Azure Kubernetes Service in 2022: New Features and Best Practices
Azure Kubernetes Service (AKS) continues to evolve with new features that make managing Kubernetes clusters easier and more efficient. Let’s explore what’s new in AKS for 2022 and best practices for production deployments.
AKS Managed Identity
AKS now supports managed identities natively, eliminating the need for service principals:
```bicep
resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
  name: aksClusterName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    dnsPrefix: dnsPrefix
    kubernetesVersion: '1.22.4'
    enableRBAC: true
    aadProfile: {
      managed: true
      enableAzureRBAC: true
      adminGroupObjectIDs: [
        adminGroupId
      ]
    }
    agentPoolProfiles: [
      {
        name: 'systempool'
        count: 3
        vmSize: 'Standard_DS2_v2'
        mode: 'System'
        enableAutoScaling: true
        minCount: 1
        maxCount: 5
        availabilityZones: ['1', '2', '3']
      }
    ]
  }
}
```
Azure AD Workload Identity
The new workload identity feature provides pod-level identity: the service account is annotated with the Azure AD application's client ID, and pods that use it are labelled so the webhook injects the federated token. The Deployment needs a `selector` that matches its pod template labels, so those are included here:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa
  namespace: default
  annotations:
    azure.workload.identity/client-id: "<CLIENT_ID>"
  labels:
    azure.workload.identity/use: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-app
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: workload-identity-sa
      containers:
        - name: my-app
          image: myregistry.azurecr.io/my-app:latest
```
GitOps with Flux v2
AKS now supports GitOps with Flux v2 as a cluster extension:
```bash
az k8s-extension create --name flux \
  --extension-type microsoft.flux \
  --scope cluster \
  --cluster-name myAKSCluster \
  --resource-group myResourceGroup \
  --cluster-type managedClusters
```
Configure a GitOps configuration that reconciles the `infrastructure` and `apps` paths of the repository, with the apps kustomization applied only after the infra one succeeds:
```bash
az k8s-configuration flux create \
  --name cluster-config \
  --cluster-name myAKSCluster \
  --resource-group myResourceGroup \
  --cluster-type managedClusters \
  --scope cluster \
  --url https://github.com/myorg/my-repo \
  --branch main \
  --kustomization name=infra path=./infrastructure prune=true \
  --kustomization name=apps path=./apps prune=true dependsOn=["infra"]
```
Azure Policy for AKS
Enforce policies on your AKS clusters, for example restricting which container image registries pods may pull from:
```json
{
  "properties": {
    "displayName": "Kubernetes cluster containers should only use allowed images",
    "policyType": "BuiltIn",
    "mode": "Microsoft.Kubernetes.Data",
    "parameters": {
      "allowedContainerImagesRegex": {
        "type": "String",
        "metadata": {
          "displayName": "Allowed container images regex"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "in": ["Microsoft.ContainerService/managedClusters"]
      },
      "then": {
        "effect": "deny",
        "details": {
          "constraintTemplate": "k8sazurecontainerallowedimages",
          "constraint": "azurecontainerallowedimages"
        }
      }
    }
  }
}
```
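Before assigning this definition with the `deny` effect, it is worth testing the `allowedContainerImagesRegex` value against the pod specs you actually run, including init containers. The following is an added example, not code from the page or from Azure Policy: it applies a candidate regex to a constructed pod spec the way the Gatekeeper constraint does (unanchored matching, as in Rego's `regex.match`), and shows why the pattern must be anchored.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample pod spec (not from the page), shaped like the Deployment's
# pod template above, with extra containers added to exercise the check.
SAMPLE_POD_SPEC: Dict = {
    "initContainers": [
        {"name": "init-db", "image": "docker.io/library/busybox:1.35"},
    ],
    "containers": [
        {"name": "my-app", "image": "myregistry.azurecr.io/my-app:latest"},
        # A registry outside the organisation whose path merely *contains* the ACR name.
        {"name": "sidecar", "image": "untrusted.example/myregistry.azurecr.io/proxy:1"},
    ],
}

# Value to pass as the policy's allowedContainerImagesRegex parameter: anchored,
# so the whole image reference must be <name>.azurecr.io/<repo>.
ANCHORED_REGEX = r"^[^/]+\.azurecr\.io/.+$"
# A tempting but weak value: without anchors it matches anywhere in the string.
UNANCHORED_REGEX = r"azurecr\.io/"


def find_disallowed_images(pod_spec: Dict, allowed_regex: str) -> List[Tuple[str, str]]:
    """Return (container name, image) pairs whose image fails the allow-list regex.

    Assumption: the constraint template evaluates the parameter with Rego's
    regex.match, which (like Go's regexp) is unanchored, so re.search is used
    here to mirror that behaviour rather than re.fullmatch.
    """
    pattern = re.compile(allowed_regex)
    violations: List[Tuple[str, str]] = []
    # Gatekeeper checks every container type in the pod, not just spec.containers.
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(field, []):
            image = container.get("image", "")
            if pattern.search(image) is None:
                violations.append((container["name"], image))
    return violations


if __name__ == "__main__":
    for label, regex in (("anchored", ANCHORED_REGEX), ("unanchored", UNANCHORED_REGEX)):
        print(label, find_disallowed_images(SAMPLE_POD_SPEC, regex))
```

With the anchored pattern both the busybox init container and the sidecar are rejected; with the unanchored one the sidecar slips through because its path contains `azurecr.io/`.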
Monitoring with Container Insights
Enable comprehensive monitoring:
```bicep
resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
  // ... other properties
  properties: {
    addonProfiles: {
      omsagent: {
        enabled: true
        config: {
          logAnalyticsWorkspaceResourceID: logAnalyticsWorkspace.id
        }
      }
    }
  }
}
```
Best Practices for 2022
- Use multiple node pools - Separate system and user workloads
- Enable cluster autoscaler - Scale based on demand
- Implement Azure AD integration - Use RBAC for access control
- Deploy across availability zones - Ensure high availability
- Use Azure CNI - Better network performance and features
- Enable Azure Defender - Security monitoring and threat detection
AKS in 2022 is more mature, secure, and easier to manage than ever before.