Introduction to Azure Kubernetes Service (AKS) Baseline Cluster
The Azure Kubernetes Service (AKS) baseline cluster is a recommended starting point for deploying a general-purpose AKS infrastructure on Microsoft Azure. This reference implementation aims to guide teams from different fields, like networking, security, and development, in setting up a baseline AKS cluster and understanding its components. The documentation provides a comprehensive walkthrough of the deployment to help users learn about each layer of the cluster, equipping them with the knowledge to apply it to their projects.
Azure Architecture Center Guidance
The project is supported by a series of articles on the Azure Architecture Center that discuss challenges, design patterns, and best practices for creating a secure AKS cluster. These articles provide the context for the architecture implemented in this project. Therefore, reading them is recommended for a deeper understanding of the design decisions and considerations.
Architecture Overview
This architecture focuses on infrastructure and the AKS cluster itself, dealing with aspects such as identity, post-deployment configuration, secret management, and network topologies. It integrates with Azure services that offer observability and supports a network topology that can grow across regions, all while keeping in-cluster traffic secure. This setup should be considered as a starting point for both pre-production and production use.
The approach is deliberately thorough so that the relationships between the various components are clear; it intentionally does not offer a "one click" deployment, because the emphasis is on learning.
Throughout the implementation, a fictional company, "Contoso Bicycle," is used to demonstrate an AKS implementation scenario. The example also utilizes the ASP.NET Core Docker sample web app as a workload to assist users in experiencing the baseline infrastructure.
Core Architecture Components
Azure Platform Components
The AKS baseline cluster includes:
- AKS version 1.30 with system and user node pool separation
- AKS-managed Microsoft Entra ID integration
- Managed identities and controlled access with Kubernetes RBAC
- Azure CNI Overlay for network management
- Azure Monitor for containers and Azure Firewall for network egress
- Azure Application Gateway (WAF) for web traffic
- Internal load balancers managed by AKS
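The platform components above are each visible as properties on the managed cluster resource, so a defender can verify that a deployed cluster still matches the baseline. The following script is an added example and is not part of the AKS baseline project: it reads the JSON that `az aks show -g <rg> -n <name> -o json` returns and reports which baseline controls hold. The property names follow the ManagedCluster resource as surfaced by `az aks show`; the sample document is constructed, and two details go beyond the list above as assumptions (the `CriticalAddonsOnly` taint on the system pool and `userDefinedRouting` egress, which is how traffic is forced through Azure Firewall).

```python
"""Check an `az aks show` JSON document against the AKS baseline controls.

Added example, not code from the AKS baseline project. Field names follow the
ManagedCluster resource returned by `az aks show`; SAMPLE_CLUSTER_JSON is a
constructed, abbreviated document, not a real cluster.
"""
import json

# Constructed sample shaped like `az aks show -o json` output (abbreviated).
SAMPLE_CLUSTER_JSON = """{
  "name": "aks-baseline-example",
  "kubernetesVersion": "1.30.0",
  "enableRbac": true,
  "disableLocalAccounts": true,
  "identity": {"type": "UserAssigned"},
  "aadProfile": {"managed": true,
                 "adminGroupObjectIDs": ["00000000-0000-0000-0000-000000000000"]},
  "networkProfile": {"networkPlugin": "azure", "networkPluginMode": "overlay",
                     "outboundType": "userDefinedRouting"},
  "agentPoolProfiles": [
    {"name": "npsystem", "mode": "System",
     "nodeTaints": ["CriticalAddonsOnly=true:NoSchedule"]},
    {"name": "npuser01", "mode": "User", "nodeTaints": null}
  ],
  "addonProfiles": {"omsagent": {"enabled": true}}
}"""

SYSTEM_POOL_TAINT = "CriticalAddonsOnly=true:NoSchedule"  # assumed baseline taint


def load_cluster(text: str) -> dict:
    """Parse the JSON produced by `az aks show`."""
    return json.loads(text)


def check_baseline(cluster: dict) -> dict:
    """Return {control_name: passed} for each baseline control."""
    aad = cluster.get("aadProfile") or {}
    net = cluster.get("networkProfile") or {}
    pools = cluster.get("agentPoolProfiles") or []
    identity = cluster.get("identity") or {}
    addons = cluster.get("addonProfiles") or {}
    modes = {p.get("mode") for p in pools}
    return {
        # AKS-managed Entra ID integration, with local accounts disabled so
        # every kubectl caller must authenticate through Entra ID.
        "entra_id_managed_integration": aad.get("managed") is True,
        "local_accounts_disabled": cluster.get("disableLocalAccounts") is True,
        # Managed identity for the control plane and Kubernetes RBAC enabled.
        "managed_identity": identity.get("type") in ("UserAssigned", "SystemAssigned"),
        "kubernetes_rbac": cluster.get("enableRbac") is True,
        # Azure CNI in overlay mode.
        "azure_cni_overlay": net.get("networkPlugin") == "azure"
        and net.get("networkPluginMode") == "overlay",
        # Egress forced through a route table (Azure Firewall in the baseline);
        # assumption: the baseline uses userDefinedRouting for this.
        "egress_via_udr": net.get("outboundType") == "userDefinedRouting",
        # System and user node pools are separate, and the system pool is
        # tainted so application workloads cannot land on it.
        "system_user_pool_separation": {"System", "User"} <= modes,
        "system_pool_tainted": any(
            p.get("mode") == "System" and SYSTEM_POOL_TAINT in (p.get("nodeTaints") or [])
            for p in pools
        ),
        # Azure Monitor for containers add-on (omsagent) is enabled.
        "azure_monitor_containers": (addons.get("omsagent") or {}).get("enabled") is True,
    }


def failing_controls(cluster: dict) -> list:
    """Sorted names of the controls that do not hold; empty means compliant."""
    return sorted(name for name, ok in check_baseline(cluster).items() if not ok)


if __name__ == "__main__":
    sample = load_cluster(SAMPLE_CLUSTER_JSON)
    for control, ok in check_baseline(sample).items():
        print(f"{'PASS' if ok else 'FAIL'}  {control}")
```

Run it against live output by replacing `SAMPLE_CLUSTER_JSON` with the contents of `az aks show -g <rg> -n <name> -o json`; a non-empty result from `failing_controls` names the drift from the baseline, which is a useful post-deployment check before a cluster is handed to the next team in the process.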
In-Cluster Open Source Components
Additional components include:
- Azure Workload Identity and Flux GitOps Operator
- ImageCleaner (Eraser) for container management
- Kubernetes Reboot Daemon for node updates
- Secrets Store CSI Driver for Kubernetes
- Traefik Ingress Controller for traffic routing
Deployment Process
The deployment of AKS-hosted workloads involves multiple stages, often managed by different teams. The steps include preparing for the cluster, building the target network, deploying the cluster, and finally deploying the workload. Each step is designed to be manual at first, emphasizing understanding the involved components before moving to automated pipelines through DevOps processes.
Additional Features and Maintenance
AKS is rapidly evolving, and this implementation includes some preview features that add value to a general-purpose cluster. Users are encouraged to evaluate these features as they consider their production readiness. Furthermore, resource cleanup is necessary after deployment to avoid unwanted charges.
Final Thoughts
Kubernetes offers versatility, allowing organizations to tailor the infrastructure and applications to their needs. This reference implementation is intended as a starting point for architectural discussions, enabling teams to customize solutions that meet their specific requirements and delight customers.
Additional Resources
- Azure Kubernetes Service Documentation
- Microsoft Azure Well-Architected Framework
- Microservices architecture on AKS
This project welcomes contributions, guided by the Microsoft Open Source Code of Conduct, to improve and extend the reference implementation.