This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 67%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENA%3C/text%3E%3C/svg%3E)
Hello,
We want to use AKS as shared resource for multiple application. Each application will have a separate namespace and permission limited to its namespace.
The question is how should we setup the node pool to deploy our applications ? Is it ok to use the default agent node pool with min node count set as '2' and auto scale enabled ? I mean can we go ahead and use the default node pool setup to deploy the applications separated by namespaces and increase the max node count depends on usage.
You can have a user-node pool for sure. But make sure that, you create it with special label
az aks nodepool add \
--resource-group rg \
--cluster-name aks \
--name nodepool2 \
--node-count 2 \
--node-vm-size Standard_DS2_v2 \
--labels "vmsize=small"
Here the label is vmsize=small . Through this label, we’ll be able to specify which nodes the pods should land on.
When we created the node pools, specify --labels option. An example below:
kind: Deployment
apiVersion: apps/v1
metadata:
name: app1
spec:
replicas: 16
selector:
matchLabels:
app: app1
template:
metadata:
labels:
app: app1
spec:
containers:
- name: app1
image: debian:latest
command: ["/bin/bash"]
args: ["-c", "hello world; sleep 30; done"]
nodeSelector:
vmsize: small
Thanks for the above information.
Thanks for reaching Q & A forum.
To ensure your cluster operates reliably, you should run at least 2 (two) nodes in the default node pool, as essential system services are running across this node pool.
System node pools serve the primary purpose of hosting critical system pods such as CoreDNS and tunnelfront. User node pools serve the primary purpose of hosting your application pods.
-----
If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.
Hi- Thanks for the reply.
So I have a system node pool i.e. agent nodepool with 2 nodes.
I can simply add another node pool for the application deployment right ?
While creating a namespace and deploying each application to the namespace or assigning the namespace level permission. Will it require any change with respect to the current process how we create and deploy in the system node pool itself with separate namespaces ?
I mean currently everything is in system node pool so do we need to specify something that the namespace to be created in the new node pool or while deploying the app in a namespace we need to define the nodepool ? In the current scenario we just run the command to create a new space and for deployment we mention in yml which namespace it should deploy and same for assigning azure rbac permission. Is it going to make any difference to the current approach ?
Hi- Thanks for the reply.
So I have a system node pool i.e. agent nodepool with 2 nodes.
I can simply add another node pool for the application deployment right ?
While creating a namespace and deploying each application to the namespace or assigning the namespace level permission. Will it require any change with respect to the current process how we create and deploy in the system node pool itself with separate namespaces ?
I mean currently everything is in system node pool so do we need to specify something that the namespace to be created in the new node pool or while deploying the app in a namespace we need to define the nodepool ? In the current scenario we just run the command to create a new space and for deployment we mention in yml which namespace it should deploy and same for assigning azure rbac permission. Is it going to make any difference to the current approach ?
Adding an additional system node pool or changing which node pool is a system node pool will NOT automatically move system pods. System pods can continue to run on the same node pool even if you change it to a user node pool. If you delete or scale down a node pool running system pods that was previously a system node pool, those system pods are redeployed with preferred scheduling to the new system node pool.
It's recommended to schedule your application pods on user node pools and dedicate system node pools to only critical system pods. This prevents rogue application pods from accidentally killing system pods. Enforce this behavior with the CriticalAddonsOnly=true:NoSchedule taint for your system node pools.
My question is different. In the current setup we only have default agentpool or nodepool which is created at the time of cluster creation. Its a system node pool where the kubeproxy etc runs by default. We have 2 node count as Min and Max 5 . We did not create any user node pool. We just created the namespace and deployed our app there.
But we are thinking of best practices - So as per my understanding we should have atleast 2 nodepool - first the default one to run the system pods etc with min count 2 and add another nodepool as user node pool to deploy out applications.
In this new user nodepool, we will have our application namespace where we will deploy our app and also developer will have access to the application namespace only. So in this approach what could be the possible changes we need to consider for the setup initially.
As currently everything is in the default system node pool so we didn't have to consider it but moving to multiple node pools I am thinking what different it will make with regards to above points which managing the cluster.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 4%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
As per my understanding you really don't have to create a new namespace when adding a new node pool as it has already been created by AKS.
Node pools are only meant for scheduling the Pods. If you want your app pods to run on that specific new node pool that can be handled by various scheduling techniques like taints and tolerations, node affinity etc.
AKS clusters can be shared across multiple tenants in different scenarios and ways. In some cases, diverse applications can run in the same cluster. In other cases, multiple instances of the same application can run in the same shared cluster, one for each tenant. All these types of sharing are frequently described using the umbrella term multitenancy.
For example, the following picture shows the typical SaaS provider model that hosts multiple instances of the same application on the same cluster, one for each tenant. Each application lives in a separate namespace.
In a fully multitenant deployment, a single application serves the requests of all the tenants, and all the Azure resources are shared, including the AKS cluster. In this context, you only have one set of infrastructure to deploy, monitor, and maintain. All the tenants use the resource, as illustrated in the following diagram:
To keep up with the traffic demand that's generated by tenant applications, you can enable the cluster autoscaler to scale the agent nodes of your Azure Kubernetes Service (AKS). Autoscaling helps systems remain responsive in the circumstances where autoscaling is needed. When you enable autoscaling for a node pool, you specify a minimum and a maximum number of nodes based on the expected workload sizes. By configuring a maximum number of nodes, you can ensure enough space for all the tenant pods in the cluster, regardless of the namespace they run in.
When the traffic increases, cluster autoscaling adds new agent nodes to avoid pods going into a pending state, due to a shortage of resources in terms of CPU and memory.
Likewise, when the load diminishes, cluster autoscaling decreases the number of agent nodes in a node pool, based on the specified boundaries, which helps reduce your operational costs.
To reduce the risk of downtimes that may affect tenant applications during cluster or node pool upgrades, schedule AKS Planned Maintenance to occur during off-peak hours. Planned Maintenance allows you to schedule weekly maintenance windows to update the control plane of the AKS clusters that run tenant applications and node pools, which minimizing workload impact. You can schedule one or more weekly maintenance windows on your cluster by specifying a day or time range on a specific day. All maintenance operations will occur during the scheduled windows.
When you share an AKS cluster between multiple teams within an organization, you need to implement the principle of least privilege to isolate different tenants from one another. In particular, you need to make sure that users have access only to their Kubernetes namespaces and resources when using tools, such as kubectl, Helm, Flux, Argo CD, or other types of tools.
----------
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hi @Manu Philip
Thanks for the explanation. But it does not answer my query which I mentioned in the last comment. My question is specific to Adding User Node pool in addition to default system node pool