Doc consistency and minor improvements. (#311)
* Allow communication with API server via udp/1194.

References:
#223
https://docs.microsoft.com/en-us/azure/firewall/protect-azure-kubernetes-service

* Return IP address instead of res. ID (acc. to doc)

* Minimal user feedback: echo variables to console.

* ifconfig.io to return IPv4 addr for access policy

* Notes for macOS users, having BSD sed.

* Improvement to comment.

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* Comment out firewall rule, but add hints.

* Enable FW rule in bicep; remove warning.

* Update references to 'aks-baseline'.

* Get current branch name and pass as parameter.

* Pass domain name as parameter to curl container.

* Optimize docs for pre-existing AAD group.

- Add bash snippet to set pre-existing group.
- Add hints to skip user creation / member adding group has members.

* Hint for single-tenant deployment.

* Make namespace reader group optional.

* Fix: Print correct variable name.

* Only stage intentionally changed file for commit.

* FIx deployment failures on role lookup

* Add some clarification to docs.

* Make saveenv.sh independent of current directory.

* Append suffix to GITOPS variables...

...making sure they are also written to aks_baseline.env by saveenv.sh.

* export GITOPS variables.

* Revert "FIx deployment failures on role lookup"

This reverts commit 9234b57.

* Revert "Only stage intentionally changed file for commit."

This reverts commit fba516b.

* GITOPS variables are just 'local'.

* Update 01-prerequisites.md

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* Update 03-aad.md

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* Update 03-aad.md

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* Update 03-aad.md

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* Update 03-aad.md

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* Update 11-validation.md

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* Update 03-aad.md

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* Update 03-aad.md

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>

* GITOPS variables are just 'local'.

Co-authored-by: Chad Kittel <chad.kittel@gmail.com>
ulkeba and ckittel authored May 2, 2022
1 parent 3edb913 commit 1195284
Showing 11 changed files with 158 additions and 135 deletions.
6 changes: 4 additions & 2 deletions 01-prerequisites.md
Expand Up @@ -53,9 +53,11 @@ This is the starting point for the instructions on deploying the [AKS Baseline r

> :twisted_rightwards_arrows: If you have forked this reference implementation repo, you'll be able to customize some of the files and commands for a more personalized and production-like experience; ensure references to this git repository mentioned throughout the walk-through are updated to use your own fork.
> Make sure you use HTTPS (and not SSH) to clone the repository. (The remote URL will later be used to configure GitOps using Flux which requires an HTTPS endpoint to work properly.)
```bash
git clone https://github.com/mspnp/aks-secure-baseline.git
cd aks-secure-baseline
git clone https://github.com/mspnp/aks-baseline.git
cd aks-baseline
```

> :bulb: The steps shown here and elsewhere in the reference implementation use Bash shell commands. On Windows, you can use the [Windows Subsystem for Linux](https://docs.microsoft.com/windows/wsl/about) to run Bash.
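Review bot: the new HTTPS note (second `>` line) would be more useful if it said what the reader can check and why it matters: 06-aks-cluster.md reads the remote with `git config --get remote.origin.url` and passes it to the cluster deployment as `gitOpsBootstrappingRepoHttpsUrl`, so an SSH remote of the form `git@github.com:...` is handed to Flux verbatim and bootstrapping fails later with no hint back to this step. Suggest adding `git remote -v` as a quick check here, and a reminder that the remote must be the reader's fork (not the upstream `https://github.com/mspnp/aks-baseline.git`) if any of the customizations mentioned in the previous sentence are to take effect.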
226 changes: 119 additions & 107 deletions 03-aad.md
2 changes: 1 addition & 1 deletion 04-networking.md
Expand Up @@ -94,7 +94,7 @@ The following two resource groups will be created and populated with networking
```bash
RESOURCEID_SUBNET_NODEPOOLS=$(az deployment group show -g rg-enterprise-networking-spokes -n spoke-BU0001A0008 --query properties.outputs.nodepoolSubnetResourceIds.value -o json)
echo RESOURCEID_VNET_HUB: $RESOURCEID_SUBNET_NODEPOOLS
echo RESOURCEID_SUBNET_NODEPOOLS: $RESOURCEID_SUBNET_NODEPOOLS

# [This takes about ten minutes to run.]
az deployment group create -g rg-enterprise-networking-hubs -f networking/hub-regionA.bicep -p location=eastus2 nodepoolSubnetResourceIds="${RESOURCEID_SUBNET_NODEPOOLS}"
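Review bot: the echo label fix is correct, but the value it prints is a JSON array that is empty when the `az deployment group show` lookup fails (wrong subscription, misspelled deployment name), and the `az deployment group create` that follows would then receive an empty `nodepoolSubnetResourceIds`. Suggest quoting the variable so the array is printed intact, `echo RESOURCEID_SUBNET_NODEPOOLS: "$RESOURCEID_SUBNET_NODEPOOLS"`, and adding a one-line guard such as `[ -n "$RESOURCEID_SUBNET_NODEPOOLS" ] || echo "spoke lookup failed"` before the ten-minute hub deployment.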
5 changes: 4 additions & 1 deletion 06-aks-cluster.md
Expand Up @@ -11,6 +11,9 @@ Now that your [ACR instance is deployed and ready to support cluster bootstrappi
```bash
GITOPS_REPOURL=$(git config --get remote.origin.url)
echo GITOPS_REPOURL: $GITOPS_REPOURL

GITOPS_CURRENT_BRANCH_NAME=$(git branch --show-current)
echo GITOPS_CURRENT_BRANCH_NAME: $GITOPS_CURRENT_BRANCH_NAME
```

1. Deploy the cluster ARM template.
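Review bot: `git branch --show-current` prints nothing on a detached HEAD (for example after checking out a release tag) and needs git 2.22 or later, so `GITOPS_CURRENT_BRANCH_NAME` can silently end up empty; the echo line exposes that, but a reader who skims past it passes an empty branch to the cluster deployment in the next step. Suggest a guard such as `[ -n "$GITOPS_CURRENT_BRANCH_NAME" ] || echo "Check out a branch before continuing"`, plus a sentence that the branch must already be pushed to the remote, since Flux fetches it from `GITOPS_REPOURL`, not from the local clone.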
Expand All @@ -20,7 +23,7 @@ Now that your [ACR instance is deployed and ready to support cluster bootstrappi

```bash
# [This takes about 18 minutes.]
az deployment group create -g rg-bu0001a0008 -f cluster-stamp.bicep -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE} clusterAdminAadGroupObjectId=${AADOBJECTID_GROUP_CLUSTERADMIN_AKS_BASELINE} a0008NamespaceReaderAadGroupObjectId=${AADOBJECTID_GROUP_A0008_READER_AKS_BASELINE} k8sControlPlaneAuthorizationTenantId=${TENANTID_K8SRBAC_AKS_BASELINE} appGatewayListenerCertificate=${APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE} aksIngressControllerCertificate=${AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE} domainName=${DOMAIN_NAME_AKS_BASELINE} gitOpsBootstrappingRepoHttpsUrl=${GITOPS_REPOURL}
az deployment group create -g rg-bu0001a0008 -f cluster-stamp.bicep -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE} clusterAdminAadGroupObjectId=${AADOBJECTID_GROUP_CLUSTERADMIN_AKS_BASELINE} a0008NamespaceReaderAadGroupObjectId=${AADOBJECTID_GROUP_A0008_READER_AKS_BASELINE} k8sControlPlaneAuthorizationTenantId=${TENANTID_K8SRBAC_AKS_BASELINE} appGatewayListenerCertificate=${APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE} aksIngressControllerCertificate=${AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE} domainName=${DOMAIN_NAME_AKS_BASELINE} gitOpsBootstrappingRepoHttpsUrl=${GITOPS_REPOURL} gitOpsBootstrappingRepoBranch=${GITOPS_CURRENT_BRANCH_NAME}
```

> Alteratively, you could have updated the [`azuredeploy.parameters.prod.json`](./azuredeploy.parameters.prod.json) file and deployed as above, using `-p "@azuredeploy.parameters.prod.json"` instead of providing the individual key-value pairs.
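Review bot: the new `gitOpsBootstrappingRepoBranch=${GITOPS_CURRENT_BRANCH_NAME}` parameter is added to the inline command only, while the unchanged note below still offers `azuredeploy.parameters.prod.json` as an equivalent path; either that file needs the new parameter as well or the Bicep `param` needs a default (for example `main`), otherwise the alternative path fails on a missing parameter. While touching this line: 'Alteratively' in the context line should be 'Alternatively'.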
2 changes: 1 addition & 1 deletion 09-secret-management-and-ingress-controller.md
Expand Up @@ -97,7 +97,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi
:warning: Deploying the traefik `traefik.yaml` file unmodified from this repo will be deploying your workload to take dependencies on a public container registry. This is generally okay for learning/testing, but not suitable for production. Before going to production, ensure _all_ image references are from _your_ container registry or another that you feel confident relying on.
```bash
kubectl create -f https://raw.githubusercontent.com/mspnp/aks-secure-baseline/main/workload/traefik.yaml
kubectl create -f https://raw.githubusercontent.com/mspnp/aks-baseline/main/workload/traefik.yaml
```
1. Wait for Traefik to be ready.
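Review bot: the renamed URL still fetches `workload/traefik.yaml` from `main` of the upstream repository over the network, so fork customizations (which 01-prerequisites.md encourages) are ignored, and the manifest a reader deploys can change whenever upstream `main` moves. The repository is already cloned at this point, so `kubectl create -f workload/traefik.yaml` applies the local, reviewed copy and removes one unpinned remote dependency, which is the same concern the `:warning:` above raises for image references.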
3 changes: 1 addition & 2 deletions 10-workload.md
Expand Up @@ -46,10 +46,9 @@ The cluster now has an [Traefik configured with a TLS certificate](./08-secret-m
> You should expect a `403` HTTP response from your ingress controller if you attempt to connect to it _without_ going through the App Gateway. Likewise, if any workload other than the ingress controller attempts to reach the workload, the traffic will be denied via network policies.
```bash
kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}}]' --override-type json
kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}}]' --override-type json --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}"

# From within the open shell now running on a container inside your cluster
DOMAIN_NAME="contoso.com" # <-- Change to your custom domain value if a different one was used
curl -kI https://bu0001a0008-00.aks-ingress.$DOMAIN_NAME -w '%{remote_ip}\n'
exit
```
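Review bot: `--env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}"` is expanded by the local shell before the pod starts, so if `DOMAIN_NAME_AKS_BASELINE` is unset in the current session (a fresh shell without `source aks_baseline.env`), the container gets an empty `DOMAIN_NAME` and `curl` targets `https://bu0001a0008-00.aks-ingress.` with a confusing resolution error instead of the intended `403` check. Suggest an `echo DOMAIN_NAME_AKS_BASELINE: $DOMAIN_NAME_AKS_BASELINE` before the `kubectl run`, matching the pattern used in the other steps, and `echo $DOMAIN_NAME` as the first command inside the container.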
31 changes: 18 additions & 13 deletions 11-validation.md
Expand Up @@ -26,7 +26,9 @@ This section will help you to validate the workload is exposed correctly and res

1. Browse to the site (e.g. <https://bicycle.contoso.com>).

> :bulb: A TLS warning will be present due to using a self-signed certificate. You can ignore it or import the self-signed cert (`appgw.pfx`) to your user's trusted root store.
> :bulb: Remember to include the protocol prefix `https://` in the URL you type in the address bar of your browser. A TLS warning will be present due to using a self-signed certificate. You can ignore it or import the self-signed cert (`appgw.pfx`) to your user's trusted root store.
Refresh the web page a couple of times and observe the value `Host name` displayed at the bottom of the page. As the Traefik Ingress Controller balances the requests between the two pods hosting the web page, the host name will change from one pod name to the other throughtout your queries.

## Validate reader access to the a0008 namespace. _Optional._

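Review bot: the new 'Refresh the web page a couple of times' paragraph directly follows the `>` blockquote line with no blank line between them, so CommonMark lazy continuation folds it into the :bulb: quote; insert a blank line before it. Also 'throughtout' should be 'throughout'.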
Expand All @@ -48,7 +50,11 @@ Your workload is placed behind a Web Application Firewall (WAF), which has rules

1. Browse to the site with the following appended to the URL: `?sql=DELETE%20FROM` (e.g. <https://bicycle.contoso.com/?sql=DELETE%20FROM>).
1. Observe that your request was blocked by Application Gateway's WAF rules and your workload never saw this potentially dangerous request.
1. Blocked requests (along with other gateway data) will be visible in the attached Log Analytics workspace. Execute the following query to show WAF logs, for example.
1. Blocked requests (along with other gateway data) will be visible in the attached Log Analytics workspace.

Browse to the Application Gateway in the resource group `rg-bu0001-a0008` and navigate to the _Logs_ blade. Execute the following query below to show WAF logs and see that the request was rejected due to a _SQL Injection Attack_ (field _Message_).

> :warning: Note that it may take a couple of minutes until the logs are transferred from the Application Gateway to the Log Analytics Workspace. So be a little patient if the query does not immediatly return results after sending the https request in the former step.
```
AzureDiagnostics
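Review bot: the new step names the resource group `rg-bu0001-a0008`, while every other step on this page (Prometheus, workload logs, alerts) uses `rg-bu0001a0008`; use the latter so a reader copying the name finds the group. Two smaller points in the added :warning: line: 'immediatly' should be 'immediately', and 'https request' reads better as 'HTTPS request'.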
Expand Down Expand Up @@ -77,15 +83,14 @@ Azure Monitor is configured to [scrape Prometheus metrics](https://docs.microsof
- [Traefik](./workload/traefik.yaml) (in the `a0008` namespace)
- [Kured](./cluster-baseline-settings/kured.yaml) (in the `cluster-baseline-settings` namespace)

:bulb: This reference implementation ships with two saved queries (_All collected Prometheus information_ and _Nodes reboot required by kured_) as an example of how you can write your own and manage them via ARM templates.

### Steps

1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
1. Select your Log Analytic Workspace resource.
1. Click _Saved Searches_.

:bulb: This reference implementation ships with some saved queries as an example of how you can write your own and manage them via ARM templates.

1. Type _Prometheus_ in the filter.
1. Select your Log Analytic Workspace resource and open the _Logs_ blade.
1. In the popup _Queries_ select _Legacy category_ in the drop down field in the upper left corner.
1. Select _Prometheus_ in the section list on the left.
1. You are able to select and execute the saved query over the scraped metrics.

## Validate Workload Logs
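Review bot: the rewritten step 'Select your Log Analytic Workspace resource and open the _Logs_ blade' repeats the pre-existing misnomer; the product name is 'Log Analytics workspace', and since this hunk replaces the line anyway it is the moment to fix it. The _Legacy category_ drop-down is a portal UI detail that tends to move; naming the two saved queries in the :bulb: line (as the hunk now does) is what lets readers find them when the UI changes, so consider pointing step 4 at those names rather than only at the section list.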
Expand All @@ -95,7 +100,7 @@ The example workload uses the standard dotnet logger interface, which are captur
### Steps

1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
1. Select your Log Analytic Workspace resource.
1. Select your Log Analytic Workspace resource and open the _Logs_ blade.
1. Execute the following query

```
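Review bot: same naming point as in the Prometheus steps: 'Log Analytic Workspace' in the changed line should read 'Log Analytics workspace'. The unchanged 'Execute the following query' line is missing its period.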
Expand All @@ -121,13 +126,13 @@ Azure will generate alerts on the health of your cluster and adjacent resources.
An alert based on [Azure Monitor for containers information using a Kusto query](https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-alerts) was configured in this reference implementation.

1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
1. Select _Alerts_, then _Manage Rule Alerts_.
1. There is an alert called "PodFailedScheduledQuery" that will be triggered based on the custom query response.
1. Select _Alerts_, then _Alert Rules_.
1. There is an alert titled "[your cluster name] Scheduled Query for Pod Failed Alert" that will be triggered based on the custom query response.

An [Azure Advisor Alert](https://docs.microsoft.com/azure/advisor/advisor-overview) was configured as well in this reference implementation.

1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
1. Select _Alerts_, then _Manage Rule Alerts_.
1. Select _Alerts_, then _Alert Rules_.
1. There is an alert called "AllAzureAdvisorAlert" that will be triggered based on new Azure Advisor alerts.

A series of metric alerts were configured as well in this reference implementation.
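Review bot: the new title "[your cluster name] Scheduled Query for Pod Failed Alert" is a display name the template generates, so it should be checked against the alert's name expression in cluster-stamp.bicep (touched elsewhere in this commit) to confirm the wording and spacing match what the portal shows. Since the Advisor alert below keeps the literal name "AllAzureAdvisorAlert", the reader now sees two naming styles and may take the bracketed part as something to type; a short note that it is substituted with the actual cluster name removes that ambiguity.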
Expand All @@ -151,7 +156,7 @@ If you configured your third-party images to be pulled from your Azure Container
| where OperationName == 'Pull'
```

1. You should see logs for CSI, kured, memcached, and traefik. You'll see multiple for some as the image was pulled to multiple nodes to satisfy ReplicaSet/DaemonSet placement.
1. You should see logs for kured. You'll see multiple for some as the image was pulled to multiple nodes to satisfy ReplicaSet/DaemonSet placement.

## Next step

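Review bot: after narrowing the list to kured, the sentence 'You'll see multiple for some as the image was pulled to multiple nodes' no longer has a 'some' to refer to; suggest 'You'll likely see several entries, as the kured image is pulled to every node to satisfy its DaemonSet placement' (ReplicaSet no longer applies when only kured is listed). If CSI, memcached and traefik were dropped because they are no longer pulled through ACR in this walkthrough, a one-line reason would help readers who expected to see them.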
4 changes: 2 additions & 2 deletions CONTRIBUTING.md
Expand Up @@ -43,13 +43,13 @@ If your issue appears to be a bug, and hasn't been reported, open a new issue. H
* **Related Issues** - has a similar issue been reported before?
* **Suggest a Fix** - if you can't fix the bug yourself, perhaps you can point to what might be causing the problem (line of code or commit)

You can file new issues by providing the above information at the corresponding repository's issues link: https://github.com/mspnp/aks-secure-baseline/issues/new].
You can file new issues by providing the above information at the corresponding repository's issues link: https://github.com/mspnp/aks-baseline/issues/new].

### <a name="submit-pr"></a> Submitting a Pull Request (PR)

Before you submit your Pull Request (PR) consider the following guidelines:

* Search the repository (<https://github.com/mspnp/aks-secure-baseline/pulls>) for an open or closed PR
* Search the repository (<https://github.com/mspnp/aks-baseline/pulls>) for an open or closed PR
that relates to your submission. You don't want to duplicate effort.

* Make your changes in a new git fork:
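Review bot: the rewritten issues link in the first change keeps the stray `]` after `.../issues/new` from the old line, which some renderers attach to the URL; drop it while the line is being touched. The pulls link in the second change is fine.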
4 changes: 2 additions & 2 deletions cluster-stamp.bicep
Expand Up @@ -1495,7 +1495,7 @@ resource mcAadAdminGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authori
dependsOn: []
}

resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && !(empty(a0008NamespaceReaderAadGroupObjectId)) && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
scope: nsA0008
name: guid('aad-a0008-reader-group', mc.id, a0008NamespaceReaderAadGroupObjectId)
properties: {
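Review bot: the new `!(empty(a0008NamespaceReaderAadGroupObjectId))` guard only makes the group optional if the `param` declaration (outside this hunk) also defaults to an empty string; without `= ''` the deployment command in 06-aks-cluster.md still has to pass a value, and a `@minLength` decorator, if present, would reject the empty string. Also check the branch taken when `isUsingAzureRBACasKubernetesRBAC` is false, where the same group id presumably ends up in Kubernetes RoleBinding subjects, for the same empty-id case. Style: `!empty(x)` reads better than `!(empty(x))`.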
Expand All @@ -1507,7 +1507,7 @@ resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Author
dependsOn: []
}

resource maAadA0008ReaderGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
resource maAadA0008ReaderGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && !(empty(a0008NamespaceReaderAadGroupObjectId)) && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
scope: mc
name: guid('aad-a0008-reader-group-sc', mc.id, a0008NamespaceReaderAadGroupObjectId)
properties: {
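Review bot: the condition is now duplicated verbatim across both reader-group role assignments and is long enough to drift on a future edit; hoist it into a `var`, for example `var deployA0008ReaderRoleAssignments = isUsingAzureRBACasKubernetesRBAC && !empty(a0008NamespaceReaderAadGroupObjectId) && a0008NamespaceReaderAadGroupObjectId != clusterAdminAadGroupObjectId`, and use it in both `if (...)` clauses. The `guid(...)` names still take the raw group id, which is fine because both resources are skipped when it is empty.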
4 changes: 2 additions & 2 deletions inner-loop-scripts/shell/1-cluster-stamp.sh
Expand Up @@ -43,7 +43,7 @@ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-subj "/CN=*.aks-ingress.contoso.com/O=Contoso Aks Ingress"
AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64=$(cat traefik-ingress-internal-aks-ingress-tls.crt | base64 | tr -d '\n')

# WARNING: Below hasn't yet been updated for Azure Key Vault RBAC support that came in https://github.com/mspnp/aks-secure-baseline/releases/tag/v1.21.2.2
# WARNING: Below hasn't yet been updated for Azure Key Vault RBAC support that came in https://github.com/mspnp/aks-baseline/releases/tag/v1.21.2.2

# AKS Cluster Creation. Advance Networking. AAD identity integration. This might take about 10 minutes
# Note: By default, this deployment will allow unrestricted access to your cluster's API Server.
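Review bot: this is a link rename only; verify that the new URL resolves to the `v1.21.2.2` release, since GitHub redirects renamed repositories and the old link would have kept working, which can mask a broken new one. The WARNING itself remains accurate and should stay until the script catches up with the Key Vault RBAC change.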
Expand Down Expand Up @@ -82,7 +82,7 @@ echo ""
echo "# Creating AAD Groups and users for the created cluster"
echo ""

# unset errexit as per https://github.com/mspnp/aks-secure-baseline/issues/69
# unset errexit as per https://github.com/mspnp/aks-baseline/issues/69
set +e
echo $'Ensure Flux has created the following namespace and then press Ctrl-C'
kubectl get ns a0008 --watch
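Review bot: the comment rename is fine, but the `set +e` immediately below disables errexit for the remainder of the script, presumably because the `kubectl get ns a0008 --watch` loop exits non-zero on Ctrl-C (the linked issue #69); re-enable it with `set -e` once the watch returns so that failures in the AAD group and user creation that follows still abort the script instead of being silently skipped.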
6 changes: 4 additions & 2 deletions saveenv.sh
Expand Up @@ -4,10 +4,12 @@
# the page they are created on. Then a user can source this file to restore those environment
# variables if their shell session is reset for some reason.

cat > aks_baseline.env << EOF
DIR_NAME=$(dirname "$0")

cat > $DIR_NAME/aks_baseline.env << EOF
#!/bin/bash
$(env | sed -n "s/\(.*_AKS_BASELINE=\)\(.*\)/export \1'\2'/p" | sort)
EOF

cat aks_baseline.env
cat $DIR_NAME/aks_baseline.env
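Review bot: `$DIR_NAME` is unquoted in both the redirection and the final `cat`, so a checkout path containing a space breaks the script; write `"$DIR_NAME/aks_baseline.env"` in both places. `dirname "$0"` also only gives the script's directory when the script is executed; if a reader sources it (`. ./saveenv.sh`, the same way they later source `aks_baseline.env`), `$0` is the shell name and `DIR_NAME` becomes `.`, so `dirname "${BASH_SOURCE[0]}"` is the robust choice given the `#!/bin/bash` header. Finally, the generated file is a plain-text dump of every `*_AKS_BASELINE` value, including `APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE` (a base64 PFX, which may carry private key material), so consider `umask 077` before the `cat >` or a `chmod 600` afterwards.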
