Azure Kubernetes Service

Overview

This section presents some pointers on setting up and managing a Kubernetes cluster tailored for WorkflowGen in Azure.

Creating a new cluster

To create a new cluster that supports Linux and Windows workloads, see the Deploy a Windows Server container on an Azure Kubernetes Service (AKS) cluster using Azure CLI Microsoft article, which includes step-by-step instructions on how to create the cluster. Follow all the instructions, including creating a Windows node pool. At the end, you should have at least two nodes: a Linux node and a Windows node.

You can use Microsoft Entra ID (formerly Azure Active Directory) to authenticate and authorize users in the cluster. See the Integrate Microsoft Entra ID with Azure Kubernetes Service (AKS) using the Azure CLI (legacy) Microsoft article for more information.

It's only possible to integrate Microsoft Entra ID with the creation of a new cluster.

Managing Windows and Linux nodes

By default, AKS doesn't restrict further Windows nodes from preventing Linux deployment on them. It's recommended to use taints and tolerations to avoid problems with Linux deployment being scheduled to Windows nodes. The following is an example of how you can use taints and tolerations to manage hybrid deployments.

Taint all Windows nodes

Tainting all Windows nodes will prevent any deployment to Windows nodes from being scheduled except when it has the required toleration. Therefore, for many Linux Helm charts that don't have a node selector, the deployments to Linux nodes will automatically be scheduled. Google Kubernetes Engine does this by default. Execute the following command to taint a Windows node:

kubectl taint nodes "<NODE_NAME>" os=windows:NoSchedule

Replace <NODE_NAME> with the name of the Windows node.

Add tolerations to Windows deployments

To be able to deploy Windows pods to Windows nodes, you have to use a combination of tolerations and node selectors in your deployment specification. For example, consider this WorkflowGen deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: wfgen-webapps
spec:
  replicas: 3
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: workflowgen
      app.kubernetes.io/component: webapps
  template:
    metadata:
      labels:
        app.kubernetes.io/name: workflowgen
        app.kubernetes.io/component: webapps
    spec:
      containers:
        - name: wfgen
          image: advantys/workflowgen:7.18.3-win-ltsc2019
          imagePullPolicy: Always
          resources:
            requests:
              memory: "2Gi"
              cpu: "1"
            limits:
              memory: "2Gi"
              cpu: "1"
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
          envFrom:
            - configMapRef:
                name: wfgen-config
          env:
            - name: WFGEN_START_SERVICE
              value: webapps
          livenessProbe:
            periodSeconds: 30
            timeoutSeconds: 5
            initialDelaySeconds: 60
            exec:
              command:
                - powershell
                - C:\healthcheck.ps1
          livenessProbe:
            timeoutSeconds: 5
            initialDelaySeconds: 60
            exec:
              command:
                - powershell
                - -Command
                - if (Test-Path "C:\iislog\W3SVC\*log") { return 0 } else { return 1 }
          volumeMounts:
            - mountPath: C:\wfgen\data
              name: wfgdata
            - mountPath: C:\wfgen\licenses
              readOnly: true
              name: licenses
            - mountPath: C:\secrets
              readOnly: true
              name: secrets
      volumes:
        - name: wfgdata
          persistentVolumeClaim:
            claimName: wfgdata-pvc
        - name: licenses
          secret:
            secretName: wfgen-license-secret
            items:
              # The following must match the name of the license item in 
              # the license secret, e.g. the name of the license file
              - key: WorkflowGen.lic
                path: WorkflowGen.lic
        - name: secrets
            secret:
              secretName: wfgen-sec

In order for it to be scheduled to a Windows node, you would have to add the following to the template's spec:

nodeSelector:
  kubernetes.io/os: windows
tolerations:
  - key: os
    operator: Equal
    value: windows
    effect: NoSchedule

This adds a toleration for the taint that you've just added to the node and tells the Kubernetes scheduler to select a Windows node when scheduling the WorkflowGen pods.

You can also simplify this by creating a RuntimeClass object that holds this information and referencing the runtime class in your Windows deployments:

windows-runtimeclass.yaml
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: windows-1809
handler: 'docker'
scheduling:
  nodeSelector:
    kubernetes.io/os: 'windows'
    kubernetes.io/arch: 'amd64'
    node.kubernetes.io/windows-build: '10.0.17763'
  tolerations:
  - key: os
    operator: Equal
    value: windows
    effect: NoSchedule

Apply this file:

kubectl apply -f windows-runtimeclass.yaml

Then, add the following to the template's spec:

runtimeClass: windows-1809

As you can see, this RuntimeClass also ensures that the deployment will be on a Windows LTSC 2019 (1809) node.

Managing node updates

There are two things that you must consider for update management: the Kubernetes version and the operating system update. For information on upgrading the cluster to a specific Kubernetes version, see Upgrade an Azure Kubernetes Service (AKS) cluster.

Applying security patches and updating operating systems differ for Linux and Windows nodes. To get started with operating system updates, see Apply security and kernel updates to Linux nodes in Azure Kubernetes Service (AKS) for more information. (Don't worry about the title of the article; there's a paragraph about Windows updates in it.)

Automatically scaling node pools

You can use an autoscaler in AKS to automatically scale up the number of nodes in your cluster based on rules to keep up with demands. See Automatically scale a cluster to meet application demands on Azure Kubernetes Service (AKS) for more information. This feature pairs well with the Kubernetes horizontal pod autoscaler. See Horizontal Pod Autoscaler for more information.

You can also use Azure Container Instances to quickly scale up your cluster for a short period of time. See Scaling options for applications in Azure Kubernetes Service (AKS) for more information.

Last updated