AKS | Enable host-based encryption

Hi,

In this article I would like share with you how you can enable host-based encryption on AKS. This feature is still in preview.

With host-based encryption, the data stored on the VM host of your AKS agent nodes’ VMs is encrypted at rest and flows encrypted to the Storage service. This means the temp disks are encrypted at rest with platform-managed keys. The cache of OS and data disks is encrypted at rest with either platform-managed keys or customer-managed keys depending on the encryption type set on those disks.

# Requirements
az feature register --namespace "Microsoft.Compute" --name "EncryptionAtHost"

az feature register --namespace "Microsoft.ContainerService" --name "EnableEncryptionAtHostPreview"

az feature list -o table --query "[?contains(name, 'Microsoft.Compute/EncryptionAtHost')].{Name:name,State:properties.state}"

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableEncryptionAtHostPreview')].{Name:name,State:properties.state}"

az provider register --namespace Microsoft.Compute

az provider register --namespace Microsoft.ContainerService

# Install the aks-preview extension
az extension add --name aks-preview

# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview

# Create a new cluster to use host-based encryption
az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --aks-custom-headers EnableEncryptionAtHost=true

# Update an existing cluster to use host-based encryption
az aks nodepool add --name hostencrypt --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS2_v2 -l westus2 --aks-custom-headers EnableEncryptionAtHost=true

Maxime.

AKS | Ephemeral Disk

Hi,

In this article, I would like to share with you, how you can enable ephemeral os disk with your AKS cluster. This feature is still in public preview. Please don’t use use this feature with your production cluster.

By default, the operating system disk for an Azure virtual machine is automatically replicated to Azure storage to avoid data loss should the VM need to be relocated to another host. However, since containers aren’t designed to have local state persisted, this behavior offers limited value while providing some drawbacks, including slower node provisioning and higher read/write latency.

az feature register --name EnableEphemeralOSDiskPreview --namespace Microsoft.ContainerService

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/EnableEphemeralOSDiskPreview')].{Name:name,State:properties.state}"

az provider register --namespace Microsoft.ContainerService

az extension add --name aks-preview

az extension update --name aks-preview

Configure the cluster to use Ephemeral OS disks when the cluster is created. Use the --aks-custom-headers flag to set Ephemeral OS as the OS disk type for the new cluster.

az aks create --name myAKSCluster --resource-group myResourceGroup -s Standard_DS3_v2 --aks-custom-headers EnableEphemeralOSDisk=true

Configure a new node pool to use Ephemeral OS disks. Use the --aks-custom-headers flag to set as the OS disk type as the OS disk type for that node pool.

az aks nodepool add --name ephemeral --cluster-name myAKSCluster --resource-group myResourceGroup -s Standard_DS3_v2 --aks-custom-headers EnableEphemeralOSDisk=true

Maxime.

AKS | Custom Resource group name

[English below]

Bonjour,

Dans cet article je vais vous présenter comment changer le nom du deuxième ressource group créé pour les nodes de votre cluster AKS.

Par défaut, AKS nomme le groupe de ressources de noeuds: MC_resourcegroupname_clustername_location, mais avec l’aide de la commande ci-dessous vous pouvez changer ce nom :

az aks create --name myAKSCluster --resource-group myResourceGroup --node-resource-group myNodeResourceGroup

Je vous recommande fortement d’utiliser des conventions de nommage de vos ressources, notamment afin d’assurer une bonne gouvernance de votre infastructure. Pour cela vous pouvez utiliser le service Azure Policy afin d’appliquer vos conventions de nommage (tagging stategy).

Maxime.

Hi,

In this article, I would like to share with you, how you can customize the name of the AKS node resource group. When you deploy an Azure Kubernetes Service cluster in Azure, a second resource group gets created for the worker nodes.

By default, AKS will name the node resource group: MC_resourcegroupname_clustername_location but you can also provide your own name.

az aks create --name myAKSCluster --resource-group myResourceGroup --node-resource-group myNodeResourceGroup

I recommend you to use a tagging strategy for all your Azure ressources, this can help you to manage your cost and security governance. Please do not hesitate to use the Azure policy to enforce your tagging strategy.

Maxime.