Category Archives: Azure

Kubernetes and Container Registry

In this blog we are going to show how to set up an Azure Kubernetes Cluster, an Azure Container Registry and run a container on AKS.

I’m presuming we all know what Kubernetes is, because going into that subject will take a few extra episodes of the blog. For more information take a look at the following:
AKS Documentation
ACR Documentation

In this blog we are going to create everything from scratch to setup a new Container Registry and a Kubernetes Cluster.

We need the following items.

  • Resource group
  • Key Vault
  • Service Principle
  • Container Registry
  • Kubernetes Cluster
  • Docker image

We also need to following software installed:
if you have AZ CLI tools installed you can do this via:

az aks install-cli

otherwise it can be downloaded from:

DOCKER Desktop
Can be downloaded from

In the code we’ll be using the newer AZ commands instead of AzureRM. The ARM templates that are used are mostly the default ones provided by Microsoft but we’ve added that creation of some default tags to it.
The ARM templates and source code for this blog can be downloaded from:

First connect to your subscription

$Cred = Get-Credential  
Connect-AzAccount -SubscriptionId "[your sub id]" -Credential $Cred

Now we set some default parameters:

$ResourceGroupName        = 'rdk-akstest'
$ResourceGroupLocation    = 'WestEurope'
$ServicePrincipalName     = 'AKSClusterDemo'
$KeyVaultName             = 'AKSKeyVaultRDK'
$ClusterName              = 'rdkakscluster'
$Owner                    = 'Rex de Koning'
$RegistrySKU              = 'Basic'
$RegistryName             = 'methosregistry'
$DockerEmail              = ''
$AgenVMSize               = 'Standard_DS2_v2'
$KubernetesVersion        = '1.12.8'
$NetworkPlugin            = 'kubenet'
$AgentCount               = 1
$Tags =  @{ Owner="$Owner" };
$ServicePrincipalName += $ResourceGroupName

First we make sure our Resource Group exists:

#Create resource group
$resourceGroup = Get-AzResourceGroup -Name $ResourceGroupName -ErrorAction SilentlyContinue
if(!$resourceGroup) {
    New-AzResourceGroup -Name $resourceGroupName -Location $ResourceGroupLocation -Tag $Tags

After this we create our KeyVault:

$keyVault = Get-AzKeyVault -VaultName $KeyVaultName -Tag $Tags
if (!$keyVault) {
    $keyVault = New-AzKeyVault -VaultName $KeyVaultName -ResourceGroupName $ResourceGroupName -Location $ResourceGroupLocation -EnabledForTemplateDeployment -Tag $Tags

When we have the KeyVault we can create our service principle and store the data in our KeyVault.

In this demo we create a serviceprincipal without defining any fine-grained roles and/or rights. By only supplying the Displayname a serviceprinciple without any specific rights is created and an ApplicationID is generated.

$servicePrincipal = Get-AzADServicePrincipal -DisplayName $ServicePrincipalName
if (!$servicePrincipal) {
    $servicePrincipal = New-AzADServicePrincipal -DisplayName $ServicePrincipalName
    $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($servicePrincipal.Secret)
    $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
    Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $servicePrincipal.ApplicationId -SecretValue $servicePrincipal.Secret -Tag $Tags
    $ServicePrincipalSecret = $result
} else {
    $ServicePrincipalSecret = (Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $servicePrincipal.Id).SecretValueText

We can now create our Container Registry, this will also return the admin credentials that are created, and we also store those in our KeyVault:

$CRSParameters = @{
    "registryName"     = $RegistryName
    "registryLocation" = $ResourceGroupLocation
    "registrySku"      = $RegistrySKU
    "adminUserEnabled" = $true
$UserName = ""
$Password = ""
$Server = ""
$CRSDeploy = New-AzResourceGroupDeployment -Name "Deployment" -ResourceGroupName $ResourceGroupName -TemplateFile .\crs.json -TemplateParameterObject $CRSParameters #-Verbose 
$CRSDeploy.Outputs.GetEnumerator() | ForEach-Object {
    $myObject = $_
    switch($_.Key) {
        "registryUsername" { $UserName = $myObject.value.Value; break }
        "registryPassword" { $Password = $myObject.value.Value; break }
        "registryServer"   { $Server   = $myObject.value.Value; break }
        default { break }

$Password = ConvertTo-SecureString -String $Password -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $KeyVaultName -Name $UserName -SecretValue $Password -Tag $Tags

Now we can create our AKS cluster. For this demo we our only going to create 1 node ( $AgentCount ). Normally you would create at least 3 nodes. Also the serviceprincipal that is used for this deployment has no specific rights as mentioned before. Normally you would create a serviceprincipal with specific rights so that the serviceprincipal has access to the container registry, create a loadbalancer when needed.

