Entra ID Integration for Operators and Workloads
The presentation demonstrates how to configure Azure Kubernetes Service with Microsoft Entra ID (formerly Azure Active Directory) integration for both cluster operators and workload identities. Operators sign in to kubectl with their own Entra ID accounts, and authorization is granted to Entra ID groups through role-based access control, so no shared cluster credential has to be handed around; the cluster's local accounts should be disabled as well, because otherwise the static cluster-admin credential they provide remains a way around Entra ID. Workload identity lets a pod authenticate to Azure resources as a user-assigned managed identity: a federated identity credential on the identity trusts the cluster's OIDC issuer for one specific Kubernetes service account, identified by namespace and name, and the short-lived token AKS projects into the pod is exchanged for an Entra ID token. No client secret or certificate has to be stored in the cluster, and what a pod can reach is governed entirely by the Azure role assignments on the managed identity, scoped to resources such as Key Vault, Cosmos DB, and Azure Container Registry.
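As an added example that is not part of the presentation, the following shell script wires both halves of this together with the Azure CLI and kubectl: cluster creation with Entra ID sign-in, Azure RBAC and local accounts disabled, then a managed identity whose federated credential trusts this cluster's issuer for one service account, a least-privilege role assignment on one vault, and the annotated ServiceAccount. The resource group, cluster, identity and vault names, the subscription id and the admin group object id are assumed placeholders; with APPLY unset the script only defines the helpers and prints the manifest, so nothing is created.

```shell
#!/bin/sh
# Added example (not from the presentation): Entra ID operator access plus workload
# identity on AKS. Resource names, group/subscription ids and the vault id are assumed.
set -eu

RG="${RG:-rg-aks-demo}"; CLUSTER="${CLUSTER:-aks-demo}"
ADMIN_GROUP_ID="${ADMIN_GROUP_ID:-00000000-0000-0000-0000-000000000000}"  # Entra ID group object id (placeholder)
ID_NAME="${ID_NAME:-id-myapp}"; NS="${NS:-app}"; SA="${SA:-myapp}"
KV_ID="${KV_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/$RG/providers/Microsoft.KeyVault/vaults/kv-demo}"

# Subject the federated identity credential must match: the token AKS projects into a pod
# names the pod's service account exactly like this, so a typo here fails the token exchange.
fic_subject() { printf 'system:serviceaccount:%s:%s\n' "$1" "$2"; }

# ServiceAccount manifest; the annotation tells the workload identity webhook which
# managed identity (by client id) to exchange the projected token for.
sa_manifest() { # args: namespace, service account, client id
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    azure.workload.identity/client-id: "$3"
EOF
}

create_cluster() {
  # Operators: Entra ID sign-in, Azure RBAC for Kubernetes authorization, an admin group,
  # and local accounts disabled so `az aks get-credentials --admin` cannot hand out the
  # shared cluster-admin certificate. Workloads: OIDC issuer + workload identity webhook.
  az aks create -g "$RG" -n "$CLUSTER" --generate-ssh-keys \
    --enable-aad --enable-azure-rbac --aad-admin-group-object-ids "$ADMIN_GROUP_ID" \
    --disable-local-accounts \
    --enable-oidc-issuer --enable-workload-identity -o none
}

bind_workload_identity() {
  local issuer client_id principal_id
  issuer=$(az aks show -g "$RG" -n "$CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)
  az identity create -g "$RG" -n "$ID_NAME" -o none
  client_id=$(az identity show -g "$RG" -n "$ID_NAME" --query clientId -o tsv)
  principal_id=$(az identity show -g "$RG" -n "$ID_NAME" --query principalId -o tsv)
  # Trust only tokens from this cluster's issuer, and only for this one service account.
  az identity federated-credential create -g "$RG" --identity-name "$ID_NAME" -n "fic-$NS-$SA" \
    --issuer "$issuer" --subject "$(fic_subject "$NS" "$SA")" --audiences api://AzureADTokenExchange -o none
  # Least privilege: a data-plane read role, scoped to one vault rather than the subscription.
  az role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$KV_ID" -o none
  kubectl create namespace "$NS" --dry-run=client -o yaml | kubectl apply -f -
  sa_manifest "$NS" "$SA" "$client_id" | kubectl apply -f -
  # Pods that should use the identity run as this service account and carry the label
  # azure.workload.identity/use: "true"; without the label the webhook injects nothing.
}

if [ "${APPLY:-0}" = 1 ]; then   # APPLY=1 runs the az/kubectl calls; default only defines the helpers
  create_cluster
  bind_workload_identity
else
  sa_manifest "$NS" "$SA" "00000000-0000-0000-0000-000000000000"
fi
```

The subject string produced by fic_subject is the part most often mistyped: the federated credential compares it verbatim with the sub claim of the projected token, so a wrong namespace or service account name fails at token exchange time on the Entra ID side, before any Kubernetes RBAC decision is involved.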
Private Networking and Key Vault Integration
The session covers implementing private networking for AKS clusters by disabling public network access on the Azure services the cluster depends on and reaching them through private endpoints instead. Each service type has its own dedicated private DNS zone (Key Vault, Cosmos DB and Container Registry each use a different privatelink zone); the zone is provisioned, linked to the virtual network that hosts the AKS nodes, and a private endpoint is created in a subnet of that network pointing at the target resource, with a DNS zone group so that the endpoint's private address is registered in the zone. If the zone is missing or not linked, the service name still resolves to its public address, which the service now refuses. For Key Vault integration specifically, the cluster needs the Azure Key Vault provider for the Secrets Store CSI Driver add-on enabled, followed by a SecretProviderClass object in Kubernetes that names the vault, the tenant, the identity to use, and the secrets to fetch. Pods then mount the secrets as a read-only CSI volume, where each secret appears as a file; exposing them as environment variables additionally requires the provider to sync them into a Kubernetes Secret, which only happens while some pod mounts the volume and means the values are then also held in the cluster's own secret store. Either way the application code handles no vault credentials itself.
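The following shell script is an added example, not code from the presentation: it maps a service type to its Private Link sub-resource and private DNS zone, builds the zone, VNet link, private endpoint and DNS zone group for a Key Vault, enables the Secrets Store CSI add-on, and emits a SecretProviderClass plus a pod that mounts it through workload identity (the tenant id and client id are placeholders, as are the resource names, VNet and subnet). The mapping also covers Cosmos DB (NoSQL API) and Container Registry, which the text names but does not walk through. With APPLY unset only the manifest is printed.

```shell
#!/bin/sh
# Added example (not from the presentation): private endpoint + private DNS for a Key
# Vault, then the Secrets Store CSI add-on, a SecretProviderClass, and a pod that mounts
# it. Resource names, VNet/subnet, tenant id and client id are assumed placeholders.
set -eu

RG="${RG:-rg-aks-demo}"; CLUSTER="${CLUSTER:-aks-demo}"
VNET="${VNET:-vnet-aks}"; SUBNET="${SUBNET:-snet-privatelink}"   # VNet must be the one the AKS nodes use
KV_NAME="${KV_NAME:-kv-demo}"; NS="${NS:-app}"; SA="${SA:-myapp}"
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"
CLIENT_ID="${CLIENT_ID:-00000000-0000-0000-0000-000000000000}"   # workload identity client id

# Each Private Link target has its own sub-resource ("group id") and its own private DNS
# zone; with the wrong zone the service FQDN keeps resolving to the public address.
plink_target() { # arg: service kind -> prints "<group id> <private DNS zone>"
  case "$1" in
    keyvault)   echo "vault privatelink.vaultcore.azure.net" ;;
    cosmos-sql) echo "Sql privatelink.documents.azure.com" ;;
    acr)        echo "registry privatelink.azurecr.io" ;;
    *) echo "unknown service kind: $1" >&2; return 1 ;;
  esac
}

# Zone -> VNet link -> endpoint -> DNS zone group (the last step writes the A record).
private_endpoint() { # args: service kind, target resource id, endpoint name
  local gid zone
  gid=$(plink_target "$1" | cut -d' ' -f1); zone=$(plink_target "$1" | cut -d' ' -f2)
  az network private-dns zone create -g "$RG" -n "$zone" -o none
  az network private-dns link vnet create -g "$RG" -z "$zone" -n "link-$VNET" \
    --virtual-network "$VNET" --registration-enabled false -o none
  az network private-endpoint create -g "$RG" -n "$3" --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$2" --group-ids "$gid" --connection-name "$3-conn" -o none
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$3" -n default \
    --private-dns-zone "$zone" --zone-name "$1" -o none
}

spc_manifest() { # args: name, vault name, secret names...; uses TENANT_ID/CLIENT_ID/NS
  local name kv s; name=$1; kv=$2; shift 2
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: $name
  namespace: $NS
spec:
  provider: azure
  secretObjects:            # optional: mirror into a Kubernetes Secret so env vars can use it
    - secretName: $name-synced
      type: Opaque
      data:
EOF
  for s in "$@"; do printf '        - objectName: %s\n          key: %s\n' "$s" "$s"; done
  cat <<EOF
  parameters:
    clientID: "$CLIENT_ID"  # workload identity: no secret or certificate stored in the cluster
    keyvaultName: "$kv"
    tenantId: "$TENANT_ID"
    objects: |
      array:
EOF
  for s in "$@"; do printf '        - |\n          objectName: %s\n          objectType: secret\n' "$s"; done
}

pod_manifest() { # arg: SecretProviderClass name
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: myapp
  namespace: $NS
  labels:
    azure.workload.identity/use: "true"   # required, or no token is projected
spec:
  serviceAccountName: $SA
  containers:
    - name: app
      image: mcr.microsoft.com/azurelinux/base/core:3.0   # placeholder image
      command: ["sh", "-c", "ls -l /mnt/secrets && sleep 3600"]
      env:
        - name: DB_PASSWORD   # comes from the synced Secret, which exists only while the volume is mounted
          valueFrom: { secretKeyRef: { name: $1-synced, key: db-password } }
      volumeMounts:
        - { name: secrets, mountPath: /mnt/secrets, readOnly: true }
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes: { secretProviderClass: $1 }
EOF
}

if [ "${APPLY:-0}" = 1 ]; then   # APPLY=1 runs the az/kubectl calls
  kv_id=$(az keyvault show -g "$RG" -n "$KV_NAME" --query id -o tsv)
  az keyvault update -g "$RG" -n "$KV_NAME" --public-network-access Disabled -o none
  private_endpoint keyvault "$kv_id" "pe-$KV_NAME"
  az aks enable-addons -g "$RG" -n "$CLUSTER" --addons azure-keyvault-secrets-provider -o none
  spc_manifest kv-secrets "$KV_NAME" db-password api-key | kubectl apply -f -
  pod_manifest kv-secrets | kubectl apply -f -
else
  spc_manifest kv-secrets "$KV_NAME" db-password api-key
fi
```

The secretObjects section is the trade-off to be aware of: it is what makes DB_PASSWORD available as an environment variable, but it copies the value into a Kubernetes Secret in the cluster, so anyone who can read Secrets in the namespace can read it without ever touching the vault. If the files under /mnt/secrets are enough for the application, leave secretObjects out.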
Availability Zone Resiliency and Maintenance
The presentation addresses designing for failure through availability zone resiliency across both AKS node pools and supporting Azure services. A node pool can be created with a zones attribute listing several availability zones, but the underlying scale set only balances nodes across those zones on a best-effort basis, so a zone can end up empty after scale-in or a capacity shortage. For guaranteed presence in each zone, the recommended approach is one single-zone node pool per availability zone, with workloads spread across the pools (for example with topology spread constraints on the node zone label). Azure Policy provides validation through a preview initiative that audits resources for zone-resilient configuration. The session also covers planned maintenance for AKS: the auto-upgrade channel and the node OS upgrade channel decide which Kubernetes versions and node images roll out automatically, and maintenance configurations decide when, with a configurable frequency, interval, start time and window length; the per-pool max surge setting caps how many nodes are replaced at once, so security patches land on schedule while the availability impact stays bounded.
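As an added example, not part of the presentation, the script below creates one single-zone node pool per zone with a max surge limit, sets the upgrade channels and two weekly maintenance windows, and adds the check a practitioner wants after all that: given the output of kubectl get nodes with the zone label, which expected zones have no Ready node at all. Resource names, region and schedule values are assumed, and the node listing at the bottom is a constructed sample in which the only node in zone 3 is NotReady; with APPLY unset only that offline check runs.

```shell
#!/bin/sh
# Added example (not from the presentation): one single-zone node pool per availability
# zone, planned maintenance windows, and a check that every zone actually has a Ready node.
# Resource names, region and schedule values are assumed.
set -eu

RG="${RG:-rg-aks-demo}"; CLUSTER="${CLUSTER:-aks-demo}"; REGION="${REGION:-eastus}"
ZONES="${ZONES:-1 2 3}"

# One pool per zone guarantees capacity in each zone and lets the autoscaler grow each zone
# independently; a single pool with --zones 1 2 3 only gets best-effort balancing.
add_zone_pools() {
  for z in $ZONES; do
    az aks nodepool add -g "$RG" --cluster-name "$CLUSTER" -n "userz$z" --zones "$z" \
      --node-count 1 --enable-cluster-autoscaler --min-count 1 --max-count 5 \
      --max-surge 33% -o none   # upgrade at most a third of the pool at a time
  done
}

# Upgrade channels decide what rolls out; maintenance configurations decide when.
set_maintenance() {
  az aks update -g "$RG" -n "$CLUSTER" --auto-upgrade-channel patch --node-os-upgrade-channel NodeImage -o none
  # Kubernetes patch upgrades: weekly, Saturday 02:00 UTC, 8-hour window.
  az aks maintenanceconfiguration add -g "$RG" --cluster-name "$CLUSTER" -n aksManagedAutoUpgradeSchedule \
    --schedule-type Weekly --day-of-week Saturday --interval-weeks 1 \
    --start-time 02:00 --duration 8 --utc-offset +00:00 -o none
  # Node OS image updates: weekly, Tuesday 02:00 UTC, 6-hour window.
  az aks maintenanceconfiguration add -g "$RG" --cluster-name "$CLUSTER" -n aksManagedNodeOSUpgradeSchedule \
    --schedule-type Weekly --day-of-week Tuesday --interval-weeks 1 \
    --start-time 02:00 --duration 6 --utc-offset +00:00 -o none
}

# Zone labels AKS sets on nodes look like "<region>-<zone number>".
expected_zones() { for z in $ZONES; do printf '%s-%s ' "$REGION" "$z"; done; }

# Reads `kubectl get nodes -L topology.kubernetes.io/zone --no-headers` on stdin and prints
# each expected zone that has no Ready node. A node that exists but is NotReady does not count.
missing_zones() { # arg: expected zone labels, space separated
  local ready z
  ready=$(awk '$2 == "Ready" { print $NF }' | sort -u)
  for z in $1; do
    printf '%s\n' "$ready" | grep -qx "$z" || printf '%s\n' "$z"
  done
}

# Constructed sample node listing (not real cluster output): zone 3's only node is NotReady.
SAMPLE_NODES='aks-userz1-12345678-vmss000000   Ready      <none>   3d   v1.29.4   eastus-1
aks-userz2-23456789-vmss000000   Ready      <none>   3d   v1.29.4   eastus-2
aks-userz3-34567890-vmss000000   NotReady   <none>   3d   v1.29.4   eastus-3
aks-system-45678901-vmss000000   Ready      <none>   3d   v1.29.4   eastus-1'

if [ "${APPLY:-0}" = 1 ]; then   # APPLY=1 runs the az/kubectl calls
  add_zone_pools; set_maintenance
  kubectl get nodes -L topology.kubernetes.io/zone --no-headers | missing_zones "$(expected_zones)"
else
  printf '%s\n' "$SAMPLE_NODES" | missing_zones "$(expected_zones)"   # prints: eastus-3
fi
```

The check deliberately keys on the Ready condition rather than on node existence: a node pool that exists in a zone but whose nodes are NotReady (image pull failures after a node image upgrade, a zonal outage) gives no resilience, and that is exactly the state a maintenance window can leave behind if max surge is too aggressive.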