Catégorie : ACR

AKS | Artifact Streaming 

Hi!

High-performance compute workloads often grapple with the challenge of managing large container images, leading to extended image pull times and delayed workload deployments. Recognizing this pain point, Azure Kubernetes Service (AKS) introduces Artifact Streaming, a powerful feature designed to streamline the process of streaming container images from Azure Container Registry (ACR) to AKS. This article delves into the benefits and implementation of Artifact Streaming, shedding light on how it can significantly enhance the performance of your AKS workloads.

Large images in high-performance compute workloads can impede efficiency, resulting in prolonged image pull times and, subsequently, delayed deployment of workloads. This bottleneck can be particularly problematic for workloads that require rapid scalability and responsiveness.

Artifact Streaming on AKS offers a solution to this challenge by optimizing the process of streaming container images from ACR to AKS. Unlike traditional methods, AKS with Artifact Streaming only pulls the essential layers needed for the initial pod startup. This targeted approach dramatically reduces the time required to pull images, resulting in faster and more efficient workload deployments.

Key Benefits of Artifact Streaming:

  • Reduced Time to Pod Readiness:
    • Experience over a 15% reduction in time to pod readiness, particularly impactful for time-sensitive workloads.
  • Optimized for Images <30GB:
    • While Artifact Streaming is most effective for images under 30GB, our testing showcased substantial improvements for images under 10GB, with pod start-up times decreasing from minutes to seconds.
  • Concurrent Pod Start-ups:
    • Artifact Streaming enables concurrent pod start-ups, offering a significant advantage over the traditional serial start-up process.

Create a new node pool with Artifact Streaming enabled:

az aks nodepool add --resource-group myResourceGroup --cluster-name myAKSCluster --name myNodePool --enable-artifact-streaming

In conclusion, Artifact Streaming on AKS proves to be a game-changer for high-performance compute workloads, offering a streamlined approach to handling large container images. By significantly reducing image pull times and enhancing pod start-up efficiency, AKS with Artifact Streaming empowers businesses to meet the demands of dynamic and scalable workloads. Follow the implementation guide provided to unlock the full potential of this feature and elevate the performance of your AKS deployments.

Documentation: https://learn.microsoft.com/en-us/azure/aks/artifact-streaming

Maxime.

ACR | Containers vulnerability assessment powered by Microsoft Defender Vulnerability Management (MDVM)

Hi!

Enhanced by Microsoft Defender Vulnerability Management (MDVM), the Azure Vulnerability Assessment is an effortless, plug-and-play solution, empowering security teams to swiftly identify and rectify vulnerabilities within Linux container images. This process requires no initial configuration for onboarding and eliminates the need for agent deployment.

Notably, this feature exclusively supports the scanning of images within the Azure Container Registry (ACR). Images stored in alternative container registries must be imported into ACR for coverage.

MDVM-powered Container Vulnerability Assessment boasts the following key capabilities:

  • Scanning OS Packages: This feature allows for the scanning of vulnerabilities present in packages installed by the OS package manager in Linux. Refer to the comprehensive list of supported OS and their versions for further details.
  • Language-Specific Packages: Support is extended to language-specific packages and associated files, along with their dependencies, whether installed or copied without the involvement of the OS package manager. For a complete list of supported languages, please consult our resources.
  • Image Scanning in Azure Private Link: This capability enables the scanning of images within container registries accessible through Azure Private Links. It is contingent upon access to trusted services and authentication with the registry. Learn how to enable access through trusted services.
  • Exploitability Insights: Each vulnerability report undergoes scrutiny within exploitability databases, assisting customers in gauging the actual risk associated with each reported vulnerability.
  • Comprehensive Reporting: Container Vulnerability Assessment for Azure, powered by Microsoft Defender Vulnerability Management (MDVM), furnishes vulnerability reports with the following recommendations:
    • Querying Vulnerability Information via Azure Resource Graph: This functionality facilitates the querying of vulnerability information through the Azure Resource Graph. Find out how to query recommendations via ARG.
    • Querying Vulnerability Information via Subassessment API: Obtain scan results through the REST API.
    • Support for Exemptions: Learn to create exemption rules for a management group, resource group, or subscription.
    • Support for Disabling Vulnerabilities: Gain insights into disabling vulnerabilities on images.

One-Time Triggering:

  • Each image pushed or imported to a container registry undergoes scanning immediately after the operation. Typically, the scan concludes within minutes, but may occasionally extend up to an hour.
  • [Preview] Images pulled from a registry are scheduled for scanning within 24 hours.

Microsoft Defender Vulnerability Management (MDVM) now incorporates an additional trigger for scanning images retrieved from an ACR. This enhancement extends coverage to active images, complementing existing triggers for scanning images pushed to an ACR within the last 90 days and images currently operational in AKS.

Continuous Rescan Triggering:

A continuous rescan is vital to ensure that images, previously scanned for vulnerabilities, receive updates to their vulnerability reports in the event of a newly discovered vulnerability.

  • A rescan is executed once daily for:
    • Images pushed within the last 90 days.
    • [Preview] Images pulled within the last 30 days.
    • Images currently active on the Kubernetes clusters monitored by Defender for Cloud, either via agentless discovery and visibility for Kubernetes or the Defender agent.

Maxime.

ACR | Trusted Azure services

Hi!

Azure Container Registry can allow select trusted Azure services to access a registry that’s configured with network access rules. When trusted services are allowed, a trusted service instance can securely bypass the registry’s network rules and perform operations such as pull or push images. 

Trusted serviceSupported usage scenariosConfigure managed identity with RBAC role
Azure Container InstancesDeploy to Azure Container Instances from Azure Container Registry using a managed identityYes, either system-assigned or user-assigned identity
Microsoft Defender for CloudVulnerability scanning by Microsoft Defender for container registriesNo
ACR TasksAccess the parent registry or a different registry from an ACR TaskYes
Machine LearningDeploy or train a model in a Machine Learning workspace using a custom Docker container imageYes
Azure Container RegistryImport images to or from a network-restricted Azure container registryNo

To enable:

az acr update --name myregistry --allow-trusted-services true 

To disable:

az acr update --name myregistry --allow-trusted-services false

Maxime.