In one of the next blogs we will explain more about serviceprincipals and rights/role assignment.

$DeployParameters = @{
    "resourceName"                 = "$ClusterName"
    "location"                     = "$ResourceGroupLocation"
    "dnsPrefix"                    = "$ClusterName"
    "agentCount"                   = $AgentCount
    "agentVMSize"                  = "$AgenVMSize"
    "servicePrincipalClientId"     = "$($servicePrincipal.ApplicationId)"
    "servicePrincipalClientSecret" = "$ServicePrincipalSecret"
    "kubernetesVersion"            = "$KubernetesVersion"
    "networkPlugin"                = "$NetworkPlugin"
    "enableRBAC"                   = $true
    "enableHttpApplicationRouting" = $false
    "Owner"                        = "$Owner"
$Deployment = New-AzResourceGroupDeployment -Name "Deployment" -ResourceGroupName $ResourceGroupName -TemplateFile .\aks.json -TemplateParameterObject $DeployParameters

We can also output the created clustername:

$Deployment.Outputs.GetEnumerator() | ForEach-Object {
    Write-Output "$($_.Key) : $($_.value.Value)"

At this time we can begin to work with our cluster. First we need our credentials. We have our normal credentials which we can get via:

# Get AKS Cluster Credentials for kubectl
Import-AzAksCredential -ResourceGroupName $ResourceGroupName -Name $ClusterName -Force

If needed for any reason it is also possible to get the admin user via:

# Get Admin user
#Import-AzAksCredential -ResourceGroupName $ResourceGroupName -Name $ClusterName -Admin -Force

After we imported the AKS credentials we can check if our node(s) are up using:

#Check if our nodes are up
kubectl get nodes --output=wide

When our nodes are up we can start connecting to our container registry, for this we first get the password from the KeyVault

#Get dockerpassword from Vault
$DockerPassword = Get-AzKeyVaultSecret -VaultName $KeyVaultName -Name $UserName

Write-Output "Login to registry"
$DockerPassword.SecretValueText | docker login $server -u $UserName --password-stdin

Now that we have everything in place we can start creating a docker image or re-use an existing one. For now we are going to re-use an existing NGINX Demo docker image which contains Hello World

Write-Output "Download default Hello-World image"
docker pull nginxdemos/hello

Write-Output "Re-tag image"
docker tag nginxdemos/hello $server/hello:1.0

Write-Output "Push Image to CRS"
docker image push $server/hello:1.0

We now re-tagged an existing imaged and pushed it to our own private container registry.

After this it is time to link our AKS Cluster to our Container Registry

#Create secret to Link AKS to CRS
kubectl create secret docker-registry $server --docker-server=$server --docker-username=$UserName --docker-password=$($DockerPassword.SecretValueText) --docker-email=$DockerEmail

We can issue a command to check the contents of the now created secret

#Check the secret
kubectl describe secret

We can create our kubernetes yaml to start our own pods. In this case we fill a variable with the content but it could also be a file.

$yaml = @"
apiVersion: apps/v1beta1
kind: Deployment
  name: my-api
  replicas: 1
        app: my-api
      - name: my-api
        image: $server/hello:1.0
        - containerPort: 80
      - name: $server
apiVersion: v1
kind: Service
  name: my-api
  type: LoadBalancer
  - port: 80
    app: my-api

Now that we have the YAML we can create a deployment to Kubernetes.
For this demo we use the output of $yaml via piping to STDIN as input for kubectl create -f as specified by ‘-‘.

#create deployment using yaml content via STDIN
$yaml | kubectl create -f -

If you would like to use a file with YAML content you can use:

kubectl create -f .\

We can get the deployment status via:

kubectl get service/my-api

When the deployment is ready the external IP will be visible and it can be used to open our demo page in the browser:

in my current case:


So this shows, that in little time and with little effort several services can be spun up in Azure and you can ran your own docker images on an Azure Kubernetes Cluster.

It is also possible to connect to a web-based dashboard for our AKS Cluster. For this we issue the following commands:

#Get Kubernetes Dashboard
kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
kubectl proxy


When first accessing the dashboard it will ask for the .kubeconfig file. Under windows this is: %userprofile%\.kube\config

To clean up the resources we just creates we can issue the following commands:

# Clean up Azure resources
Remove-AzAks -ResourceGroupName $ResourceGroupName -Name $ClusterName -Force
Remove-AzADServicePrincipal -DisplayName $ServicePrincipalName -Force
Remove-AzADApplication -DisplayName $ServicePrincipalName -Force
Remove-AzResourceGroup -Name $ResourceGroupName -Force

The new Az module – Connecting to Azure

With the introduction of the new Az PowerShell module, the merger of the Azure.* and AzureRM.* modules, comes a new way of connecting to Azure.

