19 February, 2025

Deploying Microservices API using Azure Kubernetes Service (AKS)

Azure Kubernetes Service (AKS) is a managed Kubernetes service that simplifies deploying, managing, and scaling microservices.


🚀 Step-by-Step Guide to Deploy Microservices on AKS

We will deploy a .NET 8 microservices-based API on AKS using Azure Container Registry (ACR) and Kubernetes manifests.


1️⃣ Prerequisites

Azure Subscription
Azure CLI installed (az)
Docker installed
kubectl installed (az aks install-cli)
.NET 8 installed


2️⃣ Build and Containerize Your .NET API

Create a Dockerfile for your microservice (e.g., OrderService).

📌 Dockerfile

# Use the official .NET runtime as the base image
FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
WORKDIR /app
# .NET 8 images listen on port 8080 by default; pin the port to 80 so it
# matches the containerPort/targetPort used in the Kubernetes manifests below
ENV ASPNETCORE_HTTP_PORTS=80
EXPOSE 80

# Build the application
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
WORKDIR /src
COPY ["OrderService/OrderService.csproj", "OrderService/"]
RUN dotnet restore "OrderService/OrderService.csproj"
COPY . .
WORKDIR "/src/OrderService"
RUN dotnet publish -c Release -o /app/publish

# Create final runtime image
FROM base AS final
WORKDIR /app
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "OrderService.dll"]

📌 Build and Push Docker Image

# Log in to Azure
az login 

# Create a resource group
az group create --name MyResourceGroup --location eastus

# Create Azure Container Registry (ACR)
az acr create --resource-group MyResourceGroup --name MyACR --sku Basic

# Log in to ACR (the login server name, myacr.azurecr.io, is always lowercase)
az acr login --name MyACR

# Build, tag and push the image
docker build -t myacr.azurecr.io/orderservice:v1 .
docker push myacr.azurecr.io/orderservice:v1

3️⃣ Deploy to Azure Kubernetes Service (AKS)

📌 Create an AKS Cluster

# Create an AKS cluster and grant its kubelet identity AcrPull on the registry;
# without --attach-acr the image pull below fails with ImagePullBackOff
az aks create --resource-group MyResourceGroup --name MyAKSCluster --node-count 2 --enable-addons monitoring --generate-ssh-keys --attach-acr MyACR

# Get AKS credentials
az aks get-credentials --resource-group MyResourceGroup --name MyAKSCluster

📌 Create Kubernetes Deployment & Service

Deployment YAML (orderservice-deployment.yaml)

apiVersion: apps/v1
kind: Deployment
metadata:
  name: orderservice
spec:
  replicas: 2
  selector:
    matchLabels:
      app: orderservice
  template:
    metadata:
      labels:
        app: orderservice
    spec:
      containers:
        - name: orderservice
          image: myacr.azurecr.io/orderservice:v1
          ports:
            - containerPort: 80
          env:
            - name: ASPNETCORE_ENVIRONMENT
              value: "Production"
          # A CPU request is required for the CPU-based autoscaler in step 5
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 256Mi
---
apiVersion: v1
kind: Service
metadata:
  name: orderservice-service
spec:
  selector:
    app: orderservice
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: LoadBalancer

📌 Apply the Kubernetes Manifest

kubectl apply -f orderservice-deployment.yaml

4️⃣ Verify and Test the Deployment

📌 Check Pod Status

kubectl get pods

📌 Get Service IP

kubectl get service orderservice-service
  • Note the EXTERNAL-IP (it reads <pending> until Azure finishes provisioning the load balancer; re-run the command after a minute).
  • Open a browser and visit http://EXTERNAL-IP/api/orders.
  • This exposes the API on a public IP over plain HTTP; put an ingress controller that terminates TLS in front of it before serving anything beyond a test endpoint.

5️⃣ Auto-Scaling and Monitoring

📌 Enable Auto-Scaling

AKS ships metrics-server, so a CPU-based HorizontalPodAutoscaler works out of the box, but only if every container in the Deployment declares resources.requests.cpu; without a request the HPA reports the current utilization as <unknown> and never scales.

kubectl autoscale deployment orderservice --cpu-percent=50 --min=1 --max=5

📌 Enable Monitoring

The cluster above was created with --enable-addons monitoring, so this command is only needed for an existing cluster that was created without it.

az aks enable-addons --resource-group MyResourceGroup --name MyAKSCluster --addons monitoring
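A check that is not part of the original post: the following Python script (an added example, not Kubernetes, AKS or project code) lints a Deployment/Service pair for the things that most often break the procedure above: a Service selector that matches no pod labels, a targetPort that names no containerPort, a missing CPU request (which leaves the autoscaler in step 5 at <unknown>), a mutable image tag, and a container that runs as root. The manifests are embedded as Python dicts, constructed from the YAML above with the resources block left out so the script has something to report; the rule set is this example's own choice.

```python
"""Static checks for a Deployment/Service pair, runnable offline.

Added example, not code from the original post. Manifests are embedded as
dicts (no PyYAML, no cluster needed). Rules are this example's own.
"""

# Constructed: the post's Deployment, without the resources block.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "orderservice"},
    "spec": {
        "replicas": 2,
        "selector": {"matchLabels": {"app": "orderservice"}},
        "template": {
            "metadata": {"labels": {"app": "orderservice"}},
            "spec": {
                "containers": [{
                    "name": "orderservice",
                    "image": "myacr.azurecr.io/orderservice:v1",
                    "ports": [{"containerPort": 80}],
                    "env": [{"name": "ASPNETCORE_ENVIRONMENT", "value": "Production"}],
                }]
            },
        },
    },
}

# Constructed: the post's Service.
SERVICE = {
    "apiVersion": "v1",
    "kind": "Service",
    "metadata": {"name": "orderservice-service"},
    "spec": {
        "selector": {"app": "orderservice"},
        "ports": [{"protocol": "TCP", "port": 80, "targetPort": 80}],
        "type": "LoadBalancer",
    },
}


def check_pair(deployment, service):
    """Return a list of (severity, message) findings for a Deployment/Service pair."""
    findings = []
    pod_spec = deployment["spec"]["template"]["spec"]
    pod_labels = deployment["spec"]["template"]["metadata"].get("labels", {})
    containers = pod_spec.get("containers", [])
    container_ports = {p["containerPort"] for c in containers for p in c.get("ports", [])}

    # 1. The Service selector must match the pod template labels, or it has no endpoints.
    selector = service["spec"].get("selector", {})
    if any(pod_labels.get(k) != v for k, v in selector.items()):
        findings.append(("error", "Service selector does not match pod template labels"))

    # 2. Every numeric targetPort must be a declared containerPort.
    for p in service["spec"].get("ports", []):
        tp = p.get("targetPort", p["port"])
        if isinstance(tp, int) and tp not in container_ports:
            findings.append(("error", f"targetPort {tp} is not a declared containerPort"))

    for c in containers:
        name = c["name"]
        # 3. `kubectl autoscale --cpu-percent` needs resources.requests.cpu on every container.
        if not c.get("resources", {}).get("requests", {}).get("cpu"):
            findings.append(("error", f"{name}: no resources.requests.cpu; HPA CPU target will stay <unknown>"))
        # 4. Untagged or :latest images make rollbacks and provenance unreliable.
        image = c["image"]
        last = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in last or image.endswith(":latest")):
            findings.append(("warning", f"{name}: image {image!r} uses a mutable tag; pin a version or digest"))
        # 5. Least privilege: container securityContext overrides the pod-level one.
        sc = {**pod_spec.get("securityContext", {}), **c.get("securityContext", {})}
        if not sc.get("runAsNonRoot"):
            findings.append(("warning", f"{name}: runAsNonRoot is not set; container runs as root by default"))
    return findings


if __name__ == "__main__":
    for severity, msg in check_pair(DEPLOYMENT, SERVICE):
        print(f"[{severity}] {msg}")
```

The runAsNonRoot warning points at a trade-off in the post's setup: binding port 80 needs root. The .NET 8 base image ships a non-root `app` user and listens on 8080 by default, so moving the container to 8080 (ASPNETCORE_HTTP_PORTS, containerPort and the Service targetPort together) is what allows `USER app` in the Dockerfile and `runAsNonRoot: true` in the pod spec.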

✅ Summary

1️⃣ Containerized the .NET API
2️⃣ Pushed the image to Azure Container Registry
3️⃣ Created an AKS cluster
4️⃣ Deployed microservices using Kubernetes YAML
5️⃣ Exposed the service using LoadBalancer
6️⃣ Enabled Auto-Scaling & Monitoring

Would you like a Helm-based deployment for better scalability? 🚀


What is FGA (Fine-Grained Authorization)?

Fine-Grained Authorization (FGA) is an access control model that provides highly detailed permission management, allowing specific access rules based on users, roles, resources, and conditions. It is commonly used for multi-tenant applications and zero-trust security models.

How Does FGA Work with Azure Kubernetes Service (AKS)?

When using AKS, Fine-Grained Authorization ensures that only authorized users, services, and workloads can access Kubernetes resources. This is achieved through RBAC (Role-Based Access Control), OPA (Open Policy Agent), and Azure AD integration.


🚀 Implementing FGA in AKS

1️⃣ Enforce Access Control with Kubernetes RBAC

Kubernetes RBAC (Role-Based Access Control) is the built-in method to restrict access to AKS resources.

📌 Define a Role for a Microservice

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: mynamespace
  name: orderservice-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]

📌 Assign Role to a Service Account

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: orderservice-binding
  namespace: mynamespace
subjects:
  - kind: ServiceAccount
    name: orderservice-sa
    namespace: mynamespace
roleRef:
  kind: Role
  name: orderservice-role
  apiGroup: rbac.authorization.k8s.io

✅ This grants the orderservice-sa service account read-only access (get, list, watch) to Pods in mynamespace and nothing else: RBAC is additive and deny-by-default, so no other subject gains anything from this binding. The ServiceAccount itself must exist, and the orderservice Deployment's pod spec must set serviceAccountName: orderservice-sa for its pods to run under it.
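To make the deny-by-default behaviour concrete, here is an added example (not code from the original post and not the Kubernetes authorizer itself) that emulates `kubectl auth can-i` over the Role and RoleBinding above, embedded as Python dicts constructed from the YAML. It covers namespaced Roles and RoleBindings only; ClusterRoles, resourceNames and subresources are out of scope.

```python
"""Minimal emulation of Kubernetes RBAC evaluation over Role/RoleBinding objects.

Added example, not code from the original post. It reproduces the decision
logic for namespaced Roles only (no ClusterRoles, resourceNames or
subresources) to show that RBAC is additive and deny-by-default: a binding
grants exactly its subjects what its role lists, and nothing else.
"""

# Constructed: the Role and RoleBinding from the FGA section, as dicts.
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "mynamespace", "name": "orderservice-role"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}
BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "orderservice-binding", "namespace": "mynamespace"},
    "subjects": [{"kind": "ServiceAccount", "name": "orderservice-sa", "namespace": "mynamespace"}],
    "roleRef": {"kind": "Role", "name": "orderservice-role", "apiGroup": "rbac.authorization.k8s.io"},
}


def subject_matches(subject, user, groups):
    """True if a RoleBinding subject refers to the requesting identity."""
    if subject["kind"] == "User":
        return subject["name"] == user
    if subject["kind"] == "Group":
        return subject["name"] in groups
    if subject["kind"] == "ServiceAccount":
        # Service accounts authenticate as system:serviceaccount:<namespace>:<name>.
        return user == f"system:serviceaccount:{subject['namespace']}:{subject['name']}"
    return False


def rule_allows(rule, verb, api_group, resource):
    """True if one policy rule covers the request ('*' acts as a wildcard, as in the real authorizer)."""
    return (
        (verb in rule["verbs"] or "*" in rule["verbs"])
        and (api_group in rule["apiGroups"] or "*" in rule["apiGroups"])
        and (resource in rule["resources"] or "*" in rule["resources"])
    )


def can_i(roles, bindings, user, groups, verb, resource, namespace, api_group=""):
    """Emulate `kubectl auth can-i` for namespaced Role bindings.

    Returns True only if some RoleBinding in `namespace` names the caller
    and its Role has a rule covering the verb/resource. Anything not
    explicitly granted is denied; there are no deny rules to evaluate.
    """
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for b in bindings:
        if b["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if b["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are out of scope for this emulation
        if not any(subject_matches(s, user, groups) for s in b["subjects"]):
            continue
        role = by_key.get((namespace, b["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False


if __name__ == "__main__":
    sa = "system:serviceaccount:mynamespace:orderservice-sa"
    checks = [
        (sa, "list", "pods", "mynamespace"),                   # granted by the binding
        (sa, "delete", "pods", "mynamespace"),                 # verb not in the rule -> denied
        (sa, "list", "pods", "othernamespace"),                # binding is namespaced -> denied
        (sa, "list", "secrets", "mynamespace"),                # resource not in the rule -> denied
        ("alice@example.com", "list", "pods", "mynamespace"),  # not a subject -> denied
    ]
    for user, verb, res, ns in checks:
        answer = "yes" if can_i([ROLE], [BINDING], user, [], verb, res, ns) else "no"
        print(f"{user} {verb} {res} in {ns}: {answer}")
```

On a live cluster the same questions are answered by `kubectl auth can-i list pods --as=system:serviceaccount:mynamespace:orderservice-sa -n mynamespace`, which is the quickest way to confirm a binding does only what was intended.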


2️⃣ Use Open Policy Agent (OPA) for Advanced FGA

OPA is a general-purpose policy engine. On Kubernetes it is usually run through Gatekeeper, a validating admission controller that evaluates Rego policies against every API request before the object is persisted, which is what lets it enforce rules Kubernetes RBAC cannot express.

📌 Deploy OPA as an Admission Controller

kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/master/deploy/gatekeeper.yaml

📌 Example Policy: Allow Only Specific Users to Deploy Pods

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sAllowedUsers
metadata:
  name: restrict-users
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    allowedUsers:
      - "alice@example.com"
      - "bob@example.com"

✅ Gatekeeper ships no templates of its own, so a ConstraintTemplate declaring the K8sAllowedUsers kind, with the Rego that compares the requesting user against allowedUsers, must be applied before this constraint is accepted. With it in place, only Alice and Bob can create Pod objects directly. Pods created by a Deployment arrive from the controller manager's service accounts rather than from a person, so a constraint like this also has to exempt those identities or every rollout is denied.
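The decision the constraint above makes, as an added example (not code from the original post and not Gatekeeper's Rego): the script mirrors what a K8sAllowedUsers policy would compute from the admission review Gatekeeper passes to it, reading only `userInfo.username` and the resource kind. The AdmissionReview fragments and the controller exemption list are constructed for this example; the post's constraint has no exemption, which is exactly the failure mode shown.

```python
"""Emulate the K8sAllowedUsers constraint against Gatekeeper admission input.

Added example, not code from the original post and not Gatekeeper's Rego.
Gatekeeper exposes each request to policy as `input.review` (the
AdmissionReview request); this policy needs only `userInfo.username` and
the object kind. All review fragments below are constructed.
"""

# Constructed: the constraint from the post, as it would load from YAML.
CONSTRAINT = {
    "kind": "K8sAllowedUsers",
    "metadata": {"name": "restrict-users"},
    "spec": {
        "enforcementAction": "deny",
        "match": {"kinds": [{"apiGroups": [""], "kinds": ["Pod"]}]},
        "parameters": {"allowedUsers": ["alice@example.com", "bob@example.com"]},
    },
}

# Identities under which the controller manager creates pods when it runs its
# controllers with per-controller service accounts (the usual configuration).
# Assumed exemption list for this example; the post's constraint has none.
CONTROLLER_SERVICE_ACCOUNTS = frozenset({
    "system:serviceaccount:kube-system:replicaset-controller",
    "system:serviceaccount:kube-system:daemon-set-controller",
    "system:serviceaccount:kube-system:job-controller",
    "system:serviceaccount:kube-system:statefulset-controller",
})


def review(kind, username, api_group="", operation="CREATE"):
    """Build the subset of an AdmissionReview `request` the policy reads (constructed)."""
    return {
        "operation": operation,
        "kind": {"group": api_group, "kind": kind},
        "userInfo": {"username": username},
    }


def constraint_matches(constraint, req):
    """Mirror Gatekeeper's spec.match.kinds filter: group and kind must both match."""
    for entry in constraint["spec"]["match"]["kinds"]:
        if req["kind"]["group"] in entry["apiGroups"] and req["kind"]["kind"] in entry["kinds"]:
            return True
    return False


def evaluate(constraint, req, exempt=frozenset()):
    """Return (allowed, message); deny when the request matches and the user is not listed.

    `exempt` stands in for the controller exemption the post's constraint lacks.
    """
    if not constraint_matches(constraint, req):
        return True, "constraint does not apply to this kind"
    user = req["userInfo"]["username"]
    if user in constraint["spec"]["parameters"]["allowedUsers"] or user in exempt:
        return True, f"{user} may create {req['kind']['kind']}"
    violation = f"user {user} is not in allowedUsers"
    if constraint["spec"]["enforcementAction"] == "deny":
        return False, violation
    # dryrun / warn: record the violation but let the request through
    return True, f"[{constraint['spec']['enforcementAction']}] {violation}"


if __name__ == "__main__":
    rs = "system:serviceaccount:kube-system:replicaset-controller"
    cases = [
        ("kubectl run by alice", review("Pod", "alice@example.com"), frozenset()),
        ("kubectl run by charlie", review("Pod", "charlie@example.com"), frozenset()),
        ("Deployment by charlie", review("Deployment", "charlie@example.com", api_group="apps"), frozenset()),
        ("pod from ReplicaSet, no exemption", review("Pod", rs), frozenset()),
        ("pod from ReplicaSet, controllers exempt", review("Pod", rs), CONTROLLER_SERVICE_ACCOUNTS),
    ]
    for label, req, exempt in cases:
        allowed, msg = evaluate(CONSTRAINT, req, exempt)
        print(f"{label}: {'allow' if allowed else 'deny'} ({msg})")
```

The "Deployment by charlie" case passes because the constraint matches only Pods; the Deployment object is admitted and the denial surfaces later, on the ReplicaSet controller's pod creation, which is why rolling a constraint like this out with enforcementAction: dryrun first and reading the audit violations is the safer order.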


3️⃣ Enforce FGA with Azure AD (AAD) and AKS

🔹 Azure AD integration authenticates users to the cluster with their Azure AD identities; with Azure RBAC for Kubernetes authorization enabled, Azure role assignments then decide what those identities may do inside the cluster.

📌 Assign Fine-Grained Permissions to Users

# Enable AKS-managed Azure AD integration and Azure RBAC for Kubernetes authorization;
# the "Azure Kubernetes Service RBAC *" roles only take effect with --enable-azure-rbac
az aks update --resource-group MyResourceGroup --name MyAKSCluster --enable-aad --enable-azure-rbac

# Scope the assignment to the cluster (append /namespaces/<name> to the scope to limit it to one namespace)
az role assignment create --assignee alice@example.com --role "Azure Kubernetes Service RBAC Reader" --scope /subscriptions/{subscriptionId}/resourceGroups/MyResourceGroup/providers/Microsoft.ContainerService/managedClusters/MyAKSCluster

Alice can now sign in with her Azure AD identity and has read-only access to the cluster's Kubernetes resources: the Reader role lets her view most namespaced objects but not Secrets, Roles or RoleBindings.


🔑 Summary

RBAC: Restrict microservice access
OPA: Enforce custom access policies
Azure AD: User authentication, with Azure role assignments for authorization

Would you like a real-world example of integrating OPA with a .NET API on AKS? 🚀
