Cloud architect & IaC Geek
IT guy since 2004
Cloud architect, (mainly on Azure) since 2015
Still exploring the Cloud platform capabilities (which get new stuff all the time)
Breathe IaC and Automation (but more Hashicorp stuff than other ^^)
Still struggling in the K8S landscape
MVP Azure since 2019
MCT since 2020
Area of Expertise
Azure Kubernetes Service is the trendy solution in the Azure environment.
As such, it requires proper configuration to achieve a security-validated design.
Without going into the pure Kubernetes configuration, there are things to consider to secure the first of the four Cs, which is the Cloud platform.
In this session, we will focus on network access to the control plane and how to lock it down with Azure Private Endpoint and the private AKS cluster.
Learning through Infrastructure as Code, we will use Terraform to find what is required and the available options for an up-and-running private AKS.
Last, we will discuss the things to consider regarding the user experience once in a private AKS.
AKS ops have to take care of their AKS cluster.
But which actions with which tools?
In this session, we take a look at what we can do with Logic Apps to operate AKS clusters through 2 use cases:
- Start and stop AKS clusters
- Schedule certificate rotation
We will build our automated process step by step while discussing the advantages of Logic Apps vs other solutions.
With maturity growing, AKS clusters host more and more critical workloads.
So the question arises: how do I recover an app, or a node pool, or a cluster?
In this session, we will start with an overview of the available solutions for workload protection in AKS, mixing known community tools and Azure native features.
Then we will illustrate the following scenarios:
- Simple workload recovery
- Full cluster recovery
Each time selecting the appropriate solution.
By the end of this session, you will have the pointers to implement the protection of your AKS clusters.
Kubernetes is moving fast, and so is AKS.
More visibility, more security...
Those are usual topics for Kubernetes Ops.
In this session, we will have a look at the Service Mesh concepts, as described in the SMI, and look at one solution: Open Service Mesh.
On the agenda:
- and Traffic management.
At the end of the session, we'll have seen the basics of service mesh in AKS, and we will look at what more can be done with service mesh.
Ideally, micro-segmentation should be achieved as a standard in Kubernetes.
One way to achieve that is through network policies.
Unfortunately, it can be tedious to define network policies for granular filtering.
Another way is through the use of Consul Connect intentions.
In the first part of this session, we will
- review network policies basics
- have an overview of Consul Connect capabilities and specifically the intentions
In the second part, with a sample application, we will implement micro-segmentation both ways, with network policies first and then intentions.
The nice thing with AKS is that it's evolving really fast... Or is it the worst thing?
Are you lost in which part is using which identity... stuff?
Not sure how to authenticate on the API server?
Not clear on how to interact with other Azure parts, from the Kubelet or from the apps?
In this session, we go back over the AAD integration and what is managed in either the Azure plane or the Kubernetes control plane.
We also take a look at the Kubernetes worker plane and the options for managing identities at the pod level.
#AKS #AAD #PodIdentity #WorkloadIdentity #ManagedIdentity
The demand for hybrid cloud is rising, and with it the need for managing multi-cloud resources.
Unfortunately, it's not as simple to get a hybrid Kubernetes as, let's say, a sheep drawing.
Or is it?
In this session we'll take a look at the Azure Arc proposal.
We'll start by looking at what is behind the Azure Arc offer.
Then we'll focus on Azure Arc-enabled Kubernetes and what we can achieve from the Azure plane with the Kubernetes plane... well, everywhere.
We'll take a look at the "how to" with Azure Arc and Kubernetes and try to find what level of integration with the Azure platform can be achieved for Azure engineers so they can manage other (cloud-managed) Kubernetes.