Auteur/autrice : zigmax

AKS | Node Pool Snapshot

Hi!

In this article, we will see a new feature of AKS : Node Pool Snapshot.

AKS releases a new node image weekly and every new cluster, new node pool, or upgrade cluster will always receive the latest image that can make it hard to maintain your environments consistent and to have repeatable environments.

Node pool snapshots allow you to take a configuration snapshot of your node pool and then create new node pools or new clusters based of that snapshot for as long as that configuration and kubernetes version is supported.

Take a Node Pool Snapshot:

NODEPOOL_ID=$(az aks nodepool show --name nodepool1 --cluster-name myAKSCluster --resource-group myResourceGroup --query id -o tsv)

az aks snapshot create --name MySnapshot --resource-group MyResourceGroup --nodepool-id $NODEPOOL_ID --location eastus

Create a Node Pool from a Snapshot:

SNAPSHOT_ID=$(az aks snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

az aks nodepool add --name np2 --cluster-name myAKSCluster --resource-group myResourceGroup --snapshot-id $SNAPSHOT_ID

Upgrading a Node Pool from a Snapshot:

SNAPSHOT_ID=$(az aks snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

az aks nodepool upgrade --name nodepool1 --cluster-name myAKSCluster --resource-group myResourceGroup --snapshot-id $SNAPSHOT_ID

Create a cluster from a Snapshot:

SNAPSHOT_ID=$(az aks snapshot show --name MySnapshot --resource-group myResourceGroup --query id -o tsv)

az aks create --name myAKSCluster2 --resource-group myResourceGroup --snapshot-id $SNAPSHOT_ID

Maxime.

ACR | Trusted Azure services

Hi!

Azure Container Registry can allow select trusted Azure services to access a registry that’s configured with network access rules. When trusted services are allowed, a trusted service instance can securely bypass the registry’s network rules and perform operations such as pull or push images. 

Trusted serviceSupported usage scenariosConfigure managed identity with RBAC role
Azure Container InstancesDeploy to Azure Container Instances from Azure Container Registry using a managed identityYes, either system-assigned or user-assigned identity
Microsoft Defender for CloudVulnerability scanning by Microsoft Defender for container registriesNo
ACR TasksAccess the parent registry or a different registry from an ACR TaskYes
Machine LearningDeploy or train a model in a Machine Learning workspace using a custom Docker container imageYes
Azure Container RegistryImport images to or from a network-restricted Azure container registryNo

To enable:

az acr update --name myregistry --allow-trusted-services true

To disable:

az acr update --name myregistry --allow-trusted-services false

Maxime.

ACR | Lock container images

Hi!

In this article I will show you how you can lock a container image or a repository (so that it can’t be deleted or updated) hosted in Azure Container Registry (ACR).

By default, a tagged image in Azure Container Registry is mutable, so with appropriate permissions you can repeatedly update and push an image with the same tag to a registry. Container images can also be deleted as needed. This behavior is useful when you develop images and need to maintain a size for your registry.

However, when you deploy a container image to production, you might need an immutable container image. An immutable image is one that you can’t accidentally delete or overwrite.

Show the current repository attributes
az acr repository show \
    --name myregistry --repository myrepo \
    --output jsonc


Show the current image attributes
az acr repository show \
    --name myregistry --image myimage:tag \
    --output jsonc

Lock an image by tag
az acr repository update \
    --name myregistry --image myimage:tag \
    --write-enabled false

Lock an image by manifest digest
az acr repository update \
    --name myregistry --image myimage@sha256:123456abcdefg \
    --write-enabled false

Lock a repository
az acr repository update \
    --name myregistry --repository myrepo \
    --write-enabled false

Protect an image from deletion
az acr repository update \
    --name myregistry --repository myrepo \
    --delete-enabled false --write-enabled true

Prevent read (pull) operations on an image or repository
az acr repository update \
    --name myregistry --image myimage:tag \
    --read-enabled false

az acr repository update \
    --name myregistry --repository myrepo \
    --read-enabled false

Unlock an image or repository
az acr repository update \
    --name myregistry --image myimage:tag \
    --delete-enabled true --write-enabled true

az acr repository update \
    --name myregistry --repository myrepo \
    --delete-enabled true --write-enabled true

Maxime.