Tagging Azure resources with Git metadata using Terraform & Azure DevOps
Azure Blue
by Matthias Güntert
1w ago
Introduction When dealing with enterprise-grade Azure deployments, tracking a specific resource down to the Terraform code it stems from can be difficult. Also, finding the person responsible who can be asked questions regarding the configuration used is not always obvious. This is especially true in setups where multiple teams maintain Azure deployments with Terraform. So, when looking at an Azure resource within the Azure portal, I find it helpful to get a quick answer to the following questions: Who can I contact if you have questions regarding the resource configuration? Where can I find ..read more
Visit website
How AKS authentication integrates & works with Microsoft ID
Azure Blue
by Matthias Güntert
2M ago
Introduction In production & enterprise-grade setups an AKS cluster gets usually configured to authenticate users against Azure Entra ID and perform authorziation decisions based on the Kubernetes RBAC model. This makes sense since Entra ID is usually the central identity provider with on-premises Active Directory, while the Kubernetes API still manages authorization decisions. But have you ever wondered how the Azure Entra ID integration works and why the additional helper binary called kubelogin is required? In this post, we'll look at Kubernetes and its authentication mechanism and se ..read more
Visit website
How to log into an Azure Container Registry using Podman CLI
Azure Blue
by Matthias Güntert
5M ago
Introduction After replacing my resource-heavy Docker Desktop setup with Podman, I encountered the following issue when logging into an Azure Container Registry using my Azure Entra ID. $ az login $ az acr login --name crfoobar 2023-11-21 06:34:31.990676 An error occurred: DOCKER_COMMAND_ERROR Please verify if Docker client is installed and running. When logging into an ACR with az acr login, the Azure CLI reuses the token fetched by the previous az login command and sets it in the docker.config file. The Docker CLI and Docker daemon must be installed and running for this to work. Simply cr ..read more
Visit website
Automating DNS registration & certificate management in AKS: A step-by-step guide
Azure Blue
by Matthias Güntert
7M ago
Introduction With this blog post, I'll demonstrate how we can automatically register Ingress resources running on an AKS cluster with a public Azure DNS zone so they can be easily reached outside your cluster. Further, I'll demonstrate how certificates can be automatically obtained from Let's Encrypt and then be assigned to those Ingress resources. For that purpose, I'll use two Kubernetes controllers: ExternalDNS and Cert-Manager. ExternalDNS for Kubernetes is a controller that automates the management of DNS records for Kubernetes resources by syncing them with various DNS providers, like A ..read more
Visit website
AKS and proactive monitoring: Triggering alerts when the maximum node count of an autoscaling-enabled node pool has been reached
Azure Blue
by Matthias Güntert
9M ago
Introduction When running an AKS cluster with autoscaling-enabled node pools, you probably want to get alerted when the auto scaler starts hitting its configured maximum node count. This helps to further tweak and adjust your node pool setup to better match the workload it's carrying. It seems there is no predefined signal for this kind of scenario so I had to do a little research on my own. In the following steps, I describe how alerts can be generated and notification mails be sent, whenever an AKS node pool reaches its configured maximum node count. Here is how I solved it. Step by step En ..read more
Visit website
How to reclaim an existing PV in state "Released" with AKS
Azure Blue
by Matthias Güntert
10M ago
Introduction In this blog post, I will demonstrate how a PersistentVolume in state Released, can be reclaimed on AKS. Consider the following scenario... Scenario A seemingly dangling PersistentVolumeClaim gets deleted accidentally. Maybe because the Used By: <none> information revealed by kubectl describe pvc gave the impression it's not in use anymore or you overlooked the PVC is still in a bound state. The referenced StorageClass has the ReclaimPolicy set to Retain, and therefore the PersistentVolume, including the Managed Disk, still exists. apiVersion: storage.k8s.io/v1 kind: Stora ..read more
Visit website
Secure Your Codeless REST API with Automatic HTTPS using Data API Builder and Caddy
Azure Blue
by Matthias Güntert
1y ago
Introduction In my previous article, I demonstrated how we can build a codeless REST API with Data API Builder and how the endpoints can be write-protected by introducing roles with the help of Azure AD. Creating and securing a codeless REST API on Azure using Data API Builder This article describes how we can build a codeless REST API using Data API Builder and host it securely on Azure Container Instances Matthias' BlogMatthias Güntert Unfortunately, the described architecture doesn't provide HTTPS out of the box, which makes its use insecure. This is especially true for any operations ..read more
Visit website
How to quickly switch between multiple Azure subscriptions
Azure Blue
by Matthias Güntert
1y ago
Introduction If you are like me and have to work with many Azure subscriptions with Azure CLI, you must have reached the point where you got tired of inner dialogs and commands like the following... Which subscription am I right now? az account show -o table Okay, but I want to switch to that DEV subscription... but what again was the subscription id? az account list -o table Then you start copying & pasting the Id into... az account set -n <id> That is... wasteful ⏰ So here is a short timesaver I use in my PowerShell $profile to speed up things. My Setup Edit your PowerShel ..read more
Visit website
Hardening AKS: How to prevent pulling from unknown container registries using Azure Policies
Azure Blue
by Matthias Güntert
1y ago
Introduction In this post, I'll demonstrate how pulling from foreign registries can be restricted on your Azure Kubernetes Cluster. By limiting the sources from which Docker images can be pulled, you enhance the overall security of your Azure Kubernetes Cluster, as it reduces the risk of running potentially malicious or vulnerable images. It can further lead to resource optimizations as it will reduce network bandwidth. Although there are other ways to solve this use case, I'll only outline the Azure way of protecting your cluster by leveraging Azure Policy, as it is the most native. Let's di ..read more
Visit website
How to configure node (pool) affinity for pods with AKS
Azure Blue
by Matthias Güntert
1y ago
Introduction When dealing with multiple node pools, you usually want to configure node affinity so that pods stick to nodes with a specific characteristic. The reasons for this can be manifold. For example, to take advantage of specialized hardware or resources on specific nodes, such as GPUs or high-memory nodes. It also can help increasing security by running sensitive workloads on separate nodes. Another use-case is saving money, e.g., by separating application environments  (DEV, QA, UAT, PROD) onto different types of node poolds. What ever your reasons are, this post will show you t ..read more
Visit website

Follow Azure Blue on FeedSpot

Continue with Google
Continue with Apple
OR