Hello there, Azure enthusiasts! Today, we’re diving into a game-changing feature in Azure Kubernetes Service (AKS) that’s currently in preview: the Fully Managed Resource Group, also known as AKS Node Resource Group Lockdown Mode. If you’ve been following the AKS scene, you know how critical it is to manage your cluster’s resources effectively. Well, this feature is all about giving you that control while enhancing security. Let’s explore what it’s all about!
The Challenge: Keeping Your AKS Cluster in Check
In AKS, your applications rely on a set of resources deployed into your subscription. These resources, part of the Node Resource Group, are the backbone of your cluster operations. But here’s the catch: if you tweak these resources directly – think scaling, storage, or networking – you might stir up some operational chaos or future issues. We’ve all been there, making direct changes and then facing the consequences. In-fact You are even out of support if you edit the resources directly.
The Solution: Lockdown Mode to the Rescue
This is where the AKS Node Resource Group Lockdown Mode shines. It’s like having a virtual guard for your Node Resource Group. By setting up a ‘deny assignment,’ AKS ensures no one can alter the resources that form the core of your AKS cluster. It’s a straightforward yet powerful way to funnel all changes through the Kubernetes API, maintaining the stability and integrity of your setup.
Getting Started: The Essentials
Before jumping in, make sure you’re equipped with the right tools:
- Azure CLI version 2.44.0 or later. Check your version with
az --version. Need an update? Head over to Install Azure CLI.
- The aks-preview extension version 0.5.126 or more.
Setting Up the aks-preview CLI Extension
# To install the aks-preview extension
az extension add --name aks-preview
# Don't forget to update to the latest version
az extension update --name aks-preview
Registering the ‘NRGLockdownPreview’ Feature Flag
# Register the feature flag
az feature register --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"
# Verify registration status
az feature show --namespace "Microsoft.ContainerService" --name "NRGLockdownPreview"
# Refresh the registration of the resource provider
az provider register --namespace Microsoft.ContainerService
Implementing Lockdown: Your Safety Net
The lockdown mode offers two settings:
ReadOnly (the go-to choice) and
ReadOnly, you can peek at the resources but can’t touch them – perfect for maintaining that delicate balance.
Creating a Cluster with Lockdown
# Create a cluster with ReadOnly restriction
az aks create -n aks-nrg-test -g rg-aks-nrg-test --nrg-lockdown-restriction-level ReadOnly
Updating an Existing Cluster
# Update an existing cluster to ReadOnly
az aks update -n aks-nrg-test -g rg-aks-nrg-test --nrg-lockdown-restriction-level ReadOnly
# Remove lockdown, setting to Unrestricted
az aks update -n aks-nrg-test -g rg-aks-nrg-test --nrg-lockdown-restriction-level Unrestricted
Putting Node Resource Group Lockdown to the Test
To put the AKS Node Resource Group Lockdown feature to the test, I tried restarting the Virtual Machine Scale Set (VMSS) within the managed node resource group. As anticipated, the lockdown enforced its rules strictly. I encountered an error message indicating a denial of permission due to the active lockdown. The error highlighted the effectiveness of the lockdown mode, ensuring changes can only be made through the Kubernetes API, thus upholding the cluster’s stability and security. This real-world test confirms the robustness of AKS’s new security feature.
Wrapping Up: Secure and Controlled AKS Management
Node Resource Group Lockdown in AKS marks a significant step towards more secure and controlled Kubernetes deployments. By channelling modifications through the AKS control plane and preventing direct interference, AKS ensures a stable and reliable environment for your applications. As this feature is in preview, its evolution and integration into standard practices will be a space to watch for enhancements in Kubernetes service management.