Kubernetes Service

Deploy a Kubernetes Service on Azure with IP address that is in a different resource group to the cluster

When a service is deployed to Kubernetes we often need to specify a static IP address. This means that if the service gets recreated it retains the same IP. By default when you deploy a service in Kubernetes on Azure that static IP address must reside in the same resource group as the cluster nodes. This causes a couple of potential problems: If you delete an Azure Kubernetes Service cluster then the cluster resource group (starts MC_) gets deleted and can lose the IP address in the resource group. If need to reassign the IP address to a different cluster…
Read more

Configuring Kubernetes ingress with a wildcard DNS certificate, single TLS secret and applications in multiple namespaces

Scenario An organisation wanted to deploy each application into a separate Kubernetes namespace. Each application will be available at a subdomain of example.com, via a wildcard DNS entry of *.example.com pointing to the ingress controller’s service IP address. A single wildcard TLS certificate ( *.example.com ) will be used to protect all applications using the ingress controller. It was desired that only a single TLS secret should exist on the cluster to facilitate certificate renewal. Challenges Kubernetes secrets are only accessible from the namespace in which they are created. We discussed having a single namespace with all ingress resources and…
Read more

Enforcing Network Policies using kube-router on AKS

Corporate security policy often requires the flow of traffic to be restricted between between Kubernetes pods. This is similar to how switch access control lists restrict traffic between physical servers. This functionality Kubernetes the traffic flow is configured using network policies. There are a number of projects that support network policy enforcement. The majority require a specific network plugin to be deployed. As the Azure Kubernetes Service is a managed service we do not have the flexibility to choose the network plug in that is deployed. The default is kubenet, or if using advanced networking AKS uses the Azure CNI…
Read more