Techtips

Introduction of the issue [Update July 2023] This issue has been resolved and you should be able to create a Kubernetes resource targeting Azure Kubernetes Service in Azure DevOps Environments in the same way as before. Official documentation has been updated with additional details: Kubernetes resource With release of Kubernetes version 1.24 a new feature gate has come to life which is called LegacyServiceAccountTokenNoAutoGeneration, and it is enabled by default. What this feature does is that Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. You can read more details about this change in release notes: CHANGELOG-1.24 ...

Let’s start today’s tech tip by identifying what a Kubernetes Context is. Kubernetes Context, which is also known as kubectl context, represents a Kubernetes cluster that kubectl command-line tool is currently targeting. You decide which Kubernetes cluster to set as active by modifying currently active context with kubectl config use-context <cluster_name> command. All the configured and available Kubernetes contexts are stored in a kubeconfig file. Kubeconfig file contains a collection of properties for every Kubernetes cluster that respective client is connected to - properties such as Kubernetes cluster name, authentication mechanisms, user/service account, etc. This information is used by kubectl command-line tool to connect to the API server of the respective cluster once it’s set as the active Kubernetes context. ...

Linting tools, aka linters, can help you write better and cleaner code early in the software development lifecycle. Linter is a tool that scans existing and new code for potential errors, bad and insecure patterns and violations of the respective programming language best practices. In most cases you can install a linter as an IDE extension so that you can get notified about potential issues during local development, long before the code is checked in to your source code base. ...

⚠️ Please note that the HTTP Application routing add-on for AKS is now deprecated and will be retired on 3rd of March, 2025. Normally if you were to expose an application running in AKS for external access, you would need multiple bits and pieces to be deployed and configured: Ingress Controller to ensure proper traffic routing and load balancing in an AKS cluster; Certificate management solution for automatic obtaining, provisioning, renewing and using of TLS certificates for applications running in AKS clusters; DNS zone and respective DNS records to expose applications on a specific URL for external access; This can be quite a lot to set up and will in some cases be an overhead for dev/test or playground AKS clusters. That’s when HTTP Application Routing add-on can help you out and do all this work for you! 🚀 ...

One day I was going through Azure Policies for Kubernetes and suddenly saw an alert related to the following policy for one of the AKS clusters: Kubernetes clusters should not grant CAP_SYS_ADMIN security capabilities. What this basically means is that you shouldn’t have any accounts in your cluster that have been assigned a ClusterRole or Role with CAP_SYS_ADMIN capabilities. CAP_SYS_ADMIN is a capability that is available in Linux. It provides a very privileged level of permissions that allows an account that has this capability to perform a range of system administration operations which can potentially be harmful and damaging for the whole system. You can read more about this capability here: capabilities(7) — Linux manual page. ...