Microsoft AKS updates 2024 - Q1
In this blog post I want to give an overview of all the AKS features that Microsoft moved to General Availability, Technical Preview or End of Support in Q1 2024. This information can be found at Microsoft Azure Updates.
Features that are now supported by Microsoft (GA):
- [General available] Application Gateway for Containers
Application Gateway for Containers is the next evolution of Application Gateway + Application Gateway Ingress Controller, providing application (layer 7) load balancing and dynamic traffic management capabilities for workloads running in a Kubernetes cluster. Application Gateway for Containers achieves near-real-time convergence times to reflect the addition and removal of pods, routes, probes, and other load balancing configuration within Kubernetes YAML configuration. In addition to the numerous improvements announced at public preview, general availability brings several new additions:
- Features – Public preview and GA have added support for Custom Health Probes, URL Redirect, and URL / Header Rewrite;
- Controller High Availability – Have peace of mind if a node goes down, changes within your cluster will continue to be propagated to the network;
- Gateway API v1 – Bring the familiarity and role based access control provided by Gateway API to your network configuration;
- Additional Region Availability – Take advantage of Application Gateway for Containers in a region closest to you;
- SLA for Production Workloads – Feel confident in running your production workloads with Application Gateway for Containers.
Click here to learn more.
- [General available] Node Soak Duration for Upgrades
AKS now supports node soak duration for upgrades to help stagger a node upgrade in a controlled manner. Setting a node soak time creates a waiting period between draining a node, proceeding to reimage it, and moving on to the next node. A short duration can minimize application downtime and allows you to complete other tasks, such as checking application health, during the upgrade process. Click here to learn more.
- [General available] Capacity Reservations support in AKS
You can now create capacity reservation groups and assign them to node pools. As your workload demands change, you can associate existing capacity reservation groups to node pools to guarantee allocated capacity for your node pools. Click here to learn more.
- [General available] Istio-based service mesh add-on for Azure Kubernetes Service
The Azure Kubernetes Service (AKS) add-on for service mesh based on Istio is now generally available. Istio addresses the challenges developers and operators face with a distributed or microservices architecture and can be used to streamline traffic management, security, and observability for service-to-service communication scenarios. The AKS add-on for service mesh builds on top of open source Istio and provides additional benefits such as compatibility testing done between Istio and supported versions of AKS, minor/patch version upgrades, plug-in Certificate Authority (CA), managed external/internal ingresses, and scaling of Istio control plane components. Click here to learn more.
- [General available] Visual Studio Code extension update for Azure Kubernetes Service (AKS)
The Visual Studio Code extension for Azure Kubernetes Service (AKS) has recently been updated to bring new capabilities, features, and improvements. Highlights include a brand-new cluster create experience, reconcile/abort cluster, enhanced networking capabilities such as granular packet capture/tcpdump, and more. Click here to learn more. To download the Azure Kubernetes Service VS Code Extension, please visit the marketplace.
- [General available] Kube-reserved resource optimization in Azure Kubernetes Service (AKS)
Reserved space contains resources set aside on a node for things such as the system daemons that back Kubernetes and the operating system itself. If these resources are not allocated sufficient reserved space, pods and system daemons will compete, and this competition leads to starvation on the node. Azure Kubernetes Service (AKS) addresses this issue by enforcing a rate at which it reserves space, as detailed by the Kube-reserved flag. This flag shows the resource reservation for Kubernetes system daemons including kubelet, the container runtime, and more. Beginning with AKS support of Kubernetes 1.29 in preview, optimized reservation logic reduces Kube-reserved memory by up to 20% depending on the node configuration and will apply to everyone. Click here to learn more.
- [General available] Outbound type migration in AKS
AKS uses outbound types to customize egress for a cluster to fit specific scenarios. You can now use Azure CLI to migrate outbound types on existing clusters based on your needs, without having to recreate a cluster. Click here to learn more.
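As an added example (not code from the Azure Updates post or from Microsoft), the following script shows how the node soak duration item in the GA list above combines with the existing max surge and drain timeout node pool settings into one staged `az aks nodepool upgrade` call. The 0 to 30 minute soak range is the one stated in the public preview note further down this page; the flag names `--node-soak-duration-minutes`, `--max-surge` and `--drain-timeout` are assumed from the Azure CLI and should be confirmed with `az aks nodepool upgrade --help` on your installed version. Inputs are validated before anything is executed, and the command only runs when `EXECUTE=1` is set.

```shell
#!/bin/sh
# Added example, not code from the Azure Updates post. Builds a staged
# "az aks nodepool upgrade" invocation that combines node soak duration with
# the max surge and drain timeout node pool settings, validating the values
# before any command runs. The flag names --node-soak-duration-minutes,
# --max-surge and --drain-timeout are assumed from the Azure CLI; confirm
# them with `az aks nodepool upgrade --help` on your installed version.

# Non-negative integer check (POSIX sh, no bashisms).
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# Soak duration: 0 to 30 minutes, the range given in the preview note above.
valid_soak() {
    is_uint "$1" && [ "$1" -le 30 ]
}

# Max surge: a positive node count ("2") or a percentage ("33%").
valid_surge() {
    n=${1%\%}
    is_uint "$n" && [ "$n" -gt 0 ]
}

# Drain timeout: a positive number of minutes.
valid_drain() {
    is_uint "$1" && [ "$1" -gt 0 ]
}

# Print the command line; return non-zero with a message on bad input.
# Args: resource-group cluster nodepool k8s-version soak-minutes max-surge drain-minutes
build_upgrade_cmd() {
    rg=$1; cluster=$2; pool=$3; version=$4; soak=$5; surge=$6; drain=$7
    valid_soak "$soak"   || { echo "soak duration must be 0..30 minutes, got '$soak'" >&2; return 1; }
    valid_surge "$surge" || { echo "max surge must be a positive count or percent, got '$surge'" >&2; return 1; }
    valid_drain "$drain" || { echo "drain timeout must be a positive number of minutes, got '$drain'" >&2; return 1; }
    printf '%s' "az aks nodepool upgrade --resource-group $rg --cluster-name $cluster --name $pool --kubernetes-version $version --node-soak-duration-minutes $soak --max-surge $surge --drain-timeout $drain"
}

# Dry run with constructed names; set EXECUTE=1 to invoke the Azure CLI.
cmd=$(build_upgrade_cmd demo-rg demo-aks nodepool1 1.29 10 33% 15) || exit 1
if [ "${EXECUTE:-0}" = 1 ]; then
    eval "$cmd"
else
    echo "dry run: $cmd"
fi
```

A soak of 10 minutes with a 33% surge means each batch of replacement nodes gets a fixed observation window before the next batch is drained, which is where the health checks the GA note mentions fit in.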
Features that are currently in Public Preview and not yet GA
- [Public Preview] Kubernetes 1.29 support in AKS
AKS now supports the latest Kubernetes 1.29 preview release (Mandala), which has some much-awaited features such as the ReadWriteOncePod PersistentVolume access mode, Node volume expansion Secret support for CSI drivers, and more. To learn more, click here.
- [Public Preview] OS SKU in-place migration for Linux nodes
Today, traditional OS SKU migration involves creating a new node, cordoning and draining existing nodes, and then deleting the existing nodes. This can involve a large surge in core count as new nodes are added, as well as manual intervention to cordon and drain. The OS SKU in-place migration feature, now in public preview, allows you to trigger a node image upgrade from one Linux SKU (e.g. Ubuntu) to another (e.g. Azure Linux) on an existing node pool. To learn more, click here.
- [Public Preview] Disable network policy in AKS for migration
You can now use AKS update to temporarily disable your network policy engine for two migration scenarios:
- Migration to Azure CNI overlay – Migration to overlay was limited because network policy needed to be disabled before migration could take place;
- Migration to other network policy engines – You can now migrate to other network policy engines. (e.g. Calico to Cilium).
To learn more, click here.
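Disabling the policy engine means every NetworkPolicy in the cluster stops being enforced until it is re-enabled, so the practitioner's first question is what will be open during that window. The following added example (not code from the Azure Updates post or from Microsoft) inventories the policies from a constructed `kubectl get networkpolicy -A --no-headers` listing, flags namespaces whose policy has no pod selector (default-deny style, so every pod there becomes reachable), and prints the three-step migration as a dry run. The `az aks update` flags `--network-policy`, `--network-plugin-mode overlay`, `--pod-cidr` and `--network-dataplane` are assumed from the Azure CLI and should be checked against your installed version.

```shell
#!/bin/sh
# Added example, not code from the Azure Updates post. Lists the NetworkPolicy
# objects that will be unenforced while the engine is disabled for migration,
# then prints the migration commands as a dry run. Input format is that of
# `kubectl get networkpolicy -A --no-headers` (NAMESPACE NAME POD-SELECTOR AGE);
# the sample is constructed. The az flags used are assumed from the Azure CLI.

# Constructed sample of `kubectl get networkpolicy -A --no-headers`.
SAMPLE_NETPOL='default      default-deny-ingress   <none>           40d
payments     allow-from-frontend    app=payments     12d
payments     deny-egress-external   app=payments     12d
kube-system  restrict-dns           k8s-app=kube-dns 90d'

# Print "namespace/name" for every policy in the listing read from stdin.
unenforced_policies() {
    awk 'NF >= 3 { print $1 "/" $2 }'
}

# Count the policies that will be unenforced during the migration window.
count_unenforced() {
    unenforced_policies | wc -l | tr -d ' '
}

# Namespaces with a selector-less policy deserve the closest watch: every pod
# in them is covered by that policy, and none of it applies while the engine is off.
default_deny_namespaces() {
    awk '$3 == "<none>" { print $1 }'
}

# Print (or with EXECUTE=1 run) the migration: disable policy, move to
# overlay, re-enable the chosen engine. Cilium also needs the Cilium dataplane.
# Args: resource-group cluster pod-cidr engine
migrate_to_overlay() {
    rg=$1; cluster=$2; cidr=$3; engine=$4
    run() { if [ "${EXECUTE:-0}" = 1 ]; then "$@"; else echo "dry run: $*"; fi; }
    run az aks update --resource-group "$rg" --name "$cluster" --network-policy none
    run az aks update --resource-group "$rg" --name "$cluster" --network-plugin-mode overlay --pod-cidr "$cidr"
    if [ "$engine" = cilium ]; then
        run az aks update --resource-group "$rg" --name "$cluster" --network-policy cilium --network-dataplane cilium
    else
        run az aks update --resource-group "$rg" --name "$cluster" --network-policy "$engine"
    fi
}

echo "Policies unenforced during the window: $(printf '%s\n' "$SAMPLE_NETPOL" | count_unenforced)"
printf '%s\n' "$SAMPLE_NETPOL" | unenforced_policies
echo "Namespaces with a selector-less (default-deny style) policy:"
printf '%s\n' "$SAMPLE_NETPOL" | default_deny_namespaces | sort -u
migrate_to_overlay demo-rg demo-aks 10.244.0.0/16 cilium
```

Run the inventory against the live cluster by piping the real `kubectl` output into `count_unenforced` and `default_deny_namespaces`, and keep the three `az aks update` steps back to back so the unenforced window stays as short as the operations allow.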
- [Public Preview] AKS support for node soak duration for upgrades
Azure Kubernetes Service (AKS) now supports node soak duration to help stagger node upgrades in a controlled manner and minimize application downtime during an upgrade. The period can range from a default of 0 to a maximum of 30 minutes. Node soak time works together with the max surge and node drain timeout properties available in the node pool to deliver more refined control of upgrade speed and application availability. To learn more, click here.
- [Public Preview] Regional Disaster Recovery by Azure Backup for AKS
In today's dynamic landscape, safeguarding containerized workloads and application data is paramount. That's why Azure Backup for AKS provides comprehensive protection for your AKS clusters, enabling scheduled backups and seamless restoration in scenarios like Operational Recovery, Accidental Deletion, and Application Migration. Now, Microsoft is excited to highlight a key addition: the Regional Disaster Recovery Capability, available in public preview. With this feature, you can proactively prepare for and mitigate the impact of regional disasters by:
- Recovering AKS clusters from backups stored in a secondary region, leveraging Azure Paired Regions, ensuring business continuity even in the face of regional disruptions;
- Storing Backup Copies offsite, adhering to the 3-2-1 backup strategy, and having the resilience to restore them in case of tenant compromise.
- Retaining data for extended periods to meet compliance requirements in regulated industries, ensuring data integrity and security.
By embracing Azure Backup for AKS, you empower your organization with advanced disaster recovery capabilities, enhancing resilience and ensuring uninterrupted operations. To learn more, click here.
- [Public Preview] AKS cluster control plane metrics in managed Prometheus
AKS cluster control plane metrics in managed Prometheus is a new feature that automatically scrapes the control plane (API server and etcd) metrics and sends them to an Azure Monitor workspace via managed Prometheus. With this, you are able to monitor the API server traffic and load along with the etcd size and object count to understand the state of the control plane and tune Kubernetes application client behavior to optimize for performance and reliability. AKS clusters with managed Prometheus get these new metrics automatically once the subscription has been enabled for the preview feature. To learn more, click here.
- [Public Preview] Istio add-on for AKS now supports plug-in certificate authority (CA)
In the Istio-based service mesh add-on (currently in public preview) for Azure Kubernetes Service, by default the Istio certificate authority (CA) generates a self-signed root certificate and key and uses them to sign the workload certificates. To protect the root CA key, you should use a root CA which runs on a secure machine offline. You can use the root CA to issue intermediate certificates to the Istio CAs that run in each cluster. The Istio add-on now allows you to bring your own certificates and keys for the Istio CA. An Istio CA can sign workload certificates using the administrator-specified certificate and key and distribute an administrator-specified root certificate to the workloads as the root of trust. To learn more, click here.
- [Public Preview] Upgrade support in Istio add-on for AKS
The Istio add-on for AKS now allows upgrading the minor version of Istio using a canary upgrade process. When an Istio upgrade is initiated, the control plane of the new (canary) revision is deployed alongside the old (stable) revision's control plane. Workload pods can then be restarted while using monitoring tools to track the health of workloads during this process. If no issues are observed with the health of workloads, the upgrade can be completed so that only the new Istio revision remains on the cluster. Otherwise, you can roll back to the previous revision of Istio. This feature is currently in public preview. To learn more, click here.
- [Public Preview] Disable Secure Shell (SSH) support in AKS
Secure Shell (SSH) is currently on by default for AKS provisioned nodes, and you must disable SSH manually. This public preview feature allows you to disable or enable SSH. This gives you the ability to secure your cluster and reduce the attack surface. To learn more, click here.
- [Public Preview] Node OS API options feature for AKS
Node OS API options feature for AKS is now in public preview. This feature allows those without Kubernetes API access to get private IP & name information of a node in a nodepool using the ARM API. This is useful in situations such as when you need Node API for troubleshooting. To learn more, click here.
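Because SSH is on by default, the practical follow-up to the "Disable Secure Shell (SSH) support" item above is an audit that finds node pools where it is still enabled and produces the command to turn it off. The script below is an added example (not code from the Azure Updates post or from Microsoft). It assumes the input is the TSV produced by `az aks nodepool list -g <rg> --cluster-name <cluster> --query "[].[name, securityProfile.sshAccess]" -o tsv`, where the `securityProfile.sshAccess` property and the `--ssh-access disabled` flag on `az aks nodepool update` come from the aks-preview extension; confirm both against your CLI version. The sample pool listing is constructed.

```shell
#!/bin/sh
# Added example, not code from the Azure Updates post. Audits node pools for
# SSH still enabled and prints the remediation command for each. Input is
# assumed to be the TSV from
#   az aks nodepool list -g <rg> --cluster-name <cluster> \
#       --query "[].[name, securityProfile.sshAccess]" -o tsv
# The sshAccess property and the --ssh-access flag are assumed to come from
# the aks-preview extension. The sample below is constructed.

# Constructed sample: two pools still allow SSH, one has it disabled.
SAMPLE_POOLS=$(printf 'nodepool1\tLocalUser\ngpupool\tLocalUser\nsyspool\tDisabled\n')

# Print the names of pools whose SSH access is anything other than Disabled.
pools_with_ssh() {
    awk -F '\t' 'NF >= 2 && $2 != "Disabled" { print $1 }'
}

# One remediation command per pool name read from stdin; dry run unless EXECUTE=1.
# Args: resource-group cluster
disable_ssh_cmds() {
    rg=$1; cluster=$2
    while IFS= read -r pool; do
        [ -n "$pool" ] || continue
        cmd="az aks nodepool update --resource-group $rg --cluster-name $cluster --name $pool --ssh-access disabled"
        if [ "${EXECUTE:-0}" = 1 ]; then eval "$cmd"; else echo "dry run: $cmd"; fi
    done
}

# Compliance check on a listing read from stdin: 0 when every pool has SSH disabled.
all_ssh_disabled() {
    [ -z "$(pools_with_ssh)" ]
}

printf '%s\n' "$SAMPLE_POOLS" | pools_with_ssh | disable_ssh_cmds demo-rg demo-aks
if printf '%s\n' "$SAMPLE_POOLS" | all_ssh_disabled; then
    echo "all pools compliant"
else
    echo "pools with SSH enabled found"
fi
```

Against a real cluster, replace `SAMPLE_POOLS` with the output of the `az aks nodepool list` query shown in the comment; `all_ssh_disabled` returns a plain exit status so it can sit in a pipeline or a scheduled compliance job.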
Features that are retired
- [Retired] None