-
Notifications
You must be signed in to change notification settings - Fork 0
03 Edge Deployment
Brian edited this page Feb 10, 2026
·
2 revisions
- Overview
- Development Environment
- AKS Edge Essentials
- Azure Arc Connection
- Kubernetes Namespaces
- ACR Pull Secret
- Operational Procedures
The edge deployment consists of three layers:
| Layer | Component | Purpose |
|---|---|---|
| 1 | Windows 10 IoT Enterprise | Host OS from golden image |
| 2 | AKS Edge Essentials (K3s) | Lightweight Kubernetes runtime |
| 3 | Azure Arc | Cloud management plane connectivity |
┌─────────────────────────────────────────────────────────────────────────────────┐
│ EDGE DEPLOYMENT STACK │
├─────────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌───────────────────────────────────────────────────────────────────────────┐ │
│ │ Layer 3: Azure Arc │ │
│ │ • Cloud management plane connectivity │ │
│ │ • GitOps (Flux) for configuration management │ │
│ │ • Centralized monitoring and policy │ │
│ └───────────────────────────────────────────────────────────────────────────┘ │
│ ▲ │
│ ┌───────────────────────────────────────────────────────────────────────────┐ │
│ │ Layer 2: AKS Edge Essentials (K3s) │ │
│ │ • Lightweight Kubernetes runtime │ │
│ │ • Container orchestration │ │
│ │ • Runs in CBL-Mariner Linux VM │ │
│ └───────────────────────────────────────────────────────────────────────────┘ │
│ ▲ │
│ ┌───────────────────────────────────────────────────────────────────────────┐ │
│ │ Layer 1: Windows 10 IoT Enterprise LTSC │ │
│ │ • Host operating system │ │
│ │ • CIS Benchmark hardened │ │
│ │ • Hyper-V hypervisor for K3s VM │ │
│ └───────────────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────────┘
| Property | Value |
|---|---|
| Model | development workstation |
| CPU | Intel Xeon E3-1505M (4 cores, 8 threads) |
| Hypervisor | Hyper-V |
| VM Storage | E:\Factory-VMs\ |
| Property | Value |
|---|---|
| VM Name | IPC-Factory-01 |
| vCPUs | 4 |
| RAM | 8 GB |
| Disk | E:\Factory-VMs\Factory-VMs\IPC-Factory-01.vhdx |
| OS | Windows 10 IoT Enterprise LTSC 2021 |
| Network | Default Switch (NAT) |
| Nested Virtualization | Enabled (required for AKS Edge) |
# On workstation (with VM stopped)
Set-VMProcessor -VMName "IPC-Factory-01" -ExposeVirtualizationExtensions $true# On workstation - Create the Demo VM
$VMName = "IPC-Factory-01"
$VHDPath = "E:\Factory-VMs\Factory-VMs\$VMName.vhdx"
# Create VM
New-VM -Name $VMName `
-MemoryStartupBytes 8GB `
-NewVHDPath $VHDPath `
-NewVHDSizeBytes 60GB `
-Generation 1 `
-SwitchName "Default Switch"
# Configure VM
Set-VMProcessor -VMName $VMName -Count 4
Set-VM -VMName $VMName -AutomaticCheckpointsEnabled $false
# Enable nested virtualization
Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true
# Start VM
Start-VM -Name $VMNameAKS Edge Essentials is Microsoft's lightweight Kubernetes distribution for Windows IoT devices. It runs K3s (a CNCF-certified Kubernetes distribution) inside a Linux VM managed by Windows.
