Hello Team,

Request you to please provide a high level and low-level architecture diagram for this implementation and also better to provide a deciding factor in design decision eg: why application gateway used here, why used Traefik ingress controller is used?

Just a side note: Network topology diagram which is mentioned in the First page is not available. Please check the below URL:
https://camo.githubusercontent.com/611715e81294cd982921606ca9707d1ee65f4584/68747470733a2f2f646f63732e6d6963726f736f66742e636f6d2f617a7572652f6172636869746563747572652f7265666572656e63652d617263686974656374757265732f636f6e7461696e6572732f616b732f7365637572652d626173656c696e652f696d616765732f7365637572652d626173656c696e652d6172636869746563747572652e706e67

Regards

Azure Policy is not admitting the workload due to the following error:

Error creating: admission webhook "validation.gatekeeper.sh" denied the request: [denied by azurepolicy-container-limits-4d458d56ff116b957e42cd9c53b2d7dfd0584f16f78b2df83e21e35a8807f205] container memory limit <256Mi> is higher than the maximum allowed of <512>

We need to fix this so that folks don't have to disable the policy addon to get to the end of this. Might just be a syntax issue between the policy and the limits defined on the workload.

Hi All,

When I trying to connect to run the command below to check the connection, I got the timeout error.

[azureuser@aksbaseline aks-secure-baseline]$ kubectl -n a0008 run -i --rm --tty curl --image=mcr.microsoft.com/powershell --limits=cpu=200m,memory=128M -- curl -kI https://bu0001a0008-00.aks-ingress.contoso.com -w '%{remote_ip}\n'
If you don't see a command prompt, try pressing enter.

curl: (7) Failed to connect to bu0001a0008-00.aks-ingress.contoso.com port 443: Connection timed out
Session ended, resume using 'kubectl attach curl -c curl -i -t' command when the pod is running
pod "curl" deleted

And I got following error when checking the logs of the traefik pod.

[azureuser@aksbaseline aks-secure-baseline]$ kubectl logs -f traefik-ingress-controller-665bc754f9-rh2kt -n a0008
time="2020-09-05T07:31:59Z" level=info msg="Configuration loaded from file: /config/traefik.toml"
{"ingress":"aspnetapp-ingress","level":"error","msg":"Cannot create service: service not found","namespace":"a0008","providerName":"kubernetes","serviceName":"aspnetapp-service","servicePort":"http","time":"2020-09-05T07:33:43Z"}

I am wondering if anyone got this error and how to fix it?

Thanks,
Neal

Hello Team,

Since Traefik ingress used here out of the box provides HTTPS to microservices by leveraging Let's Encrypt (wildcard certificates support).
Do we also require Cert-manager installed with Traefik ingress just like we do in NGINX?

The Cloud Adoption Framework highly encourages customers to have specific tags on Azure resources. Let's ensure our baseline is populating tags such as:

• ApplicationName : A0008 (and RegionalHub for hub)
• BusinessUnit : BU0001 (and Networking for hub)
• DR : Essential (and Mission-criticial for hub & spoke)
• Env : Dev (and Prod for hub & spoke)

and of course our standard

• MSPnpRef : aks-baseline
• MSPnpRefVersion : 1.0.0

We can add them as parameters to arm templates, but with these as defaults. That will allow us to update Version number easy if we want. We should also strongly recommend that customers provide their own values for tags, and not just deploy with our defaults.

All suggestions above are just that, suggestions. We can figure out what's best for us.

Hello Team,

In this reference architecture, we are having WAF in Spoke vnet

Can you please explain why to have this in Spoke vnet when we can manage it centrally in Hub Vnet. Any considerations on this?

Regards,

We currently reference a couple images from quay.io and docker.io. These should be brought into our ACR instance and referenced that way instead. Update the instructions to include this step and changes.

Opened on behalf of @nitinkhandelwal26

Quote:
While using inner loop script on Bash on VS code with windows machine. I encountered below errors:
Script : aks-secure-baseline/inner-loop-scripts/shell/1-cluster-stamp.sh
Code :

# App Gateway Certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048
-out appgw.crt
-keyout appgw.key
-subj "/CN=bicycle.contoso.com/O=Contoso Bicycle"
openssl pkcs12 -export -out appgw.pfx -in appgw.crt -inkey appgw.key -passout pass:

Is not working.
I also tried on azure devops windows agent with Bash task, that was also giving same error.

But when i used Ubuntu 18.04 LTS to deploy these scripts, there were working fine, same with Azure DevOps agent.

