disruption.
A typical use case for PDB is during rolling updates or scaling events. When you
update a deployment or scale it up or down, Kubernetes will try to ensure that
the disruption does not exceed the defined PDB. This prevents scenarios where
all instances of an application are taken down simultaneously, leading to service
outages or degraded performance.
```yaml
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: example-pdb
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: example-app
```
It’s important to note that a PDB does not prevent involuntary disruptions
caused by node failures or other unforeseen issues. Instead, it focuses on
controlling voluntary disruptions to maintain application availability during
planned events. PDBs are particularly useful for applications that require a
certain level of redundancy or have strict availability requirements.
1. **Sequential Execution**: Init containers run one after another, and each init
container must successfully complete before the next one starts. This allows for
a sequential setup of required resources or configurations.
2. **Temporary Nature**: Init containers are temporary and are not part of the
main application’s ongoing lifecycle. Once their tasks are completed, they
terminate, and the main containers start.
3. **Different Image**: Init containers can use a different container image than the
main application containers. This allows for separate tools or configurations to
be used for initialization tasks.
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  initContainers:
    - name: init-container
      image: busybox
      command: ['sh', '-c', 'echo "Initializing..." && sleep 10']
  containers:
    - name: main-container
      image: my-app-image
```
In this example, the Pod contains an init container named “init-container” with a
simple command to echo a message and sleep for 10 seconds. The main
application container is named “main-container” and is specified below the init
container. When the Pod starts, the init container will run and complete its task
before the main application container starts.
Using init containers can help ensure that the required setup and configuration
tasks are completed successfully before the main application starts, improving
the reliability and stability of the overall application deployment.
Q17. What are the various things that can be done to increase Kubernetes
security?
1. Use RBAC (Role-Based Access Control): Implement RBAC to control and restrict
access to different resources within the cluster. Assign roles and permissions
based on the principle of least privilege, ensuring that users and applications
have only the necessary access rights.
2. Enable Network Policies: Use Network Policies to control network traffic
between Pods within the cluster. Network Policies help enforce communication
rules, limiting the attack surface and preventing unauthorized access between
Pods.
3. Secure API Server: Ensure that the Kubernetes API server is properly secured.
Use TLS certificates for communication, disable insecure ports, and enable audit
logging to monitor API server activity.
4. Image Security: Scan container images for vulnerabilities and use trusted
sources for images. Implement container image signing and verification to
ensure image integrity.
5. Pod Security Policies: Utilize Pod Security Policies to enforce security standards
and best practices for Pod specifications. Pod Security Policies can prevent the
creation of Pods that do not meet security requirements.
6. Secure Secrets Management: Use Kubernetes Secrets to store sensitive
information securely. Avoid exposing sensitive data directly in Pod specifications
or YAML files.
7. Regularly Update and Patch: Keep all components of the Kubernetes cluster,
including nodes, control plane, and add-ons, up to date with the latest security
patches and updates.
8. Secure etcd: Ensure that the etcd data store used by the Kubernetes control
plane is secure. Configure TLS encryption for etcd communication and consider
enabling role-based access control for etcd.
9. Limit External Access: Minimize external access to the Kubernetes API server
and use a VPN or private network for secure access.
10. Implement Pod Security Context: Set appropriate security context for Pods to
control their privileges and capabilities. Avoid running containers with excessive
permissions.
11. Monitoring and Logging: Implement robust monitoring and logging solutions to
detect and respond to security incidents. Monitor cluster activity, audit logs, and
network traffic for suspicious behavior.
12. Secure Network Communication: Use TLS for secure communication between
components in the cluster. Enable mutual TLS authentication for enhanced
security.
13. Limit Host OS Access: Restrict direct access to the host OS from within
containers, as it can pose security risks.
14. Regular Security Audits: Conduct regular security audits and vulnerability
assessments of your Kubernetes cluster and applications.
15. Training and Education: Educate your team about Kubernetes security best
practices and conduct security training regularly.
By following these security measures and best practices, you can significantly
enhance the security of your Kubernetes cluster, reducing the risk of potential
threats and ensuring a more resilient and protected environment for your
applications.
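As an illustration of item 2 above (Network Policies), here is a minimal sketch; the policy name and labels are hypothetical:

```yaml
# Allow ingress to Pods labelled app: example-app only from Pods
# labelled role: frontend; all other ingress to those Pods is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-only
spec:
  podSelector:
    matchLabels:
      app: example-app
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: frontend
```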
Prometheus can scrape metrics from these components, and alerting rules can
be configured to notify of any issues.
7. Alerting: Configure alerting rules in Prometheus or through your monitoring
solution to get notified of critical issues or abnormal behavior. Use Alertmanager
to manage and route alerts to various channels like email, Slack, or other
messaging platforms.
8. Visualize Data: Create custom dashboards in Grafana to visualize the collected
metrics. Display critical cluster metrics, application-specific metrics, and any
other relevant data for easy monitoring.
9. Long-Term Storage: Consider setting up long-term storage for historical metrics
data. Tools like Thanos or VictoriaMetrics can help store and query historical
data from Prometheus.
10. Log Aggregation: Use a centralized logging solution (e.g., ELK Stack, Fluentd, Loki)
to collect and analyze container logs for debugging and troubleshooting
purposes.
11. Security Monitoring: Implement security monitoring to detect potential security
threats and unauthorized access attempts in your Kubernetes cluster.
12. Regular Review and Maintenance: Regularly review the monitoring data, analyze
trends, and fine-tune alerting thresholds. Keep monitoring components updated
and ensure that they are functioning correctly.
To collect central logs from Pods running in a Kubernetes cluster, you can use a
centralized logging solution. One popular approach is to use the ELK Stack,
which consists of three main components: Elasticsearch, Logstash (or Fluentd),
and Kibana. Here’s how you can set up central logging using the ELK Stack:
3. Configure Application Logs: Inside your Kubernetes Pods, ensure that your
applications are configured to log to the standard output and standard error
streams. Kubernetes will collect these logs by default.
4. Install Kibana: Set up Kibana as a web-based user interface to visualize and
query the logs stored in Elasticsearch. Kibana allows you to create custom
dashboards and perform complex searches on your log data.
5. Configure Log Forwarding: Configure Logstash or Fluentd to forward logs from
the Kubernetes Pods to Elasticsearch. This may involve defining log collection
rules, filters, and log parsing configurations.
6. View Logs in Kibana: Access Kibana using its web interface and connect it to the
Elasticsearch backend. Once connected, you can create visualizations, search
logs, and analyze log data from your Kubernetes Pods.
Additionally, you can consider using other centralized logging solutions like Loki
or Splunk for log aggregation and analysis. The process may vary slightly
depending on the logging tool you choose, but the core concept remains the
same: collect logs centrally from Kubernetes Pods and make them available for
analysis and visualization in a user-friendly interface.
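As a sketch of the log-forwarding setup described above, the collector is typically deployed as a DaemonSet so one instance runs on every node; the namespace and image tag below are assumptions for illustration:

```yaml
# fluentd-daemonset.yml: run one Fluentd pod per node to tail container logs.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: fluentd
  template:
    metadata:
      labels:
        app: fluentd
    spec:
      containers:
        - name: fluentd
          image: fluent/fluentd:v1.16
          volumeMounts:
            - name: varlog
              mountPath: /var/log
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
```

The hostPath mount is what gives the collector access to each node's container log files; the Fluentd configuration (not shown) would then parse and ship them to Elasticsearch or Loki.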
This section deals with questions related to the architecture of Kubernetes.
Kube-proxy runs on each node and maintains an environment that reflects the
services as configured in the Kubernetes API. The Docker-link-compatible
environment variables provide the cluster IPs and ports which are opened by
the proxy.
51 yaml ansible -- Azure Kubernetes Service
Q3. Can you brief on the working of the master node in Kubernetes?
The Kubernetes master controls the nodes, and the containers run inside those
nodes. The individual containers are contained inside pods, and each pod can
hold a varying number of containers depending on the configuration and
requirements. Pods can be deployed either through the user interface or the
command-line interface; they are then scheduled onto the nodes and, based on
their resource requirements, allocated to those nodes. The kube-apiserver
makes sure that communication is established between the Kubernetes nodes
and the master components.
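Deploying a pod through the command-line interface mentioned above usually means applying a YAML manifest with kubectl. A minimal sketch, where the pod name and image are placeholders:

```yaml
# pod.yml: a pod holding a single container, applied with `kubectl apply -f pod.yml`.
apiVersion: v1
kind: Pod
metadata:
  name: demo-pod
spec:
  containers:
    - name: web
      image: nginx:1.25
      resources:
        requests:
          cpu: 100m      # resource requests are what the scheduler uses
          memory: 128Mi  # when allocating the pod to a node
```

The resources.requests section illustrates the scheduling point made above: the scheduler places the pod on a node that can satisfy these requests.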
So, the different types of controller managers running on the master node are: the node controller, the replication controller, the endpoints controller, and the service account and token controllers.
Now, let me explain the working of the Ingress network with an example.
There are two nodes, each having a pod and root network namespace connected
by a Linux bridge. In addition to this, a new virtual ethernet device called
flannel0 (a network plugin) is added to the root network.
Now, suppose we want a packet to flow from pod1 to pod4. Refer to the
below diagram.
So, the packet leaves pod1’s network at eth0 and enters the root network
at veth0.
Then it is passed on to cbr0, which makes an ARP request to find the destination,
and it turns out that nobody on this node has the destination IP address.
So, the bridge sends the packet to flannel0, as the node’s route table is
configured with flannel0.
Now, the flannel daemon talks to the Kubernetes API server to learn all the
pod IPs and their respective nodes, creating mappings of pod IPs to node IPs.
The network plugin wraps this packet in a UDP packet with extra headers,
changing the source and destination IPs to those of their respective nodes, and
sends the packet out via eth0.
Now, since the route table already knows how to route traffic between nodes, it
sends the packet to the destination node2.
The packet arrives at eth0 of node2 and is handed to flannel0, which
decapsulates it and emits it back into the root network namespace.
Again, the packet is forwarded to the Linux bridge, which makes an ARP request
to find out the IP that belongs to veth1.
The packet finally crosses the root network and reaches the destination pod4.
Equality-Based Selectors: This type of selector allows filtering by label key and
value. In layman’s terms, an equality-based selector will only match pods whose
label exactly equals the given phrase.
Example: Suppose your label says app=nginx; then, with this selector, you
can only look for those pods whose label app equals nginx.
Set-Based Selectors: This type of selector allows filtering keys against
a set of values. In other words, a set-based selector will match pods
whose label value is mentioned in the set.
Example: Say your selector is app in (Nginx, NPS, Apache). Then, if your app
label equals any of Nginx, NPS, or Apache, the selector treats it as a match.
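Both selector styles can be sketched in a single Deployment spec; the names and label values below are hypothetical:

```yaml
# deployment.yml fragment: equality-based and set-based selectors combined.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:          # equality-based: label must equal this exact value
      app: nginx
    matchExpressions:     # set-based: label value must be in the listed set
      - key: tier
        operator: In
        values: [frontend, cache]
  template:
    metadata:
      labels:
        app: nginx        # satisfies the equality-based clause
        tier: frontend    # satisfies the set-based clause
    spec:
      containers:
        - name: nginx
          image: nginx:1.25
```

When both matchLabels and matchExpressions are given, a pod must satisfy all clauses to be selected.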
Q14. What are the best security measures that you can take while using
Kubernetes?
The following are the best security measures that you can follow while using
Kubernetes:
The federated clusters can achieve this by doing the following two things. Refer
to the below diagram.
How do you think the company shifted from a monolithic architecture to
microservices and deployed its services as containers?
Solution:
How do you think such a company can manage all its tasks in a consistent way
with Kubernetes?
Solution:
In such a situation, the company can use something that offers them agility,
scale-out capability, and DevOps practices for cloud-based applications.
The company can therefore use Kubernetes to customize their scheduling
architecture and support multiple container formats. This makes affinity
between container tasks possible, which gives greater efficiency, along with
extensive support for various container networking solutions and container
storage options.
Solution:
How do you think this company can achieve this to satisfy their customers?
Solution:
In order to give millions of clients the digital experience they expect, the
company needs a platform that is scalable and responsive, so that they can
quickly get data to the client website. To do this, the company should move
from their private data centers (if they are using any) to a cloud environment
such as AWS. Not only this, they should also adopt a microservice
architecture so that they can start using Docker containers. Once they have the
base framework ready, they can start using the best orchestration platform
available, Kubernetes.
Solution
Well, to solve the problem, they can shift their monolithic code base to a
microservice design, and then each microservice can be treated as a container.
All these containers can then be deployed and orchestrated with the help of
Kubernetes.
How can the company solve the problem on the deployment side?
Solution
Solution
The solution to this problem is none other than Kubernetes. Kubernetes makes
sure that resources are optimized efficiently and that only the resources needed
by a particular application are used. So, by using the best container
orchestration tool, the company can achieve efficient distribution of resources.
How do you think will the company deal with the servers and their installation?
Solution
The company can adopt the concept of containerization. Once they deploy all
their applications into containers, they can use Kubernetes for orchestration
and container monitoring tools like Prometheus to monitor what happens inside
the containers. Such usage of containers gives them better capacity planning in
the data center, because they will now have fewer constraints thanks to the
abstraction between the services and the hardware they run on.
How do you think they can achieve this critical target in a dynamic manner?
Solution
How will the company achieve this in the presence of different interfaces?
Solution
The company can decompose its infrastructure into microservices and then
adopt Kubernetes. This will let the company run various workloads on different
cloud infrastructures.
a. Kube-apiserver
b. Kubelet
c. Etcd[Ans]
d. None of the above
a. ReplicaSet
b. Deployment
c. Rolling Updates
d. Both ReplicaSet and Deployment[Ans]
a. Pods
b. Services
c. Volumes
d. All of the above[Ans]
a. Master Node
b. Worker Node
c. All the nodes[Ans]
d. None of the above
a. HTTPGetAction
b. ExecAction
c. TCPSocketAction[Ans]
d. None of the above
Terraform and Ansible are both popular tools used for infrastructure automation, but they have
different approaches and use cases. Here's a comparison between the two:
**Terraform**:
1. **Infrastructure as Code**: Terraform is an infrastructure-as-code (IaC) tool that lets you describe
the desired state of your infrastructure in a declarative configuration language (HCL) and then
provisions it for you.
2. **Multi-Cloud Support**: Terraform supports multiple cloud providers (such as AWS, Azure,
Google Cloud Platform, etc.) as well as on-premises infrastructure. It provides a consistent workflow
for managing infrastructure across different environments and cloud providers.
3. **Execution Plans**: Before applying changes, Terraform produces an execution plan that shows
exactly which resources will be created, changed, or destroyed, so you can review changes before
they happen.
4. **State Management**: Terraform maintains a state file that keeps track of the current state of
your infrastructure. This state file helps Terraform understand which resources are currently
provisioned and manage changes to your infrastructure in a safe and predictable manner.
**Ansible**:
1. **Automation Tool**: Ansible is a general-purpose automation tool that can be used for a wide
range of tasks including configuration management, application deployment, orchestration, and
more. It uses a procedural language based on YAML for defining automation tasks called playbooks.
2. **Agentless Architecture**: Ansible connects to managed hosts over SSH (or WinRM for Windows)
and does not require any agent software to be installed on them.
3. **Idempotent Operations**: Ansible playbooks are idempotent, meaning running the same
playbook multiple times will result in the same state. This makes it safe to run Ansible playbooks
repeatedly, reducing the risk of unintended changes.
4. **Configuration Management**: Ansible is often used for configuration management tasks such
as installing software, managing configuration files, and ensuring system configurations are
consistent across multiple servers.
**Key Differences**:
1. **Declarative vs Procedural**: Terraform uses a declarative approach where you define the
desired state of your infrastructure, while Ansible uses a procedural approach where you specify the
steps to be executed to achieve a desired outcome.
2. **Provisioning vs. Configuration Management**: Terraform is primarily used to provision
infrastructure, while Ansible is primarily used to configure and maintain the software running on it.
3. **State Management**: Terraform manages infrastructure state using state files, while Ansible
doesn't maintain state between playbook runs.
In summary, Terraform is well-suited for managing infrastructure as code and provisioning resources
across multiple cloud environments, while Ansible is a versatile automation tool that can be used for
a wide range of tasks including configuration management, application deployment, and
orchestration. Depending on your specific use case, you may choose to use one or both of these
tools in your infrastructure automation workflows.
https://www.spiceworks.com/tech/devops/articles/terraform-vs-ansible/
Terraform vs Ansible: which tool should you use? Here’s the answer from experts
who have working experience on both tools.
This post highlights the differences between Terraform and Ansible, explores the
similarities and concludes with the best way to manage infrastructure.
What is Terraform?
Terraform enables you to provision, manage, and deploy your infrastructure as code
(IaC) using a declarative configuration language called HashiCorp Configuration
Language (HCL). One of the most popular IaC tools available, it was initially
developed by Hashicorp under an open-source license, but it recently switched to a
Business Source License (BUSL).
What is Ansible?
Ansible is a software tool designed for cross-platform automation and orchestration at
scale. Written in Python and backed by RedHat and a loyal open-source community, it
is a command-line IT automation application widely used for configuration
management, infrastructure provisioning, and application deployment use cases.
YAML: A popular, simple data format that is easy for humans to understand.
Modules: Reusable standalone scripts that perform a specific task
Playbooks: A playbook is a YAML file that expresses configurations,
deployments, and Orchestration in Ansible. They contain one or multiple plays.
Plays: Subset within a playbook. Defines a set of tasks to run on a specific host
or group of hosts.
Inventories: All the machines you use with Ansible (servers, databases, and
other hosts) are listed in a single simple file, together with their IP
addresses and other details.
Roles: Redistributable units of organization that make it easier for users to
share automation code.
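As a minimal sketch of such an inventory in YAML form, where the hostnames and addresses are made up for illustration:

```yaml
# inventory.yml: hosts grouped so playbooks can target them by role.
all:
  children:
    webservers:
      hosts:
        web1.example.com:
          ansible_host: 10.0.0.11
        web2.example.com:
          ansible_host: 10.0.0.12
    databases:
      hosts:
        db1.example.com:
          ansible_host: 10.0.0.21
```

A play can then target hosts: webservers or hosts: databases, and Ansible resolves the group to the listed machines.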
Both Terraform and Ansible are capable of executing remote commands on a
newly created virtual machine. This means both tools are agentless: there is no
need to deploy agents on the machines for operational purposes.
Terraform uses cloud provider APIs to create infrastructure and basic configuration
tasks are achieved using SSH. The same goes with Ansible – it uses SSH to perform
all the required configuration tasks. The “state” information for both does not require
a separate set of infrastructure to manage, thus both the tools are masterless.
In general, both the tools are great in their own ways. They have an overlap of
functions when it comes to infrastructure management. Infrastructure management
broadly encompasses 2 aspects – orchestration and configuration management.
Terraform and Ansible have their own ways of managing both – with strong and weak
points when it comes to overlaps. Thus, it is important to delve into some details of
both the tools to make a “perfect” choice or a combination with boundaries.
Ansible, on the other hand, is also capable of provisioning the cloud infrastructure but
it is not comprehensive enough. It is mainly geared towards configuration
management. Configuration management is a process of keeping the applications and
dependencies up to date. This is where Ansible really shines as compared to
Terraform.
Both the tools can perform both kinds of activities. However, there are limitations
when implementing configuration management using Terraform, and infrastructure
automation using Ansible. They are not flexible enough when it comes to complex
infrastructure management.
No matter how you write the code, Terraform identifies the dependencies, and
provisions infrastructure. Writing or translating existing infrastructure to code is easy
in Terraform. Check this Terraform import tutorial if you would like to know more
about importing infrastructure under Terraform management.
Ansible uses YAML syntax to define the procedure to perform on the target
infrastructure. Ansible YAML scripts are procedural in nature – meaning when you
write the script, it will be executed from top to bottom.
Ansible scripts are called "Ansible playbooks". When you have to perform a
certain series of tasks, you define them in the playbook, and they are performed
in the sequence they are written. For example, to install an Apache server on a
given virtual machine as a root user, you would have to write the user-creation
step before defining the installation task.
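The Apache example above can be sketched as a short playbook; the host group and user name are assumptions:

```yaml
# playbook.yml: tasks run top to bottom, so the user exists before Apache is installed.
- name: Install Apache with a dedicated service user
  hosts: webservers
  become: true
  tasks:
    - name: Create the service user first
      ansible.builtin.user:
        name: apache_admin
        state: present

    - name: Then install the Apache server
      ansible.builtin.apt:
        name: apache2
        state: present
```

Because both tasks are idempotent, re-running the playbook leaves an already-configured host unchanged, which is the property described earlier in this document.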
Mutability is an attribute associated with the underlying infrastructure that defines the
way newer versions of applications and services are deployed. Deployment either
takes place on existing infrastructure, or we can provision a completely new set of
infrastructure for the same.
Mutability seems convenient, but the risk of failure associated with it is higher. When
application configurations are re-applied on the same infrastructure, there are
additional steps of uninstalling the previous version and then installing the desired
version. More steps also introduce more chances of failure. Doing this for a fleet of
servers can result in uneven configurations and unpredictable behavior.
However, there is no golden rule defined that advocates one approach over the other.
As far as the configuration changes are concerned, Ansible wins the race since it is
primarily a configuration management tool. Ansible supports infrastructure
immutability by offering VM image creation. However, maintaining these additional
images requires additional effort.
4. State Management
Terraform manages the entire lifecycle of the resources under its management. It
maintains the mapping of infrastructure resources with the current configuration in
state files. State management plays a very important role in Terraform.
States are used to track changes to the configuration and provision the same. It is also
possible to import existing resources under Terraform management by importing the
real-world infrastructure in state files.
At any given time, it is possible to query the Terraform state files to understand the
infrastructure component and their attributes currently available.
As opposed to this, Ansible does not support any lifecycle management. Since Ansible
mainly deals with configuration management and considering it defaults to immutable
infrastructure, any changes introduced in the configuration are executed automatically
on the target resource.
5. Configuration Drift
Configuration drift refers to the difference between the desired and actual state of your
configuration. One of the most common reasons for this is that engineers/machines
make changes outside the configuration. If you are using Terraform to manage your
infrastructure and you make a change outside it, you’ve introduced drift. Drift
happens, and solutions like Spacelift’s drift detection not only detect the drift but can
optionally remediate it, too.
While both Ansible and Terraform aim to mitigate drift, their methodologies differ.
Ansible relies on idempotent tasks and continuous execution without maintaining a
persistent state of the infrastructure. In contrast, Terraform relies on a stored state to
detect and manage drift, emphasizing a declarative approach to infrastructure as code.
In Microsoft Azure, pricing tiers refer to the different service plans or subscription
levels offered for Azure services. Each service in Azure typically offers multiple pricing
tiers with varying features, performance levels, and pricing models to meet the
diverse needs of customers.
1. Basic Tier: Basic tiers often offer entry-level features and limited
functionalities at a lower cost. They are suitable for small-scale applications or
testing purposes.
2. Standard Tier: Standard tiers provide additional features, higher performance,
and enhanced capabilities compared to basic tiers. They are suitable for
production workloads and applications that require higher reliability and
scalability.
3. Premium Tier: Premium tiers offer the highest level of performance,
reliability, and advanced features. They are designed for mission-critical
applications, high-demand workloads, and scenarios that require guaranteed
service levels and premium support.
4. Free Tier: Some Azure services offer a free tier with limited usage quotas or
trial periods, allowing users to explore the service and its capabilities at no
cost.
5. Pay-As-You-Go: Many Azure services operate on a pay-as-you-go pricing
model, where customers are billed based on their actual usage of resources or
services. This model offers flexibility and scalability, allowing customers to pay
only for the resources they consume.
6. Reserved Instances: Azure also offers reserved instance pricing, where
customers can commit to a specific usage level for a fixed term (e.g., one year
or three years) in exchange for discounted rates. Reserved instances provide
cost savings for predictable workloads with steady usage patterns.
The availability of pricing tiers and their specific features vary depending on the
Azure service. Customers can choose the pricing tier that best aligns with their
requirements, budget, and performance needs. Azure also provides pricing
calculators and cost management tools to help customers estimate and optimize
their cloud spending.
Sometimes the choice between the two tools depends on what is familiar.
For those coming from an on-premises environment, PowerShell is the
more natural choice since it's been a part of Microsoft Windows for more
than a decade, but the Azure command-line interface (Azure CLI) has its
merits, too.
The differences between the two are often subtle, and your selection will
likely come down to personal preference. Thankfully, though, the process
of choosing is made easier by the fact that the Azure CLI and PowerShell
call the same exact APIs. Let's take a closer look at Azure CLI and
PowerShell, as well as the possibility of combining them.
Azure CLI
The Azure CLI is a set of commands developers use to create, manage and
interact with all Azure resources from a programmatic perspective. The Azure CLI
is built in Python. You can use the Azure CLI from both the terminal on your
computer and the Azure Cloud Shell, which is a browser-accessible shell.
The Azure CLI runs on:
Linux distributions
macOS
Windows
PowerShell
While it was originally only for Windows, PowerShell was re-created as an open
source scripting and programming language with an interactive command-line
shell. Microsoft built it to serve as an automation tool for system administrators.
Unlike most command-line shells, PowerShell was built on the .NET framework
and works with objects.
Similar to the Azure CLI, IT teams can run PowerShell on any OS. Developers can
also use it to interact with any platform or application that has a public-facing API.
PowerShell is still one of the top languages used, alongside Python and JavaScript,
for scripting and automating in Azure.
First, let's create an Azure resource group using a cmdlet, which is a scaled-back
version of a PowerShell function, for example:
New-AzResourceGroup -Name myResourceGroup -Location eastus
The equivalent Azure CLI command is:
az group create --name myResourceGroup --location eastus
As you can see, the length is pretty much the same. However, one thing that you
can do with PowerShell natively is expand the cmdlet and create a PowerShell
Tool out of it. This is sometimes referred to as Toolmaking.
function New-ResourceGroup {
    param (
        [parameter(Mandatory)]
        [string]$rgName,
        [parameter(Mandatory)]
        [string]$location
    )
    $params = @{
        'Name'     = $rgName
        'Location' = $location
    }
    New-AzResourceGroup @params
}
Now, you're more likely to use the New-AzResourceGroup command, but the
point of this example is to show that you can extend the cmdlet with additional
functionality that you don't have with a command-line tool like Azure CLI. That's
because PowerShell gives you more "programmer" type options, including
parameters, error testing and more.
As you can see in the example below, the code uses a PowerShell function and
adds in the Azure CLI. This ensures that the Azure CLI has reusable code and error
handling added in, to make it a true script.
function New-ResourceGroup {
    param (
        [parameter(Mandatory)]
        [string]$rgName,
        [parameter(Mandatory)]
        [string]$location
    )
    try {
        az group create -n $rgName -l $location
    }
    catch {
        $pscmdlet.ThrowTerminatingError($_)
    }
}
Combining both PowerShell and Azure CLI is a great approach if you cannot
decide which one to use.
Below is an example of using the Azure CLI with Python. If you're a Python
developer, as you can see, you're writing Python code the same way you would
always write it. There's no difference in syntax.
The azure.cli.core library enables you to use an invoke function, which you can use
to type out an Azure CLI command. This scenario is listing VMs in a specific
resource group.
import logging
import sys
from azure.cli.core import get_default_cli

def list_vms(resource_group):
    # Invoke the Azure CLI from Python to list VMs in the given resource group.
    get_default_cli().invoke(['vm', 'list', '--resource-group', resource_group])

if __name__ == '__main__':
    resource_group = sys.argv[1]
    list_vms(resource_group)