The AKS Cluster has been enrolled in GitOps management, wrapping up the infrastructure focus of the AKS Baseline reference implementation. Follow the steps below to import the TLS certificate that the Ingress Controller will serve for Application Gateway to connect to your web app.
📖 Contoso Bicycle procured a CA certificate, a standard one, to be used with the AKS Ingress Controller. This one is not EV, as it will not be user facing.
-
Obtain the Azure Key Vault details and give the current user permissions and network access to import certificates.
📖 Finally the app team decides to use a wildcard certificate of
*.aks-ingress.contoso.comfor the ingress controller. They use Azure Key Vault to import and manage the lifecycle of this certificate.export KEYVAULT_NAME_AKS_BASELINE=$(az deployment group show --resource-group rg-bu0001a0008 -n cluster-stamp --query properties.outputs.keyVaultName.value -o tsv) TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT=$(az role assignment create --role a4417e6f-fecd-4de8-b567-7b0420556985 --assignee-principal-type user --assignee-object-id $(az ad signed-in-user show --query 'objectId' -o tsv) --scope $(az keyvault show --name $KEYVAULT_NAME_AKS_BASELINE --query 'id' -o tsv) --query 'id' -o tsv) # If you are behind a proxy or some other egress that does not give a static IP, you'll need to manually adjust the Azure Key Vault firewall to # allow this traffic. CURRENT_IP_ADDRESS=$(curl -s https://ifconfig.io) az keyvault network-rule add -n $KEYVAULT_NAME_AKS_BASELINE --ip-address ${CURRENT_IP_ADDRESS}
-
Import the AKS Ingress Controller's Wildcard Certificate for
*.aks-ingress.contoso.com.⚠️ If you already have access to an appropriate certificate, or can procure one from your organization, consider using it for this step. For more information, please take a look at the import certificate tutorial using Azure Key Vault.⚠️ Do not use the certificate created by this script for actual deployments. The use of self-signed certificates are provided for ease of illustration purposes only. For your cluster, use your organization's requirements for procurement and lifetime management of TLS certificates, even for development purposes.cat traefik-ingress-internal-aks-ingress-tls.crt traefik-ingress-internal-aks-ingress-tls.key > traefik-ingress-internal-aks-ingress-tls.pem az keyvault certificate import -f traefik-ingress-internal-aks-ingress-tls.pem -n traefik-ingress-internal-aks-ingress-tls --vault-name $KEYVAULT_NAME_AKS_BASELINE
-
Remove Azure Key Vault import certificates permissions and network access for current user.
The Azure Key Vault RBAC assignment for your user and network allowance was temporary to allow you to upload the certificate for this walkthrough. In actual deployments, you would manage these any RBAC policies via your ARM templates using Azure RBAC for Key Vault data plane and only network-allowed traffic would access your Key Vault.
az keyvault network-rule remove -n $KEYVAULT_NAME_AKS_BASELINE --ip-address "${CURRENT_IP_ADDRESS}/32" az role assignment delete --ids $TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT
📖 The app team wants to apply Azure Policy over their cluster like they do other Azure resources. Their pods will be covered using the Azure Policy add-on for AKS. Some of these audits might end up in the denial of a specific Kubernetes API request operation to ensure the pod's specification is compliance with the organization's security best practices. Moreover data is generated by Azure Policy to assist the app team in the process of assessing the current compliance state of the AKS cluster. The app team is going to assign at the resource group level the Azure Policy for Kubernetes built-in restricted initiative as well as five more built-in individual Azure policies that enforce that pods perform resource requests, define trusted container registries, mandate that root filesystem access is read-only, enforce the usage of internal load balancers, and enforce https-only Kubernetes Ingress objects.
-
Confirm policies are applied to the AKS cluster
kubectl get constrainttemplate
A similar output as the one showed below should be returned
NAME AGE k8sazureallowedcapabilities 21m k8sazureallowedseccomp 21m … more … k8sazurereadonlyrootfilesystem 21m k8sazurevolumetypes 21m
# run the saveenv.sh script at any time to save environment variables created above to aks_baseline.env
./saveenv.sh
# if your terminal session gets reset, you can source the file to reload the environment variables
# source aks_baseline.env