Hey there Azure enthusiasts! I’ve got some cool news to share from the AKS front. If you’ve been looking for more flexibility with network policies in Azure Kubernetes Service (AKS), your prayers have been answered, although the feature is currently still in preview. Let’s dive right in and see what this is all about.
So, What’s the Buzz About?
First off, network policies in Kubernetes aren’t just another buzzword. These bad boys are crucial when it comes to defining how pods interact with each other. Think of them as the bouncers of the Kubernetes club, deciding who gets in and who doesn’t. And now, AKS has spiced things up a bit.
What AKS Has Brought to the Table
AKS now allows you to change or, dare I say, completely turn off the network policy of your cluster. You’ve got a few choices:
Azure: This is your standard Azure network policy manager.
Calico: The OG open-source network policy provider.
Cilium: The new kid on the block, representing the Azure CNI Overlay.
And if you decide to give no hoots about specifying a policy? You can simply disable the feature by passing in none. Neat, right?
Before You Get Started
Hold up! Before you dive in, let’s get the environment right.
1. Azure CLI: Make sure it’s the latest version. No compromises here!
2. AKS-Preview Extension: This one’s non-negotiable. You need version 0.5.172 or above.
And if you haven’t got around to updating or adding the AKS-Preview extension, here you go:
az extension add --name aks-preview
az extension update --name aks-preview
After the installation or update, you can check the extension’s version with:
az extension list --output table
Ensure that the version next to “aks-preview” is at least 0.5.1.
Let’s give it a go
So, you’re ready to take the new AKS feature for a spin? Let’s get our hands dirty and see how to actually use the command to switch between these network policies. Remember, it’s all about that hands-on experience!
The starting block: Disabling Network Policy
You always need to start from having no network policies. So, if you already have any of the network policy providers installed, you need to disable the network policy feature first. Luckily, AKS has made it pretty straightforward. Check this out:
az aks update -g YOUR_RESOURCE_GROUP -n YOUR_CLUSTER_NAME --network-policy none
Yep, just make sure you swap out YOUR_RESOURCE_GROUP and YOUR_CLUSTER_NAME with your actual resource group and cluster name, make sure network policy is set to none, and you’re good to go!
As you can see we now have the network policy set to none.
Let’s look at changing the network policy.
Choosing Azure as Your Network Policy
If you’re feeling a bit traditional and want to stick with Azure’s own network policy manager, here’s what you do:
az aks update -g YOUR_RESOURCE_GROUP -n YOUR_CLUSTER_NAME --network-policy azure
Make sure to replace YOUR_RESOURCE_GROUP and YOUR_CLUSTER_NAME with your actual resource group and cluster name. Easy as pie!
Going the Calico Way
For those who have a soft spot for the OG, Calico, you’re just a command away:
az aks update -g YOUR_RESOURCE_GROUP -n YOUR_CLUSTER_NAME --network-policy calico
Again, don’t forget to swap out YOUR_RESOURCE_GROUP and YOUR_CLUSTER_NAME with your specifics.
You can now see we have Calico running inside the cluster.
Embracing the New Kid: Cilium
Venturing into new horizons? Cilium might be the change you’re after. It’s not just about the Azure CNI Overlay here; Cilium brings its own flair to the AKS playground. To set it up, there’s a slight twist: besides the network policy, you also need to enable the Cilium dataplane, oh, and you need to be using Azure CNI Overlay. Let’s enable that first.
az aks update -g YOUR_RESOURCE_GROUP -n YOUR_CLUSTER_NAME --network-plugin-mode overlay --pod-cidr 10.244.0.0/16
As the IP range of my cluster overlaps with the default pod CIDR, I have to set one with the above command. You can change this value to one that works better for you.
Now we can switch to Cilium and get everything rolling. Use:
az aks update -g YOUR_RESOURCE_GROUP -n YOUR_CLUSTER_NAME --network-dataplane=cilium --network-policy=cilium
Don’t forget to plug in your actual YOUR_RESOURCE_GROUP and YOUR_CLUSTER_NAME.
Once it has finished, you can see we have Cilium installed.
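The prerequisite version check and the "start from none" rule described above, combined into one preflight, as an added example that is not part of the original post. The helper names `version_ge`, `plan_switch` and `preflight` and the variables `RG` and `CLUSTER` are assumptions, and extension versions are assumed to be plain dotted numbers.

```shell
#!/bin/sh
# Added example, not from the original post. RG and CLUSTER are assumed variables.
MIN_AKS_PREVIEW="0.5.172"   # minimum aks-preview version stated in this post

# version_ge A B: true when dotted numeric version A >= B. Fields are compared
# as integers; a string comparison would wrongly rank 0.5.70 above 0.5.172.
version_ge() {
  va=$1; vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    fa=${va%%.*}; fb=${vb%%.*}
    [ "${fa:-0}" -gt "${fb:-0}" ] && return 0
    [ "${fa:-0}" -lt "${fb:-0}" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
  done
  return 0
}

# plan_switch CURRENT TARGET: print (not run) the az commands for the switch,
# going through "none" first when another provider is installed, as the post says.
plan_switch() {
  cur=$(printf '%s' "${1:-none}" | tr '[:upper:]' '[:lower:]'); tgt=$2
  base='az aks update -g "$RG" -n "$CLUSTER"'
  case $tgt in
    none|azure|calico|cilium) ;;
    *) echo "unknown policy: $tgt" >&2; return 2 ;;
  esac
  [ "$cur" = "$tgt" ] && return 0      # already on the target, nothing to do
  [ "$cur" != none ] && echo "$base --network-policy none"
  case $tgt in
    none)   ;;                          # the disable step above is the whole plan
    # cilium also needs Azure CNI Overlay enabled beforehand (see the Cilium section)
    cilium) echo "$base --network-dataplane=cilium --network-policy=cilium" ;;
    *)      echo "$base --network-policy $tgt" ;;
  esac
}

# preflight RG CLUSTER TARGET: needs a logged-in az CLI, so it is only defined here.
preflight() {
  RG=$1; CLUSTER=$2
  have=$(az extension show --name aks-preview --query version -o tsv) || return 1
  version_ge "$have" "$MIN_AKS_PREVIEW" || {
    echo "aks-preview $have < $MIN_AKS_PREVIEW: az extension update --name aks-preview" >&2
    return 1
  }
  now=$(az aks show -g "$RG" -n "$CLUSTER" --query networkProfile.networkPolicy -o tsv)
  plan_switch "$now" "$3"
}
# Usage: preflight my-rg my-cluster calico
```

Between the two printed commands the cluster has no network policy engine, so existing NetworkPolicy objects are not enforced during that window; plan the change with that in mind.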
Wrapping it Up
Azure never fails to surprise, right? With this new flexibility in AKS’s network policies, I’m definitely excited about the endless possibilities. Whether you’re Team Calico or rooting for Cilium, AKS has got something for you.
So, give it a whirl, play around with the new features, and let me know how it goes! Until next time, happy Kube-ing!
1 Comment
Gaurav Sharma · April 4, 2024 at 1:27 pm
Hello,
I tried to remove the network policy from the AKS cluster, but I am receiving the below error with the aks update command:
$ az aks update --resource-group rg-name --name cluster-name --network-policy none
ERROR: unrecognized arguments: --network-policy none
Examples from AI knowledge base:
az aks update --resource-group MyResourceGroup --name MyManagedCluster --load-balancer-managed-outbound-ip-count 2
Update a kubernetes cluster with standard SKU load balancer to use two AKS created IPs for the load balancer outbound connection usage.
az aks update --resource-group MyResourceGroup --name MyManagedCluster --api-server-authorized-ip-ranges 0.0.0.0/32
Restrict apiserver traffic in a kubernetes cluster to agentpool nodes.
az version
Show the versions of Azure CLI modules and extensions in JSON format by default or format configured by --output (autogenerated)
https://docs.microsoft.com/en-US/cli/azure/aks#az_aks_update
Read more about the command in reference docs
Below are the az and extension versions:
$ az version
{
"azure-cli": "2.59.0",
"azure-cli-core": "2.59.0",
"azure-cli-telemetry": "1.1.0",
"extensions": {
"aks-preview": "0.5.70"
}
}
Any help on mitigating this issue?