| Property | Value |
|---|---|
| Kubernetes Distribution | K3s |
| Linux VM | Mariner (CBL-Mariner) |
| Resource Footprint | ~4 GB RAM, ~20 GB disk |
| Container Runtime | containerd |
AKS Edge Essentials installation process:
- Download MSI from
https://aka.ms/aks-edge/k3s-msi - Install with default options
- Deploy single-machine cluster
# On IPC-Factory-01 VM - Download and install AKS Edge
$downloadUrl = "https://aka.ms/aks-edge/k3s-msi"
$installerPath = "$env:TEMP\AksEdge-K3s.msi"
Invoke-WebRequest -Uri $downloadUrl -OutFile $installerPath
Start-Process -FilePath "msiexec.exe" -ArgumentList "/i `"$installerPath`" /qn" -WaitFile: C:\ProgramData\AksEdge\aksedge-config.json (on VM)
{
"SchemaVersion": "1.14",
"Version": "1.0",
"DeploymentType": "SingleMachineCluster",
"Init": {
"ServiceIPRangeSize": 10
},
"Network": {
"InternetDisabled": false
},
"User": {
"AcceptEula": true,
"AcceptOptionalTelemetry": false
},
"Machines": [
{
"LinuxNode": {
"CpuCount": 4,
"MemoryInMB": 4096,
"DataSizeInGB": 20
}
}
]
}# On IPC-Factory-01 VM
Import-Module AksEdge
# Deploy single-machine cluster
New-AksEdgeDeployment -JsonConfigFilePath "C:\ProgramData\AksEdge\aksedge-config.json"
# Wait for deployment (5-10 minutes)Run on IPC-Factory-01 VM:
# Check AKS Edge deployment status
Import-Module AksEdge
Get-AksEdgeDeploymentInfo
# Check Kubernetes nodes
kubectl get nodes
# Expected output:
# NAME STATUS ROLES AGE VERSION
# ipc-factory-01-ledge Ready control-plane,master Xd v1.28.x+k3s1
# Check all pods across namespaces
kubectl get pods -A
# Check cluster info
kubectl cluster-info# Copy kubeconfig from VM to workstation
$VMKubeConfig = "\\IPC-Factory-01\c$\Users\Administrator\.kube\config"
$LocalKubeConfig = "$env:USERPROFILE\.kube\config-ipc-factory"
Copy-Item -Path $VMKubeConfig -Destination $LocalKubeConfig
# Use with kubectl
$env:KUBECONFIG = $LocalKubeConfig
kubectl get nodesAzure Arc extends Azure management capabilities to resources outside Azure—including Kubernetes clusters running on-premises or at the edge.
| Capability | Benefit |
|---|---|
| Single pane of glass | Manage all IPCs from Azure Portal |
| GitOps | Deploy configurations from Git repositories |
| Policy | Apply Azure Policy to edge clusters |
| Monitoring | Stream logs and metrics to Azure Monitor |
| Property | Value |
|---|---|
| Cluster Name | aks-edge-ipc-factory-01 |
| Resource Group | rg-ipc-platform-arc |
| Location | Central US |
| Distribution | AKS Edge Essentials |
| Infrastructure | Windows Hyper-V |
# On workstation (with Azure CLI logged in and kubeconfig configured)
# Login to Azure
az login
# Set subscription
az account set --subscription "<your-subscription-id>"
# Connect cluster to Arc
az connectedk8s connect `
--name "aks-edge-ipc-factory-01" `
--resource-group "rg-ipc-platform-arc" `
--location "centralus" `
--kube-config "$env:USERPROFILE\.kube\config-ipc-factory"From workstation (Azure CLI):
az connectedk8s show `
--name "aks-edge-ipc-factory-01" `
--resource-group "rg-ipc-platform-arc" `
--query "connectivityStatus" -o tsv
# Expected: ConnectedFrom Azure Portal:
- Navigate to: Azure Arc → Kubernetes clusters
- Click on
aks-edge-ipc-factory-01 - Verify Status shows "Connected"
From VM:
# Check Arc agents
kubectl get pods -n azure-arc
# Expected output shows running pods:
# NAME READY STATUS RESTARTS AGE
# clusterconnect-agent-xxx 1/1 Running 0 Xd
# extension-manager-xxx 1/1 Running 0 Xd
# flux-logs-agent-xxx 1/1 Running 0 Xd
# resource-sync-agent-xxx 1/1 Running 0 Xd# Check Arc agent logs
kubectl logs -n azure-arc -l app.kubernetes.io/name=clusterconnect-agent
# Check outbound connectivity
Test-NetConnection -ComputerName "management.azure.com" -Port 443
Test-NetConnection -ComputerName "centralus.his.arc.azure.com" -Port 443
# Force reconnect if needed
az connectedk8s update `
--name "aks-edge-ipc-factory-01" `
--resource-group "rg-ipc-platform-arc"| Namespace | Purpose | Managed By |
|---|---|---|
ipc-workloads |
Business application containers | GitOps |
flux-system |
Flux controllers | Azure Arc |
azure-arc |
Arc connectivity agents | Azure Arc |
kube-system |
Kubernetes core (API, DNS, CNI) | K3s |
# On VM
kubectl create namespace ipc-workloads
# Verify
kubectl get namespaces# kubernetes/workloads/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
name: ipc-workloads
labels:
managed-by: flux
environment: pocKubernetes needs credentials to pull images from the private Azure Container Registry.
