AKS-managed Azure AD : How to integrate your AKS cluster with Azure AD

AKS is evolving at a dizzying pace and there have been quite  a number of changes since I wrote about AKS namespace isolation and AAD integration . The major update is in terms of creating and Azure AD integrated AKS cluster. You no longer need to create and manage the server and client application, it is handled by the AKS resource provider. 

There are few limitations with this approach though before you get started

  - You cannot disable the AKS-managed Azure AD integration once it is enabled

  - Process is supported only for RBAC enabled clusters

  - Azure AD tenant once integrated cannot be switched to a different one

Lets start with creating an Azure AD group. You can also use an existing one if you want to. Note that creating an Azure AD group would need Global administrator rights

I am executing these steps from Azure cloud shell, where all the required tools like Azure CLI and Kubectl are preinstalled

1. Create the Azure AD group for your cluster administrators. Note down the object id of the group as it is required during cluster provisioning

~$ az ad group create --display-name AKSdemoadminGroup --mail-nickname AKSdemoadmingroup

Note: Once the AD group is created, add the users who will have cluster admin rights to this group

2. Note down the tenant id of your Azure AD. You can get this from Azure portal-> Azure active directory->overview->Tenant information. 

3. Create resource group for the AKS cluster

$ az group create --name demoaksgroup --location  EastUS

4. Create AKS cluster , the object id of the AD group that we created in step 1 and the AD tenant id that was copied in step 2 will be used here

az aks create -g demoaksgroup -n demoaks1  --enable-aad --aad-admin-group-object-ids <AD group obejct ID> --aad-tenant-id <Azure AD tenant ID> --generate-ssh-keys

5. Login to cluster using an user account that is part of cluster admin AD group that was used for the integration. When prompted, login using the Azure AD credentials . 

az aks get-credentials --resource-group demoaksgroup --name demoaks1

In the above example I am executing the "kubectl get nodes" and "kubectl get namespaces" commands after authenticating 

Now you can go ahead and follow the steps in my earlier blog  to setup RBAC for  namespaces using Azure AD credentials

Read More

Azure Well Architected framework - An Introduction

When your workloads are in the cloud the constructs of deployment, configuration and operations are strikingly different from what you would have used on-premises. Adopting the right architecture, without doubt, is the key to host an application successfully in the cloud. Azure helps you with this every step of the process through Azure Well Architected framework. Consider this as a blueprint for excellence in Azure cloud. It consist of five main pillars - Cost optimization, Operational excellence, Performance efficiency, Reliability and Security

Cost Optimization : The basic principle is to start small and scale as you go. Instead of making a  huge investment upfront, it is recommended to follow the approach of "Build-Measure-Learn" , aligned with Azure Cloud Adoption Framework (CAF). It focusses on building a minimum viable product(MVP), measuring the feedback and then use a  fail fast approach  to optimize your cost. Azure cost calculator can help to get you the initial cost, then you can use services like Azure cost management to review the ongoing operational cost

Operational excellence :  Success of cloud deployment depends on how well oiled your operations engine is. Starting with automation of deployment to monitoring , logging and diagnostics - the more granular your visibility is, the better placed you are to keep the lights on for your production environment. The monitoring and logging approach has to be consistent across cloud resources to achieve this goal. The raw monitoring data stored in a central storage can be leveraged by tools like log analytics to get to the root of operational issues , enabling faster resolution. Visualization tools can be leveraged to spot trends like resource utilization and unusual traffic and alert the operations team. 

Performance efficiency: One of the main perks of cloud adoption is scaling on demand , which can be vertical scaling or horizontal scaling. Vertical scaling helps you to increase the compute power and capacity of your resources on demand, for eg: increase the number of CPU cores when your workloads are in peak demand. Horizontal scaling on the other hand is adding more instances of the resources , automatically if possible. Horizontal scaling embodies the true power of cloud scale deployments, and is often more cheaper than increasing capacity of a single instance

Reliability:   No matter how airtight the architecture is , the possibility of a downtime or failure is not 100% eliminated . Hence it is important to design your systems to be reliable i.e. they should be able  recover from failures with minimal damage. Reliability is a combined function of resiliency and availability. Due to distributed nature of deployments in the cloud, failure of one component would impact multiple other components. The thumb rule is to leverage the built-in resiliency features for the native cloud services , be it your VMs, databases or storage services . Not just your infra layer, but your application logic should also be built on this principle for the solution to be completely reliable

Security: Security in the cloud is multilayered . You need to consider the infra and network security , application layer security and data security at-rest and in-transit. As identity is considered the new security perimeter , selecting and implementing the right identity management solution is the first step in securing your applications. Security of the management plane and data pane should be taken into account here. RBAC leveraging Azure AD takes care of the management plane , by helping you implement fine grained access control to Azure resources. For data plane , there are multiple options depending on the Azure service being used, for eg: Data encryption, TDE etc. In addition to application development security best practices, leverage services like application gateway that can provide layer 7 security from common attack vectors.

There are many nuances to adopting the well architected framework, the starting point would be to evaluate the current state of the deployment. You can leverage the Azure well-architected review to get started .

Read More