Reading Time: 3 minutes
Share:
Twitter
LinkedIn
Facebook
Reddit
Whatsapp
Follow by Email

Hello there, Azure enthusiasts! Today, we’re diving into a game-changing feature in Azure Kubernetes Service (AKS) that’s currently in preview: the Fully Managed Resource Group, also known as AKS Node Resource Group Lockdown Mode. If you’ve been following the AKS scene, you know how critical it is to manage your cluster’s resources effectively. Well, this feature is all about giving you that control while enhancing security. Let’s explore what it’s all about!

The Challenge: Keeping Your AKS Cluster in Check

In AKS, your applications rely on a set of resources deployed into your subscription. These resources, part of the Node Resource Group, are the backbone of your cluster operations. But here’s the catch: if you tweak these resources directly – think scaling, storage, or networking – you might stir up some operational chaos or future issues. We’ve all been there, making direct changes and then facing the consequences. In-fact You are even out of support if you edit the resources directly.

The Solution: Lockdown Mode to the Rescue

This is where the AKS Node Resource Group Lockdown Mode shines. It’s like having a virtual guard for your Node Resource Group. By setting up a ‘deny assignment,’ AKS ensures no one can alter the resources that form the core of your AKS cluster. It’s a straightforward yet powerful way to funnel all changes through the Kubernetes API, maintaining the stability and integrity of your setup.

Getting Started: The Essentials

Before jumping in, make sure you’re equipped with the right tools:

  • Azure CLI version 2.44.0 or later. Check your version with az --version. Need an update? Head over to Install Azure CLI.
  • The aks-preview extension version 0.5.126 or more.

Setting Up the aks-preview CLI Extension

Registering the ‘NRGLockdownPreview’ Feature Flag

Implementing Lockdown: Your Safety Net

The lockdown mode offers two settings: ReadOnly (the go-to choice) and Unrestricted. With ReadOnly, you can peek at the resources but can’t touch them – perfect for maintaining that delicate balance.

Creating a Cluster with Lockdown

Updating an Existing Cluster

Removing Lockdown

Putting Node Resource Group Lockdown to the Test

To put the AKS Node Resource Group Lockdown feature to the test, I tried restarting the Virtual Machine Scale Set (VMSS) within the managed node resource group. As anticipated, the lockdown enforced its rules strictly. I encountered an error message indicating a denial of permission due to the active lockdown. The error highlighted the effectiveness of the lockdown mode, ensuring changes can only be made through the Kubernetes API, thus upholding the cluster’s stability and security. This real-world test confirms the robustness of AKS’s new security feature.

Wrapping Up: Secure and Controlled AKS Management

Node Resource Group Lockdown in AKS marks a significant step towards more secure and controlled Kubernetes deployments. By channelling modifications through the AKS control plane and preventing direct interference, AKS ensures a stable and reliable environment for your applications. As this feature is in preview, its evolution and integration into standard practices will be a space to watch for enhancements in Kubernetes service management.

Share:
Twitter
LinkedIn
Facebook
Reddit
Whatsapp
Follow by Email

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *