Use k8saas from BYOD
Introduction
By default, k8saas is accessible from anywhere, from any device. Of course, based on the security level of each project k8saas is also compatible with other type of access to limit the exposure of application, to limit the laptop access etc...
The purpose of this documentation is to show you with a concrete use case, how to consume the k8saas service.
Tutorial
In this tutorial, you're going to:
- get your k8saas credentials
- deploy a hello world application
- access to your application using a port-forward
- expose your hello world to internet using the All in one application publication service
- test the access from internet
Get your k8saas credentials
Prerequisites:
- azure-cli
- kubectl
- kubelogin (from azure)
Install the following packages
brew update && brew install azure-cli && brew install kubectl && brew install Azure/kubelogin/kubelogin
You are going to receive by email:
- K8SAAS_TENANT_ID: the tenant it
- K8SAAS_SUBSCRIPTION_ID: the id of the subscription where your resources are deployed
- K8SAAS_INSTANCE_NAME: the name of the kubernetes and the resource group
To first get the kubeconfig, run the following command:
# load environment variables
export K8SAAS_TENANT_ID="<K8SAAS_TENANT_ID>"
export K8SAAS_SUBSCRIPTION_ID="<K8SAAS_SUBSCRIPTION_ID>"
export K8SAAS_INSTANCE_NAME="<K8SAAS_INSTANCE_NAME>"
# be authenticated to azure
az login -t $K8SAAS_TENANT_ID
# get k8saas kubeconfig
az aks get-credentials --name $K8SAAS_INSTANCE_NAME --resource-group $K8SAAS_INSTANCE_NAME --subscription $K8SAAS_SUBSCRIPTION_ID
# skip MFA using azure credentials
kubelogin convert-kubeconfig -l azurecli
Once done, you should be able to access to your cluster. Note: by default there is a "customer-namespaces" namespace.
kubectl get pods --namespace customer-namespaces
kubectl get events --namespace customer-namespaces
Note:
- list all namespace is currently forbidden
Deploy a hello world application
Here is a project to start deploying your first application.
Clone the project :
git clone https://gitlab.thalesdigital.io/platform-team-canada/k8saas-innersource/hello-world-k8saas.git
cd hello-world-k8saas/Basic-helloworld
Look at the first file: aks-helloworld-one.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
name: aks-helloworld-one
spec:
replicas: 1
selector:
matchLabels:
app: aks-helloworld-one
template:
metadata:
labels:
app: aks-helloworld-one
spec:
containers:
- name: aks-helloworld-one
image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
ports:
- containerPort: 80
env:
- name: TITLE
value: "Welcome to Azure Kubernetes Service (AKS)"
---
apiVersion: v1
kind: Service
metadata:
name: aks-helloworld-one
spec:
type: ClusterIP
ports:
- port: 80
selector:
app: aks-helloworld-one
This file is composed of:
- a kubernetes deployment which contains a pod: aks-helloworld-one based on a microsoft image: mcr.microsoft.com/azuredocs/aks-helloworld:v1
- a kubernetes service that exposes the previous container internally
Then deploy your applications :
# this start a hello world pod
kubectl apply -f aks-helloworld-one.yaml --namespace customer-namespaces
# look at your pods
kubectl get pods -n customer-namespaces
NAME READY STATUS RESTARTS AGE
aks-helloworld-one-56c7b8d79d-sm4c6 2/2 Running 0 10m
Access to your application using a port-forward
By default a pod is not accessible from outside the cluster. For development & testing purpose, it's possible to perfom a port-forward using native kubernetes commands.