(Copied from #91)

Hi Team,

I was trying to add user in to Azure key vault access policy but I am facing issue .
I am following the below link: https://github.com/mspnp/aks-secure-baseline/blob/main/07-workload-prerequisites.md

My user format is username@customerdomainname

could you please look into this issue.

Super nit issue, but I think would help in readability.

Subscription functions are not consistent when creating role definition variables. Some return .id others return .subscriptionId. I've submitted a PR to address.

Examples from template

# Returns .subscriptionId
"acrPullRole": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d')]",

# Returns .id
"managedIdentityOperatorRole": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830')]",

Another thing to consider, add a function that takes in the role name (id looking thing) and outputs the resource id for that role. The code could look like this:

Function declaration

"functions": [
        {
            "namespace": "role",
            "members": {
                "resourceId": {
                    "parameters": [
                        {
                            "name": "roleDefinitionId",
                            "type": "string"
                        }
                    ],
                    "output": {
                        "value": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/', parameters('roleDefinitionId'))]",
                        "type": "string"
                    }
                }
            }
        }
    ]

variable assignment

"networkContributorRole": "[role.resourceId('4d97b98b-1d4f-4787-a291-c67834d212e7')]",
"monitoringMetricsPublisherRole": "[role.resourceId('3913510d-42f4-4e42-8a64-420c390055eb')]",
"acrPullRole": "[role.definition('7f951dda-4ed3-4680-a7ca-43fe172d538d')]",
"managedIdentityOperatorRole": "[role.resourceId('f1a07417-d97a-45cb-824c-7a7467783830')]",
"virtualMachineContributorRole": "[role.resourceId('9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]",
"readerRole": "[role.resourceId('acdd72a7-3385-48ef-bd42-f606fba81ae7')]",

I would be happy to submit the PR if this is of interest.

Hello Team,

Looking for Guidance on implementing Service Mesh from Infrastructure point.
Do you have any references or roadmap of this implementation?

Regards,

Hello Team,
we have configured the Alert rule using your code Podfailephase Alert via ARM template cluster stamp.json after that we have configured the Alert with email configuration then we forcefully failed one pod for testing purpose but we are not getting Alert email or any alert notification in portal from podfailedphase alert rule.

could you please help us to figure it out the missing steps.

Hello Team,

After successful previous deployment in 1.17 v of aks cluster, i tried reploying the cluster with newer templates with version 1.18.8 given in template.
But in new template AKS managed internal loadbalancer is not getting created.

Can you please check this issue.

Hello team, though its not focus on workload, but still its better to show helm deployment integration in combination with Flux.
We are new to AKS, Please give one sample here.

Hello Team,
Can you please specify what is XMAS Scale-out and Upgrade Node values in the subnet details table mentioned in
https://github.com/mspnp/aks-secure-baseline/blob/main/networking/topology.md

Regards,
Nitin

The baseline is currently targeting 1.17. 1.18 is in preview and also comes with Ubuntu 18.04 by default. Update the reference implementation to support 1.18. We won't plan on merging this this until 1.18 is GA.

Hi,

Can you please provide some production best practices on refreshing certificate on production system as this is baseline architecture for the production system.
Certificate Rotation is available in Kubernetes from version 1.8, request your secure implementation around this.

Regards,

Deployment is successful, I have created DNS entry but unable to access the website not even by IP.
It throwing 404 error, Any steps to debug the same?

Below is the error:

404 Not Found
Microsoft-Azure-Application-Gateway/v2

Please provide an alternative document for AAD integration because when I click to https://docs.microsoft.com/en-in/azure/aks/managed-aad#before-you-begin
and also this is a preview feature and we don't know when GA of this V2 version will be available.
Request you to provide one sample implementation or documentation till the time AAD V2 is not available.

Do an upgrade pass on AAD pod identity - to 1.6.3 (or whatever is latest)

• Ensure we're pulling from the new mcr.microsoft.com/oss/azure/aad-pod-identity location as well.

Hello Team,

When implementing Traefik URL rewriting in workload deployment:
https://github.com/mspnp/aks-secure-baseline/blob/main/workload/aspnetapp.yaml

    kubernetes.io/ingress.class: traefik-internal
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.options: default
    traefik.ingress.kubernetes.io/router.middlewares: app-gateway-snet@file, gzip-compress@file
    traefik.ingress.kubernetes.io/rewrite-target: / 
spec:
  # ingressClassName: "traefik-internal"
  tls:
  - hosts:
      - services-00.abc.com
        # In this Implementation we use a
        # wildcard default certificate added at Ingress Controller configuration level which is *.example.com
        # secretName: <services-00-example-com-tls-secret>
  rules:
  - host: services-00.abc.com
    http:
      paths:
      - path: /login

my workload which is having /login path at service, it's not working. can you please help...

