- Create AKS Cluster
- Add cluster to Calico Cloud
- Calico Cloud -> Add Cluster
- Look at Flow Visualization & Default Service Graph
- Point out various traffic
- Add Staged Deny All (kubectl apply -f staged-deny-all.yaml)
- Look at Flow Visualization
- Point out various traffic
- Add Monitoring Addon (az aks enable-addons -a monitoring -n $AKS_NAME -g $RG)
- Look at Flow Visualization
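The `staged-deny-all.yaml` the outline applies is not shown on this page. The block below is an added example, not the gist author's file: it emits a Calico `StagedGlobalNetworkPolicy` that would deny all ingress and egress outside the CNI and control-plane namespaces (so the Flow Visualization shows what would be dropped without the system traffic ever being at risk), and a helper that turns the staged policy into the enforced `GlobalNetworkPolicy` once the flows look right. The `projectcalico.org/v3` kind, the `default` tier naming and the `order: 2000` value are assumptions about a Calico Cloud / Enterprise cluster; the namespace exclusion list is a constructed default.

```shell
# Added example (not the gist's staged-deny-all.yaml): staged default-deny for Calico Cloud.
# Assumes the projectcalico.org/v3 CRDs that Calico Cloud / Enterprise install.

# staged_deny_all_manifest [NAMESPACE...] -> YAML on stdout.
# Namespaces given (default: kube-system calico-system tigera-system) are left out of
# the deny so DNS, the CNI and the Tigera components keep working when it is enforced.
staged_deny_all_manifest() {
  [ $# -gt 0 ] || set -- kube-system calico-system tigera-system
  ns_list=""
  for ns in "$@"; do ns_list="$ns_list${ns_list:+, }\"$ns\""; done
  cat <<EOF
apiVersion: projectcalico.org/v3
kind: StagedGlobalNetworkPolicy
metadata:
  name: default.default-deny
spec:
  tier: default
  order: 2000
  selector: projectcalico.org/namespace not in {$ns_list}
  types:
  - Ingress
  - Egress
EOF
}

# promote_staged_policy: stdin = `kubectl get stagedglobalnetworkpolicy ... -o yaml`,
# stdout = the same policy as an enforced GlobalNetworkPolicy. Only the kind changes;
# the server-populated metadata is dropped so the result can be applied as a new object.
promote_staged_policy() {
  sed -e 's/^kind: StagedGlobalNetworkPolicy$/kind: GlobalNetworkPolicy/' \
      -e '/^  resourceVersion:/d' \
      -e '/^  uid:/d' \
      -e '/^  creationTimestamp:/d' \
      -e '/^  generation:/d'
}

# Usage (needs a cluster):
#   staged_deny_all_manifest | kubectl apply -f -
#   ... review the Flow Visualization, then enforce:
#   kubectl get stagedglobalnetworkpolicy default.default-deny -o yaml \
#     | promote_staged_policy | kubectl apply -f -
```

Keep the staged policy in place after promoting it only if you want the "would be denied" view to persist; otherwise delete it, since two policies with the same order and selector make the graph harder to read.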
# Intro
Two types of rate limiting you might see:
- Subscription
- Resource Provider (Storage, Network, Compute)
See current throttling status by looking at response headers.
Example:
* x-ms-ratelimit-remaining-subscription-reads / x-ms-ratelimit-remaining-subscription-writes (subscription level)
* x-ms-ratelimit-remaining-resource (resource-provider level; one value can carry several buckets, e.g. `Microsoft.Compute/HighCostGet3Min;<n>,Microsoft.Compute/HighCostGet30Min;<n>`)
Once a limit is hit ARM answers HTTP 429 with a Retry-After header; honour it rather than retrying immediately.
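As an added example (not part of the gist), the functions below pull those headers out of a response and decide whether a loop of ARM calls should pause before it is throttled. `SAMPLE_HEADERS` is a constructed response; only the header names are the real ones.

```shell
# Added example (not from the gist): parse ARM throttling headers and back off early.
# SAMPLE_HEADERS is constructed to look like a GET on Microsoft.Compute.
SAMPLE_HEADERS='HTTP/1.1 200 OK
x-ms-ratelimit-remaining-subscription-reads: 11987
x-ms-ratelimit-remaining-resource: Microsoft.Compute/HighCostGet3Min;159,Microsoft.Compute/HighCostGet30Min;1199
x-ms-request-id: 00000000-0000-0000-0000-000000000000'

# header_value NAME HEADERS -> value of the first header called NAME (case-insensitive).
header_value() {
  want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  printf '%s\n' "$2" | awk -v n="$want" '{
    i = index($0, ": ")
    if (i && tolower(substr($0, 1, i - 1)) == n) {
      v = substr($0, i + 2); sub(/\r$/, "", v); print v; exit
    }
  }'
}

# lowest_resource_bucket "A;159,B;1199" -> "A;159"
# The resource-provider header packs several buckets into one value; the smallest
# remaining count is the one that will throttle you first.
lowest_resource_bucket() {
  printf '%s\n' "$1" | tr ',' '\n' | awk -F';' 'NF == 2 {
    if (!seen || $2 + 0 < min) { min = $2 + 0; name = $1; seen = 1 }
  } END { if (seen) print name ";" min }'
}

# should_backoff HEADERS THRESHOLD -> exit 0 when any known bucket is at or below THRESHOLD.
should_backoff() {
  reads=$(header_value x-ms-ratelimit-remaining-subscription-reads "$1")
  bucket=$(lowest_resource_bucket "$(header_value x-ms-ratelimit-remaining-resource "$1")")
  low=${bucket##*;}
  if [ -n "$reads" ] && [ "$reads" -le "$2" ]; then return 0; fi
  if [ -n "$low" ] && [ "$low" -le "$2" ]; then return 0; fi
  return 1
}

# Usage with real headers: feed the output of `az rest --debug` (it prints the response
# headers) or of `curl -sS -D - -o /dev/null` with a bearer token into these functions:
#   should_backoff "$headers" 200 && sleep 60
```

Write requests have their own subscription bucket (`-writes`), and each resource provider has its own buckets, so check the header for the operation you are actually about to make rather than a single global count.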
# Legacy azure-storage-blob 2.x API (BlockBlobService); azure-storage-blob 12+ replaced it with BlobServiceClient.
from datetime import datetime, timedelta
from azure.storage.blob import (
    BlockBlobService,
    ContainerPermissions,
    BlobPermissions,
    PublicAccess,
)
# Fill these from a secret store or the environment; the account key is a full-control credential, never commit it.
AZURE_ACC_NAME = '<account_name>'
AZURE_PRIMARY_KEY = '<account_key>'
REG=sandboxtmf
az acr login -n $REG
# Works only on OSX. Windows uses wincred, so someone would need to figure out the equivalent
# az acr login stores an ACR refresh token in the docker credential store; read it back from the keychain.
# The token is short-lived, so a pull secret built from it expires with it.
TOKEN=$(security find-internet-password -s $REG.azurecr.io -w)
# Fixed username ACR expects when the password is a refresh token
ACR_USER=00000000-0000-0000-0000-000000000000
kubectl create secret docker-registry acr-auth --docker-server $REG.azurecr.io --docker-password=$TOKEN --docker-username=$ACR_USER
kubectl apply -f /tmp/deploy.yaml
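The "OSX only" limitation comes from reading the keychain directly. As an added example (not the gist's code), the function below asks whichever credential helper docker is configured with (`credsStore` in `~/.docker/config.json`: `osxkeychain`, `wincred`, `pass`, `secretservice`) using the helper protocol, and falls back to the base64 `auths` entry when no helper is configured. The registry name and config paths are parameters; the sample configs in the test are constructed.

```shell
# Added example (not from the gist): portable replacement for `security find-internet-password`.
# acr_pull_token <registry-host> [config.json] -> password docker stored for that registry.
acr_pull_token() {
  reg="$1"
  cfg="${2:-$HOME/.docker/config.json}"
  [ -r "$cfg" ] || { echo "acr_pull_token: cannot read $cfg" >&2; return 1; }
  # Drop whitespace so one-line sed patterns work however the JSON is formatted.
  flat=$(tr -d '\n\r\t ' < "$cfg")
  store=$(printf '%s' "$flat" | sed -n 's/.*"credsStore":"\([^"]*\)".*/\1/p')
  if [ -n "$store" ]; then
    # Credential-helper protocol: server URL on stdin, JSON {"ServerURL","Username","Secret"} on stdout.
    printf '%s' "$reg" | "docker-credential-$store" get \
      | sed -n 's/.*"Secret":"\([^"]*\)".*/\1/p'
  else
    # Plaintext store: "auths":{"<reg>":{"auth":"base64(<user>:<password>)"}}
    printf '%s' "$flat" \
      | sed -n "s/.*\"$reg\":{\"auth\":\"\([^\"]*\)\".*/\1/p" \
      | base64 -d | cut -d: -f2-
  fi
}

# Same secret the gist creates; the username is ACR's fixed refresh-token user.
# The refresh token from `az acr login` is only valid for a few hours, so prefer
# `az aks update -n $AKS_NAME -g $RG --attach-acr $REG` (kubelet identity gets AcrPull)
# for anything that has to keep pulling after today.
acr_pull_secret() {
  reg="$1"
  kubectl create secret docker-registry acr-auth \
    --docker-server "$reg" \
    --docker-username 00000000-0000-0000-0000-000000000000 \
    --docker-password "$(acr_pull_token "$reg")"
}
```

On Windows run it from Git Bash or WSL with the `wincred` helper on PATH; the protocol is identical, only the helper binary differs.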
# Tested in zsh & bash
# This function is designed for Private Clusters with Azure CLI AKS Run Command
# https://docs.microsoft.com/en-us/azure/aks/private-clusters#use-aks-run-command
# It assumes your current context is the private cluster and parses that data from the context data
# Prerequisite: Your private cluster is the Kube config current-context (e.g. az aks get-credentials)
# Usage: azk <command>
# Example: azk kubectl get pods -n kube-system
function azk() {
  AZK_CURRENT_CONTEXT=$(kubectl config current-context)
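The gist preview stops after reading the context. The block below is an added version of the same idea, mine rather than the gist author's: it assumes the context name equals the AKS cluster name (what `az aks get-credentials` writes), looks up the resource group with `az aks list`, and single-quotes every argument before handing the command to `az aks command invoke --command`, which takes one string that the command pod runs through a shell. Without that quoting, `azk kubectl get pods -l 'app=my app'` is split again on the far side.

```shell
# Added example, not the gist's azk: `az aks command invoke` on the private cluster
# selected by the current kubeconfig context. Assumes context name == AKS cluster name.

# azk_quote ARGS... -> one string with every argument single-quoted for the remote shell.
azk_quote() {
  out=""
  for a in "$@"; do
    # Close the quote, insert an escaped quote, reopen: ' -> '\''
    q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
    out="$out${out:+ }'$q'"
  done
  printf '%s' "$out"
}

# azk_resource_group NAME -> resource group of the cluster called NAME in the current
# subscription (empty if none). Cluster names are unique per resource group, not per
# subscription, so `az account set` to the right subscription first.
azk_resource_group() {
  az aks list --query "[?name=='$1'].resourceGroup | [0]" -o tsv
}

azk() {
  ctx=$(kubectl config current-context) || return 1
  rg=$(azk_resource_group "$ctx")
  [ -n "$rg" ] || { echo "azk: no AKS cluster named '$ctx' in this subscription" >&2; return 1; }
  az aks command invoke -g "$rg" -n "$ctx" --command "$(azk_quote "$@")"
}

# Usage: azk kubectl get pods -n kube-system
```

Files the command needs (a manifest for `kubectl apply -f`) are not on the remote side; pass them with `az aks command invoke --file deploy.yaml`, which copies them into the command pod's working directory.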
thfalgou@kernel-addon-2-md-0-cvx9n:~$ ls /sys/fs/cgroup/cpu/cpu.rt_period_us
/sys/fs/cgroup/cpu/cpu.rt_period_us
thfalgou@kernel-addon-2-md-0-cvx9n:~$ ls /sys/fs/cgroup/cpu/cpu.rt_runtime_us
/sys/fs/cgroup/cpu/cpu.rt_runtime_us
thfalgou@kernel-addon-2-md-0-cvx9n:~$ grep CONFIG_RT_GROUP_SCHED /boot/config-*
/boot/config-5.4.0-1051-azure:# CONFIG_RT_GROUP_SCHED is not set
/boot/config-5.4.0-1053-azure:CONFIG_RT_GROUP_SCHED=y
# kubectl create secret generic azure-files-secret --from-literal=azurestorageaccountname=STORAGE_ACCOUNT_NAME --from-literal=azurestorageaccountkey=STORAGE_ACCOUNT_KEY
apiVersion: v1
kind: PersistentVolume
metadata:
name: azure-files-pv
spec:
capacity:
storage: 5Gi
accessModes:
# Dashboard behind a TLS ingress with a rewrite; the dashboard login (token/kubeconfig) still gates access, so do not add --enable-skip-login
helm upgrade -i kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --debug \
  --set service.type=ClusterIP \
  --set ingress.enabled=true \
  --set "ingress.paths[0]=/\(\.\*\)" \
  --set "ingress.hosts[0]=$APP_HOSTNAME" \
  --set "ingress.tls[0].secretName=$APP_HOSTNAME-tls" \
  --set "ingress.tls[0].hosts[0]=$APP_HOSTNAME" \
  --set ingress.annotations."kubernetes\.io/ingress\.class"=nginx \
  --set ingress.annotations."cert-manager\.io/cluster-issuer"=letsencrypt-prod \
  --set ingress.annotations."nginx\.ingress\.kubernetes\.io/rewrite-target"="/\$1" \
## Overview
Three options are listed here: https://docs.microsoft.com/en-us/azure/api-management/api-management-kubernetes
* APIM + Public AKS Service, no shared Vnet
* APIM + Public AKS Ingress, no shared Vnet
* APIM + Private AKS in same Vnet, no ingress
A missing scenario is:
* APIM + Private AKS in same Subnet, with ingress