Azure Day on Kubernetes + KubeCon/CloudNativeCon Europe 2023
This year KubeCon / CloudNativeCon Europe was held in the Netherlands at the RAI conference center in Amsterdam. KubeCon started with the different sponsor-hosted and CNCF-hosted colocated events like ArgoCon, CiliumCon, Observability Day and Azure Day with Kubernetes. Very cool that it was hosted in the Netherlands; it felt like a home game. In this post I want to give a recap of Azure Day with Kubernetes and KubeCon with some of the highlights, announcements and interesting sessions that I attended. Videos of all the colocated events are or will become available in the next days. Watch this channel for all the talks of KubeCon and other events like KCD.
Azure Day on Kubernetes
Microsoft was one of the sponsors that hosted a colocated event, Azure Day with Kubernetes. This day had a fully packed schedule with lots of information, tips and announcements. I want to thank Jorge Palma, Michael Withrow, Pavneet Singh, Allison Ford, Kaysie Yu and Alvin Li for the updates and presentations. If you want to watch the videos because you missed them, or just want to watch them again, register at https://azuredaywithkubernetes2023.com/.
Azure Kubernetes Service Long Term Support (LTS)
Microsoft will offer long term support, 2 years, on Kubernetes starting with version 1.27.1. This is an addition to the N-2 support which is currently in place. LTS offers the ability to return to the upstream version, and also to upgrade to the next AKS LTS supported version. The LTS version is based on a fork of the upstream version after its EOL. For now it is supported by Microsoft, but the aim is to have LTS supported by the community.
Azure Workload Identity (generally available)
Azure AD Workload Identity is the highly awaited next iteration of Azure AD Pod Identity that enables Kubernetes applications to access Azure cloud resources securely with Azure Active Directory, based on annotated service accounts. Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
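As an added example (not from the Azure Day presentations) of what "annotated service accounts" means in practice: the service account carries the client ID of a user-assigned managed identity, and a pod opts in with a label so the Workload Identity mutating webhook injects the federated token. The GUIDs, namespace and image below are placeholders, and the managed identity's federated credential (trusting the cluster OIDC issuer for subject system:serviceaccount:app/workload-sa) is assumed to exist already.

```yaml
# ServiceAccount annotated with the managed identity to federate with.
# The pod gets only the permissions granted to that identity in Azure,
# so RBAC on the identity is where least privilege is enforced.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-sa
  namespace: app
  annotations:
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"  # placeholder
    azure.workload.identity/tenant-id: "00000000-0000-0000-0000-000000000000"  # placeholder
---
# Pod that uses the service account. The label opts the pod in to the
# azure-wi-webhook, which injects AZURE_CLIENT_ID, AZURE_TENANT_ID,
# AZURE_AUTHORITY_HOST and AZURE_FEDERATED_TOKEN_FILE plus a projected
# service account token (audience api://AzureADTokenExchange) mounted at
# /var/run/secrets/azure/tokens/azure-identity-token. No node-level NMI
# or host network hop is involved, unlike the old Pod Identity model.
apiVersion: v1
kind: Pod
metadata:
  name: workload-pod
  namespace: app
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: workload-sa
  containers:
    - name: app
      image: example.azurecr.io/app:1.0  # placeholder image
```

Pods without the label, or using a service account without the annotation, receive no token, which makes a missing label an easy thing to check for when an application reports that it cannot authenticate to Azure.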
Azure CNI overlay (generally available)
Azure CNI overlay addresses performance, scalability and IP exhaustion challenges encountered when using the traditional Azure Container Networking Interface (CNI).
Difference between Azure CNI Overlay and Kubenet
|Area|Azure CNI Overlay|Kubenet|
|---|---|---|
|Cluster scale|5000 nodes and 250 pods/node|400 nodes and 250 pods/node|
|Network configuration|Simple - no additional configuration needed for pod networking|Complex - requires route tables and UDRs on the cluster subnet for pod networking|
|Pod connectivity performance|Performance on par with VMs in a VNet|Additional hops add minor latency|
|Network dataplanes|Azure and Cilium (eBPF)|Azure|
|Kubernetes network policies|Azure Network Policies, Calico, Cilium|Calico|
|OS platforms supported|Linux and Windows|Linux only|
Azure CNI Powered by Cilium (public preview)
Azure CNI Powered by Cilium combines the robust control plane of Azure CNI with the dataplane of Cilium to provide high-performance networking and security. Cilium Enterprise is now available in the Azure Marketplace.
Azure Kubernetes Fleet Manager (preview)
With the increasing adoption of Azure Kubernetes Service (AKS) in environments, it becomes more difficult for operations teams to handle these environments in a uniform way. With Fleet Manager you can manage Kubernetes clusters at scale, ease the upgrade process, centrally manage policies and manage a north-south load balancer that orchestrates traffic flow across workloads deployed in multiple member clusters of the fleet. For more information about Fleet Manager follow the link, or for the roadmap click here.
Azure Monitor managed service for Prometheus (public preview)
Azure Monitor managed service for Prometheus is a component of Azure Monitor Metrics. It allows you to collect and analyze metrics at scale using a Prometheus-compatible monitoring solution, based on the Prometheus project from the Cloud Native Computing Foundation. This fully managed service allows you to use the Prometheus query language (PromQL) to analyze and alert on the performance of monitored infrastructure and workloads without having to operate the underlying infrastructure. For more information about this service follow the link.
AKS service mesh addon for Istio (public preview)
The AKS addon for service mesh builds on top of open source Istio and provides additional benefits such as compatibility testing between Istio and supported versions of AKS, managed external/internal ingresses, and scaling of Istio control plane components. For more information and how to deploy this addon follow the link.
Back up Azure Kubernetes Service using Azure Backup (public preview)
Azure Backup now supports Backup for AKS, which is available in public preview. This solution simplifies the backup and restore of containerized applications and data. It allows customers to configure scheduled backups for both cluster state and application data, with fine-grained control. Backup for AKS is aligned with the Container Storage Interface (CSI) to offer Kubernetes-aware backup capabilities.
Confidential Compute
Azure Kubernetes Service can make use of the capabilities offered by confidential compute. In addition to encryption of data at rest and data in transit, Azure Confidential Computing also offers encryption of data in use. This offers protection against third parties accessing data without consent.
Confidential Containers (CoCo) (preview)
Confidential containers on Azure Kubernetes Service (AKS) leverage Kata confidential containers and build further on the capabilities offered by confidential compute. More information about this open-source project can be found here. Kata Containers make use of nested virtualization: every pod runs in its own lightweight VM. In this way the application is isolated from the parent VM (the AKS node) and from the OS admin of the node.
More information about confidential containers can be found in these two links:
- Preview support for Kata VM Isolated Containers on AKS for Pod Sandboxing
- Aligning with Kata Confidential Containers to achieve zero trust operator deployments with AKS
For a complete overview of what the AKS product team is working on, check the public roadmap.
Kubectl OpenAI plugin
This project is a kubectl plugin to generate and apply Kubernetes manifests using OpenAI GPT.
Kubernetes Copilot (experimental)
Kubernetes Copilot is powered by OpenAI and can help in auditing security issues and diagnosing problems.
KubeCon Europe 2023
Some nice statistics:
- KubeCon was sold out
- 10.000 attendees
- 58% of the attendees were at KubeCon for the first time
- 159 CNCF projects
- 1300 maintainers, 200k contributors
- 155 ambassadors in 2023
- 406 community groups
- 24 Kubernetes Community Days
Two new certifications were announced:
For more information regarding the availability for these exams check the links.
KubeCon / CloudNativeCon Europe 2024 will be in Paris from 19 to 22 March.
During KubeCon there was a lot of focus on sustainability. During one of the keynotes, Jorge Palma spoke about Building a Sustainable Carbon-Aware Cloud. Jorge announced the availability of the carbon-aware-keda operator. A recap of the keynote can be found in this blog. This operator can help scale Kubernetes workloads based on carbon intensity. Use cases are workloads that can handle interruptions, like for instance ML training jobs. In the GitHub repo you can find more information about how to implement this operator. More information can also be found here:
Kristina Devochko also spoke about this topic, in the first breakout session after the keynote, in her talk Be the Change Our Planet Seeks: How YOU Can Contribute to Running Environment-Friendly Workloads on Kubernetes. Kristina showed the current situation in the world by showing graphs and numbers. She addressed how we as individuals using Kubernetes can play a role in climate change, for instance by adopting green coding or lean coding. More information can be found on the site of the Green Software Foundation. Just as shared responsibility applies at the technical level, it also applies at the sustainability level. Kristina also showed some ways to create visibility by implementing or using tools like OpenCost, which shows your carbon footprint next to cost, the sustainability pillar within the Well-Architected Framework by Microsoft, or carbon emissions calculators like cloud-carbon-footprint.
Some other interesting sessions:
- The Next Episode in Workload Isolation: Confidential Containers - Jeremi Piotrowski, Microsoft
- Adopting Network Policies in Highly Secure Environments - Raymond de Jong, Isovalent
- Gardens and Glaciers: Saving Knowledge Through Succession - Emily Fox, Security Engineer, Apple
- Unlocking Argo CD's Hidden Tools for Chaos Engineering - Featuring VCluster and More - Dan Garfield & Brandon Philips, Codefresh
- Building a Successful Business in Cloud Native - Liz Rice, Isovalent; Guillermo Rauch, Vercel; Kelsey Hightower, Google; Sheng Liang, Acorn Labs; Tom Manville, Kasten by Veeam. It is not only about getting stars on GitHub. The open source software you develop is not the part where you will earn a lot of money. You have to create business value.
Frederick Kautz spoke during his session Trust No System: The Unsettling Reality of Zero-Trust about what the buzzword zero-trust means. How do we handle trust in a cloud environment? One of the newest technologies to look out for is SPIFFE/SPIRE.
Giles Heron from Cisco spoke about Media Streaming Mesh. In his session he talked about the issues that occur when you watch, for instance, a soccer match via streaming, which then lags behind the broadcast on the more traditional ways of watching. Media Streaming Mesh on Kubernetes solves this issue.
For me it was an interesting conference. I learned a lot of new things. I met a lot of old and new friends, and also reconnected with people that I hadn't seen for some time. I did a lot of networking with people from Tigera, Codefresh, Aqua, Traefik, SUSE, Isovalent, Sysdig, Palo Alto, Spectro Cloud and VMware. Because of the number of participants I was not always able to attend the sessions that I had planned for. Luckily I can watch those sessions back when they become available online.