1# Kubernetes to Azure Container Apps - Assessment Guide
2 
3## Compatibility Matrix
4 
5### Kubernetes → Container Apps Resource Mapping
6 
7| Kubernetes Concept | Container Apps Equivalent | Supported | Notes |
8|-------------------|--------------------------|-----------|-------|
9| Deployment | Container App | ✅ Yes | One-to-one mapping for stateless workloads |
10| Service (ClusterIP) | Internal ingress | ✅ Yes | Set `ingress.external: false` |
11| Service (LoadBalancer) | External ingress | ✅ Yes | Set `ingress.external: true` |
12| Ingress | Built-in ingress with custom domain | ✅ Yes | Supports TLS, traffic splitting |
13| ConfigMap | Environment variables | ✅ Yes | Inline or from secrets |
14| Secret | Secrets (Key Vault refs preferred) | ✅ Yes | Use managed identity for Key Vault |
15| CronJob | Container Apps Job (scheduled) | ✅ Yes | Cron expression syntax |
16| Job | Container Apps Job (manual/event) | ✅ Yes | One-time or event-triggered |
17| HPA | Built-in scaling rules | ✅ Yes | HTTP, TCP, KEDA-compatible scalers |
18| PersistentVolumeClaim | Azure Files mount | ⚠️ Limited | EmptyDir and Azure Files only; no block storage |
19| DaemonSet | N/A | ❌ No | Consider sidecar containers or external agents |
20| StatefulSet | N/A | ❌ No | Use external state (Cosmos DB, Redis, SQL) |
21| Custom CRDs / Operators | N/A | ❌ No | Evaluate if Dapr components can replace |
22| NetworkPolicy | VNet NSG rules | ⚠️ Limited | Configure at Environment subnet level |
23 
24### Resource Limits
25 
26| Resource | Kubernetes (typical) | Container Apps Maximum | Migration Impact |
27|----------|---------------------|----------------------|------------------|
28| CPU per container | Up to 64+ vCPU | 4 vCPU | Split large containers |
29| Memory per container | Up to 256+ GiB | 8 GiB | Redesign memory-intensive workloads |
30| Replicas per app | 1000+ | 300 per revision | Validate scale requirements |
31| Request timeout | Configurable (hours+) | 240 seconds default | Redesign long-running requests |
32| Startup probe timeout | Configurable | 240 seconds | Optimize startup time |
33| Containers per pod/app | 10+ | Up to 10 sidecars | Init + sidecar containers supported |
34 
35## Unsupported Patterns
36 
37### Critical Blockers
38 
391. **StatefulSets with persistent storage**
40   - **Why**: Container Apps is designed for stateless workloads
41   - **Alternative**: Migrate state to Azure Cosmos DB, Azure SQL, Redis, or Storage
42 
432. **DaemonSets for node-level agents**
44   - **Why**: No node-level access in managed environment
45   - **Alternative**: Use Azure Monitor agents, Dapr components, or sidecar containers
46 
473. **Privileged containers or host networking**
48   - **Why**: Security isolation in managed platform
49   - **Alternative**: Redesign to avoid host-level access
50 
514. **Custom CRDs and Operators**
52   - **Why**: No Kubernetes API server access
53   - **Alternative**: Use Dapr state management, bindings, or Azure PaaS services
54 
555. **Direct Kubernetes API calls from apps**
56   - **Why**: Kubernetes API not exposed
57   - **Alternative**: Use environment variables, service discovery via DNS, or Dapr
58 
59### Storage Considerations
60 
61- **EmptyDir**: Supported (ephemeral storage)
62- **Azure Files**: Supported via volume mounts
63- **Persistent Block Storage**: Not supported (migrate to Azure Blob, SQL, Cosmos DB)
64 
65## Assessment Checklist
66 
67### 1. Workload Inventory
68 
69- List all Deployments, StatefulSets, DaemonSets in target namespaces
70- Identify workload types: API, background worker, CronJob, StatefulSet
71- Document current resource requests/limits (CPU, memory)
72- Note replica counts (min, max, typical)
73 
74### 2. Network Configuration
