Відео

That is correct. Synching the secret will make the secret accessible via the kube api, vs. not syncing which only makes it available within the pod. So, it isnt ideal to sync secrets and it should really only be done if using the volume mount alone isnt possible (ex. 3rd party solutions where you dont have code access). I'd argue that the best option is to use the Key Vault SDK directly where you can, as that also will set you up well for secure key release in confidential compute scenarios.

Custom VNET support is coming soon

We are currently working on the compatibility and expect this to be available sometime mid-2025 (estimate). You can follow the progress on this work item on our public roadmap: github.com/Azure/AKS/issues/4681

Yes of course. There are several open source projects that we will be highlighting for next few weeks. Including Istio, Kaito, Cilium, opencost and several more. Stay tuned here for all of that goodness!

During the Preview, AKS Automatic uses the same pricing as Standard, but we do have plans for a modified approach when this GA's. More details on that part to come. I'd be curious about what you mean by view/operate nodes? The goal is to abstract the infra as much as possible and any node management activities are either automated or available via the API/CLI/Portal/etc. There are some differences between AKS Automatic and GKE Autopilot. The most notable is that you can actually switch back and forth between AKS Automatic and Standard. It's just a separate SKU/flag and not a completely different offering. This allows customers to get started with Automatic as they are learning. If they have any need for custom configurations, they can just switch

The OSM project is archived and the OSM AKS add-on will soon be deprecated. We are advising customers to use the Istio add-on or migrate to it if they are not using it currently. Thanks!

Glad it was helpful!

We're working on this. Hopefully we will have it by GA

Awesome @TheDavidHoerster! Yes, this is experimental for now but do give it a try and reach out with any feedback!

Thanks for the feedback. Great idea on the Karpenter video. I’m reaching out to our PM on this to get something going!

Thanks for the good question. Automatic doesn’t quite scale to zero, but pretty close. There is still a system node pool needed for some base AKS system containers. These are fairly small, but not entirely zero. Automatic does use Node Autoprovision (Karpenter) and this will deploy nodes on-demand and re-balance as needed which will also help reduce resources. AKS also supports stop/start which could help depending on your use case. learn.microsoft.com/en-us/azure/aks/start-stop-cluster

@@theakscommunity Thank you for the answer 🙏. So, it is not exactly like GKE Autopilot (At google cloud), if I understand good, here you always pay for provisioned machines? (Where at google only consumed ressources, not at machine scale). Very interesting! I believe Azure Container Apps is more like GKE Autopilot than Automatic.

@@MrBrouilles It’s different in that we allow you to switch between AKS Automatic and Standard. But you won’t actually pay for the provisioned VM’s when this is GA. In the preview, the billing model looks like Standard, but we’re working on the per pod/usage based model for GA. Stay tuned.

@@MrBrouilles To be clear, I don’t think ACA is really like GKE Autopilot. It’s not a Kubernetes solution, so it’s more like a PaaS offering for microservices than any of the managed K8s services like AKS and GKE

@@theakscommunity thank you for your explanations 🙏

Thanks for that!

Private front-ends are on our roadmap. We can't provide an ETA at this time

​@@theakscommunitycan you link the roadmap so we can subscribe to changes?

This is in the works. I don't have any details on timing, but we will share on this channel as soon as we have a good idea

Please note that OSM has been archived by it's maintainers. openservicemesh.io/blog/osm-project-update We suggest following this guidance to move to the Istio add-on. learn.microsoft.com/en-us/azure/aks/open-service-mesh-istio-migration-guidance We would love to know if there are any obstacles or missing features that would prevent you from moving forward.

@@theakscommunity thanks a lot means osm is legacy now and istio is new solution do you know in AKS which one I should go

@@amitverma7545 We recommend the Istio Add-on for AKS. It's a managed offering, so we take care of the Istio control plane for you.

You have to go through Azure Policy to create your own policies that sync to Gatekeeper on the cluster. learn.microsoft.com/en-us/azure/aks/use-azure-policy#create-and-assign-a-custom-policy-definition

It's not supported in Gov Cloud today,, but it is in our plans. No ETA at this time, but we will be sure to share when we know more

Thanks for the question. AGC has been completely redesigned from the ground up to improve the performance of both the data plane and control plane. The video demonstrates the performance improvements for the control plane. A quick performance test against the frontend will yield improved results for the data plane as well. Please let us know how us that performing for you.

Sounds good. Please let us know how it goes.

The cluster management behavior shown in this video is GA yes. The dataplane part to place workload on member clusters via the hub's apiserver will GA shortly.

Hey @GK-rl5du, thanks for comment & great questions. I'll do my best to answer and let Yosh correct me if I'm off base. 1. Your understanding matches mine. I've been thinking about WASI as an API. And that API defines the interactions between WebAssembly modules and the host system. Much like syscalls do for the container runetimes like ContainerD. An interesting next step would be to dive into the component model. 2. Capabilities are indeed how the wasm module gets access to the host resources and without those it cannot reach the host. From what I've read and heard it’s supposed to be "sandboxed" but idk what's meant by that. I don't yet understand how the isolation is achieved and if the capability creates an isolated instance of the network interface, for example, or if it's shared. Or if even with an isolated instance if it'd be possible to tap other network interfaces. I'll dig into this and ask ppl smarter on the subject than myself and report back. :)

So, I just spoke with Yosh and here's what I learned. The implementation largely depends on the runtime and how it provides the "API" for the capability. But, all things considered it's isolated by the memory on the host machine that the wasm process is running. And all the data sent and received is locked into that address space. In theory, that shouldn't allow any cross contamination for a lack of a better work. However, that's where hyperlight comes in as a runtime and provides vm level isolation at the process level to ensure isolation.

@@joshduffney7954 thanks for all your efforts Josh 🙂 it's beginning to make sense to me. So, without capabilities based security from runtime and additional help from tech like Hyperlight, a wasm module is similar to an OS process (in terms of isolation/security)? My reasoning is, a vanilla OS process is also memory isolated from other OS processes due to the virtue of Virtual Memory. I'll do my own homework too to understand this better. But this is an interesting tech for sure 😊

Hey @joebuydem, thanks watching and subscribing. Glad to hear you found value in the conversation. More Wasm content is in the near future! :)