Tagging Azure resources with Git metadata using Terraform & Azure DevOps
Azure Blue
by Matthias Güntert
1w ago
Introduction When dealing with enterprise-grade Azure deployments, tracking a specific resource down to the Terraform code it stems from can be difficult. Also, finding the person responsible who can be asked questions regarding the configuration used is not always obvious. This is especially true in setups where multiple teams maintain Azure deployments with Terraform. So, when looking at an Azure resource within the Azure portal, I find it helpful to get a quick answer to the following questions: Who can I contact if I have questions regarding the resource configuration? Where can I find ..read more
How AKS authentication integrates & works with Microsoft ID
Azure Blue
by Matthias Güntert
2M ago
Introduction In production & enterprise-grade setups, an AKS cluster is usually configured to authenticate users against Azure Entra ID and perform authorization decisions based on the Kubernetes RBAC model. This makes sense since Entra ID is usually the central identity provider together with on-premises Active Directory, while the Kubernetes API still manages authorization decisions. But have you ever wondered how the Azure Entra ID integration works and why the additional helper binary called kubelogin is required? In this post, we'll look at Kubernetes and its authentication mechanism and se ..read more
How to log into an Azure Container Registry using Podman CLI
Azure Blue
by Matthias Güntert
5M ago
Introduction After replacing my resource-heavy Docker Desktop setup with Podman, I encountered the following issue when logging into an Azure Container Registry using my Azure Entra ID. $ az login $ az acr login --name crfoobar 2023-11-21 06:34:31.990676 An error occurred: DOCKER_COMMAND_ERROR Please verify if Docker client is installed and running. When logging into an ACR with az acr login, the Azure CLI reuses the token fetched by the previous az login command and sets it in the docker.config file. The Docker CLI and Docker daemon must be installed and running for this to work. Simply cr ..read more
Automating DNS registration & certificate management in AKS: A step-by-step guide
Azure Blue
by Matthias Güntert
7M ago
Introduction With this blog post, I'll demonstrate how we can automatically register Ingress resources running on an AKS cluster with a public Azure DNS zone so they can be easily reached outside your cluster. Further, I'll demonstrate how certificates can be automatically obtained from Let's Encrypt and then be assigned to those Ingress resources. For that purpose, I'll use two Kubernetes controllers: ExternalDNS and Cert-Manager. ExternalDNS for Kubernetes is a controller that automates the management of DNS records for Kubernetes resources by syncing them with various DNS providers, like A ..read more
AKS and proactive monitoring: Triggering alerts when the maximum node count of an autoscaling-enabled node pool has been reached
Azure Blue
by Matthias Güntert
10M ago
Introduction When running an AKS cluster with autoscaling-enabled node pools, you probably want to get alerted when the autoscaler starts hitting its configured maximum node count. This helps to further tweak and adjust your node pool setup to better match the workload it's carrying. It seems there is no predefined signal for this kind of scenario, so I had to do a little research on my own. In the following steps, I describe how alerts can be generated and notification mails sent whenever an AKS node pool reaches its configured maximum node count. Here is how I solved it. Step by step En ..read more
How to reclaim an existing PV in state "Released" with AKS
Azure Blue
by Matthias Güntert
10M ago
Introduction In this blog post, I will demonstrate how a PersistentVolume in state Released can be reclaimed on AKS. Consider the following scenario... Scenario A seemingly dangling PersistentVolumeClaim gets deleted accidentally. Maybe because the Used By: <none> information revealed by kubectl describe pvc gave the impression it's not in use anymore, or you overlooked that the PVC is still in a bound state. The referenced StorageClass has the ReclaimPolicy set to Retain, and therefore the PersistentVolume, including the Managed Disk, still exists. apiVersion: storage.k8s.io/v1 kind: Stora ..read more
Secure Your Codeless REST API with Automatic HTTPS using Data API Builder and Caddy
Azure Blue
by Matthias Güntert
1y ago
Introduction In my previous article, I demonstrated how we can build a codeless REST API with Data API Builder and how the endpoints can be write-protected by introducing roles with the help of Azure AD. Creating and securing a codeless REST API on Azure using Data API Builder: This article describes how we can build a codeless REST API using Data API Builder and host it securely on Azure Container Instances (Matthias' Blog, Matthias Güntert). Unfortunately, the described architecture doesn't provide HTTPS out of the box, which makes its use insecure. This is especially true for any operations ..read more
How to quickly switch between multiple Azure subscriptions
Azure Blue
by Matthias Güntert
1y ago
Introduction If you are like me and have to work with many Azure subscriptions with Azure CLI, you must have reached the point where you got tired of inner dialogs and commands like the following... Which subscription am I in right now? az account show -o table Okay, but I want to switch to that DEV subscription... but what again was the subscription id? az account list -o table Then you start copying & pasting the Id into... az account set -n <id> That is... wasteful ⏰ So here is a short timesaver I use in my PowerShell $profile to speed up things. My Setup Edit your PowerShel ..read more
Hardening AKS: How to prevent pulling from unknown container registries using Azure Policies
Azure Blue
by Matthias Güntert
1y ago
Introduction In this post, I'll demonstrate how pulling from foreign registries can be restricted on your Azure Kubernetes Cluster. By limiting the sources from which Docker images can be pulled, you enhance the overall security of your Azure Kubernetes Cluster, as it reduces the risk of running potentially malicious or vulnerable images. It can further lead to resource optimizations as it will reduce network bandwidth. Although there are other ways to solve this use case, I'll only outline the Azure way of protecting your cluster by leveraging Azure Policy, as it is the most native. Let's di ..read more
How to configure node (pool) affinity for pods with AKS
Azure Blue
by Matthias Güntert
1y ago
Introduction When dealing with multiple node pools, you usually want to configure node affinity so that pods stick to nodes with a specific characteristic. The reasons for this can be manifold. For example, to take advantage of specialized hardware or resources on specific nodes, such as GPUs or high-memory nodes. It can also help increase security by running sensitive workloads on separate nodes. Another use case is saving money, e.g., by separating application environments (DEV, QA, UAT, PROD) onto different types of node pools. Whatever your reasons are, this post will show you t ..read more