AKS | Karpenter Introduction


As more businesses run their workloads on Kubernetes, getting good utilisation out of the nodes you pay for matters. Karpenter is an open-source node provisioning project built for Kubernetes. This article looks at what it offers Azure Kubernetes Service (AKS) users: nodes sized to the pods that need them, and fewer idle nodes on the bill.

It does this through four core functions:

  1. Unschedulable pod handling: Karpenter watches for pods that the Kubernetes scheduler has marked unschedulable, so workloads that cannot fit on the existing nodes are acted on rather than left pending.
  2. Scheduling constraint evaluation: it evaluates the scheduling constraints each pending pod declares, namely resource requests, node selectors, affinities, tolerations and topology spread constraints, and uses them to work out what kind of node is needed.
  3. Node provisioning: it provisions nodes that match the aggregated requirements of the pending pods instead of a fixed VM size, which is what gets the utilisation up.
  4. Node decommissioning: as workloads change, it identifies nodes that are no longer needed and removes them gracefully (cordon and drain first), so capacity is not left idle and paid for.

The API for the AKS Karpenter provider is currently alpha (v1alpha2), so the resource definitions can still change between releases.
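As an added example (not taken from the Karpenter docs or the AKS provider repo), this is what the three objects involved look like together: an AKSNodeClass that says which node image to use, a NodePool that bounds what Karpenter may provision, and a Deployment whose requests, node selector, toleration and topology spread constraint are exactly the inputs Karpenter evaluates when it sizes nodes for pending pods. The API versions are those of the alpha provider (karpenter.sh/v1beta1 for the core objects, karpenter.azure.com/v1alpha2 for AKSNodeClass) and can change; the object names, image, limits and the workload itself are placeholders.

```yaml
# Added example: placeholder names and image; API versions per the alpha provider.
apiVersion: karpenter.azure.com/v1alpha2
kind: AKSNodeClass
metadata:
  name: default
spec:
  imageFamily: Ubuntu2204            # node OS image family (assumed supported value)
---
apiVersion: karpenter.sh/v1beta1
kind: NodePool
metadata:
  name: batch
spec:
  template:
    spec:
      nodeClassRef:
        name: default                # the AKSNodeClass above
      requirements:                  # Karpenter picks a VM SKU inside this envelope
        - key: kubernetes.io/arch
          operator: In
          values: ["amd64"]
        - key: kubernetes.io/os
          operator: In
          values: ["linux"]
        - key: karpenter.sh/capacity-type
          operator: In
          values: ["on-demand"]
      taints:                        # only pods that tolerate this taint land here
        - key: workload
          value: batch
          effect: NoSchedule
  limits:
    cpu: "64"                        # hard cap on what this pool may ever provision
  disruption:
    consolidationPolicy: WhenUnderutilized   # remove or replace nodes that sit mostly idle
    expireAfter: 720h                # recycle nodes after 30 days so they get fresh images
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: report-builder
spec:
  replicas: 4
  selector:
    matchLabels: { app: report-builder }
  template:
    metadata:
      labels: { app: report-builder }
    spec:
      nodeSelector:                  # constraint 1: architecture
        kubernetes.io/arch: amd64
      tolerations:                   # constraint 2: allowed onto the tainted batch pool
        - key: workload
          operator: Equal
          value: batch
          effect: NoSchedule
      topologySpreadConstraints:     # constraint 3: one replica per zone before doubling up
        - maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels: { app: report-builder }
      containers:
        - name: worker
          image: ghcr.io/example/report-builder:1.0   # placeholder image
          resources:                 # constraint 4: the requests Karpenter sums up per node
            requests:
              cpu: "2"
              memory: 4Gi
            limits:
              cpu: "2"
              memory: 4Gi
```

With these applied and no matching capacity, the four replicas go unschedulable, Karpenter reads their requests and constraints and launches amd64 on-demand nodes spread across zones to fit them; when the Deployment is scaled down, consolidation removes the surplus nodes. Keep the limits block even in a sandbox: it is the cap on how much capacity a flood of unschedulable pods (a misconfigured autoscaler, a job that fans out) can make Karpenter buy before anyone notices.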

Documentation: https://github.com/Azure/karpenter


AKS | Disable SSH support


SSH is currently enabled by default on AKS nodes; if you don't want it, you have to turn it off yourself. This public preview feature lets you toggle SSH on or off, which gives you tighter control over node access and removes a network-reachable service that most clusters never need.

To disable SSH on an existing AKS cluster, use the following command (the --ssh-access flag is part of the preview and needs the aks-preview CLI extension):

az aks update --name myAKSCluster --resource-group MyResourceGroup --ssh-access disabled

Keep in mind that changing the SSH setting (disabling it, or rotating the key) does not automatically change existing nodes. The new setting only takes effect on a node pool after a node image upgrade has completed, which you can start whenever it suits you. Until then, running nodes keep their old SSH configuration, so verify the node pool state after the upgrade rather than assuming SSH is off because the update command returned.
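The sequence a practitioner would actually run, as an added example that is not from the AKS documentation: disable SSH, roll the node image on each pool so the change reaches running nodes, and check what the node pool reports afterwards instead of trusting the update call. The resource names are placeholders, the securityProfile.sshAccess property path is an assumption about the az aks nodepool show output (check it against your CLI version), and --ssh-access is the preview flag that needs the aks-preview extension.

```shell
#!/bin/sh
# Added example, not from the AKS docs. RG/CLUSTER are placeholders.
# --ssh-access is a public-preview flag (aks-preview CLI extension required).
RG="${RG:-MyResourceGroup}"
CLUSTER="${CLUSTER:-myAKSCluster}"

# Returns 0 only when a node pool's JSON (as printed by `az aks nodepool show`)
# reports SSH disabled. The securityProfile.sshAccess path is an ASSUMPTION;
# confirm it against your CLI's output before relying on it.
ssh_disabled() {
  printf '%s' "$1" | grep -Eq '"sshAccess"[[:space:]]*:[[:space:]]*"Disabled"'
}

disable_ssh() {
  # 1. Flip the cluster-level setting.
  az aks update --resource-group "$RG" --name "$CLUSTER" --ssh-access disabled

  # 2. The setting only lands on nodes after a node image upgrade, so roll
  #    every pool, then check what the API reports for each one.
  for pool in $(az aks nodepool list --resource-group "$RG" --cluster-name "$CLUSTER" \
                  --query '[].name' -o tsv); do
    az aks nodepool upgrade --resource-group "$RG" --cluster-name "$CLUSTER" \
      --name "$pool" --node-image-only
    pool_json=$(az aks nodepool show --resource-group "$RG" --cluster-name "$CLUSTER" \
                  --name "$pool" -o json)
    if ssh_disabled "$pool_json"; then
      echo "$pool: SSH disabled"
    else
      echo "$pool: SSH still enabled, check the upgrade status" >&2
      return 1
    fi
  done
}

# Constructed samples of what `az aks nodepool show` could return, so the
# check can be exercised without a cluster.
SAMPLE_POOL_ENABLED='{"name":"nodepool1","securityProfile":{"sshAccess":"LocalUser"}}'
SAMPLE_POOL_DISABLED='{"name":"nodepool1","securityProfile":{"sshAccess":"Disabled"}}'

# Only talk to Azure when explicitly asked: `sh disable-ssh.sh --apply`.
if [ "${1:-}" = "--apply" ]; then
  disable_ssh
fi
```

The node image upgrade is the step people skip: the cluster resource will show SSH as disabled immediately, but sshd is still listening on every node that has not been re-imaged, so the verification loop runs after the upgrade, not after the update.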

Documentation: https://learn.microsoft.com/en-us/azure/aks/manage-ssh-node-access#disable-ssh


TLS 1.2 to become the minimum TLS version for Azure Storage


To align with evolving technology and regulatory standards, Azure Storage will stop supporting TLS 1.0 and 1.1 on 1 November 2024; TLS 1.2 becomes the minimum supported version. TLS 1.2 is both more secure and faster than its predecessors, and TLS 1.0 and 1.1 cannot use modern cryptographic algorithms and cipher suites.

The change affects existing and new storage accounts that still accept TLS 1.0 and 1.1, in all cloud environments. To keep your applications connected, move every client to TLS 1.2 or later and remove any dependency on TLS 1.0 and 1.1 before that date. You don't have to wait for Microsoft to find out which clients will break: a storage account already has a minimum TLS version setting, and raising it to TLS 1.2 now surfaces them on your own schedule.
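Added example, not part of the Azure announcement: a shell script that lists storage accounts whose minimum TLS version is not yet 1.2, enforces TLS 1.2 on an account, and summarises which clients are still negotiating TLS 1.0/1.1 from a CSV export of the storage diagnostic logs. Account names and the log sample are constructed; the exact format of the TlsVersion values in StorageBlobLogs (shown here as "TLS 1.0") is an assumption to check against your own data.

```shell
#!/bin/sh
# Added example, not from the Azure announcement. Account names are placeholders.

# Accounts whose minimum TLS version is not explicitly TLS1_2. A null value
# means the property was never set, which is worth reviewing as well.
list_weak_accounts() {
  az storage account list \
    --query "[?minimumTlsVersion!='TLS1_2'].{name:name,rg:resourceGroup,minTls:minimumTlsVersion}" \
    -o table
}

# Enforce TLS 1.2 on one account: $1 = account name, $2 = resource group.
# Doing this before 1 November 2024 makes the clients that would break fail
# on your schedule rather than Microsoft's.
enforce_tls12() {
  az storage account update --name "$1" --resource-group "$2" --min-tls-version TLS1_2
}

# Storage diagnostic logs carry a TlsVersion column. A Log Analytics query to
# export the offenders (the "TLS 1.0" value format is an ASSUMPTION):
#   StorageBlobLogs
#   | where TimeGenerated > ago(30d)
#   | where TlsVersion in ("TLS 1.0", "TLS 1.1")
#   | project TimeGenerated, AccountName, TlsVersion, CallerIpAddress, UserAgentHeader

# Summarise a CSV export of that query (file arguments or stdin): one line per
# distinct account/caller/user agent/TLS version with a request count. Columns
# are located by header name so their order does not matter; a user agent that
# itself contains a comma would need a real CSV parser.
old_tls_callers() {
  awk -F',' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $col["TlsVersion"] == "TLS 1.0" || $col["TlsVersion"] == "TLS 1.1" {
      key = $col["AccountName"] "," $col["CallerIpAddress"] "," $col["UserAgentHeader"] "," $col["TlsVersion"]
      n[key]++
    }
    END { for (k in n) print k "," n[k] }' "$@" | sort
}

# Constructed sample export (not real traffic) used to exercise the summary.
SAMPLE_EXPORT='TimeGenerated,AccountName,TlsVersion,CallerIpAddress,UserAgentHeader
2024-05-01T10:00:00Z,prodlogs,TLS 1.2,203.0.113.10,azsdk-python-storage-blob/12.19.0
2024-05-01T10:00:05Z,prodlogs,TLS 1.0,198.51.100.7,LegacyBackupAgent/1.0
2024-05-01T10:00:09Z,prodlogs,TLS 1.1,198.51.100.8,legacy-java-client/1.7
2024-05-01T10:01:00Z,prodlogs,TLS 1.0,198.51.100.7,LegacyBackupAgent/1.0'

# `sh storage-tls.sh --demo` runs the summary over the constructed sample;
# the az functions are only called when you invoke them yourself.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_EXPORT" | old_tls_callers
fi
```

Run the log summary first and the account update second: the summary tells you which IPs and user agents to chase (old SDKs, backup agents, appliances with pinned TLS stacks), and enforcing TLS 1.2 on a non-production account confirms the fix before the production cut-over.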

Documentation: https://azure.microsoft.com/en-us/updates/tls-12-to-become-the-minimum-tls-version-for-azure-storage/