| title | description | services | ms.topic | ms.date |
|---|---|---|---|---|
Best practices for Azure Kubernetes Service (AKS) |
Collection of the cluster operator and developer best practices to build and manage applications in Azure Kubernetes Service (AKS) |
container-service |
article |
03/09/2021 |
Cluster operator and developer best practices to build and manage applications on Azure Kubernetes Service (AKS)
Building and running applications successfully in Azure Kubernetes Service (AKS) require understanding and implementation of some key considerations, including:
- Multi-tenancy and scheduler features.
- Cluster and pod security.
- Business continuity and disaster recovery.
The AKS product group, engineering teams, and field teams (including global black belts [GBBs]) contributed to, wrote, and grouped the following best practices and conceptual articles. Their purpose is to help cluster operators and developers understand the considerations above and implement the appropriate features.
As a cluster operator, work together with application owners and developers to understand their needs. You can then use the following best practices to configure your AKS clusters as needed.
Multi-tenancy
- Best practices for cluster isolation
- Includes multi-tenancy core components and logical isolation with namespaces.
- Best practices for basic scheduler features
- Includes using resource quotas and pod disruption budgets.
- Best practices for advanced scheduler features
- Includes using taints and tolerations, node selectors and affinity, and inter-pod affinity and anti-affinity.
- Best practices for authentication and authorization
- Includes integration with Azure Active Directory, using Kubernetes role-based access control (Kubernetes RBAC), using Azure RBAC, and pod identities.
Security
- Best practices for cluster security and upgrades
- Includes securing access to the API server, limiting container access, and managing upgrades and node reboots.
- Best practices for container image management and security
- Includes securing the image and runtimes and automated builds on base image updates.
- Best practices for pod security
- Includes securing access to resources, limiting credential exposure, and using pod identities and digital key vaults.
Network and storage
- Best practices for network connectivity
- Includes different network models, using ingress and web application firewalls (WAF), and securing node SSH access.
- Best practices for storage and backups
- Includes choosing the appropriate storage type and node size, dynamically provisioning volumes, and data backups.
Running enterprise-ready workloads
- Best practices for business continuity and disaster recovery
- Includes using region pairs, multiple clusters with Azure Traffic Manager, and geo-replication of container images.
As a developer or application owner, you can simplify your development experience and define require application performance needs.
- Best practices for application developers to manage resources
- Includes defining pod resource requests and limits, configuring development tools, and checking for application issues.
- Best practices for pod security
- Includes securing access to resources, limiting credential exposure, and using pod identities and digital key vaults.
To help understand some of the features and components of these best practices, you can also see the following conceptual articles for clusters in Azure Kubernetes Service (AKS):
- Kubernetes core concepts
- Access and identity
- Security concepts
- Network concepts
- Storage options
- Scaling options
If you need to get started with AKS, see the AKS quickstart using the Azure CLI, using Azure PowerShell, or using the Azure portal.