Bringing new enterprise-grade capabilities to AKS

Published May 25 2021 10:00 AM 2,734 Views
Microsoft

Every day in Azure, we spend time working with customers who are bringing mission critical enterprise workloads to Kubernetes with AKS. Their requirements drive our roadmap, ensuring that we are balancing the innovative capabilities of the cloud native ecosystem with the requirements of some of the world’s largest companies.

 

AKS for regulated industries

Many AKS customers are subject to the compliance requirements of a specific industry, such as finance, healthcare, or government services. Meeting those requirements can be onerous at the best of times, but it can be even more difficult to do in the context of Kubernetes, where patterns are nascent and flexibility is limited. To help address this challenge, we are announcing AKS for regulated industries, a collection of guidance, benchmarks, and best practices that makes it simpler for customers subject to those constraints to be successful on AKS. This includes a baseline cluster architecture for regulated industries, specific guidance for customers seeking Payment Card Industry (PCI) compliance, and an AKS-specific security benchmark published by the Center of Internet Security (CIS).

 

Enterprise security

In support of that initiative, we are also pleased to announce a series of new product capabilities that will help customers deliver mission critical workloads with Kubernetes on Azure. First, we are excited to become the first cloud provider to offer integrated Kubernetes agent nodes meeting the Federal Information Processing Standards (FIPS) compliance bar, now available in public preview. With a single CLI flag and at no extra charge, AKS customers can now obtain a version of Ubuntu 18.04 that includes the necessary components for their agent nodes to be FIPS compliant. Windows Server-based agent nodes will follow in just a couple of weeks. Speaking of agent nodes, we are also announcing today the general availability of host-based encryption for AKS agent nodes. This capability provides an additional layer of security as OS, temp, and data disks can now be automatically encrypted with either platform or customer-managed keys. Finally, we are pleased to announce the general availability of Azure role-based access control (RBAC) for Kubernetes. This capability allows customers to manage granular access to AKS and Arc-connected Kubernetes clusters at scale leveraging the same framework that they use for all other Azure resources.

 

Planned maintenance support for auto-upgrade

Of course, when it comes to meeting the needs of the enterprise, security is just one piece of the picture. Today, we are excited to announce several other capabilities designed meet the needs of our largest customers. We recently announced previews for cluster auto-upgrade, the ability to have AKS automatically trigger upgrade of your clusters, and planned maintenance, the ability to signal to the service when you would prefer to have potential impactful maintenance operations occur. Now, you can combine those two features with the integration of auto-upgrade with planned maintenance, ensuring that any potential disruptions from a cluster upgrade occur at a time that minimizes business impact.

 

Standardization & innovation

Containerd has become the industry-standard container runtime and it has been deployed by default on Linux nodes in AKS starting with Kubernetes version 1.19. Today, we are pleased to announce that containerd will be available in preview for Windows nodes starting with Kubernetes version 1.20. By adopting containerd, Windows nodes in AKS will offer better performance and stability, and will lay the groundwork for numerous platform capabilities down the line.

 

Finally, we know how important it is for customers to stay up-to-date with the latest innovation happening in the Kubernetes community. That’s why we’re proud to once again lead the way among cloud providers in offering the latest upstream releases in AKS, with the preview of Kubernetes 1.21. This release includes a number of significant improvements, including the graduation of CronJobs and immutable secrets/configmaps to stable. Please give it a try and let us know if you have any trouble by logging an issue on GitHub.

 

This year’s //build conference marks an exciting milestone in the Kubernetes on Azure journey. No longer are customers simply looking for the core capabilities required to make their initial applications run in a cloud native environment. Now they are looking for the guidance and advanced features required to meet the high bar set by their most crucial workloads. Azure is committed to meeting those needs by building a platform that is enterprise-grade, by design. And with the announcement of application services for Kubernetes clusters, we are making it easier than ever for developers to build on top of the platform.

 

