From b78c23d22f911ed36f725912815c1db532b36a2e Mon Sep 17 00:00:00 2001
From: Bernie White
Date: Tue, 10 Dec 2024 14:06:58 +1000
Subject: [PATCH] Documentation quality updates (#3208)
---
 docs/en/rules/Azure.AKS.HttpAppRouting.md | 14 ++++++++++----
 src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml | 8 +++++---
 src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml | 2 +-
 3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/docs/en/rules/Azure.AKS.HttpAppRouting.md b/docs/en/rules/Azure.AKS.HttpAppRouting.md
index 389ba5ad3c..5605f75768 100644
--- a/docs/en/rules/Azure.AKS.HttpAppRouting.md
+++ b/docs/en/rules/Azure.AKS.HttpAppRouting.md
@@ -1,5 +1,5 @@
 ---
-reviewed: 2021-12-10
+reviewed: 2024-12-10
 severity: Important
 pillar: Security
 category: SE:06 Network controls
@@ -24,14 +24,18 @@ When exposing application endpoints consider using an ingress controller that su
 - Encryption in transit over TLS.
 - Multiple replicas.
-Azure provides a production ready ingress controller _Application Gateway Ingress Controller_ (AGIC).
+Azure Kubernetes Service provides several ingress controller options including:
+
+- **Application routing add-on** — an NGINX-based managed ingress controller add-on.
+- **Application Gateway Ingress Controller (AGIC)** — an ingress controller which integrates with Application Gateway.
+- **Application Gateway for Containers** — is the successor to AGIC that additional features and scale.
 HTTP application routing add-on (preview) for Azure Kubernetes Service (AKS) will be retired on 03 March 2025.
 ## RECOMMENDATION
 Consider disabling the HTTP application routing add-on in your AKS cluster.
-Also consider using Application Gateway Ingress Controller (AGIC) instead to protect application endpoints.
+Also consider migrating to an alternative ingress controller.
 ## EXAMPLES
@@ -186,5 +190,7 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
 - [SE:06 Network controls](https://learn.microsoft.com/azure/well-architected/security/networking)
 - [HTTP application routing](https://learn.microsoft.com/azure/aks/http-application-routing)
+- [Migrate from HTTP application routing to the application routing add-on](https://learn.microsoft.com/azure/aks/app-routing-migration)
+- [What is Application Gateway for Containers?](https://learn.microsoft.com/azure/application-gateway/for-containers/overview)
 - [Enable Application Gateway Ingress Controller add-on for an existing AKS cluster](https://learn.microsoft.com/azure/application-gateway/tutorial-ingress-controller-add-on-existing)
-- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters#ManagedClusterAutoUpgradeProfile)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
diff --git a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml
index 23c5fe6b55..0f9786a0dc 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.AKS.Rule.yaml
@@ -166,6 +166,7 @@ metadata:
 labels:
 Azure.MCSB.v1/control: ['IM-1', 'PA-1']
 Azure.Policy/id: /providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32
+Azure.WAF/progressive: C
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -205,7 +206,7 @@ metadata:
 ruleSet: 2021_12
 Azure.WAF/pillar: Security
 labels:
-Azure.MCSB.v1/control: 'IM-8'
+Azure.MCSB.v1/control: IM-8
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -225,7 +226,7 @@ metadata:
 ruleSet: 2021_12
 Azure.WAF/pillar: Security
 labels:
-Azure.MCSB.v1/control: 'DP-7'
+Azure.MCSB.v1/control: DP-7
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
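Review bot: The `Azure.WAF/progressive: C` label is added to the rules in the `@@ -166` hunk (and the `@@ -248` hunk further down) of Azure.AKS.Rule.yaml, while the three sibling rules touched in the same file (`@@ -205`, `@@ -225`, `@@ -270`) receive only the quote removal and no progressive label, so it is worth confirming that omission is intentional rather than an oversight. The rule `name` entries sit above each hunk and are not visible, so this cannot be settled from the diff alone. The Azure.Redis.Rule.yaml hunk shows `Azure.WAF/progressive: C` already present next to the single-control label, which appears to be the pattern the AKS additions are following. Unquoting `'IM-8'` to `IM-8` is safe for values of this shape, which YAML reads as plain string scalars; only keep quotes where a label value could otherwise be parsed as a boolean, number or null.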
@@ -248,6 +249,7 @@ metadata:
 Azure.WAF/pillar: Security
 labels:
 Azure.MCSB.v1/control: ['NS-1', 'DP-4']
+Azure.WAF/progressive: C
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
@@ -270,7 +272,7 @@ metadata:
 ruleSet: 2021_12
 Azure.WAF/pillar: Security
 labels:
-Azure.MCSB.v1/control: 'PV-7'
+Azure.MCSB.v1/control: PV-7
 spec:
 type:
 - Microsoft.ContainerService/managedClusters
diff --git a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml
index e893e2fb39..7b8e35f16d 100644
--- a/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml
+++ b/src/PSRule.Rules.Azure/rules/Azure.Redis.Rule.yaml
@@ -45,7 +45,7 @@ metadata:
 ruleSet: 2020_06
 Azure.WAF/pillar: Security
 labels:
-Azure.MCSB.v1/control: 'DP-3'
+Azure.MCSB.v1/control: DP-3
 Azure.WAF/progressive: C
 spec:
 type: