Catégorie : Kubernetes (AKS)

AKS | Mariner Container Optimized OS on AKS

Hi!

Mariner is an open-source Linux distribution created by Microsoft and is now available for preview as a container host on Azure Kubernetes Service (AKS). Optimized for AKS, the Mariner container host provides reliability and consistency from cloud to edge across the AKS, AKS-HCI, and Arc products. You can deploy Mariner node pools in a new cluster, add Mariner node pools to your existing Ubuntu clusters, or migrate your Ubuntu nodes to Mariner nodes.

Key Capabilities Of CBL-Mariner:

CBL-Mariner provides many of the traditional benefits of using Linux. In addition to that, CBL-Mariner provides hardened security and efficient lifecycle management.

  • CBL-Mariner core

Minimal core system that supports a variety of profiles (Azure VM or on bare-metal x64 or ARM64) and allows the customer to build on top of it as needed.

Lightweight footprint: 450MB uncompressed.

  • Support & Updates

SLA for vulnerabilities.

Patches automatically available for the customer to update when most convenient for them.

dnf infrastructure used for upgrading packages.

  • Security hardened

The kernel and other aspects of the OS are built with an emphasis on security and follow the secure-by-default principle, compliant with Microsoft security standards and industry certifications.

  • Federated Builds

Enables teams to innovate on top by allowing the generation and maintenance of packages on top of the CBL-Mariner builds.

With over 6000 packages already built, teams can customize their image easily.

  • Robust Testing

Through a robust testing matrix of package, image and kernel tests, we allow for earlier issue detections and mitigations prior to the image being published.

  • Virtualization

CBL-Mariner supports a container host image that includes the Kubernetes infrastructure.

  • Efficient lifecycle management

CBL-Mariner supports both RPM package and image-based update mechanisms for releases – with an “evergreen” release alongside specific security-patched stable snaps. New releases are made available annually and each release is supported for 18 months.

If you want to replace your existing AKS Ubuntu Node Pool by Mariner, please follow this link: https://microsoft.github.io/CBL-Mariner/docs/#using-cbl-mariner-with-aks

Maxime.

AKS | Suppress alerts based on Container and Kubernetes entities

Hi!

You can now suppress alerts based on these Kubernetes entities so you can use the container environment details to align your alerts your organization’s policy and stop receiving unwanted alerts:

  • Container Image
  • Container Registry
  • Kubernetes Namespace
  • Kubernetes Pod
  • Kubernetes Service
  • Kubernetes Secret
  • Kubernetes ServiceAccount
  • Kubernetes Deployment
  • Kubernetes ReplicaSet
  • Kubernetes StatefulSet
  • Kubernetes DaemonSet
  • Kubernetes Job
  • Kubernetes CronJob

Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/release-notes#suppress-alerts-based-on-container-and-kubernetes-entities

Maxime.

AKS | Image Cleaner

Hi!

In this article, I will show you how you can clean unreferenced images stored at the nodes level. When done manually, this process can be time intensive, which ImageCleaner can mitigate via automatic image identification and removal.

ImageCleaner does not support the following:

  • Windows node pools
  • ARM64 node pools

When enabled, an eraser-controller-manager pod is deployed on each agent node, which will use an ImageList CRD to determine unreferenced and vulnerable images. Vulnerability is determined based on a trivy scan, after which images with a LOW, MEDIUM, HIGH, or CRITICAL classification are flagged.

An updated ImageList will be automatically generated by ImageCleaner based on a set time interval, and can also be supplied manually. Once an ImageList is generated, ImageCleaner will remove all the images in the list from node VMs.

To enable Image Cleaner on an existing AKS cluster:

az aks update -g MyResourceGroup -n MyManagedCluster --enable-image-cleaner

To enable Image Cleaner with an interval of hours:

az aks update -g MyResourceGroup -n MyManagedCluster --image-cleaner-interval-hours 48

Based on your configuration, ImageCleaner will generate an ImageList containing non-running and vulnerable images at the desired interval. ImageCleaner will automatically remove these images from cluster nodes.

Source: https://docs.microsoft.com/en-us/azure/aks/image-cleaner

Maxime.