As a content creator at vcdstool.com and an automotive repair expert branching into cloud technologies, this article details the technical support policies and limitations for the AKS engine on Azure Stack Hub. It’s crucial for users leveraging self-managed Kubernetes clusters in hybrid environments to understand the support boundaries. This article clarifies what aspects of your AKS engine deployments are supported by Microsoft, and what falls under user management, ensuring clarity and optimized security practices, potentially involving tools for Azure Stack scanning to maintain robust and compliant systems.
Self-Managed Kubernetes Clusters on Azure Stack Hub and User Responsibility
Infrastructure as a Service (IaaS) components, such as compute and networking on Azure Stack Hub, provide extensive control and customization. The AKS engine is designed to transparently utilize these IaaS components, granting users deep access to manage and configure their Kubernetes deployments. This level of control, while powerful, necessitates a clear understanding of responsibility, especially when considering aspects like security and compliance, where tools for Azure Stack scanning might become relevant.
When you deploy a Kubernetes cluster using AKS engine, you define the configurations for both master and worker nodes. These nodes are where your workloads operate. Crucially, you retain ownership and visibility into these nodes, with the ability to modify them. However, unauthorized or incorrect modifications can lead to data loss, workload disruptions, and cluster instability. Furthermore, AKS engine operations like upgrades or scaling can overwrite manual changes. For instance, statically defined pods may not persist after an AKS engine upgrade.
Given that customer cluster nodes process private code and store sensitive data, Microsoft Support’s access is deliberately limited. Without explicit customer consent or assistance, Microsoft Support cannot directly access, execute commands on, or view logs within these nodes. This emphasizes the shared responsibility model, where users are responsible for the security and operational integrity of their node configurations, potentially employing Azure Stack Scanning Tools to proactively identify and mitigate risks.
Version Support for AKS Engine
Microsoft’s support for AKS engine versions on Azure Stack Hub follows an N-1 policy. For example, if the latest AKS engine version is v0.55.0, supported versions include 0.55.0 and the previous version, 0.51.0. It’s also vital to align your AKS engine version with your Azure Stack Hub update version, as detailed in the AKS engine release notes. Staying within supported versions is crucial for maintaining a secure and stable environment, and might influence the compatibility and effectiveness of Azure Stack scanning tools you choose to implement.
Areas of AKS Engine Support
Microsoft offers technical support for specific areas related to AKS engine on Azure Stack Hub, ensuring a reliable foundation for your Kubernetes deployments. These supported areas include:
- AKS Engine Command Issues: Support for commands like deploy, generate, upgrade, and scale, ensuring consistent behavior with AKS engine on Azure.
- Kubernetes Cluster Deployment Issues: Support for clusters deployed according to the Overview of AKS engine.
- Connectivity to Azure Stack Hub Services: Addressing issues related to connecting your Kubernetes cluster with other Azure Stack Hub services.
- Kubernetes API Connectivity: Support for problems affecting connectivity to the Kubernetes API.
- Azure Stack Hub Kubernetes Provider Functionality: Support for issues related to the Azure Stack Hub Kubernetes provider and its integration with Azure Resource Manager.
- AKS Engine-Generated Azure Stack Hub Artifacts: Support for configurations of native Azure Stack Hub artifacts created by AKS engine, such as load balancers, Network Security Groups, VNETs, subnets, network interfaces, route tables, availability sets, public IP addresses, storage accounts, and VMs.
- Network Performance and Latency: Support for network performance and latency issues, regardless of whether AKS engine uses the kubenet or Azure CNI networking plugin.
- AKS Base Image Issues: Support for issues related to the AKS base image used by AKS engine in disconnected environments.
These support boundaries are designed to give you confidence in the underlying platform and core functionalities, while empowering you to manage and secure your Kubernetes applications effectively, potentially using Azure Stack scanning tools to monitor and enhance your security posture.
Areas Outside AKS Engine Support
It’s equally important to understand the areas where Microsoft does not provide technical support for AKS engine on Azure Stack Hub. These unsupported areas include:
- AKS Engine on Azure: Using AKS engine directly on public Azure is not supported under this policy.
- Azure Stack Hub Kubernetes Marketplace Item: The Kubernetes Marketplace item for Azure Stack Hub, intended for quick demos and testing, is not supported for production environments.
- Unsupported AKS Engine Cluster Definition Options and Add-ins: Several specific add-ins and cluster definition options are not supported. These include:
- Unsupported Add-ins: Microsoft Entra Pod Identity, ACI Connector, Blobfuse Flex Volume, Cluster Autoscaler, Container Monitoring, KeyVault Flex Volume, NVIDIA Device Plugin, Rescheduler, SMB Flex Volume.
- Unsupported Cluster Definition Options:
  - Under KubernetesConfig: cloudControllerManagerConfig, enableDataEncryptionAtRest, enableEncryptionWithExternalKms, enablePodSecurityPolicy, etcdEncryptionKey, useInstanceMetadata, useManagedIdentity, azureCNIURLLinux, azureCNIURLWindows.
  - Under masterProfile: availabilityZones.
  - Under agentPoolProfiles: availabilityZones, singlePlacementGroup, scaleSetPriority, scaleSetEvictionPolicy, acceleratedNetworkingEnabled, acceleratedNetworkingEnabledWindows.
- Kubernetes Configuration Changes Outside etcd: Modifications to Kubernetes configurations that are not persisted through the etcd configuration store, such as static pods running on cluster nodes.
- General Kubernetes Usage Questions: Microsoft Support does not provide guidance on general Kubernetes usage, such as creating custom ingress controllers, deploying application workloads, or using third-party or open-source software, including Azure Stack scanning tools or other security solutions.
- Third-Party Open-Source Projects: Support excludes third-party open-source projects not integral to the AKS engine deployed Kubernetes cluster, such as Kubeadm, Kubespray, Native, Istio, Helm, or Envoy.
- Third-Party Software: This explicitly includes third-party software like security scanning tools and networking devices or software. While Azure Stack scanning tools are valuable for security, their direct operation and integration are outside of Microsoft’s support scope.
- Multicloud or Multivendor Deployments: Issues related to federated multicloud solutions are not supported.
- Unsupported Network Customizations: Network customizations beyond those listed in the supported areas are not covered.
- Non-HA Production Environments: Production environments are expected to use highly available Kubernetes clusters with a minimum of three masters and three agent nodes. Less robust configurations are not supported for production deployments.
This list clarifies that while the AKS engine provides a robust platform, users are responsible for the higher-level aspects of their Kubernetes deployments, including application management, security configurations, and potentially the integration and use of Azure Stack scanning tools to ensure the security and compliance of their applications.
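A pre-deployment check that flags the unsupported cluster definition options listed above and the three-master / three-agent production minimum, written here as an added example rather than code from the AKS engine project. It assumes the usual AKS engine apimodel layout (kubernetesConfig under properties.orchestratorProfile, masterProfile.count, agentPoolProfiles[].count); the sample cluster definition is constructed for illustration.

```python
import json

# Cluster definition options the support policy lists as unsupported on
# Azure Stack Hub, keyed by the apimodel section they live under.
UNSUPPORTED_OPTIONS = {
    "kubernetesConfig": {
        "cloudControllerManagerConfig", "enableDataEncryptionAtRest",
        "enableEncryptionWithExternalKms", "enablePodSecurityPolicy",
        "etcdEncryptionKey", "useInstanceMetadata", "useManagedIdentity",
        "azureCNIURLLinux", "azureCNIURLWindows",
    },
    "masterProfile": {"availabilityZones"},
    "agentPoolProfiles": {
        "availabilityZones", "singlePlacementGroup", "scaleSetPriority",
        "scaleSetEvictionPolicy", "acceleratedNetworkingEnabled",
        "acceleratedNetworkingEnabledWindows",
    },
}
MIN_HA_NODES = 3  # production: at least three masters and three agent nodes


def check_apimodel(apimodel: dict) -> list:
    """Return a list of findings; an empty list means the definition stays inside the supported envelope."""
    findings = []
    props = apimodel.get("properties", {})
    # Assumed layout: kubernetesConfig is nested under orchestratorProfile.
    k8s_cfg = props.get("orchestratorProfile", {}).get("kubernetesConfig", {})
    for key in sorted(set(k8s_cfg) & UNSUPPORTED_OPTIONS["kubernetesConfig"]):
        findings.append(f"kubernetesConfig.{key}: unsupported option set")
    master = props.get("masterProfile", {})
    for key in sorted(set(master) & UNSUPPORTED_OPTIONS["masterProfile"]):
        findings.append(f"masterProfile.{key}: unsupported option set")
    if master.get("count", 0) < MIN_HA_NODES:
        findings.append(f"masterProfile.count={master.get('count', 0)}: production needs >= {MIN_HA_NODES} masters")
    pools = props.get("agentPoolProfiles", [])
    for pool in pools:
        for key in sorted(set(pool) & UNSUPPORTED_OPTIONS["agentPoolProfiles"]):
            findings.append(f"agentPoolProfiles[{pool.get('name', '?')}].{key}: unsupported option set")
    agents = sum(p.get("count", 0) for p in pools)
    if agents < MIN_HA_NODES:
        findings.append(f"agent node total={agents}: production needs >= {MIN_HA_NODES} agent nodes")
    return findings


# Constructed sample cluster definition (not taken from any real deployment).
SAMPLE_APIMODEL = json.loads("""{"properties": {
  "orchestratorProfile": {"kubernetesConfig": {"networkPlugin": "kubenet", "enablePodSecurityPolicy": true}},
  "masterProfile": {"count": 1, "availabilityZones": ["1"]},
  "agentPoolProfiles": [{"name": "linuxpool", "count": 2, "scaleSetPriority": "Low"}]}}""")

if __name__ == "__main__":
    for line in check_apimodel(SAMPLE_APIMODEL):
        print(line)
```

Run it against the apimodel before `aks-engine deploy`; every finding is a configuration that Microsoft Support would treat as outside the supported scope.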
Security, Patching, and User Responsibility
When security vulnerabilities are identified in AKS engine or the Kubernetes provider for Azure Stack Hub, Microsoft commits to providing patches or upgrade guidance to mitigate these issues. Applying these patches is crucial and may sometimes require cluster downtime, including reboots, for which customers will be notified. It is the user’s responsibility to apply these patches in accordance with Microsoft’s directions to maintain a secure cluster. Failure to apply patches leaves the cluster vulnerable. In this context, Azure Stack scanning tools can play a vital role in identifying vulnerabilities and ensuring timely application of patches, although the tools themselves are outside the direct support scope.
Kubernetes Marketplace Item: Convenience vs. Production Readiness
The Kubernetes Marketplace item on Azure Stack Hub offers a streamlined approach to deploying Kubernetes clusters via a user portal template, indirectly utilizing the AKS engine. This method simplifies setup for demonstrations, testing, and development. However, it is explicitly not designed or supported for production workloads. For production environments, direct AKS engine deployment and management are recommended, aligning with supported configurations and security best practices, where Azure Stack scanning tools can be more effectively integrated and managed by the user.
Preview Features: Not for Production
Features in preview or behind feature flags are released for extended testing and user feedback and should be considered pre-release or beta. These features are not intended for production environments. They may undergo significant changes, including functionality adjustments, bug fixes, and behavioral modifications, potentially leading to instability and downtime. Consequently, preview features are not supported by Microsoft. Production workloads should rely only on generally available, supported features to ensure stability and maintainability, and any security assessments, including the use of Azure Stack scanning tools, should focus on these stable configurations.
Next Steps
To further your understanding and utilization of AKS engine on Azure Stack Hub, refer to the AKS engine on Azure Stack Hub overview. This resource provides additional details and guidance for effectively managing your Kubernetes clusters in a hybrid cloud environment. Remember to consider your responsibilities in securing and maintaining your self-managed clusters, potentially leveraging Azure Stack scanning tools as part of your security strategy.