mathieu-benoit / myakscluster
How to set up a secure Kubernetes cluster on Azure
Home Page: http://alwaysupalwayson.com/private-aks-and-acr/
TODO (Helm 3 migration):
- tiller and its associated serviceaccount setup / helm init: replace with helm registry login, helm chart push and helm chart pull, helm chart tag
- index.yaml: move to index.json
- helm delete: replace with helm uninstall
A few more resources:
Some gotchas:
It looks like FlexVolume won't be GA and its replacement will be CSI: https://vincentlauzon.com/2019/02/21/flex-volume-in-aks/
Lock the resource group so the cluster's resources can't be deleted by mistake (https://docs.microsoft.com/fr-ca/cli/azure/group/lock?view=azure-cli-latest#az-group-lock-create):
az group lock create --lock-type CanNotDelete -n CanNotDelete -g $(rg)
Since Azure CLI version 2.0.66 the Kubernetes dashboard can be disabled (https://github.com/MicrosoftDocs/azure-docs-cli/blob/master/docs-ref-conceptual/release-notes-azure-cli.md#june-4-2019), which is good practice from a security perspective: the dashboard is one more privileged, web-exposed component to protect.
https://docs.microsoft.com/en-us/azure/aks/node-updates-kured
kubectl apply -f https://github.com/weaveworks/kured/releases/download/1.2.0/kured-1.2.0-dockerhub.yaml
AGIC is now GA:
Limitations with my current implementation:
- kubenet
- ... yet
Needs to be positioned in comparison with OPA + Azure Policy first; what's the orientation from K8S here?
https://www.cncf.io/blog/2019/09/16/5-kubernetes-rbac-mistakes-you-must-avoid/
For users:
For service principals (SPs):
https://docs.microsoft.com/en-us/azure/aks/availability-zones
You can only enable availability zones when the cluster is created
Availability zone settings can't be updated after the cluster is created. You also can't update an existing, non-availability zone cluster to use availability zones
You can't disable availability zones for an AKS cluster once it has been created
The node size (VM SKU) selected must be available across all availability zones
Clusters with availability zones enabled require use of Azure Standard Load Balancers for distribution across zones
Volumes that use Azure managed disks are currently not zonal resources. Pods rescheduled in a different zone from their original zone can't reattach their previous disk(s). It's recommended to run stateless workloads that don't require persistent storage that may come across zonal issues.
Supported regions: https://docs.microsoft.com/en-us/azure/availability-zones/az-overview#services-support-by-region
Cross-AZ traffic is charged; if you have very chatty services you may want to allocate them in one zone.
Prerequisites: kubenet CNI; otherwise, with Azure CNI, the route table will have to be created manually as explained in the doc.
TODO for kured: use the associated Helm chart (https://github.com/helm/charts/tree/master/stable/kured) instead of my own custom YAML file.
Run the kube-bench node checks against an AKS node (the pod needs hostPID so it can inspect the kubelet process on the host):
kubectl run --rm -i -t kube-bench-node --image=sabbour/kube-bench-aks:latest --restart=Never --overrides="{ \"apiVersion\": \"v1\", \"spec\": { \"hostPID\": true } }" -- node --version 1.11
https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal
Important remark: the AKS service principal credentials expire (by default after one year), so every year you have to update them: https://docs.microsoft.com/en-us/azure/aks/update-credentials
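The question that expiry raises in practice is "how long until I have to rotate?". The following is an added example, not code from the myakscluster repo: it reads the JSON printed by `az ad sp credential list --id <appId>` and classifies the latest secret as ok, rotate-soon or expired. The field names are an assumption (older Azure CLI versions emit `endDate`, newer Microsoft Graph based versions emit `endDateTime`; both are handled), and the credential list below is constructed.

```python
"""Check whether the AKS service principal secret is due for rotation.

Added example, not code from the myakscluster repo. It parses the JSON
that `az ad sp credential list --id <appId>` prints and compares the
latest secret expiry with a reference date. Field names are an
assumption: older Azure CLI versions emit `endDate`, newer (Microsoft
Graph based) versions emit `endDateTime`; both are handled.
"""
import json
from datetime import datetime, timezone

# Constructed sample in the shape of `az ad sp credential list` output.
# The keyIds are placeholders, not real credentials.
SAMPLE_CREDENTIALS_JSON = """
[
  {"keyId": "11111111-1111-1111-1111-111111111111",
   "startDate": "2019-06-01T00:00:00+00:00",
   "endDate": "2020-06-01T00:00:00+00:00"},
  {"keyId": "22222222-2222-2222-2222-222222222222",
   "startDate": "2018-02-01T00:00:00.000000+00:00",
   "endDate": "2019-02-01T00:00:00Z"}
]
"""


def _parse_azure_timestamp(raw):
    """Azure prints ISO 8601 with either a numeric offset or a trailing Z;
    datetime.fromisoformat() before Python 3.11 rejects the Z form."""
    stamp = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if stamp.tzinfo is None:
        stamp = stamp.replace(tzinfo=timezone.utc)
    return stamp


def parse_credentials(credentials_json):
    """Return a list of (keyId, expiry datetime) for every secret listed."""
    result = []
    for entry in json.loads(credentials_json):
        raw_end = entry.get("endDate") or entry.get("endDateTime")
        if raw_end is None:
            continue  # no end date: nothing to rotate on a schedule
        result.append((entry["keyId"], _parse_azure_timestamp(raw_end)))
    return result


def rotation_status(credentials_json, now=None, warn_days=30):
    """Classify the secret with the latest expiry as ok / rotate-soon / expired.

    Caveat: AKS is bound to one specific secret. The latest expiry in the
    list is only an upper bound on how long the cluster's secret stays
    valid; if the cluster was created with an older secret the real
    deadline is earlier, so read "ok" as "no later than".
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_azure_timestamp(now)
    credentials = parse_credentials(credentials_json)
    if not credentials:
        return {"keyId": None, "expiry": None, "days_left": None, "status": "no-secret"}
    key_id, expiry = max(credentials, key=lambda cred: cred[1])
    days_left = (expiry - now).days
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "rotate-soon"
    else:
        status = "ok"
    return {"keyId": key_id, "expiry": expiry.isoformat(),
            "days_left": days_left, "status": status}


if __name__ == "__main__":
    # Real usage: feed the output of `az ad sp credential list --id "$SP_ID"`
    # in place of the constructed sample.
    print(rotation_status(SAMPLE_CREDENTIALS_JSON))
```

When the result is rotate-soon or expired, the linked update-credentials page describes the two steps: reset the secret on the service principal, then push the new secret to the cluster with `az aks update-credentials --reset-service-principal`. Running this check from a scheduled job is cheaper than discovering the expiry when the cluster can no longer talk to Azure.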
Learnings and Gotchas:
Taints and tolerations are used to logically isolate resources with a hard cut-off: if the pod doesn't tolerate a node's taint, it isn't scheduled on the node. An alternate approach is to use node selectors. You label nodes, for example to indicate locally attached SSD storage or a large amount of memory, and then define a node selector in the pod specification. Kubernetes then schedules those pods on a matching node. Unlike tolerations, pods without a matching node selector can still be scheduled on labeled nodes. This behavior allows unused resources on the nodes to be consumed, while giving priority to pods that define the matching node selector. For a dedicated node pool that must only run specific workloads, the taint is what keeps everything else off it; the node selector alone does not.
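The asymmetry between the two mechanisms is easy to get wrong when isolating a sensitive workload on its own node pool. The following is an added example, not code from the myakscluster repo: a small feasibility check that applies just the two rules described above (a NoSchedule taint repels every pod that does not tolerate it; a nodeSelector only restricts the pod carrying it) to a constructed set of nodes and pods. The node names, labels and taint key are assumptions chosen for illustration.

```python
"""Taints/tolerations versus nodeSelector as a scheduling feasibility check.

Added example, not code from the myakscluster repo. It models only the two
rules described above: a NoSchedule taint keeps every pod off the node
unless the pod tolerates it, while a nodeSelector restricts only the pod
that carries it and does nothing to keep other pods off the labelled node.
Node and pod definitions are constructed; taint and toleration dicts use
the field names of the Kubernetes API.
"""


def tolerates(toleration, taint):
    """Kubernetes toleration matching: an empty effect matches any effect,
    operator Exists ignores the value (and an empty key with Exists matches
    every taint), operator Equal (the default) needs key and value."""
    if toleration.get("effect") and toleration["effect"] != taint["effect"]:
        return False
    if toleration.get("operator", "Equal") == "Exists":
        return not toleration.get("key") or toleration["key"] == taint["key"]
    return (toleration.get("key") == taint["key"]
            and toleration.get("value", "") == taint.get("value", ""))


def feasible(pod, node):
    """True if the scheduler may place pod on node under the two rules."""
    # Rule 1 (node-side, hard cut-off): every NoSchedule taint must be tolerated.
    for taint in node.get("taints", []):
        if taint["effect"] != "NoSchedule":
            continue  # PreferNoSchedule is soft and NoExecute is about eviction; not modelled
        if not any(tolerates(tol, taint) for tol in pod.get("tolerations", [])):
            return False
    # Rule 2 (pod-side): every nodeSelector label must be present with that value.
    labels = node.get("labels", {})
    return all(labels.get(key) == value
               for key, value in pod.get("nodeSelector", {}).items())


def feasible_nodes(pod, nodes):
    """Names of the nodes the pod could land on, in the order given."""
    return [node["name"] for node in nodes if feasible(pod, node)]


# Constructed cluster: a plain node, a labelled GPU node, and a node pool
# dedicated to sensitive workloads that is both labelled and tainted.
NODES = [
    {"name": "general-1"},
    {"name": "gpu-1", "labels": {"sku": "gpu"}},
    {"name": "sensitive-1",
     "labels": {"workload": "sensitive"},
     "taints": [{"key": "workload", "value": "sensitive", "effect": "NoSchedule"}]},
]

# Constructed pods exercising each combination.
PLAIN_POD = {"name": "plain"}
GPU_POD = {"name": "gpu-job", "nodeSelector": {"sku": "gpu"}}
TOLERATING_POD = {"name": "sensitive-app",
                  "tolerations": [{"key": "workload", "operator": "Equal",
                                   "value": "sensitive", "effect": "NoSchedule"}]}
PINNED_SENSITIVE_POD = dict(TOLERATING_POD, name="sensitive-app-pinned",
                            nodeSelector={"workload": "sensitive"})


if __name__ == "__main__":
    for pod in (PLAIN_POD, GPU_POD, TOLERATING_POD, PINNED_SENSITIVE_POD):
        print(f"{pod['name']:>22}: {feasible_nodes(pod, NODES)}")
```

Running it shows the four cases: the plain pod lands on the labelled GPU node but never on the tainted one; the GPU pod is confined to gpu-1 by its selector; a pod that merely tolerates the taint can still be scheduled anywhere, including the general nodes; only the pod with both the toleration and the selector is confined to the dedicated pool. For isolation you therefore need the taint on the pool and the selector on the sensitive pod together.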
Leveraging Managed Identity with AKS instead of a Service Principal is more secure for 2 main reasons:
Security advantages:
How to set it up with AKS Engine (not AKS yet):