# use the name of the pod in the following command:
kubectl port-forward pods/aks-helloworld-one-56c7b8d79d-sm4c6 -n customer-namespaces 8080:80
Forwarding from 127.0.0.1:8080 -> 80
Forwarding from [::1]:8080 -> 80
Handling connection for 8080
# Now access to your application locally
curl localhost:8080
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="stylesheet" type="text/css" href="/static/default.css">
<title>Welcome to Azure Kubernetes Service (AKS)</title>
<script language="JavaScript">
function send(form){
}
</script>
</head>
<body>
<div id="container">
<form id="form" name="form" action="/"" method="post"><center>
<div id="logo">Welcome to Azure Kubernetes Service (AKS)</div>
<div id="space"></div>
<img src="/static/acs.png" als="acs logo">
<div id="form">
</div>
</div>
</body>
</html>%
Note: You can also perform a port-forward using the service:
kubectl get services -n customer-namespaces
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
aks-helloworld-one ClusterIP 10.0.98.198 <none> 80/TCP 12m
kubectl port-forward services/aks-helloworld-one -n customer-namespaces 8080:80
Forwarding from 127.0.0.1:8080 -> 80
Forwarding from [::1]:8080 -> 80
You just succeed to access to your application without having exposed your application on internet. Now, we're going to expose your application using an ingress. It's like a proxy.
Expose your hello world to internet using the All in one application publication service
Then, look at the second file: hello-world-ingress.yaml
Update the following line:
line 11 & 14: update the url hw-ingress-<VALUE_TO_CHANGE>.demo.<DNS_ZONE>
with:
<VALUE_TO_CHANGE>
: you can use a small hash or a random world<DNS_ZONE>
: use this pattern<instance_name_without_k8saas_before>.<REGION>
.k8saas.thalesdigital.io
You can get the DNS_ZONE from the grafana URL (provided at the creation of your cluster)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hello-world-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
ingressClassName: nginx
tls:
- hosts:
- hw-ingress-<VALUE_TO_CHANGE>.demo.<DNS_ZONE>
secretName: tls-secret
rules:
- host: hw-ingress-<VALUE_TO_CHANGE>.demo.<DNS_ZONE>
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: aks-helloworld-one
port:
number: 80
Once the file modify:
kubectl apply -f hello-world-ingress.yaml -n customer-namespaces
ingress.networking.k8s.io/hello-world-ingress created
# all look at the ingress
kubectl get ingress -n customer-namespaces -w
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
NAME CLASS HOSTS ADDRESS PORTS AGE
hello-world-ingress <none> hw-ingress-rbo-sandbox.demo.eu.k8saas.thalesdigital.io 80, 443 12s
hello-world-ingress <none> hw-ingress-rbo-sandbox.demo.eu.k8saas.thalesdigital.io 20.36.107.4 80, 443 12s
TADA ! Your application is exposed on HTTPS using a generated certificate (not valid because using letencrypt-staging. Use letencrypt-prod to get a valid certificate)
Let test few command:
nslookup hw-ingress-rbo-sandbox.demo.eu.k8saas.thalesdigital.io
Server: 192.168.2.1
Address: 192.168.2.1#53
Non-authoritative answer:
Name: hw-ingress-rbo-sandbox.demo.eu.k8saas.thalesdigital.io
Address: 20.36.107.4
The domain and the ip are both public.
Test the access from internet
Now you should access to your application from any where.
From a terminal:
curl -k https://hw-ingress-rbo-sandbox.demo.eu.k8saas.thalesdigital.io
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link rel="stylesheet" type="text/css" href="/static/default.css">
<title>Welcome to Azure Kubernetes Service (AKS)</title>
<script language="JavaScript">
function send(form){
}
</script>
</head>
<body>
<div id="container">
<form id="form" name="form" action="/"" method="post"><center>
<div id="logo">Welcome to Azure Kubernetes Service (AKS)</div>
<div id="space"></div>
<img src="/static/acs.png" als="acs logo">
<div id="form">
</div>
</div>
</body>
</html>%
From a browser:
Put the url of your application in your favorite browser: https://hw-ingress-<VALUE_TO_CHANGE>.demo.<DNS_ZONE>
Next Steps
- Secure your application using azure bastion
- Deploy an application using an azure managed database