Hello Team,

Currently, we are using 1.18, and 1.19 will be GA by end of this month.
Any guidance or considerations on the AKS cluster upgrade in a production environment?
Any automation possible using flux on this part?

Hello Team,

Any plan to provide reference implementation on statefulset?

Regards,

In your spoke json, it is hard coded for the service cidr range. It seems like a grey area if this ip space can be reused across different clusters? Overlap with other vnets with which the cluster virtual network peers. If spoke A peers with Spoke B, would that be considered overlapping if set on 2 clusters?
https://docs.microsoft.com/en-us/azure/aks/configure-azure-cni

Kubernetes service address range: This is the set of virtual IPs that Kubernetes assigns to internal services in your cluster. You can use any private address range that satisfies the following requirements:

Must not be within the virtual network IP address range of your cluster
Must not overlap with any other virtual networks with which the cluster virtual network peers
Must not overlap with any on-premises IPs
Must not be within the ranges 169.254.0.0/16, 172.30.0.0/16, 172.31.0.0/16, or 192.0.2.0/24
Although it's technically possible to specify a service address range within the same virtual network as your cluster, doing so is not recommended. Unpredictable behavior can result if overlapping IP ranges are used. For more information, see the FAQ section of this article. For more information on Kubernetes services, see Services in the Kubernetes documentation.

We had done work to make sure we were not getting any Pod Disruption Budget warnings out of Azure Advisor, but we are still getting them on this. Maybe it's out of our control? If so, we could considering list that on one of the final pages of the readme here so customers are not surprised, maybe where we talk about reviewing Azure Advisor Alerts.

Maybe better, we can see if we can resolve the issue so we don't get the AA alert.

Hello Team,

Can you please clarify in this implementation

Why you have used Azure Application Gateway WebApplication Firewall when we have Azure Firewall available in hub vnet,
Cannot we route all incoming traffic to Traefik ingress from Azure firewall using UDR in the Route table?

Request you to please explain What is core logic behind that.

Regards,

Hello Team,

Try to get the pod log using :
kubectl logs csi-secrets-store-9wr95 -n cluster-baseline-settings -c secrets-store
and getting below output:
Error from server: Get https://aks-npuser01-42213062-vmss00000c:10250/containerLogs/cluster-baseline-settings/csi-secrets-store-9wr95/s
ecrets-store: dial tcp 10.10.128.197:10250: i/o timeout

Where in portal its showing like

Don't know why I am unable to fetch logs from any pods, Can you please help me here..

Today we install AAD Pod Identity ourselves to make it available to our workloads. AAD Pod Identity is coming as a managed add-on to eliminate this manual step.

1. Remove the .yaml file from the flux configuration
2. Update the workload deployment steps that use AAD Pod Identity to reference the built-in solution (should be no change in instructions though)
3. Update the main page to move that from the OOS list to the features list

Hi Team,

I am trying to create a cluster with AAD V2 Enable feature but facing below issue.

""The AvailabilityProfile type of agentpool 'npsystem' is set to VirtualMachineScaleSets, but the Kubernetes version is 1.18.4(preview) which doesn't support VMSS."

I have also faced issue while creating cluster with version 1.17 , AKS cluster node pool status was failed.

I am referring link: https://github.com/mspnp/aks-secure-baseline/blob/main/05-aks-cluster.md

Regards,
Rambabu

Our documentation currently lists the AAD-V2 preview requirement of az feature register --namespace "Microsoft.ContainerService" --name "AAD-V2" (and the subsequent provider registration). That feature is rolling out of preview and should no longer be necessary to do. Once the dust has settled on that, update the readme steps to reflect this.

Hi team,

Can we use Let's Encrypt certificate for the standard certificate in production deployment for the ingress controller? or do we need to acquire from a paid CA provider?

For the Azure Application Gateway WAF EV certificate, we will use paid CA certificate providers like entrust.
Q: What is the design consideration for taking an EV certificate here?

Regards,

When deploying the cluster using Github actions flow (05 - aks cluster, option 3) the deployment name is cluster-stamp-cd and not cluster-stamp.

