First, let's talk about what NMI Azure is. NMI Azure is a managed Kubernetes service provided by Azure that lets you deploy and manage containerized applications.
To get started with Nmi Azure for Kubernetes, you'll need to create an Azure account. This will give you access to the Azure portal, where you can manage your resources and deploy your Kubernetes clusters.
The Azure portal is user-friendly and easy to navigate, even for those new to cloud computing. You can create a new resource group, which is a logical container for your resources, and then deploy your Kubernetes cluster within it.
Once you have your Azure account and resource group set up, you can start deploying your Kubernetes clusters.
Setup and Configuration
To get started with NMI Azure, you'll need to set it up and configure it properly. Fortunately, Azure-provided name resolution includes features that make this process easy.
With Azure-provided name resolution, you don't need to configure anything, which is a huge time-saver. Because the service is highly available, you also don't need to create and manage clusters of your own DNS servers.
Here are some key features of Azure-provided name resolution:
- You don't need to configure anything.
- You don't need to create and manage clusters of your own DNS servers because of high availability.
- You can use the service with your own DNS servers to resolve both on-premises and Azure hostnames.
- You can use name resolution between VMs and role instances within the same cloud service, without the need for an FQDN.
- You can use name resolution between VMs in virtual networks that use the Resource Manager deployment model, without the need for an FQDN.
- You can use hostnames that best describe your deployments, rather than working with autogenerated names.
Creating a User Assigned Identity is also a crucial step in setting up NMI Azure. This can be done through the portal, CLI, or PowerShell.
Features
Setting up Azure name resolution is a breeze thanks to its high availability feature, which means you don't need to create and manage clusters of your own DNS servers.
With Azure name resolution, you can use hostnames that best describe your deployments, rather than working with autogenerated names. This is a game-changer for anyone who's ever struggled with trying to remember a long string of numbers and letters.
You also don't need to configure anything, which makes it super easy to get started. Just sign up and start using it.
Azure name resolution allows you to use the service with your own DNS servers to resolve both on-premises and Azure hostnames. This is a huge advantage for anyone who needs to manage both internal and external DNS.
Create User Assigned Identity
To create a User Assigned Identity, click the "Create resource" button and search for "Managed Identity", then click "Create" to begin the process.
There are two types of Managed Identity available in Azure: System Assigned and User Assigned. We'll be using User Assigned identities, as they offer more flexibility.
A User Assigned Identity can be created through the portal, CLI, or PowerShell; the portal is the method described in this article.
The lifecycle of a User Assigned Identity is not bound to any specific resource, making it a more flexible option. This is in contrast to System Assigned identities, which are bound to the lifecycle of the resource they're assigned to.
Here are the specific steps to create a User Assigned Identity using the portal:
- Click the "Create resource" button and search for "Managed Identity."
- Click "Create" to begin the process.
- Enter a name for the identity and select a subscription, resource group, and region for this to be in.
- Click "Create" to complete the process.
Security and Permissions
To ensure the security of your AKS cluster, you need to lock down access to Kubernetes identity objects using Kubernetes RBAC to only allow users who are authorized to use them.
This means you should grant the "Managed Identity Operator" role only to the service principal of your AKS cluster, identified by its Client ID, which you can obtain by running a command in the CLI.
To grant the "Managed Identity Operator" role, you need to locate the Managed Identity you created in the portal, select it, and go to "Access Control (IAM)".
You should then click "Role Assignments", click "Add Role Assignment", select "Managed Identity Operator" from the drop-down, enter the Client ID of the AKS cluster Service Principal in the search box, and click Save.
To further secure your cluster, you should only grant the Managed Identity object in Azure the rights it needs to do its job and nothing more.
Here's a summary of the steps to secure your cluster:
- Use Kubernetes RBAC to limit access to identity objects.
- Grant the "Managed Identity Operator" role only to the AKS cluster service principal.
- Only grant the Managed Identity object in Azure the necessary rights.
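One way to apply the Kubernetes RBAC step above, as an added example that is not from the article or the aad-pod-identity project: a namespaced Role that gives a single service account read-only access to the identity objects, so that nobody else in the namespace can rewrite which Azure identity a pod receives. The namespace `payments` and the service account `identity-reader` are assumed names.

```yaml
# Added example: least-privilege Kubernetes RBAC for AAD Pod Identity objects.
# The identity objects live in the aadpodidentity.k8s.io API group; the
# namespace "payments" and service account "identity-reader" are assumed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-identity-reader
  namespace: payments
rules:
  # Read-only on the two objects that map pods to Azure identities.
  # Anyone allowed to create or edit these can point a workload at a
  # different identity, so write verbs are deliberately left out.
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureidentities", "azureidentitybindings"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-identity-reader
  namespace: payments
subjects:
  - kind: ServiceAccount
    name: identity-reader
    namespace: payments
roleRef:
  kind: Role
  name: pod-identity-reader
  apiGroup: rbac.authorization.k8s.io
```

The pod label that selects a binding is the other half of the mapping, so the right to edit pod labels in the namespace deserves the same scrutiny as these objects.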
Deployment and Management
In an AKS cluster, the Node Managed Identity (NMI) plays a crucial role in managing identities.
The NMI runs as a DaemonSet on every node, intercepting outbound calls from pods requesting access tokens and proxying those calls with a predefined Managed Identity.
This allows for seamless integration with Azure services, making it a vital component for secure and efficient cluster management.
Managed in Kubernetes
Managed Identity in Kubernetes is a unique challenge due to the dynamic nature of pods and nodes. Typically, multiple applications running in a single cluster have pods launching and exiting frequently in different nodes.
The Node Managed Identity (NMI) plays a crucial role: it intercepts outbound calls from pods requesting access tokens and proxies those calls with a predefined Managed Identity. This ensures that pods can access Azure services securely.
The Managed Identity Controller (MIC) is a central pod that queries the Kubernetes API server for Azure identity mappings corresponding to pods. This allows the MIC to check for identity mappings and provide access tokens to pods.
Node Managed Identity (NMI) pods are deployed as a DaemonSet to ensure one instance is running on every node. NMI is the resource used by pods to access their identity, and it talks to the MIC to retrieve the actual identity.
To deploy a pod that uses Managed Identity, you attach a binding to the pod by giving the pod a specific label. That label is what links the pod to the binding and enables it to access Azure services securely.
Here's a summary of the components involved in Managed Identity in Kubernetes:
- Node Managed Identity (NMI): intercepts outbound calls from pods and proxies access tokens
- Managed Identity Controller (MIC): queries the Kubernetes API server for identity mappings and provides access tokens
- Managed Identity: provides a secure way for pods to access Azure services
Firewall Endpoints
For Azure Commercial, Azure Government, and Microsoft Azure operated by 21Vianet, the firewall endpoints need to be configured with specific suffixes. These suffixes are .com, .us, and .cn respectively.
You'll need to provide access to the following endpoints for each cloud:
- global.handler.control.monitor.azure.com (for Azure Commercial)
- global.handler.control.monitor.azure.us (for Azure Government)
- global.handler.control.monitor.azure.cn (for Microsoft Azure operated by 21Vianet)
If you're using private links on the agent, you'll only need to add the private data collection endpoints (DCEs). These are the endpoints that need to be configured for each cloud:
Note that HTTPS inspection must be disabled for all endpoints.
Bootstrap Pod with Azure Pipeline
You can bootstrap a pod with Azure Pipeline by using a YAML file, specifically the azure-pod-identity-setup-pipeline.yaml file.
This file sets up the necessary components for Azure AD pod identity, including Service Account, custom resource definitions (CRD), Cluster Roles, and bindings.
Triggering the pipeline will deploy Azure Pod Identity, making it ready for use.
To use the pipeline, you'll need to create a user-assigned identity in Azure AD, as was done in the example.
The pipeline will then deploy the Azure Identity definition, which is stored in a file named aad-pod-identity.yaml in the repository.
The pipeline can be triggered on-demand, allowing you to repeat the process as needed.
This approach enables your .NET app to talk to a SQL server using pod identity, as seen in the example application.
Demo and Creation
To start our demo and creation, we'll revisit a previous article where we used the Kubernetes Key Vault Flex Volume project to mount Key Vault secrets as volumes on our pods. We'll replace the Service Principal with Managed Identity, letting Microsoft manage the lifecycle of the identity.
We'll be using user assigned identities, which are created as a standalone object and can be assigned to one or more Azure resources. Their lifecycle is not bound to these objects, making them suitable for our scenario.
To create the user assigned identity, click the create resource button and search for "Managed Identity." Click create, then enter a name for the identity and select a subscription, resource group, and region for this to be in.
Demo Scenario
In this demo scenario, we're going to revisit a previous article where we used the Kubernetes Key Vault Flex Volume project to mount Key Vault secrets as volumes on our pods.
We'll be looking at a simple scenario where we have a pod that needs access to some secrets from Key Vault.
This demo will replace the Service Principal used in the previous article with Managed Identity, letting Microsoft take care of managing the lifecycle of that identity.
To follow along, you may want to start by deploying the Service Principal example from the previous article, so you can then convert it to using Managed Identity.
We'll be using a pod that needs access to some secrets from Key Vault, just like in the previous demo.
Creation
Creation is a crucial step in our demo scenario: we need to create a managed identity that we will grant access to our Key Vault resource.
The identity can be created through the Azure portal, CLI, or PowerShell. There are two types of Managed Identity available in Azure: System Assigned and User Assigned. We'll be using a User Assigned identity, as System Assigned identities don't work in this scenario.
Here are the steps to create a User Assigned identity in the portal:
- Click the "Create resource" button and search for "Managed Identity."
- Click "Create".
- Enter a name for the identity and select a subscription, resource group, and region for this to be in.
- Click "Create" to complete the process.
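The components described under Managed in Kubernetes and the Key Vault scenario above, as an added example that is not the article's or the aad-pod-identity project's own manifest: an AzureIdentity pointing at the user-assigned identity just created, an AzureIdentityBinding with a selector, and a pod whose `aadpodidbinding` label matches that selector and mounts a Key Vault secret through the Flex Volume driver with pod identity instead of a Service Principal. All IDs and names are placeholders, and the flexVolume option names are assumed to match the Key Vault Flex Volume driver's documented options.

```yaml
# Added example: the three objects that connect a pod to a user-assigned
# managed identity. IDs, names and the Key Vault details are placeholders.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: kv-reader-identity
spec:
  type: 0    # 0 = user-assigned managed identity
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<IDENTITY_NAME>
  clientID: <IDENTITY_CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: kv-reader-binding
spec:
  azureIdentity: kv-reader-identity   # name of the AzureIdentity above
  selector: kv-reader                 # value a pod puts in its aadpodidbinding label
---
apiVersion: v1
kind: Pod
metadata:
  name: kv-demo
  labels:
    aadpodidbinding: kv-reader   # MIC matches this against the binding selector
spec:
  containers:
    - name: app
      image: nginx
      volumeMounts:
        - name: secrets
          mountPath: /kvmnt
          readOnly: true
  volumes:
    - name: secrets
      flexVolume:
        driver: azure/kv
        options:
          # usepodidentity replaces the secretRef that held Service Principal
          # credentials in the earlier Service Principal based setup.
          usepodidentity: "true"
          keyvaultname: <KEY_VAULT_NAME>
          keyvaultobjectnames: <SECRET_NAME>
          keyvaultobjecttypes: secret
          resourcegroup: <RESOURCE_GROUP>
          subscriptionid: <SUBSCRIPTION_ID>
          tenantid: <TENANT_ID>
```

When the driver requests a token on the pod's behalf, the NMI on that node answers only if the pod's label resolves to a binding, so a pod without a matching label gets no identity at all.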
Web Apps
If you're using an Azure web app built on App Service and linked to a virtual network, you'll need to set up custom DNS servers to perform name resolution to VMs in the same virtual network.
To get started, enable virtual network integration for your web app, as described in the Azure documentation. This will allow you to link your web app to the virtual network.
If you need to resolve names between virtual networks that aren't linked to the same private zone, you'll need to use custom DNS servers or Azure DNS Private Resolvers on both networks.
To use custom DNS servers, you'll need to set up a DNS forwarder in the target virtual network on a VM that can forward queries to the recursive resolver in Azure (virtual IP 168.63.129.16). You can find an example DNS forwarder in the Azure Quickstart Templates gallery and GitHub.
Here are the steps to set up custom DNS servers:
- Set up a DNS server in your target virtual network on a VM that can forward queries to the recursive resolver in Azure (virtual IP 168.63.129.16).
- Set up a DNS forwarder in the source virtual network on a VM to forward queries to the DNS server in your target virtual network.
- Configure your source DNS server in your source virtual network's settings.
- Enable virtual network integration for your web app to link to the source virtual network.
By following these steps, you'll be able to perform name resolution from your web app to VMs in the same virtual network, and even between different virtual networks that aren't linked to the same private zone.
Frequently Asked Questions
What is nmi in Azure?
In Azure, an NMI (Non-Maskable Interrupt) is a debugging tool that intentionally crashes a Virtual Machine to help diagnose issues. It's used to troubleshoot problems by forcing a crash, allowing for a closer examination of the system's state.