Azure Kubernetes Service
This deployment guide shows you how to set up an Azure Kubernetes Service (AKS) cluster on which Coder can deploy.
Prerequisites
You must have an Azure account and paid subscription.
Please make sure that you have the
Azure CLI
installed on your machine and that you've logged in (run az login
and follow
the prompts).
Node Considerations
The node type and size that you select impact how you use Coder. When choosing, be sure to account for the number of developers you expect to use Coder, as well as the resources they need to run their workspaces. See our guide on on compute resources for additional information.
If you expect to provision GPUs to your Coder workspaces, you must use an Azure Virtual Machine with support for GPUs. See the Azure documentation for more information.
GPUs are not supported in workspaces deployed as container-based virtual machines (CVMs) unless you're running Coder in a bare-metal Kubernetes environment.
Pod IP Addresses
By default, AKS clusters use kubenet, and a virtual network and subnet are created for you. With kubenet, nodes get an IP address from a virtual network subnet. Network address translation (NAT) is then configured on the nodes, and pods receive an IP address "hidden" behind the node IP. This approach reduces the number of IP addresses that you need to reserve in your network space for pods to use.
Alternatively with Azure Container Networking Interface (CNI), every pod gets an IP address from the subnet and can be accessed directly.
Step 1: Create the resource group
To make subsequent steps easier, start by creating environment variables for the resource group and location that will host your cluster:
RESOURCE_GROUP="<MY_RESOURCE_GROUP_NAME>" LOCATION="<MY_AZURE_LOCATION>"
Create a resource group:
az group create \
--resource-group "$RESOURCE_GROUP" \
--location "$LOCATION"
If this is successful, Azure returns information about your resource group. Pay
attention to the id
field:
"id": "/subscriptions/3afe...d2d/resourceGroups/coderdocs"
You will need the hash provided (i.e., 3afe...d2d
) when creating your cluster.
Step 2: Create the Azure Kubernetes Service cluster
Set two additional environment variables for your cluster name and subscription ID:
CLUSTER_NAME="<MY_CLUSTER_NAME>" SUBSCRIPTION="<MY_SUBSCRIPTION_SHA>"
At this point, you're ready to create your cluster. Please note that:
- You may have to run
az extension add --name aks-preview
- You may need to create a service principal manually using
az ad sp create-for-rbac --skip-assignment
, then setting the--service-principal
and--client-secret
flags - The sample script creates a
Standard_B8ms
instance; depending on your needs, you can choose a larger size instead. See requirements for help estimating your cluster size.
To create the Azure Kubernetes Service Cluster:
az aks create \
--name "$CLUSTER_NAME" \
--resource-group "$RESOURCE_GROUP" \
--subscription "$SUBSCRIPTION" \
--generate-ssh-keys \
--enable-addons http_application_routing \
--enable-cluster-autoscaler \
--location "$LOCATION" \
--max-count 10 \
--min-count 2 \
--node-vm-size Standard_B8ms \
--network-plugin "kubenet" \
--network-policy "azure"
Both options include the use of the
--network-policy "azure"
flag, which creates a Calico cluster. See Network Policies for more information.
This process might take some time (~5-20 minutes), but if you're successful, Azure returns a JSON object with your cluster information.
Step 3: Configure kubectl to point to the cluster
After deploying your AKS cluster, configure kubectl to point to your cluster:
az aks get-credentials --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP"
You should get a message similar to the following if this is successful:
Merged "<YOUR_CLUSTER_NAME>" as current context in /Users/<YOUR_USER>/.kube/config
Access control
You can configure AKS to use both Azure Active Directory (AD) and Kubernetes Role-Based Access Control (RBAC) to limit access to cluster resources based on the user's identity or group membership. You can create groups and users in AD, then define roles to assign to users with role bindings via RBAC.
For more information, see: