Research for industry use-cases of Azure Kubernetes Service

Ritik Raj
11 min read · Mar 20, 2021

Basics of Kubernetes

As application development moves towards a container-based approach, the need to orchestrate and manage resources becomes important. Kubernetes is the leading platform for reliable scheduling of fault-tolerant application workloads. Azure Kubernetes Service (AKS) is a managed Kubernetes offering that further simplifies container-based application deployment and management.

Basic benefits of Kubernetes include:

  • Run distributed systems resiliently
  • Automatically mount a storage system
  • Automated rollouts and rollbacks
  • Self-healing
  • Secret and configuration management

Key Terms

API Server: Exposes the Kubernetes API. This is how management tools (and every other cluster component) interact with the cluster.

Controller Manager: Watches the state of the cluster through the API server and, when necessary, makes changes to move the current state towards the desired state.

Etcd: Highly available key-value store that holds the cluster state. Anyone who can read it can read every Secret, so it must be protected as strictly as the API server itself.

Scheduler: Assigns unscheduled pods to nodes, choosing the node best suited to run each pod.

Node: A physical or virtual machine on which Kubernetes runs your containers.

Kube-proxy: A network proxy on each node that forwards traffic for Kubernetes Services to their backend pods.

Pods: One or more containers deployed and scheduled together as a unit. Containers in a pod share the same network namespace and can share storage volumes.

Kubelet: The agent on each node that processes orchestration requests and starts the pods the scheduler has assigned to that node.

Why Use Kubernetes?

When running containers in a production environment, containers need to be managed to ensure they are operating as expected and that there is no downtime.

  • Container Orchestration: Without container orchestration, if a container went down and stopped working, an engineer would need to notice the failure and manually start a new one. Kubernetes handles this automatically: it provides a robust declarative framework to run your containerized applications and services resiliently.
  • Cloud Agnostic: Kubernetes has been designed and built to be used anywhere (public, private or hybrid clouds).
  • Prevents Vendor Lock-In: Your containerized application and Kubernetes manifests will run the same way on any platform with minimal changes.
  • Increased Developer Agility and Faster Time-to-Market: Spend less time scripting deployment workflows and focus on developing. Kubernetes provides a declarative configuration that allows engineers to define how their service is to be run; Kubernetes then ensures the desired state of the application is maintained.
  • Cloud Aware: Kubernetes understands and supports various clouds such as Google Cloud, Azure and AWS. This allows Kubernetes to instantiate public cloud resources such as instances, VMs, load balancers, public IPs, storage, etc.

Basics of Azure Kubernetes Services

Azure Kubernetes Service (AKS) is a fully-managed service that allows you to run Kubernetes in Azure without having to manage your own Kubernetes clusters. Azure manages all the complex parts of running Kubernetes, and you can focus on your containers. Basic features include:

  • Pay only for the nodes (VMs)
  • Easier cluster upgrades
  • Integrated with various Azure and OSS tools and services
  • Kubernetes RBAC and Azure Active Directory Integration
  • Enforce rules defined in Azure Policy across multiple clusters
  • Scale your nodes automatically with the cluster autoscaler
  • Burst beyond your node capacity by scheduling containers on Azure Container Instances (virtual nodes)

Azure Kubernetes Best Practices

Cluster Multi-Tenancy

  • Logically isolate teams and projects within a cluster to minimize the number of physical AKS clusters you deploy
  • A namespace provides a logical boundary inside a Kubernetes cluster for resources, RBAC and quotas
  • The same hub-and-spoke best practices apply, but you implement them within the Kubernetes cluster itself

Scheduling and Resource Quotas

  • Enforce resource quotas — Plan out and apply resource quotas at the namespace level
  • Plan for availability
  • Define pod disruption budgets
  • Limit resource-intensive applications — Apply taints and tolerations to constrain resource-intensive applications to specific nodes
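The three practices above applied to one team namespace, as an added example that is not part of the original article: a ResourceQuota caps what the namespace can request, a PodDisruptionBudget keeps the web app available while nodes are drained, and a toleration plus node selector confine a heavy batch job to a tainted node pool. The namespace, workload names, images and numbers are illustrative assumptions, as is the `workload=heavy` taint and label on the node pool.

```yaml
# Added example (not from the original article). Names, images and sizes are
# assumptions; the "heavy" node pool is assumed to carry both the taint
# workload=heavy:NoSchedule and the label workload=heavy.
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
---
# Quota on the namespace: the sum of all pods' requests/limits may not exceed
# these values, and pods that omit requests/limits are rejected unless a
# LimitRange supplies defaults.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: team-a-quota
  namespace: team-a
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
---
# Keep at least 2 "web" replicas running during voluntary disruptions such as
# the cordon/drain of an AKS node upgrade. (Use policy/v1beta1 on clusters
# older than Kubernetes 1.21.)
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: web-pdb
  namespace: team-a
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: web
---
# Resource-intensive job: the toleration lets it land on tainted "heavy" nodes
# and the nodeSelector makes sure it goes nowhere else. Untainted workloads
# such as the web app never get scheduled onto the heavy pool.
apiVersion: batch/v1
kind: Job
metadata:
  name: batch-etl
  namespace: team-a
spec:
  template:
    spec:
      restartPolicy: Never
      tolerations:
      - key: workload
        operator: Equal
        value: heavy
        effect: NoSchedule
      nodeSelector:
        workload: heavy
      containers:
      - name: etl
        image: example.azurecr.io/etl:1.0   # assumed image
        resources:
          requests: { cpu: "4", memory: 8Gi }
          limits:   { cpu: "4", memory: 8Gi }
```

Apply the file with kubectl and then try to create a pod in team-a without resource requests: the quota admission controller rejects it, which is the intended forcing function for teams to size their workloads. Keep the PDB's minAvailable below the replica count, or a drain can never complete and upgrades will stall.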

Cluster Security

Azure AD and Kubernetes RBAC integration

  • Bind your Kubernetes RBAC roles with Azure AD Users/Groups
  • Grant your Azure AD users or groups access to Kubernetes resources within a namespace or across a cluster
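What a binding between Kubernetes RBAC and Azure AD groups looks like, as an added example that is not part of the original article: one Azure AD group gets the built-in edit ClusterRole scoped to a single namespace through a RoleBinding, and a second group gets cluster-wide read-only access through a ClusterRoleBinding. The group object IDs and names are placeholder assumptions; in Kubernetes RBAC an Azure AD group is referenced by its object ID, not its display name.

```yaml
# Added example (not from the original article). Group object IDs are
# placeholders; replace them with the real Azure AD group object IDs.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-developers-edit
  namespace: team-a
subjects:
- kind: Group
  name: 00000000-0000-0000-0000-000000000001   # Azure AD group object ID (placeholder)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: edit      # built-in role; the RoleBinding scopes it to team-a only
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sre-readonly
subjects:
- kind: Group
  name: 00000000-0000-0000-0000-000000000002   # Azure AD group object ID (placeholder)
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view      # read-only across every namespace
  apiGroup: rbac.authorization.k8s.io
```

Apply this with a cluster-admin identity. Members of the first group who sign in through Azure AD can then create and modify resources in team-a but nothing outside it, and the second group can read but never write. Note that the built-in edit role can read Secrets in its namespace, so do not hand it out where that is not intended; create a narrower Role instead.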

Kubernetes Cluster Updates

  • Kubernetes releases updates at a quicker pace than more traditional infrastructure platforms. These updates usually include new features, and bug or security fixes.
  • AKS supports four minor versions of Kubernetes
  • Upgrading an AKS cluster is as simple as executing a single Azure CLI command. AKS performs a graceful upgrade by safely cordoning and draining old nodes to minimize disruption to running applications. Once the new nodes are up and the containers are running on them, AKS deletes the old nodes.

Node Patching

Linux

AKS automatically checks for kernel and security updates nightly and installs them on Linux nodes when they are available. If a reboot is required, AKS does not reboot the node automatically. The recommended practice is to run kured (Kubernetes Reboot Daemon), which watches for the /var/run/reboot-required file that the package manager creates when a reboot is needed, then cordons and drains the node and reboots it during a predefined maintenance window.
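An abbreviated kured DaemonSet that implements the scheduled reboot described above, as an added example that is not part of the original article. It reboots only when the sentinel file exists, at most one node at a time (kured's default lock), and only on weeknights between 01:00 and 05:00 UTC. The image tag, the time window and the time zone are assumptions; the ServiceAccount, ClusterRole and ClusterRoleBinding that kured needs come from the upstream kured manifest and are omitted here.

```yaml
# Added example (not from the original article). Image tag and reboot window
# are assumptions; the kured ServiceAccount and RBAC objects from the upstream
# manifest must already exist in kube-system.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kured
  namespace: kube-system
spec:
  selector:
    matchLabels:
      name: kured
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        name: kured
    spec:
      serviceAccountName: kured
      hostPID: true                   # needed to trigger the reboot on the host
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      containers:
      - name: kured
        image: weaveworks/kured:1.6.1   # assumed tag; pin the release you vetted
        imagePullPolicy: IfNotPresent
        securityContext:
          privileged: true              # rebooting the host requires this
        env:
        - name: KURED_NODE_ID
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName  # kured cordons/drains its own node by name
        command:
        - /usr/bin/kured
        - --reboot-sentinel=/var/run/reboot-required   # file AKS patching leaves behind
        - --period=1h                                 # how often to check the sentinel
        - --reboot-days=mon,tue,wed,thu,fri
        - --start-time=01:00
        - --end-time=05:00
        - --time-zone=UTC
```

Match the DaemonSet to the manifest shipped with the kured release you pin: newer releases also mount the host's /var/run through a hostPath volume and point --reboot-sentinel at that mount. Because this pod is privileged, restrict who can edit objects in kube-system; anyone who can change this DaemonSet can run arbitrary code as root on every node.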

Windows

The process for patching Windows nodes is slightly different. Patches aren’t applied daily like Linux nodes. Windows nodes must be updated by performing an AKS upgrade which creates new nodes on the latest base Windows Server image and patches.

Pod Identities

If your containers require access to the Azure Resource Manager (ARM) API, there is no need to bake in fixed credentials that must be rotated periodically. Azure's pod identity solution (AAD Pod Identity) can be deployed to your cluster so that your containers dynamically acquire tokens for Azure APIs and services through Managed Identities (marked Azure MSI in the original diagram). Microsoft has since deprecated AAD Pod Identity in favour of Azure AD Workload Identity, which federates Kubernetes service account tokens with Azure AD instead of intercepting metadata-endpoint traffic.

Limit container access

Avoid creating applications and containers that require escalated privileges or root access. Run containers as a non-root user, drop the Linux capabilities they do not need, and disallow privilege escalation so that a compromised process cannot gain more rights than it started with.
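The same Deployment before and after applying least-privilege container settings, as an added example that is not part of the original article. The first manifest is what most teams ship by default: the container runs as whatever user the image defines (often root), may gain privileges via setuid binaries, and has a writable root filesystem. The second runs as a fixed non-root UID, drops every capability, forbids privilege escalation and makes the root filesystem read-only with a tmpfs for scratch files. The image name and UID are assumptions.

```yaml
# Added example (not from the original article). Image and UID are assumptions.
# --- BEFORE: no securityContext at all ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-unhardened
spec:
  replicas: 1
  selector: { matchLabels: { app: web-unhardened } }
  template:
    metadata: { labels: { app: web-unhardened } }
    spec:
      containers:
      - name: web
        image: example.azurecr.io/web:1.0
        ports: [{ containerPort: 8080 }]
---
# --- AFTER: least privilege ---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web
spec:
  replicas: 1
  selector: { matchLabels: { app: web } }
  template:
    metadata: { labels: { app: web } }
    spec:
      automountServiceAccountToken: false   # app never talks to the API server
      securityContext:
        runAsNonRoot: true                  # kubelet refuses to start a root container
        runAsUser: 10001
        runAsGroup: 10001
        fsGroup: 10001
        seccompProfile: { type: RuntimeDefault }
      containers:
      - name: web
        image: example.azurecr.io/web:1.0
        ports: [{ containerPort: 8080 }]    # unprivileged port, so no NET_BIND_SERVICE
        securityContext:
          allowPrivilegeEscalation: false   # no setuid/ambient capability gain
          readOnlyRootFilesystem: true
          capabilities: { drop: ["ALL"] }
        volumeMounts:
        - { name: tmp, mountPath: /tmp }    # the only writable path
      volumes:
      - { name: tmp, emptyDir: {} }
```

If the image still needs to write somewhere else (a cache directory, a PID file), add another emptyDir mount rather than turning readOnlyRootFilesystem off. To make these settings mandatory instead of optional, enforce them cluster-wide with Azure Policy for AKS or a Pod Security admission policy.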

Monitoring

As AKS is already integrated with other Azure services, you can use Azure Monitor to monitor containers in AKS.

  • Toggle-based implementation: can be enabled after the fact or enforced via Azure Policy
  • Multi-cluster and cluster-specific views
  • Integrates with Log Analytics
  • Ability to query historic data
  • Analyze your Cluster, Nodes, Controllers, and Containers
  • Alert on Cluster & Container performance by writing customizable Log Analytics search queries
  • Integrate Application logging and exception handling with Application Insights

Real-Life Example

Logicworks is a Microsoft Azure Gold Partner that helps companies migrate their applications to Azure. In the example below, one of our customers was looking to deploy and scale their public-facing web application on AKS to solve the following business use cases:

  • Achieve portability across on-prem and public clouds
  • Accelerate containerized application development
  • Unify development and operational teams on a single platform
  • Take advantage of native integration into the Azure ecosystem to easily achieve:
      • Enterprise-grade security
          • Azure Active Directory integration
          • Track, validate, and enforce compliance across the Azure estate and AKS clusters
          • Hardened OS images for nodes
      • Operational excellence
          • Achieve high availability and fault tolerance through the use of availability zones
          • Elastically provision compute capacity without needing to automate and manage the underlying infrastructure
          • Gain insight into and visibility of your AKS environment through automatically configured control plane telemetry, log aggregation, and container health

The customer's architecture includes many of the common best practices needed to meet the customer's business and operational requirements:

Cluster Multi-Tenancy

SDLC environments are split across two clusters, isolating production from lower environments such as dev and stage. Within each cluster, namespaces provide the same operational benefits while saving cost and operational complexity compared with deploying one AKS cluster per SDLC environment.

Scheduling and Resource Quotas

Since multiple SDLC environments and other applications share the same cluster, scheduling rules and resource quotas must be established to ensure applications and the services they depend on get the resources required for operation. Combined with the cluster autoscaler, this ensures that applications get the resources they need, with compute infrastructure scaled out when demand rises and scaled back in when it falls.

Azure AD integration

Leverages Azure AD to authenticate and authorize users performing CRUD (create, read, update, delete) operations against AKS clusters. AAD integration makes it convenient to unify the two layers of authentication (Azure and Kubernetes) and to give the right personnel exactly the level of access their responsibilities require, following the principle of least privilege.

Pod Identities

Instead of hardcoding static credentials in our containers, Pod Identity is deployed into the default namespace and dynamically assigns Managed Identities to the appropriate pods, selected by a label. This gives our example application the ability to write to Cosmos DB and our CI/CD pipelines the ability to deploy containers to the production and stage clusters.
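The label-driven binding described in both Pod Identities sections above, as an added example that is not part of the original article: an AzureIdentity pointing at a user-assigned managed identity, an AzureIdentityBinding with a selector, and a Deployment whose pods carry the aadpodidbinding label that matches that selector. These CRDs belong to AAD Pod Identity (since deprecated in favour of Azure AD Workload Identity). The subscription, resource group, identity name, client ID and image are placeholder assumptions.

```yaml
# Added example (not from the original article). Resource IDs, client ID and
# image are placeholders. Requires AAD Pod Identity (NMI + MIC) to be installed
# in the cluster and the managed identity to exist in Azure.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: app-cosmos-identity
  namespace: default
spec:
  type: 0                 # 0 = user-assigned managed identity
  resourceID: /subscriptions/<sub-id>/resourcegroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-cosmos
  clientID: 00000000-0000-0000-0000-000000000003
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: app-cosmos-binding
  namespace: default
spec:
  azureIdentity: app-cosmos-identity
  selector: app-cosmos    # pods labelled aadpodidbinding=app-cosmos get this identity
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  namespace: default
spec:
  replicas: 2
  selector: { matchLabels: { app: app } }
  template:
    metadata:
      labels:
        app: app
        aadpodidbinding: app-cosmos   # the label is the only link to the identity
    spec:
      containers:
      - name: app
        image: example.azurecr.io/app:1.0   # assumed image; uses the Azure SDK
                                            # default credential chain to get tokens
```

At runtime the NMI DaemonSet intercepts the pod's calls to the instance metadata endpoint and returns a token for the bound identity, so the application code needs no secret at all. The identity still needs an Azure role assignment on the target resource (here a data-plane role on the Cosmos DB account). Because the binding is driven purely by a pod label, anyone who can create pods in the namespace can assume the identity: restrict pod creation in that namespace accordingly.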

Ingress Controller

Ingress controllers bring traffic into the AKS cluster by creating ingress rules and routes, providing application services with reverse proxying, traffic routing/load balancing, and TLS termination. This allows us to evenly distribute traffic across our application services to ensure scalability and meet reliability requirements.

Monitoring

Naturally, monitoring the day-to-day performance and operations of our AKS clusters is key to maintaining uptime and proactively solving potential issues. Using AKS’ toggle-based implementation, application services hosted on the AKS cluster can easily be monitored and debugged using Azure Monitor.

Use Case of AKS

The lending industry in India has long been dependent on traditional processes for business development, data acquisition, verification, and validation. This meant cumbersome processes that required many personal visits and ultimately led to the underutilization of time and resources.

Paisabazaar was already in the process of digitizing lending processes when COVID-19 hit India. The pandemic accelerated the company’s endeavour to digitally replicate its end-to-end lending process to create a seamless remote experience for both customers and lenders. The company was able to achieve this through the creation of a digital stack — Paisabazaar Stack — that disburses loans and issues credit cards using Microsoft Azure, AI Builder, Azure Machine Learning, Azure Cognitive Services, and Azure Kubernetes Service (AKS).

Paisabazaar was founded in 2014 to make personal finance easy and convenient. The platform simplifies personal finance for its customers through technology-driven innovations. As one of India’s foremost marketplaces for financial products, the company has more than 130 partners and has served over 22 million customers across 1,250 cities and towns within the country. It is also India’s largest marketplace for lending products and one of the fastest-growing fintech firms with a compound annual growth rate of more than 80 per cent.

Overcoming physical restrictions to meet changing needs

Paisabazaar was in the process of developing digital systems to serve the needs of the lending market when COVID-19 hit. It aimed to simplify complex financial processes by making them digital to match buyers with lenders and make the lending process more seamless.

However, certain regulatory requirements and traditional practices stood in the way. Traditional lending processes were largely dependent on physical visits to verify customers’ incomes and employment, and it required physical checks. This data was also prone to human errors.

“With the pandemic-induced lockdown, one of the most highly impacted industries was lending. This happened because almost the entire industry was largely underprepared in terms of having the digital infrastructure to tackle a situation where there are complete restrictions on physical movements. It has become amply clear that the future of lending is in completely paperless and presence-less loans,” says Mukesh Sharma, CTO, Paisabazaar.

The company had been trying to create a digital ecosystem for lending partners, banks, and non-banking financial companies (NBFCs). But when COVID-19 struck, digitization became a critical need as physical contact was limited. As a technology-driven fintech firm, Paisabazaar started to digitally recreate the fundamental process of lending, encompassing the complete end-to-end value chain, through a stack. Microsoft was the preferred choice for this project as Paisabazaar had been using Azure for two years and believed in the capabilities of Microsoft products to empower organizations through technology infrastructure.

Embracing a new normal through digitization

COVID-19 gave a push to presence-less lending and during this period, Paisabazaar enabled end-to-end, digital processes. By working with partner banks, customers can now procure loans through the Paisabazaar platform, with disbursals taking place within 24 hours.

The company implemented several Microsoft solutions to make this possible:

  • KYC verification: The digital KYC module is part of the Paisabazaar Stack. It includes KYC verification and video KYC that uses Cognitive Services. The applicants can verify their identities, locations, and liveness, which ensures that they are real people and not bots.
  • Income and employment validation: The income of the applicant is validated, and employment is verified digitally by the stack. Bank statements are analyzed digitally using AI to determine the financial health and provide results to Paisabazaar’s lending partners. This enables faster decision making, and customers can provide self-attested proof of income, such as bank statements and salary slips, digitally.
  • Repayment agreements: Paisabazaar uses the stack to fast track the National Automated Clearing House process, streamline verification of bank account details, and set up repayment instructions through the digital mandate on behalf of its partner lenders.

Chance of Approval is a feature Paisabazaar developed long before COVID-19, using Azure Kubernetes Service. It enables the company to use a predictive algorithm model to provide customized lending solutions. It matches factors from a customer’s profile, such as income, credit score, or age, with the various lending criteria of different lenders, and shows the customer the odds of getting the application approved.

The lending industry’s supply in the first quarter of 2020 had become almost negligible, but the company used this time to ideate, develop, and implement the stack to become ready for the future.

Transforming lending with an end-to-end digitization stack

By July, the company started having conversations with its partners, and lending became easier, as they too were looking for digital solutions. Paisabazaar was ready with a solution, which made it easier for its partners to resume business. The company received very favourable responses from the lenders and was able to drive adoption of the platform with its partners.

“We are seeing very encouraging signs across all our products and are moving the chain forward and educating the customers on the new process,” says Gaurav Aggarwal, Director & Head of Unsecured Loans, Paisabazaar.

The company now offers its entire end-to-end digitization stack to banks and NBFCs on its platform. In the fourth quarter of 2020, the company is working to get back to pre-COVID business numbers. The responses from customers, as well as partners, have been overwhelming. According to Aggarwal, the benefits of the stack extend far beyond its role as a countermeasure against COVID-19. The real win for the company is the change the stack has brought to the traditional lending ecosystem.

Sharma adds, “Our philosophy at Paisabazaar is to make financial transactions, and the interactions around them, easy and convenient. We see technology, along with data, as a great enabler towards that goal. Our work with Microsoft has helped us bring industry-leading initiatives to end customers. We will continue to work with Microsoft to come up with technology-led solutions to bring ease to the customer’s lives.”