This causes one of the following steps to break:

7. Obtain the Azure Key Vault details and give the current user permissions to import certificates.
   KEYVAULT_NAME=$(az deployment group show --resource-group rg-bu0001a0008 -n cluster-stamp --query properties.outputs.keyVaultName.value -o tsv)

Either the deployment name should be changed in GH Action flow, or the doc need to note this.

https://github.com/mspnp/aks-secure-baseline/blob/main/inner-loop-scripts/shell/1-cluster-stamp.sh#L126-L148
https://github.com/mspnp/aks-secure-baseline/blob/main/workload/traefik.yaml#L281-L286

Why would I want to mount my TLS cert that is only used by my ingress?

Would it not be better to use http://akv2k8s.io to sync the TLS cert to K8s?

At the time this was opened, 0.0.9 is the current production version. But when this task is picked up evaulate any newer version as well.

it is being reported that the kubectl get constrainttemplate does not return any resource so we want to clarify what would be the "correct" response to that command.
Originally posted by @ckittel in #13 (comment)

Latest Azure AD Addon has been released, upgrade to 1.7.0 (or whatever is newer once this is picked up)

https://github.com/Azure/aad-pod-identity/releases/tag/v1.7.0

This doc includes instructions for base64 encoding certificates using bas64 -w. The -w option is not available on macOS and would rather be -b 0 which is also the command default so can be omitted.

https://github.com/mspnp/aks-secure-baseline/blob/main/02-ca-certificates.md

Hi Team,

I have several points which are not clear/explained from the documentation available at aka.ms/architecture/aks-baseline:

Q What are the considerations you took for this case study in choosing the Traefik ingress controller with Azure Application Gateway when we have AGIC available which have integrated WAF?.
Q: Why you defined workload-level ingress rather than cluster-level ingress? if we define cluster-level ingress then any special considerations do we need to make? - require guidance.

Regards,

Hello Team,

I just encountered one warning in CSI logs
kubectl logs csi-secrets-store-9wr95 -n cluster-baseline-settings -c secrets-store

Though it's not an issue and doesn't know how it will impact the CSI store. just to bring into your notice..

The LA name for the network template is not globally unique. Generate one in the default hub that can be also infered from the spoke. If it cannot be infered, then we'll need to pass that information into the spoke -- but let's try to make a unique string that uses the subscription+resource group+region for the regional hub.

Hi Team,

I have deployed the full solution in my environment but I am not able to see the cluster if I login using AD user as bu0001a0008-admin .

could you please suggest how can i get access or any additional configuration needs to be done.

after add IAM role manually , i am able to access the cluster.

Create a branch that replaces the k8s AAD Group based auth to Azure RBAC mapped access. This shouldn't land until GA, but we can have it tested and ready to go ahead of GA.

Ensure the following configuration is validated and accounted for:

• ContainerD
• Default Custom Node Config placeholder
• Ephemeral OS disk
• AutoUpgrade = False (if available in API by that time)

The location parameter default value is set as eastus2. Consider updating with the expression [resourcegroup().location].

https://github.com/mspnp/aks-secure-baseline/blob/main/cluster-stamp.json#L43

Understood that the allowed values are limited to availability set enable regions, I can confirm that the ARM validation API will evaluate the expression and enforce the allowed values.

We have this initiative set to Audit, and we have four failures in our cluster. Can we clean up our exclusions or policy defination to bring us back in line with our expected stance?

Hi Team,

I have deployed cluster with workload successfully but I am unable to access application running on cluster.
I have followed the below link:
https://github.com/mspnp/aks-secure-baseline/blob/main/10-validation.md

please find the Attached screenshot.

Deployment failed. Correlation ID: b6887f5f-84ef-4374-ac6e-b25a25b57392. {
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "BadRequest",
"message": "{\r\n "error": {\r\n "code": "RoleAssignmentUpdateNotPermitted",\r\n "message": "Tenant ID, application ID, principal ID, and scope are not allowed to be updated."\r\n }\r\n}"
}
]
}
]
}
}

I am experiencing a high deployment failure rate due to principal not found during deployment. Sometime the deployment is successful, other times it fails. After a failure, I can re-deploy the tempalte, which will then succeed.

I know that we once had 'replication' latency on managed service identities, which would cause similar issues. However as I understand it, this was fixed with the role assignment resource of version 2018-09-01-preview which is being used here. ARM tempalte dependencies are in place and look good.

I wonder if this is isolated to myself or if others are seeing similar issues?

There are several "kubectl --watch" command in the script 1-cluster-stamp.sh and "set -e" will break the script with Ctrl-C.

Hello Team,

If our cost model is to charge the customer based on API incoming requests or the number of hits then would it be wise to include API management between App Gateway and Ingress controller? or any other components that can be used for this purpose? Request you to please provide Guidance or Suggestions on this.

Regards,