The AKS cluster has been bootstrapped, wrapping up the infrastructure focus of the AKS baseline reference implementation. Follow the steps in this article to import the TLS certificate that the ingress controller will serve so that Application Gateway can connect to your web app.
📖 Contoso Bicycle procured a standard CA certificate to be used with the AKS ingress controller. This one is not EV, because it won't be user-facing.
1. Obtain the Azure Key Vault details, then give the current user the permissions and network access to import certificates.

   📖 The workload team decides to use a wildcard certificate for `*.aks-ingress.contoso.com` for the ingress controller. They use Azure Key Vault to import and manage the lifecycle of this certificate.

   ```bash
   export KEYVAULT_NAME_AKS_BASELINE=$(az deployment group show --resource-group rg-bu0001a0008 -n cluster-stamp --query properties.outputs.keyVaultName.value -o tsv)
   echo KEYVAULT_NAME_AKS_BASELINE: $KEYVAULT_NAME_AKS_BASELINE

   # Temporarily grant the signed-in user the Key Vault Certificates Officer role (a4417e6f-fecd-4de8-b567-7b0420556985),
   # scoped to this vault only. The assignment ID is captured so the grant can be removed again in step 3.
   TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT=$(az role assignment create --role a4417e6f-fecd-4de8-b567-7b0420556985 --assignee-principal-type user --assignee-object-id $(az ad signed-in-user show --query 'id' -o tsv) --scope $(az keyvault show --name $KEYVAULT_NAME_AKS_BASELINE --query 'id' -o tsv) --query 'id' -o tsv)
   echo TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT: $TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT

   # If you are behind a proxy or some other egress that does not provide a consistent IP, you'll need to manually adjust the
   # Azure Key Vault firewall to allow this traffic.
   CURRENT_IP_ADDRESS=$(curl -s -4 https://ifconfig.io)
   echo CURRENT_IP_ADDRESS: $CURRENT_IP_ADDRESS
   az keyvault network-rule add -n $KEYVAULT_NAME_AKS_BASELINE --ip-address ${CURRENT_IP_ADDRESS}
   ```
2. Import the AKS ingress controller's wildcard certificate for `*.aks-ingress.contoso.com`.

   ⚠️ If you already have access to an appropriate certificate, or can procure one from your organization, consider using it for this step. For more information, take a look at the import certificate tutorial using Azure Key Vault.

   ⚠️ Do not use the certificate created by this script for actual deployments. The self-signed certificate is provided for ease of illustration only. For your cluster, follow your organization's requirements for procurement and lifetime management of TLS certificates, even for development purposes.

   ```bash
   # Key Vault imports the certificate and its private key from a single PEM file.
   cat traefik-ingress-internal-aks-ingress-tls.crt traefik-ingress-internal-aks-ingress-tls.key > traefik-ingress-internal-aks-ingress-tls.pem
   az keyvault certificate import -f traefik-ingress-internal-aks-ingress-tls.pem -n traefik-ingress-internal-aks-ingress-tls --vault-name $KEYVAULT_NAME_AKS_BASELINE
   ```
3. Remove the Azure Key Vault certificate import permissions and network access for the current user.

   The Azure Key Vault RBAC assignment for your user and the network allowance were temporary, to let you upload the certificate for this walkthrough. In actual deployments, you would manage these RBAC assignments via your ARM templates using Azure RBAC for the Key Vault data plane, and only network-allowed traffic would reach your Key Vault.

   ```bash
   az keyvault network-rule remove -n $KEYVAULT_NAME_AKS_BASELINE --ip-address "${CURRENT_IP_ADDRESS}/32"
   az role assignment delete --ids $TEMP_ROLEASSIGNMENT_TO_UPLOAD_CERT
   ```
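The import in step 2 takes whatever is in the .pem file. A private key that does not belong to the certificate, a certificate that does not cover the wildcard name, or one that is about to expire only surfaces later, when Application Gateway cannot complete the TLS handshake with the ingress controller. The following is an added example and not part of the AKS baseline reference implementation: it runs those checks with openssl before the bundle is built. The function names, the throwaway self-signed sample certificates it generates, the work directory, and the example host name app.aks-ingress.contoso.com are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the AKS baseline walkthrough: sanity-check an ingress
# cert/key pair before concatenating it and importing it into Key Vault.
# Function names, file names and the work directory are assumptions for this demo.
set -eu

# check_ingress_cert CERT KEY HOSTNAME
# Exit status 0 when every check passes, 1 otherwise; each failure is printed.
check_ingress_cert() {
  crt="$1"; key="$2"; host="$3"; rc=0
  # 1. Both files must be parseable PEM before anything else is trusted.
  openssl x509 -in "$crt" -noout 2>/dev/null || { echo "FAIL: $crt is not a PEM certificate"; return 1; }
  openssl pkey -in "$key" -noout 2>/dev/null || { echo "FAIL: $key is not a PEM private key"; return 1; }
  # 2. The private key must belong to the certificate: compare the two public keys.
  if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
    echo "FAIL: private key does not match certificate"; rc=1
  fi
  # 3. The certificate must cover the ingress host name; -checkhost honours SAN entries and wildcards.
  match="$(openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null || true)"
  case "$match" in
    *"does match"*) ;;
    *) echo "FAIL: certificate is not valid for $host"; rc=1 ;;
  esac
  # 4. Refuse certificates that expire within 30 days (2592000 s); -checkend exits 1 in that case.
  if ! openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null; then
    echo "FAIL: certificate expires within 30 days"; rc=1
  fi
  return $rc
}

# bundle_for_keyvault CERT KEY OUT: concatenate cert and key into the single PEM file that
# `az keyvault certificate import -f` expects; the subshell umask keeps the key file owner-only.
# Prints the number of PEM blocks in the bundle (2 for one certificate plus one key).
bundle_for_keyvault() {
  ( umask 077; cat "$1" "$2" > "$3" )
  grep -c -- "-----BEGIN" "$3"
}

# --- Constructed sample input: throwaway self-signed certificates for the demo only ---
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
gen_selfsigned() {  # gen_selfsigned NAME DNS_NAME (requires OpenSSL 1.1.1+ for -addext)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -addext "subjectAltName=DNS:$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}
gen_selfsigned good  '*.aks-ingress.contoso.com'
gen_selfsigned wrong '*.other.contoso.com'

HOST="app.aks-ingress.contoso.com"   # assumed example host behind the wildcard
check_ingress_cert "$WORK/good.crt"  "$WORK/good.key"  "$HOST" && echo "good pair: OK"
check_ingress_cert "$WORK/wrong.crt" "$WORK/wrong.key" "$HOST" || echo "wrong name: rejected"
check_ingress_cert "$WORK/good.crt"  "$WORK/wrong.key" "$HOST" || echo "mismatched key: rejected"
bundle_for_keyvault "$WORK/good.crt" "$WORK/good.key" "$WORK/good.pem"
```

Run the checks against the real `traefik-ingress-internal-aks-ingress-tls.crt`/`.key` pair with the host name your Ingress objects will use; only build and import the bundle when the function returns 0. The public-key comparison is what catches the most common mistake in this step, concatenating a certificate with the key from a previous renewal.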
📖 The workload team wants to apply Azure Policy over their cluster just as they do for other Azure resources. Their pods will be covered using the Azure Policy add-on for AKS. Some of these policies only audit; others deny a specific Kubernetes API request so that a pod's specification must comply with the organization's security best practices before it is admitted. Azure Policy also generates compliance data to help the workload team assess the current compliance state of the AKS cluster.
At the resource group level, the workload team is going to assign these policies:
- The Azure Policy for Kubernetes built-in restricted initiative.
- Five more built-in individual Azure policies that enforce that pods perform resource requests, define trusted container registries, mandate that root filesystem access is read-only, enforce the usage of internal load balancers, and enforce HTTPS-only Kubernetes Ingress objects.
Beyond that, internal governance requires the team to ensure that any public endpoint is exposed through a fully qualified domain name that ends with a company-owned domain suffix. To enforce this requirement for all endpoints exposed by the cluster's ingress controller, they define a custom policy using Gatekeeper and use the capability to deploy it via Azure Policy to their cluster.
4. Confirm policies are applied to the AKS cluster.

   ```bash
   kubectl get constrainttemplate
   ```

   Output similar to the one shown below should be returned:

   ```output
   NAME                                              AGE
   k8sazurecustomcontainerallowedimages              21m
   k8sazurev1blockdefault                            21m
   k8sazurev1blockendpointeditdefaultrole            21m
   … more …
   k8sazurev3noprivilegeescalation                   21m
   k8sazurev3readonlyrootfilesystem                  21m
   k8scustomingresstlshostshavedefineddomainsuffix   21m
   ```
```bash
# run the saveenv.sh script at any time to save environment variables created above to aks_baseline.env
./saveenv.sh

# if your terminal session gets reset, you can source the file to reload the environment variables
# source aks_baseline.env
```