AKS | Auto Upgrade

Hi!

In this article, I would like to show you a new AKS feature whose goal is to automate the upgrade of your AKS cluster.

Four channels are available:

Channel | Action | Example
none | Disables auto-upgrades and keeps the cluster at its current version of Kubernetes. | Default setting if left unchanged.
patch | Automatically upgrades the cluster to the latest supported patch version when it becomes available, while keeping the minor version the same. | If a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster is upgraded to 1.17.9.
stable | Automatically upgrades the cluster to the latest supported patch release on minor version N-1, where N is the latest supported minor version. | If a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster is upgraded to 1.18.6.
rapid | Automatically upgrades the cluster to the latest supported patch release on the latest supported minor version. If the cluster is at minor version N-2, where N is the latest supported minor version, the cluster first upgrades to the latest supported patch version on minor version N-1. | If a cluster is running version 1.17.7 and versions 1.17.9, 1.18.4, 1.18.6, and 1.19.1 are available, your cluster is first upgraded to 1.18.6, then to 1.19.1.
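To make the channel rules concrete, here is an added example (not Microsoft's or this post's code) that models how each channel picks its target from the supported release list. It assumes all versions share major version 1, that a cluster already beyond a channel's target minor is never downgraded and only takes patches, and it generalises the N-2 -> N-1 -> N behaviour of the rapid row to any number of intermediate minors, since minor versions cannot be skipped.

```python
"""Added example (not Microsoft's or the post's code): a model of how the four
AKS auto-upgrade channels pick target versions from the supported release list.
Assumptions: all versions are 1.x, and a cluster already beyond the channel's
target minor stays on its minor and only takes patch releases."""
from typing import List, Tuple

Version = Tuple[int, int, int]  # (major, minor, patch)


def parse(v: str) -> Version:
    major, minor, patch = (int(part) for part in v.split("."))
    return major, minor, patch


def fmt(v: Version) -> str:
    return "%d.%d.%d" % v


def latest_patch(minor: int, versions: List[Version]) -> Version:
    """Highest patch release on the given minor among the supported versions."""
    candidates = [v for v in versions if v[1] == minor]
    if not candidates:
        raise ValueError(f"no supported release on minor 1.{minor}")
    return max(candidates)


def upgrade_plan(channel: str, current: str, available: List[str]) -> List[str]:
    """Return, in order, the versions the cluster would be upgraded to.

    channel   one of none / patch / stable / rapid (as in the table above)
    current   the cluster's running version, e.g. "1.17.7"
    available the supported versions AKS offers, e.g. ["1.17.9", "1.18.4", ...]
    """
    cur = parse(current)
    supported = [parse(v) for v in available] + [cur]
    if any(v[0] != 1 for v in supported):
        raise ValueError("this example assumes Kubernetes 1.x only")
    if channel == "none":
        return []  # stay at the current version

    latest_minor = max(v[1] for v in supported)  # N in the table
    if channel == "patch":
        target_minor = cur[1]            # same minor, newest patch
    elif channel == "stable":
        target_minor = latest_minor - 1  # newest patch on N-1
    elif channel == "rapid":
        target_minor = latest_minor      # newest patch on N
    else:
        raise ValueError(f"unknown channel {channel!r}")

    # Assumption: never downgrade; a cluster past the target minor only takes patches.
    target_minor = max(target_minor, cur[1])

    if target_minor == cur[1]:
        best = latest_patch(cur[1], supported)
        return [fmt(best)] if best != cur else []

    # Minor versions cannot be skipped, so step through each one and take its
    # latest patch: the N-2 -> N-1 -> N behaviour of the rapid row, generalised.
    return [fmt(latest_patch(m, supported)) for m in range(cur[1] + 1, target_minor + 1)]


if __name__ == "__main__":
    avail = ["1.17.9", "1.18.4", "1.18.6", "1.19.1"]  # the table's example list
    for ch in ("none", "patch", "stable", "rapid"):
        print(f"{ch:7s} 1.17.7 -> {upgrade_plan(ch, '1.17.7', avail) or ['(no change)']}")
```

Running it with the table's example list reproduces the four rows: patch stops at 1.17.9, stable jumps to 1.18.6, and rapid goes through 1.18.6 before 1.19.1. The real `az aks get-upgrades` output is what AKS actually consults; this model is only there to make the channel semantics easy to reason about before you commit a cluster to one.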
# - Requirements
az feature register --namespace Microsoft.ContainerService -n AutoUpgradePreview

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/AutoUpgradePreview')].{Name:name,State:properties.state}"

az provider register --namespace Microsoft.ContainerService
 
# - Create a new cluster with the auto-upgrade feature
az aks create --resource-group myResourceGroup --name myAKSCluster --auto-upgrade-channel stable --generate-ssh-keys
 
# - Update an existing cluster with the auto-upgrade feature
az aks update --resource-group myResourceGroup --name myAKSCluster --auto-upgrade-channel stable

Maxime.

AKS | OPA Gatekeeper Monitoring

Hi,

In this article, I will show you how to configure Prometheus and Grafana to monitor your OPA Gatekeeper policies. The prerequisite is an existing Prometheus and Grafana stack. If you don't have OPA Gatekeeper deployed in your AKS cluster yet, please follow the steps of this article.

By default, when you deploy OPA Gatekeeper inside your Kubernetes cluster, some OPA Gatekeeper metrics are already exposed for you! The idea is to collect these metrics with Prometheus and build a Grafana dashboard on top of them. In this example, we will create a new Grafana dashboard that shows the number of violations of our dry-run OPA policies.

We will use the Prometheus scrape annotations to collect the OPA metrics. I recommend editing the configuration of the OPA Gatekeeper audit pod and adding the following annotations:

  • prometheus.io/scrape: "true"
  • prometheus.io/port: "8888"
➜  ~ kubectl get pods --namespace gatekeeper-system
 NAME                                             READY   STATUS    RESTARTS   AGE
 gatekeeper-audit-576f6d6f8d-p5nvk                1/1     Running   0          18h
 gatekeeper-controller-manager-85d8bf48c9-5j2f5   1/1     Running   0          6d
 gatekeeper-controller-manager-85d8bf48c9-v2d92   1/1     Running   1          6d1h
 gatekeeper-controller-manager-85d8bf48c9-z924v   1/1     Running   0          18h
 gatekeeper-policy-manager-5bf4586996-2cmw9       1/1     Running   0          18h

➜  ~ kubectl edit pods gatekeeper-audit-576f6d6f8d-p5nvk --namespace gatekeeper-system
apiVersion: v1
kind: Pod
metadata:
  annotations:
    container.seccomp.security.alpha.kubernetes.io/manager: runtime/default
    prometheus.io/scrape: "true"
    prometheus.io/port: "8888"

Once this is done, a new target appears in the Prometheus targets page:

Now we can create a new Kubernetes dashboard in Grafana and add a metric that displays only the Gatekeeper violations of our dry-run policies:

Metric: gatekeeper_violations{control_plane="audit-controller", enforcement_action="dryrun"}
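The scrape annotations and the Grafana selector above, as an added example that is not part of the original post or of Gatekeeper's own code: the first function builds the patch body that puts the two annotations on the pod template of the audit Deployment (assumed to be named gatekeeper-audit, from the pod name shown above), and the rest parses Prometheus exposition text and evaluates the post's selector gatekeeper_violations{control_plane="audit-controller", enforcement_action="dryrun"} over it. The scrape lines are constructed for the example; only the metric name and label values come from the post.

```python
"""Added example, not the post's or Gatekeeper's code. Metric name and labels
follow the post; the scrape text below is constructed, not captured."""
import json
import re
from typing import Dict, Iterator, Tuple

# The two annotations the post adds to the gatekeeper-audit pod.
AUDIT_ANNOTATIONS = {"prometheus.io/scrape": "true", "prometheus.io/port": "8888"}


def audit_deployment_patch(annotations: Dict[str, str] = AUDIT_ANNOTATIONS) -> dict:
    """Strategic-merge patch body that places the scrape annotations on the
    Deployment's pod template (spec.template.metadata.annotations), so they are
    carried by every pod the ReplicaSet creates rather than by one running pod."""
    return {"spec": {"template": {"metadata": {"annotations": dict(annotations)}}}}


# Constructed scrape output in Prometheus exposition format (sample values invented).
SAMPLE_SCRAPE = """\
# HELP gatekeeper_violations Total number of audited violations
# TYPE gatekeeper_violations gauge
gatekeeper_violations{control_plane="audit-controller",enforcement_action="deny"} 2
gatekeeper_violations{control_plane="audit-controller",enforcement_action="dryrun"} 7
gatekeeper_violations{control_plane="audit-controller",enforcement_action="warn"} 0
gatekeeper_constraints{enforcement_action="dryrun",status="active"} 3
"""

SAMPLE_RE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([a-zA-Z_][a-zA-Z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text: str) -> Iterator[Tuple[str, Dict[str, str], float]]:
    """Yield (metric name, labels, value) for each sample line, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {line!r}")
        name, labels, value = m.groups()
        yield name, dict(LABEL_RE.findall(labels or "")), float(value)


def select(text: str, name: str, **matchers: str) -> float:
    """Sum the samples of `name` whose labels satisfy every equality matcher:
    the instant-vector selector name{k="v",...} that the Grafana panel uses."""
    total = 0.0
    for sample_name, labels, value in parse_exposition(text):
        if sample_name == name and all(labels.get(k) == v for k, v in matchers.items()):
            total += value
    return total


def dryrun_audit_violations(text: str = SAMPLE_SCRAPE) -> float:
    """The post's metric: violations found by the audit controller for dry-run policies."""
    return select(text, "gatekeeper_violations",
                  control_plane="audit-controller", enforcement_action="dryrun")


if __name__ == "__main__":
    # Patch body for: kubectl patch deployment gatekeeper-audit -n gatekeeper-system -p '<json>'
    print(json.dumps(audit_deployment_patch()))
    print("dry-run audit violations:", dryrun_audit_violations())
```

Patching the Deployment rather than the running pod matters because annotations set with `kubectl edit pods`, as in the listing above, disappear as soon as the ReplicaSet replaces that pod (after a restart, node drain or Gatekeeper upgrade), and Prometheus silently loses the target. Keeping the selector in code also makes it easy to alert on it: a growing dry-run count is the signal that a policy is ready to be switched to deny, or that something in the cluster has drifted.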

In conclusion, we saw how to configure Prometheus and Grafana to monitor the number of OPA Gatekeeper violations. Do not hesitate to read the official OPA Gatekeeper documentation: other metrics are available to help you monitor your OPA Gatekeeper deployment (current number of known constraints, number of observed constraint templates, …).

Maxime.

Happy New Year 2021!

Hello!

I wanted to take a few minutes to thank you for being more than 500,000 visitors reading my blog over the past months. We have lived through a complicated context, but one that has also allowed us to reinvent ourselves technologically.

The editorial line of this blog will continue to evolve around topics related to Cloud security (Azure Security Center, Azure Sentinel), governance (Azure Policy, OPA Gatekeeper, …) and the security of Kubernetes clusters.

I send you all my best wishes for this year 2021!

Maxime.