%3CLINGO-SUB%20id%3D%22lingo-sub-2384262%22%20slang%3D%22en-US%22%3EBringing%20new%20enterprise-grade%20capabilities%20to%20AKS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2384262%22%20slang%3D%22en-US%22%3E%3CP%3EEvery%20day%20in%20Azure%2C%20we%20spend%20time%20working%20with%20customers%20who%20are%20bringing%20mission%20critical%20enterprise%20workloads%20to%20Kubernetes%20with%20AKS.%20Their%20requirements%20drive%20our%20roadmap%2C%20ensuring%20that%20we%20are%20balancing%20the%20innovative%20capabilities%20of%20the%20cloud%20native%20ecosystem%20with%20the%20requirements%20of%20some%20of%20the%20world%E2%80%99s%20largest%20companies.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--464191019%22%20id%3D%22toc-hId--464191019%22%3EAKS%20for%20regulated%20industries%3C%2FH2%3E%0A%3CP%3EMany%20AKS%20customers%20are%20subject%20to%20the%20compliance%20requirements%20of%20a%20specific%20industry%2C%20such%20as%20finance%2C%20healthcare%2C%20or%20government%20services.%20Meeting%20those%20requirements%20can%20be%20onerous%20at%20the%20best%20of%20times%2C%20but%20it%20can%20be%20even%20more%20difficult%20to%20do%20in%20the%20context%20of%20Kubernetes%2C%20where%20patterns%20are%20nascent%20and%20flexibility%20is%20limited.%20To%20help%20address%20this%20challenge%2C%20we%20are%20announcing%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fupdates%2Faks-support-for-regulated-industries%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAKS%20for%20regulated%20industries%3C%2FA%3E%2C%20a%20collection%20of%20guidance%2C%20benchmarks%2C%20and%20best%20practices%20that%20makes%20it%20simpler%20for%20customers%20subject%20to%20those%20constraints%20to%20be%20successful%20on%20AKS.%20This%20includes%20a%20baseline%20cluster%20architecture%20for%20regulated%20industries%2C%20specific%20guidance%20for%20customers%20seeking%20Payment%20Card%20Industry%20(PCI)%20compliance%2C%20and%20an%20AKS-specific%20security%20benchmark%20published%20by%20the%20Center%20of%20Internet%20Security%20(CIS).%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-2023321814%22%20id%3D%22toc-hId-2023321814%22%3EEnterprise%20security%3C%2FH2%3E%0A%3CP%3EIn%20support%20of%20that%20initiative%2C%20we%20are%20also%20pleased%20to%20announce%20a%20series%20of%20new%20product%20capabilities%20that%20will%20help%20customers%20deliver%20mission%20critical%20workloads%20with%20Kubernetes%20on%20Azure.%20First%2C%20we%20are%20excited%20to%20become%20the%20first%20cloud%20provider%20to%20offer%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fupdates%2Fpreview-aks-support-for-fips-compliant-nodes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Eintegrated%20Kubernetes%20agent%20nodes%20meeting%20the%20Federal%20Information%20Processing%20Standards%20(FIPS)%3C%2FA%3E%20compliance%20bar%2C%20now%20available%20in%20public%20preview.%20With%20a%20single%20CLI%20flag%20and%20at%20no%20extra%20charge%2C%20AKS%20customers%20can%20now%20obtain%20a%20version%20of%20Ubuntu%2018.04%20that%20includes%20the%20necessary%20components%20for%20their%20agent%20nodes%20to%20be%20FIPS%20compliant.%20Windows%20Server-based%20agent%20nodes%20will%20follow%20in%20just%20a%20couple%20of%20weeks.%20Speaking%20of%20agent%20nodes%2C%20we%20are%20also%20announcing%20today%20the%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fupdates%2Fgeneral-availability-encryption-at-host-support-in-aks%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Egeneral%20availability%20of%20host-based%20encryption%20for%20AKS%20agent%20nodes%3C%2FA%3E.%20This%20capability%20provides%20an%20additional%20layer%20of%20security%20as%20OS%2C%20temp%2C%20and%20data%20disks%20can%20now%20be%20automatically%20encrypted%20with%20either%20platform%20or%20customer-managed%20keys.%20Finally%2C%20we%20are%20pleased%20to%20announce%20the%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fupdates%2Fgeneral-availability-azure-rbac-for-kubernetes-authorization-in-aks%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Egeneral%20availability%20of%20Azure%20role-based%20access%20control%20(RBAC)%20for%20Kubernetes%3C%2FA%3E.%20This%20capability%20allows%20customers%20to%20manage%20granular%20access%20to%20AKS%20and%20Arc-connected%20Kubernetes%20clusters%20at%20scale%20leveraging%20the%20same%20framework%20that%20they%20use%20for%20all%20other%20Azure%20resources.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-215867351%22%20id%3D%22toc-hId-215867351%22%3EPlanned%20maintenance%20support%20for%20auto-upgrade%3C%2FH2%3E%0A%3CP%3EOf%20course%2C%20when%20it%20comes%20to%20meeting%20the%20needs%20of%20the%20enterprise%2C%20security%20is%20just%20one%20piece%20of%20the%20picture.%20Today%2C%20we%20are%20excited%20to%20announce%20several%20other%20capabilities%20designed%20meet%20the%20needs%20of%20our%20largest%20customers.