AKS | Containerd

Hi,

In this article, I would like to share with you how we can create an AKS cluster with Containerd.

Containerd is an OCI-compliant core container runtime designed to be embedded into larger systems. It provides the minimum set of functionality needed to execute containers and manage images on a node. It was started by Docker Inc. and donated to the CNCF in March 2017.

A container runtime is the software that executes containers and manages container images on a node. It abstracts away the system calls and operating system (OS) specific functionality needed to run containers on Linux or Windows. At the time of writing, AKS uses Moby (upstream Docker) as its container runtime.

With containerd-based nodes and node pools, the kubelet talks directly to containerd through its CRI (Container Runtime Interface) plugin. In the Moby/Docker architecture the kubelet first talks to the dockershim and then to the Docker engine before the request reaches containerd, so every pod operation takes extra hops. Removing those hops is what gives containerd nodes better pod startup latency and lower CPU and memory consumption by the runtime.

# - Requirements
az extension add --name aks-preview 
az extension list

az feature register --name UseCustomizedContainerRuntime --namespace Microsoft.ContainerService 
az feature register --name UseCustomizedUbuntuPreview --namespace Microsoft.ContainerService

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/UseCustomizedContainerRuntime')].{Name:name,State:properties.state}" 
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/UseCustomizedUbuntuPreview')].{Name:name,State:properties.state}"
# - Registration is asynchronous and can take several minutes: rerun the two queries until both report State = Registered before continuing

az provider register --namespace Microsoft.ContainerService

# - Resource Group + AKS Cluster creation
az group create --name aksmaxime --location eastus

az aks create --name aksclustermax --resource-group aksmaxime --aks-custom-headers CustomizedUbuntu=aks-ubuntu-1804,ContainerRuntime=containerd

az aks get-credentials --resource-group aksmaxime --name aksclustermax --overwrite-existing

# - The CONTAINER-RUNTIME column should show containerd://... for every node
kubectl get nodes -o wide
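The steps above as one script, added here as an example and not taken from the original post: it waits for the two preview features to reach the Registered state before creating the cluster, then checks the runtime the kubelet reports for every node instead of eyeballing the `-o wide` output. It assumes `az` and `kubectl` are installed and logged in, and reuses the resource group, cluster and region names from the post; the `check_runtime` helper and its "node<TAB>runtime" input format are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original post): create the containerd-based AKS cluster
# and verify the node runtime. Assumes az and kubectl are installed and logged in.

RG="aksmaxime"
CLUSTER="aksclustermax"
LOCATION="eastus"

# Feature registration is asynchronous; creating the cluster before the state is
# "Registered" either fails or silently ignores the custom runtime header.
wait_for_feature() {
  while :; do
    state="$(az feature show --name "$1" --namespace Microsoft.ContainerService \
               --query properties.state -o tsv)"
    echo "$1: $state"
    [ "$state" = "Registered" ] && return 0
    sleep 20
  done
}

# Reads "node<TAB>runtime" lines on stdin and fails if any node is not on containerd.
# Kept separate from kubectl so it can be tested on constructed input.
check_runtime() {
  rc=0
  while IFS="$(printf '\t')" read -r node runtime; do
    case "$runtime" in
      containerd://*) echo "OK   $node $runtime" ;;
      *) echo "FAIL $node ${runtime:-<none>} (expected containerd://...)"; rc=1 ;;
    esac
  done
  return $rc
}

# One "node<TAB>runtime" line per node, taken from the kubelet's nodeInfo.
node_runtimes() {
  kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.containerRuntimeVersion}{"\n"}{end}'
}

create_cluster() {
  az extension add --name aks-preview
  az feature register --name UseCustomizedContainerRuntime --namespace Microsoft.ContainerService
  az feature register --name UseCustomizedUbuntuPreview --namespace Microsoft.ContainerService
  wait_for_feature UseCustomizedContainerRuntime
  wait_for_feature UseCustomizedUbuntuPreview
  az provider register --namespace Microsoft.ContainerService

  az group create --name "$RG" --location "$LOCATION"
  az aks create --name "$CLUSTER" --resource-group "$RG" \
    --aks-custom-headers CustomizedUbuntu=aks-ubuntu-1804,ContainerRuntime=containerd
  az aks get-credentials --resource-group "$RG" --name "$CLUSTER" --overwrite-existing

  node_runtimes | check_runtime
}

# Only run the live part when both CLIs are present.
if command -v az >/dev/null 2>&1 && command -v kubectl >/dev/null 2>&1; then
  create_cluster
fi
```

`check_runtime` returns non-zero as soon as one node reports anything other than `containerd://`, which is the condition you want to catch on a mixed cluster where an older node pool is still on Moby.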

Maxime.

Back from MS Build 2020 – Security

Hello,

I had the opportunity to give a recap of the security announcements made during the Microsoft Build 2020 event.

Below is the video of that session:


Many thanks to our many participants, and keep taking care of yourselves!

Maxime.

Azure Security Center | Policies for enabling Threat Protection and Advanced Data Security

Hi,

In this article, I would like to share with you how you can use built-in Azure Policy definitions to enable:

Advanced Data Security (AKS):

Threat Protection:

Example: enabling threat protection on AKS

Click on: Advanced threat protection should be enabled on Azure Kubernetes Service clusters

  • Define your scope; in this example, my subscription Visual Studio Enterprise
  • Policy enforcement should be set to Enabled, so that the effect is actually applied rather than only evaluated

Effect: AuditIfNotExists

Remediation: in this example no managed identity is needed, because AuditIfNotExists only reports non-compliant clusters. A managed identity is required only for the DeployIfNotExists and Modify effects, which change resources on your behalf.

Click on: Create
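The same assignment from the Azure CLI instead of the portal, added here as an example and not taken from the original post. It looks the built-in definition up by display name rather than hard-coding its GUID, reads the definition's default effect, and only attaches a managed identity when the effect is one that remediates. The assignment name `atp-aks`, the subscription scope and the region are this example's assumptions; it requires a logged-in `az`.

```shell
#!/bin/sh
# Added example (not from the original post): assign the built-in policy with az and
# create a managed identity only when the effect needs one. Assumes az is logged in;
# the assignment name, scope and location are illustrative.

POLICY_DISPLAY_NAME="Advanced threat protection should be enabled on Azure Kubernetes Service clusters"
ASSIGNMENT_NAME="atp-aks"
LOCATION="eastus"

# Only DeployIfNotExists and Modify change resources on your behalf and therefore need a
# managed identity on the assignment; Audit, AuditIfNotExists and Deny do not.
needs_managed_identity() {
  case "$1" in
    DeployIfNotExists|Modify) return 0 ;;
    *) return 1 ;;
  esac
}

assign_policy() {
  sub="$(az account show --query id -o tsv)"
  scope="/subscriptions/$sub"

  # Resolve the definition name (a GUID for built-ins) from its display name.
  def="$(az policy definition list \
           --query "[?displayName=='$POLICY_DISPLAY_NAME'].name" -o tsv)"
  [ -n "$def" ] || { echo "policy definition not found: $POLICY_DISPLAY_NAME" >&2; return 1; }

  # Built-in definitions expose the effect as a parameter; use its default, as the portal does.
  effect="$(az policy definition show --name "$def" \
              --query "parameters.effect.defaultValue" -o tsv)"
  echo "definition $def, effect $effect"

  if needs_managed_identity "$effect"; then
    az policy assignment create --name "$ASSIGNMENT_NAME" --policy "$def" --scope "$scope" \
      --enforcement-mode Default --assign-identity --location "$LOCATION"
  else
    az policy assignment create --name "$ASSIGNMENT_NAME" --policy "$def" --scope "$scope" \
      --enforcement-mode Default
  fi

  # Compliance data only appears after an evaluation; trigger one, then list per-cluster states.
  az policy state trigger-scan --no-wait
  az policy state list --policy-assignment "$ASSIGNMENT_NAME" \
    --query "[].{resource:resourceId, state:complianceState}" -o table
}

# Only run the live part when the CLI is present.
if command -v az >/dev/null 2>&1; then
  assign_policy
fi
```

`--enforcement-mode Default` is the CLI equivalent of "Policy enforcement: Enabled" in the portal. If you later switch the effect to one that remediates, the system-assigned identity created by `--assign-identity` still has to be granted a role at the scope before remediation tasks can run; the identity alone is not enough.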

Maxime.