Skip to content

Latest commit

 

History

History
84 lines (58 loc) · 6.62 KB

08-workload-prerequisites.md

File metadata and controls

84 lines (58 loc) · 6.62 KB

Workload prerequisites

The AKS Cluster has been bootstrapped, wrapping up the infrastructure focus of the AKS baseline reference implementation. Follow the steps below to import the TLS certificate that the Ingress Controller will serve for Application Gateway to connect to your web app.

Steps

Import the wildcard certificate for the AKS ingress controller to Azure Key Vault

📖 Contoso Bicycle procured a CA certificate, a standard one, to be used with the AKS ingress controller. This one is not EV, as it will not be user facing.

  1. Obtain the Azure Key Vault details and give the current user permissions and network access to import certificates.

    📖 Finally the app team decides to use a wildcard certificate of *.aks-ingress.contoso.com for the ingress controller. They use Azure Key Vault to import and manage the lifecycle of this certificate.

    export KEYVAULT_NAME_AKS_BASELINE=$(az deployment group show --resource-group rg-bu0001a0008 -n cluster-stamp --query properties.outputs.keyVaultName.value -o tsv)
    echo KEYVAULT_NAME_AKS_BASELINE: $KEYVAULT_NAME_AKS_BASELINE
    TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT=$(az role assignment create --role a4417e6f-fecd-4de8-b567-7b0420556985 --assignee-principal-type user --assignee-object-id $(az ad signed-in-user show --query 'id' -o tsv) --scope $(az keyvault show --name $KEYVAULT_NAME_AKS_BASELINE --query 'id' -o tsv) --query 'id' -o tsv)
    echo TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT: $TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT
    
    # If you are behind a proxy or some other egress that does not provide a consistent IP, you'll need to manually adjust the
    # Azure Key Vault firewall to allow this traffic.
    CURRENT_IP_ADDRESS=$(curl -s -4 https://ifconfig.io)
    echo CURRENT_IP_ADDRESS: $CURRENT_IP_ADDRESS
    az keyvault network-rule add -n $KEYVAULT_NAME_AKS_BASELINE --ip-address ${CURRENT_IP_ADDRESS}
  2. Import the AKS ingress controller's wildcard certificate for *.aks-ingress.contoso.com.

    ⚠️ If you already have access to an appropriate certificate, or can procure one from your organization, consider using it for this step. For more information, please take a look at the import certificate tutorial using Azure Key Vault.

    ⚠️ Do not use the certificate created by this script for actual deployments. The use of self-signed certificates are provided for ease of illustration purposes only. For your cluster, use your organization's requirements for procurement and lifetime management of TLS certificates, even for development purposes.

    cat traefik-ingress-internal-aks-ingress-tls.crt traefik-ingress-internal-aks-ingress-tls.key > traefik-ingress-internal-aks-ingress-tls.pem
    az keyvault certificate import -f traefik-ingress-internal-aks-ingress-tls.pem -n traefik-ingress-internal-aks-ingress-tls --vault-name $KEYVAULT_NAME_AKS_BASELINE
  3. Remove Azure Key Vault import certificates permissions and network access for current user.

    The Azure Key Vault RBAC assignment for your user and network allowance was temporary to allow you to upload the certificate for this walkthrough. In actual deployments, you would manage these any RBAC policies via your ARM templates using Azure RBAC for Key Vault data plane and only network-allowed traffic would access your Key Vault.

    az keyvault network-rule remove -n $KEYVAULT_NAME_AKS_BASELINE --ip-address "${CURRENT_IP_ADDRESS}/32"
    az role assignment delete --ids $TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT

Check Azure Policies are in place

📖 The app team wants to apply Azure Policy over their cluster like they do other Azure resources. Their pods will be covered using the Azure Policy add-on for AKS. Some of these audits might end up in the denial of a specific Kubernetes API request operation to ensure the pod's specification is compliant with the organization's security best practices. Moreover data is generated by Azure Policy to assist the app team in the process of assessing the current compliance state of the AKS cluster. The app team is going to assign at the resource group level the Azure Policy for Kubernetes built-in restricted initiative as well as five more built-in individual Azure policies that enforce that pods perform resource requests, define trusted container registries, mandate that root filesystem access is read-only, enforce the usage of internal load balancers, and enforce https-only Kubernetes Ingress objects.

Beyond that, internal governance requires the team to ensure that any public endpoint is exposed through a full-qualified domain name ends with a company-owned domain suffix. To enforce this for all endpoints exposed by the cluster's ingress controller, they define a custom policy using Gatekeeper and leverage the capability to deploy it via Azure Policy to their cluster.

  1. Confirm policies are applied to the AKS cluster

    kubectl get constrainttemplate

    A similar output as the one showed below should be returned

    NAME                                                 AGE
    k8sazurev1blockdefault                               21m
    k8sazurev1blockendpointeditdefaultrole               21m
    … more …            
    k8sazurev3noprivilegeescalation                      21m
    k8sazurev3readonlyrootfilesystem                     21m
    k8scustomingresstlshostshavedefineddomainsuffix      21m
    

Save your work in-progress

# run the saveenv.sh script at any time to save environment variables created above to aks_baseline.env
./saveenv.sh

# if your terminal session gets reset, you can source the file to reload the environment variables
# source aks_baseline.env

Next step

▶️ Configure AKS Ingress Controller with Azure Key Vault integration