Secret Name: acr-pull-secret
Namespace: ipc-workloads
Type: kubernetes.io/dockerconfigjson
# Get ACR password first
$ACR_PASSWORD = az acr credential show --name <your-acr-name> --query "passwords[0].value" -o tsv
# On VM - Create the secret
kubectl create secret docker-registry acr-pull-secret `
--namespace ipc-workloads `
--docker-server=<your-acr-name>.azurecr.io `
--docker-username=<your-acr-name> `
--docker-password=$ACR_PASSWORDkubectl get secrets -n ipc-workloads
# Expected:
# NAME TYPE DATA AGE
# acr-pull-secret kubernetes.io/dockerconfigjson 1 XdAll workload deployments must reference this secret:
spec:
template:
spec:
imagePullSecrets:
- name: acr-pull-secret
containers:
- name: my-container
image: <your-acr-name>.azurecr.io/my-image:latestUses Kubernetes Secret for ACR authentication (imagePullSecrets):
imagePullSecrets:
- name: acr-pull-secretUse Arc agent's Managed Identity with AcrPull role assignment:
- No secrets in cluster
- No credential rotation required
- Automatic token refresh
- Audit logging via Azure AD
-
Implementation: Assign
AcrPullrole to the Arc Connected Machine identity.
# 1. On workstation - Start the VM
Start-VM -Name "IPC-Factory-01"
# 2. Wait 2 minutes for Windows to boot
# 3. On VM - Start AKS Edge Linux node (if not auto-starting)
Import-Module AksEdge
Start-AksEdgeNode -NodeType Linux
# 4. Wait 60 seconds, then verify
kubectl get nodes
kubectl get pods -n ipc-workloads# 1. On VM - Stop AKS Edge gracefully
Import-Module AksEdge
Stop-AksEdgeNode -NodeType Linux
# 2. Wait for completion
# 3. On workstation - Stop the VM
Stop-VM -Name "IPC-Factory-01"# On VM - Full status check
Write-Host "=== Node Status ===" -ForegroundColor Cyan
kubectl get nodes
Write-Host "`n=== Workload Pods ===" -ForegroundColor Cyan
kubectl get pods -n ipc-workloads
Write-Host "`n=== Flux Status ===" -ForegroundColor Cyan
kubectl get gitrepositories -n flux-system
Write-Host "`n=== Arc Status ===" -ForegroundColor Cyan
kubectl get pods -n azure-arc | Select-Object -First 5# Node resource usage
kubectl top nodes
# Pod resource usage
kubectl top pods -n ipc-workloads
# Detailed node info
kubectl describe node ipc-factory-01-ledge# Logs for a specific pod
kubectl logs -n ipc-workloads <pod-name>
# Follow logs in real-time
kubectl logs -n ipc-workloads <pod-name> -f
# Logs for all pods with a label
kubectl logs -n ipc-workloads -l app=health-monitor# Restart a deployment (rolling restart)
kubectl rollout restart deployment/<deployment-name> -n ipc-workloads
# Check rollout status
kubectl rollout status deployment/<deployment-name> -n ipc-workloads# Delete all workloads (Flux will recreate them)
kubectl delete all --all -n ipc-workloads
# Force Flux to reconcile immediately
kubectl annotate gitrepository ipc-platform-config -n flux-system `
reconcile.fluxcd.io/requestedAt="$(Get-Date -Format o)" --overwrite
# Watch pods come back up
kubectl get pods -n ipc-workloads -wEnd of Edge Deployment Section
Previous: 02-Golden-Image-Pipeline.md
Next: 04-GitOps-Configuration.md