AKS | Operation Abort

Hi!

AKS now supports aborting a long-running operation. The abort operation supports the following scenarios:

  • If a long-running operation is stuck or suspected to be in a bad state or failing, the operation can be aborted provided it’s the last running operation on the Managed Cluster or agent pool.
  • If a long-running operation is stuck or failing, that operation can be aborted.
  • An operation that was triggered in error can be aborted as long as the operation doesn’t reach a terminal state first.

The following example terminates an operation on a node pool on a specified cluster:

az aks nodepool operation-abort --resource-group myResourceGroup --cluster-name myAKSCluster --name myNodePool

The following example terminates an operation on a specified cluster:

az aks operation-abort --name myAKSCluster --resource-group myResourceGroup

Reference: https://learn.microsoft.com/en-us/azure/aks/manage-abort-operations

Maxime.

AKS | Azure Linux

Hi!

A few months ago, I wrote an article about CBL Mariner (internal code name). During Microsoft Build 2023, Microsoft announced the General Availability of Azure Linux.

The Azure Linux Container Host is designed to be lightweight, including only the necessary packages to efficiently run container workloads. It has undergone rigorous validation tests and internal usage to ensure its robustness and security. Moreover, it seamlessly integrates with Azure agents, ensuring compatibility and smooth operation.

This solution offers a reliable and consistent experience across various environments, from the cloud to the edge, encompassing AKS, AKS for Azure Stack HCI, and Azure Arc. With its versatility, you have the flexibility to deploy Azure Linux node pools in both new and existing clusters, as well as migrate your current nodes to Azure Linux nodes.

The Azure Linux Container Host offers the following key benefits:

  • Secure supply chain: Microsoft builds, signs, and validates the Azure Linux Container Host packages from source, and hosts its packages and sources in Microsoft-owned and secured platforms.
  • Small and lightweight: The Azure Linux Container Host only includes the necessary set of packages needed to run container workloads – as a result, it consumes limited disk and memory resources.
  • Secure by default: The Azure Linux Container Host has an emphasis on security and follows the secure-by-default principles, including using a hardened Linux kernel with Azure cloud optimizations and flags tuned for Azure. It also provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages.
  • Extensively validated: The AKS and Azure Linux teams run a suite of functional and performance regression tests with the Azure Linux Container Host before releasing to customers, which enables earlier issue detection and mitigation.

Create an AKS cluster with Azure Linux:

az aks create --name testAzureLinuxCluster --resource-group testAzureLinuxResourceGroup --os-sku AzureLinux

Resource: https://learn.microsoft.com/en-us/azure/azure-linux/

Maxime.

AKV | Access Configuration Update

Hi!

Azure Key Vault offers two authorization systems: Azure role-based access control (Azure RBAC), which operates on the management plane, and the access policy model, which operates on both the management plane and the data plane.

  • Azure RBAC is built on Azure Resource Manager and provides fine-grained access management of Azure resources. With Azure RBAC you control access to resources by creating role assignments, which consist of three elements: a security principal, a role definition (predefined set of permissions), and a scope (group of resources or individual resource). 
  • The access policy model, on the other hand, is an existing authorization system built in Key Vault to provide access to keys, secrets, and certificates. You can control access by assigning individual permissions to security principals (user, group, service principal, managed identity) at Key Vault scope.

Azure RBAC offers several advantages over access policies:

  • A unified access control model for Azure resources – it uses the same API across Azure services
  • Centralized access management for administrators – manage all Azure resources in one view
  • Integration with Privileged Identity Management for time-based access control
  • Deny assignments – ability to exclude security principals at a particular scope
  • More stringent permissions – managing access for users and service principals requires the Owner or User Access Administrator role

Azure RBAC is now the recommended authorization system for the Azure Key Vault data plane.

Maxime.
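To make the difference between the two models concrete, the following added example (not from the original post or from Microsoft) turns a vault's access policy entries into the three elements of an Azure RBAC role assignment (security principal, role definition, scope) and prints the az commands for the switch. The vault JSON is constructed sample data shaped like `az keyvault show` output, and the permission-to-role mapping is a coarse assumption to review before use, not an official mapping.

```python
import json

# Constructed sample shaped like `az keyvault show` output (IDs are placeholders).
SAMPLE_VAULT = json.loads("""
{"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.KeyVault/vaults/myKeyVault",
 "name": "myKeyVault", "resourceGroup": "myResourceGroup",
 "properties": {"enableRbacAuthorization": false, "accessPolicies": [
   {"objectId": "11111111-1111-1111-1111-111111111111",
    "permissions": {"secrets": ["get", "list"], "keys": [], "certificates": []}},
   {"objectId": "22222222-2222-2222-2222-222222222222",
    "permissions": {"secrets": ["get", "set", "delete"], "keys": ["get", "sign"], "certificates": null}}]}}
""")

# Assumption (simplified heuristic): permissions inside READ_ONLY map to the
# "User" built-in role, anything broader maps to the "Officer" role.
READ_ONLY = {"secrets": {"get", "list"},
             "keys": {"get", "list", "encrypt", "decrypt", "sign", "verify",
                      "wrapkey", "unwrapkey"}}
ROLES = {"secrets": ("Key Vault Secrets User", "Key Vault Secrets Officer"),
         "keys": ("Key Vault Crypto User", "Key Vault Crypto Officer"),
         "certificates": ("Key Vault Certificates Officer",
                          "Key Vault Certificates Officer")}

def role_assignments(vault):
    """Return (principal, role, scope) triples that replace the access policies."""
    triples = []
    for policy in vault["properties"].get("accessPolicies") or []:
        for kind, (user_role, officer_role) in ROLES.items():
            perms = {p.lower() for p in (policy["permissions"].get(kind) or [])}
            if not perms:
                continue  # no permissions of this kind, so no role is needed
            role = user_role if perms <= READ_ONLY.get(kind, set()) else officer_role
            triples.append((policy["objectId"], role, vault["id"]))
    return triples

def migration_plan(vault):
    """az commands in a safe order: assign roles first, then switch the vault."""
    if vault["properties"].get("enableRbacAuthorization"):
        return []  # vault already uses Azure RBAC
    cmds = [f'az role assignment create --assignee-object-id {p} --role "{r}" --scope {s}'
            for p, r, s in role_assignments(vault)]
    cmds.append(f'az keyvault update --name {vault["name"]} '
                f'--resource-group {vault["resourceGroup"]} --enable-rbac-authorization true')
    return cmds

if __name__ == "__main__":
    print("\n".join(migration_plan(SAMPLE_VAULT)))
```

The role assignments come before the `az keyvault update` step because access policies stop being evaluated once the vault uses Azure RBAC, so switching first would lock out every principal that has not yet been given a role.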