Any cloud Kubernetes service is something of a balancing act between standardization and differentiation. Offering the same Kubernetes features that are available everywhere means the way to compete is to focus on how well the service integrates with the other services in the same public cloud. For Kubernetes on Azure, Microsoft highlights the “enterprise-grade experience” and the new security and latency features announced at this year’s KubeCon + CloudNativeCon Europe, taking place this week virtually.
There are some cloud features that you definitely want for virtual machines — like automatically replicating the operating system drive to persistent storage in case the hardware it’s running on gets shut down and the VM has to move to another host — that don’t make sense for Kubernetes. Since containers don’t persist state, and by design will move around without warning, saving the OS disk to remote Azure Storage adds unnecessary cost and latency. The difference is most noticeable when you provision or scale out a cluster, because re-imaging and booting from local disk are faster, but the extra latency of remote storage also slightly affects every read and write operation. Ephemeral OS disk support launched for VMs on Azure earlier this year and is now in public preview for AKS, giving you the choice of local SSD storage instead of the usual network-attached storage.
Wherever it’s stored, the underlying OS on the nodes in your AKS clusters automatically gets security and kernel updates once a week. Until now, though, if any of those updates needed a reboot to be applied, you had to wait for an AKS upgrade or use kured (the Kubernetes Reboot Daemon) to reboot the nodes. With the new node image upgrade feature, which is out of preview and generally available, you don’t need to install an extra tool: you can upgrade the node OS to get a security fix without changing the version of Kubernetes you’re running.
Node image update works if you’re using Virtual Machine Scale Sets with AKS. “You can update the AKS resource definition and that in turn will update the VMSS image specification to perform the upgrade, just like a Kubernetes upgrade works, except in this case, only the host OS stays the same,” Kubernetes co-founder and Microsoft CVP Brendan Burns explained on Twitter.
If you want an overview of all your Kubernetes resources on Azure, you can now view them in the Azure portal (rather than using the kube-dashboard addon, which is deprecated with Kubernetes 1.19). You could already use Azure Monitor to see the status of deployments, but for troubleshooting, you can now look at AKS resources in Azure Resource Health alongside all your other Azure resources. This shows up to 30 days of health history, including problems and maintenance, so you can track down whether an issue you saw was an AKS issue or was caused by something elsewhere on Azure.
Azure Key Vault is the logical place to store and rotate credentials, certificates and other secrets, so it’s no surprise that AKS now integrates with it. Managed identities for consuming Azure resources use Azure AD, but for keys and credentials for your own services and applications, AKS works with Key Vault through the Secrets Store Container Storage Interface Driver. That’s an open source CSI driver that HashiCorp is now using for Vault (and other secrets stores can create providers for it).
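As an added illustration, not code from the article or from Microsoft, here is what that integration looks like from the cluster side: a SecretProviderClass for the driver’s Azure provider and a pod that mounts it, so the secrets arrive as read-only files and never have to be pasted into the cluster by hand. The Key Vault name, tenant ID, managed identity client ID, image and object names are placeholders, and the apiVersion and parameter names are assumed from the driver’s schema at the time of writing.

```yaml
# Added example (not from the article): expose two Key Vault objects to a pod
# through the Secrets Store CSI driver's Azure provider. Key Vault name, tenant
# ID, identity client ID and object names are placeholders; apiVersion and
# parameter names are assumed from the driver's schema and may differ between
# driver versions, so check the version you install.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-keyvault-secrets
spec:
  provider: azure
  parameters:
    # Authenticate with a managed identity rather than a service principal
    # secret stored in the cluster, so there is no client secret to leak.
    useVMManagedIdentity: "true"
    userAssignedIdentityID: "<CLIENT-ID-OF-MANAGED-IDENTITY>"
    keyvaultName: "<KEY-VAULT-NAME>"
    tenantId: "<AZURE-AD-TENANT-ID>"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
        - |
          objectName: api-tls
          objectType: cert
---
apiVersion: v1
kind: Pod
metadata:
  name: app
spec:
  containers:
    - name: app
      image: <APP-IMAGE>
      volumeMounts:
        # Each object is written as a file under this path; nothing is
        # stored as a Kubernetes Secret unless secretObjects is configured.
        - name: keyvault-secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: keyvault-secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: app-keyvault-secrets
```

The managed identity still needs get permission on the vault’s secrets and certificates, granted on the Key Vault side rather than in the cluster.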
Kubernetes is also moving towards using CSI storage drivers instead of “in-tree” storage volume plugins that are built and shipped with the core Kubernetes code (which means adding a new storage system requires checking code into the main Kubernetes repo and waiting for the next version of Kubernetes to ship, and gives volume plugins the same privileges as core Kubernetes components like kubelet). With Kubernetes 1.21, AKS will transition to CSI storage drivers, and CSI support for both Azure Files and Azure Disks is now in public preview.
Containers-as-a-Service offerings like AKS are the second-fastest-growing cloud service for enterprises in the Flexera “2020 State Of The Cloud” report (right below IoT and just above machine learning). Using containers is a top cloud priority for just over half of enterprises in the survey.
But what three-quarters of enterprises care most about in cloud is controlling costs for their existing cloud usage. So it makes sense that Microsoft is also highlighting new training for AKS on using scale to zero, discount spot node pricing and the Azure Policy add-on to manage CPU and RAM quotas, to get the advantages of Kubernetes in the cloud without unexpectedly high bills.
The Cloud Native Computing Foundation, HashiCorp and KubeCon + CloudNativeCon are sponsors of The New Stack.