75 
76- **Service Types**: ClusterIP (internal) vs LoadBalancer (external)
77- **Ingress**: Document hostnames, TLS certificates, path routing rules
78- **Service Mesh**: Document if using Istio, Linkerd (consider migrating to Dapr)
79- **NetworkPolicies**: List egress/ingress rules (map to NSG rules or VNet integration)
80 
81### 3. Storage and State
82 
83- **PersistentVolumeClaims**: List volumes, sizes, access modes (ReadWriteOnce, ReadWriteMany)
84- **StatefulSets**: Document state storage patterns (candidates for external state migration)
85- **EmptyDir/Temp Storage**: Note usage patterns (supported in Container Apps)
86- **ConfigMaps/Secrets**: Count and categorize (migrate inline or to Key Vault)
87 
88### 4. Scaling and Performance
89 
90- **HPA**: Document scaling metrics (CPU, memory, custom metrics)
91- **Min/Max Replicas**: Verify within Container Apps limits (0-300)
92- **Startup Time**: Measure pod startup latency (must be <240s)
93- **Request Patterns**: Long-running requests (>240s) need redesign
94 
95### 5. Dependencies
96 
97- **Internal Services**: List service-to-service calls (use internal DNS in Container Apps)
98- **External Services**: Databases, APIs, message queues, storage
99- **Authentication**: Service accounts, RBAC roles (map to managed identities)
100- **Observability**: Logging, metrics, tracing (migrate to Azure Monitor, App Insights)
101 
102### 6. CI/CD and Deployment
103 
104- **Pipeline Tools**: kubectl, Helm, Kustomize, ArgoCD, Flux
105- **Image Registries**: Docker Hub, GCR, ECR, private registries (migrate to ACR)
106- **Deployment Strategy**: Rolling update, blue/green, canary (Container Apps supports traffic splitting)
107 
108## Complexity Assessment Guidelines
109 
110### Low Complexity
111- Stateless Deployments with ClusterIP or LoadBalancer Services
112- Simple environment variables (no complex ConfigMaps)
113- No persistent storage or external state already in use
114- Standard HTTP/gRPC ingress
115- No service mesh dependencies
116 
117### Medium Complexity
118- Multiple Deployments with inter-service communication
119- ConfigMaps and Secrets requiring Key Vault migration
120- HPA with custom metrics (need KEDA scaler mapping)
121- CronJobs (map to Container Apps Jobs)
122- Ingress with TLS and custom domains
123 
124### High Complexity
125- StatefulSets requiring state migration to external services
126- Service mesh (Istio/Linkerd) requiring Dapr migration
127- Custom CRDs or Operators (need redesign)
128- NetworkPolicies requiring VNet/NSG configuration
129- Large-scale deployments (>100 replicas, need architecture review)
130- Workloads exceeding Container Apps resource limits (>4 vCPU, >8 GiB)
131 
132## Assessment Report Structure
133 
134Generate `k8s-migration-assessment.md` with:
135 
1361. **Executive Summary**: Cluster name, namespace(s), workload count, complexity (Low/Medium/High), estimated timeline, Azure cost
1372. **Current State**: Deployment inventory, resource usage, scaling config, storage usage, networking topology
1383. **Compatibility Analysis**: Supported workloads, blockers, redesign requirements (StatefulSets, DaemonSets, CRDs)
1394. **Azure Target**: Required resources (resource group, Container Apps Environment, ACR, Key Vault, Log Analytics, VNet if needed)
1405. **Migration Plan**:
141   - State migration strategy (databases, caches, storage)
142   - Image migration approach (ACR import, rebuild)
143   - IaC generation plan (Bicep templates per Deployment)
144   - Deployment sequence (dependencies first, then consumers)
1456. **Risk Assessment**: Blockers, feature gaps, performance considerations, downtime estimate
1467. **Validation Tests**: Smoke tests, integration tests, performance benchmarks
147