lastcoolnameleft

# Intro

Two types of rate limiting you might see:
- Subscription
- Resource Provider (Storage, Network Compute)

See current throttling status by looking at response headers.

Example:
* x-ms-ratelimit-remaining-resource

lastcoolnameleft

from datetime import datetime, timedelta
from azure.storage.blob import (
    BlockBlobService,
    ContainerPermissions,
    BlobPermissions,
    PublicAccess,
)

AZURE_ACC_NAME = '<account_name>'
AZURE_PRIMARY_KEY = '<account_key>'

lastcoolnameleft

• Create AKS Cluster
• Add cluster to Calico Cloud
  • Calico Cloud -> Add Cluster
• Look at Flow Visualization & Default Service Graph
  • Point out various traffic
• Add Staged Deny All (kubectl apply -f staged-deny-all.yaml)
• Look at Flow Visualization
  • Point out various traffic
• Add Monitoring Addon (az aks enable-addons -a monitoring -n $AKS_NAME -g $RG)
• Look at Flow Visualization

lastcoolnameleft

REG=sandboxtmf
az acr login -n $REG
# Works only on OSX.  Windows uses wincred, so someone would need to figure out the equivalent
TOKEN=`security find-internet-password -s $REG.azurecr.io -w`
USER=00000000-0000-0000-0000-000000000000
kubectl create secret docker-registry acr-auth --docker-server $REG.azurecr.io --docker-password=$TOKEN --docker-username=$USER
kubectl apply -f /tmp/deploy.yaml

lastcoolnameleft

# Tested in zsh & bash
# This function is designed for Private Clusters with Azure CLI AKS Run Command
# https://docs.microsoft.com/en-us/azure/aks/private-clusters#use-aks-run-command
# It assumes your current context is the private cluster and parses that data from the context data

# Prerequisite: Your private cluster is the Kube config current-context (e.g. az aks get-credentials)
# Usage: azk <command>
# Example: azk kubectl get pods -n kube-system
function azk() {
    AZK_CURRENT_CONTEXT=$(kubectl config current-context)

lastcoolnameleft

thfalgou@kernel-addon-2-md-0-cvx9n:~$ ls /sys/fs/cgroup/cpu/cpu.rt_period_us
/sys/fs/cgroup/cpu/cpu.rt_period_us
thfalgou@kernel-addon-2-md-0-cvx9n:~$ ls /sys/fs/cgroup/cpu/cpu.rt_runtime_us
/sys/fs/cgroup/cpu/cpu.rt_runtime_us
thfalgou@kernel-addon-2-md-0-cvx9n:~$ grep CONFIG_RT_GROUP_SCHED  /boot/config-*
/boot/config-5.4.0-1051-azure:# CONFIG_RT_GROUP_SCHED is not set
/boot/config-5.4.0-1053-azure:CONFIG_RT_GROUP_SCHED=y

lastcoolnameleft

# kubectl create secret generic azure-files-secret --from-literal=azurestorageaccountname=STORAGE_ACCOUNT_NAME --from-literal=azurestorageaccountkey=STORAGE_ACCOUNT_KEY
apiVersion: v1
kind: PersistentVolume
metadata:
  name: azure-files-pv
spec:
  capacity:
    storage: 5Gi
 accessModes:

lastcoolnameleft

helm upgrade -i kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --debug  \
    --set service.type=ClusterIP \
    --set ingress.enabled=true \
    --set "ingress.paths[0]=/\(\.\*\)" \
    --set "ingress.hosts[0]=$APP_HOSTNAME" \
    --set "ingress.tls[0].secretName=$APP_HOSTNAME-tls" \
    --set "ingress.tls[0].hosts[0]=$APP_HOSTNAME" \
    --set ingress.annotations."kubernetes\.io/ingress\.class"=nginx \
    --set ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-prod \
    --set ingress.annotations."nginx\.ingress\.kubernetes\.io/rewrite-target"="/\$1" \

lastcoolnameleft

## Overview

There are 3 options listed here: https://docs.microsoft.com/en-us/azure/api-management/api-management-kubernetes
* APIM + Public AKS Service, no shared Vnet
* APIM + Public AKS Ingress, no shared Vnet
* APIM + Private AKS in same Vnet, no ingress

A missing scenario is: 
* APIM + Private AKS in same Subnet, with ingress

lastcoolnameleft

Create Cluster

RG=dol-demo
K8S_NAME=dol-demo

az group create -n $RG -l southcentralus
az aks create -g $RG -n $K8S_NAME --enable-vmss