%20We%20recently%20announced%20previews%20for%20cluster%20auto-upgrade%2C%20the%20ability%20to%20have%20AKS%20automatically%20trigger%20upgrade%20of%20your%20clusters%2C%20and%20planned%20maintenance%2C%20the%20ability%20to%20signal%20to%20the%20service%20when%20you%20would%20prefer%20to%20have%20potential%20impactful%20maintenance%20operations%20occur.%20Now%2C%20you%20can%20combine%20those%20two%20features%20with%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fupdates%2Fpublic-preview-cluster-autoupgrade-now-respects-planned-maintenance-windows%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ethe%20integration%20of%20auto-upgrade%20with%20planned%20maintenance%3C%2FA%3E%2C%20ensuring%20that%20any%20potential%20disruptions%20from%20a%20cluster%20upgrade%20occur%20at%20a%20time%20that%20minimizes%20business%20impact.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId--1591587112%22%20id%3D%22toc-hId--1591587112%22%3EStandardization%20%26amp%3B%20innovation%3C%2FH2%3E%0A%3CP%3EContainerd%20has%20become%20the%20industry-standard%20container%20runtime%20and%20it%20has%20been%20deployed%20by%20default%20on%20Linux%20nodes%20in%20AKS%20starting%20with%20Kubernetes%20version%201.19.%20Today%2C%20we%20are%20pleased%20to%20announce%20that%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fupdates%2Fpublic-preview-aks-support-for-containerd-for-windows-server-containers%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Econtainerd%20will%20be%20available%20in%20preview%20for%20Windows%20nodes%20starting%20with%20Kubernetes%20version%201.20%3C%2FA%3E.%20By%20adopting%20containerd%2C%20Windows%20nodes%20in%20AKS%20will%20offer%20better%20performance%20and%20stability%2C%20and%20will%20lay%20the%20groundwork%20for%20numerous%20platform%20capabilities%20down%20the%20line.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFinally%2C%20we%20know%20how%20important%20it%20is%20for%20customers%20to%20stay%20up-to-date%20with%20the%20latest%20innovation%20happening%20in%20the%20Kubernetes%20community.%20That%E2%80%99s%20why%20we%E2%80%99re%20proud%20to%20once%20again%20lead%20the%20way%20among%20cloud%20providers%20in%20offering%20the%20latest%20upstream%20releases%20in%20AKS%2C%20with%20the%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fupdates%2Fpublic-preview-kubernetes-121-support-in-aks%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Epreview%20of%20Kubernetes%201.21%3C%2FA%3E.%20This%20release%20includes%20a%20number%20of%20significant%20improvements%2C%20including%20the%20graduation%20of%20CronJobs%20and%20immutable%20secrets%2Fconfigmaps%20to%20stable.%20Please%20give%20it%20a%20try%20and%20let%20us%20know%20if%20you%20have%20any%20trouble%20by%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Faks%2Fissues%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Elogging%20an%20issue%20on%20GitHub%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20year%E2%80%99s%20%2F%2Fbuild%20conference%20marks%20an%20exciting%20milestone%20in%20the%20Kubernetes%20on%20Azure%20journey.%20No%20longer%20are%20customers%20simply%20looking%20for%20the%20core%20capabilities%20required%20to%20make%20their%20initial%20applications%20run%20in%20a%20cloud%20native%20environment.%20Now%20they%20are%20looking%20for%20the%20guidance%20and%20advanced%20features%20required%20to%20meet%20the%20high%20bar%20set%20by%20their%20most%20crucial%20workloads.%20Azure%20is%20committed%20to%20meeting%20those%20needs%20by%20building%20a%20platform%20that%20is%20enterprise-grade%2C%20by%20design.%20And%20with%20the%20%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-us%2Fblog%2Fbuild-cloudnative-applications-that-run-anywhere%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Eannouncement%20of%20application%20services%20for%20Kubernetes%20clusters%3C%2FA%3E%2C%20we%20are%20making%20it%20easier%20than%20ever%20for%20developers%20to%20build%20on%20top%20of%20the%20platform.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2384262%22%20slang%3D%22en-US%22%3E%3CP%3EAt%20%2F%2Fbuild%202021%2C%20AKS%20is%20launching%20a%20set%20of%20new%20capabilities%20and%20guidance%20designed%20to%20enable%20the%20world's%20most%20critical%20and%20sensitive%20workloads%20to%20run%20on%20Kubernetes%20in%20Azure%2C%20including%20guidance%20for%20customers%20in%20regulated%20industries%2C%20new%20security%20features%20like%20FIPS-compliant%20agent%20nodes%2C%20and%20support%20for%20the%20industry-standard%20containerd%20runtime%20on%20Windows.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2384262%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Kubernetes%20Service%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMicrosoft%20Build%202021%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Co-Authors
Version history
Last update:
‎May 25 2021 11:33 AM
Updated by: