Azure Kubernetes Service Flashcards
What are the components thet make up Kubernetes?
kub-apiserver
etcd
kub-scheduler
kub-controller-manager
cloud-controller-manager
node (kublet)(kub-proxy)(kub-=runtime)
What are the cluster configuration presets available?
Production Standard
Best for most applications serving production traffic with AKS-recommended best practices.
Dev/Test
Best for developing new workloads or testing existing workloads.
Production Economy
It is best for serving production traffic in a cost-conscious way if your workloads can tolerate interruptions.
Production Enterprise
Best for serving production traffic with rigorous permissions and hardened security.
Can you have a private cluster using:
production standard
Dev/Test
Production Economy
Production Enterprise
Just Production Enterprise.
What is a private cluster?
In Azure Kubernetes Service (AKS), a private cluster is a cluster where the API server (the control plane) is only accessible within a private network rather than being exposed over the public internet.
This configuration enhances security by restricting access to the AKS API server to a specific virtual network (VNet), eliminating the potential attack surface exposed by having the control plane accessible publicly.
Key features of an AKS private cluster include:
Private endpoint: The API server is exposed through a private IP address within the configured VNet.
No public IP: The API server doesn’t have a public endpoint, ensuring that external users or systems cannot access it directly over the internet.
Network Security: You can use Azure Network Security Groups (NSGs), User Defined Routes (UDRs), and firewalls to further control and secure the traffic to the AKS cluster.
Managed Identity & RBAC: Private clusters still support managed identities and Role-Based Access Control (RBAC) for secure access management.
Private DNS Zone: A private DNS zone is used to resolve the private endpoint of the AKS API server within your network.
I require AKS control plane to be only accessible in a vNET?
Use private cluster:
Private endpoint: The API server is exposed through a private IP address within the configured VNet.
No public IP: The API server doesn’t have a public endpoint, ensuring that external users or systems cannot access it directly over the internet.
Network Security: You can use Azure Network Security Groups (NSGs), User Defined Routes (UDRs), and firewalls to further control and secure the traffic to the AKS cluster.
Managed Identity & RBAC: Private clusters still support managed identities and Role-Based Access Control (RBAC) for secure access management.
Private DNS Zone: A private DNS zone is used to resolve the private endpoint of the AKS API server within your network.
Can you have a private endpoint with the control plane using:
- Production standard
- Dev/Test
- Production Economy
No, you need Production Enterprise
What is a private link AKS cluster?
It is a private cluster deployed with a private link to a vnet where the control plane is available only over the vnet and not the public interface.
What components of an AKS are deployed to the node?
kublet
kub-proxy
container runtime
What does the sublet do?
he kubelet ensures that containers are running in a pod.
What does the Kub-proxy do?
The kube-proxy is a network proxy that maintains network rules on nodes.
Are availability zones available in AKS for nodes?
Yes, 100%. You can use availability zones for nodes when using Production Enterprise or Production Standard.
Can you use Azure Policy with AKS?
Yes, 100% when using Production Enterprise or Production Standard.
Can you use Azure Monitor with AKS?
Yes, 100% when using Production Enterprise or Production Standard.
What is a pod in AKS?
A Kubernetes pod is the smallest and simplest unit in the Kubernetes object model. It represents a single instance of a running process in your Kubernetes cluster. Each pod contains one or more containers, which are applications that need to run together. These containers share the same network namespace, meaning they can communicate with each other using localhost, and they can share storage volumes as well.
What is the pause container?
In Kubernetes, the pause container is a special, lightweight container that acts as the “parent” container for all other containers in a pod. It serves as a base container that holds the pod’s network namespace and allows other containers in the pod to share networking resources, such as IP addresses and port bindings.
Namespace Anchor: The pause container creates and holds the network and process namespaces for the pod. All other containers in the pod join these namespaces, which allows them to communicate over localhost and share resources.
Minimal Resource Usage: The pause container itself does very little—it’s an extremely lightweight container, often referred to as a “sleep” container because it essentially just sleeps or waits indefinitely, using minimal CPU and memory.
Pod Lifecycle Management: By separating the network namespace from the application containers, the pause container ensures that the pod’s IP address and networking setup remain stable, even if application containers are restarted or replaced.
Maintaining Isolation: It ensures that the pod’s network and other shared resources are consistently available, even if application containers experience lifecycle changes like restarts or upgrades.