When we get a list of the available commands to do something with an AzAccount, you’ll end up with the following:

As you can see, there are now Connect-/Disconnect-AzAccount and Login-/Logout-AzAccount cmdlets. So if you want to connect to Azure and use PowerShell cmdlets to manage your environment, which one do you use?

If you use either Connect-AzAccount or Login-AzAccount, you’ll end up with the following message:

For this, one would require user interaction. Would that not negate the whole concept of automation?

One of our customers contacted me with the request if we could automate this. His idea was that we would write something that could read the url and code, utilize a browser and through that automate the login.

Although I love billing customers, I don’t like to bill them unnecessarily. I decided to educate them instead:

The solution is already available

The solution is simply by using the cmdlet the way it is intended to be used. For an interactive environment, you can simply go to that website and fill in the code. When you require the cmdlet to be used in an automated process / script, you can use the cmdlets’ parameters to tweak its behavior so that it works in automation

If you look at help of the cmdlets, you’ll notice that it has quite a few parameters that you can use. Amongst those is the -Credential parameter:

Big fat note:
This approach doesn’t work with Microsoft accounts or accounts that have two-factor authentication enabled.

But what if you’re using an account with Multi Factor Authentication?

Well, let me introduce you to Service Principals and Managed Identities.
Service principals are non-interactive Azure accounts. Like other user accounts, their permissions are managed with Azure Active Directory. By granting a service principal only the permissions it needs, your automation scripts stay secure.

If you want to know how you can create Azure Service Pricipals, take a look here.

Next to the Service Principal, the Connect-AzAccount cmdlet also requires you to provide its application ID, sign-in credentials, and the tenant ID associate with it:

Manage identities are a subset of Service Principals, and have therefor the same constraints.
They are assigned to resources that run in Azure. You can use them for sign-in, and acquire an app-only access token to access other resources. Managed identities are only available on resources running in an Azure cloud.

Working around Azure Tagging Limits – Using JSON formats.

Have you ever ran into the hard-limit in Azure for the amount of tags allowed on asingle resource, or resource group even?
When you work in a large organisation that wants to track everything this mightbe one of the things happening to you.

Let’s dig a bit into the actual limits of tagging currently in azure.

  • Each resource or resource group can have a maximum of 15 tag name/value pairs
  • The tag name is limited to 512 characters
  • The tag value is limited to 256 characters.
  • For storage accounts, the tag name is limited to 128 characters, and the tag value is limited to 256 characters.
  • Tags can’t be applied to classic resources such as Cloud Services.
  • Tag names can’t contain these characters: <, >, %, &, \, ?, /

So this means we can have a Maximum of 15 tag name/value pairs on a resource/resource group.
This means if you want to tag for example: Owner, Team, Manager, CostCenter, Environment,BackupType, Expirationdate, MaintenanceWindow, etc. You will run out of those tags pretty quickly.

Luckily looking at the rest of the limitations: The tag value is limited to 256 characters! (that is a lot of characters!), and tag names cannot contain a few set of characters.

Since we don’t spot curly braces in the ‘cannotcontain’ list, why not start using JSON in as tag value’s to concatenate tags?

“Team”: “Solution Architects”,
“BackupType”: “FullBackup”,
“Manager”: “Danny den Braver”,
“ExpirationDate”: “None”,
“MaintenanceWindow”: {
“Days”: [
“Hours”: “12:00-20:00”
“Environment”: “Development”,
“Owner”: “Danny den Braver”,
“CostCenter”: “12345”

Now let’sput this into practise on how we could do this leveraging powershell(specifically as I like splatting more than writing native JSON)

Let’sfirst build our hashtable and convert it to JSON

$ServerDetails = @{
Owner = ‘Danny den Braver’
Team = ‘Solution Architects’
Manager = ‘Danny den Braver’
CostCenter = ‘12345’
Environment = ‘Development’
BackupType = ‘FullBackup’
ExpirationDate = ‘None’
MaintenanceWindow = @{
Days = ‘Saturday’,’Sunday’
Hours = ’12:00-20:00′

$ServerDetailsJSON = $ServerDetails | convertto-json

Now we can add it as a tag value to ourenvironment

$Tags = @{
‘ServerDetails’ = $ServerDetailsJSON

Set-AzureRmResourceGroup -Name db-personal-rg-01 -Tag $Tags

Thisis what it will look like inside the portal:

Thisis what it will look like from PowerShell:

Hopefullythis will give you enough room for moving ahead using Tags within Azure.