OSS updates

01-prerequisites.md

@@ -30,16 +30,13 @@ This is the starting point for the instructions on deploying the [AKS baseline r
 
 1. While the following feature(s) are still in _preview_, please enable them in your target subscription.
 
-   1. [Register the Workload Identity preview feature = `EnableWorkloadIdentityPreview`](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#register-the-enableworkloadidentitypreview-feature-flag)
-
    1. [Register the ImageCleaner (Earser) preview feature = `EnableImageCleanerPreview`](https://learn.microsoft.com/azure/aks/image-cleaner#prerequisites)
 
    ```bash
-   az feature register --namespace "Microsoft.ContainerService" -n "EnableWorkloadIdentityPreview"
    az feature register --namespace "Microsoft.ContainerService" -n "EnableImageCleanerPreview"
 
    # Keep running until all say "Registered." (This may take up to 20 minutes.)
-   az feature list -o table --query "[?name=='Microsoft.ContainerService/EnableWorkloadIdentityPreview' || name=='Microsoft.ContainerService/EnableImageCleanerPreview'].{Name:name,State:properties.state}"
+   az feature list -o table --query "[?name=='Microsoft.ContainerService/EnableImageCleanerPreview'].{Name:name,State:properties.state}"
 
    # When all say "Registered" then re-register the AKS resource provider
    az provider register --namespace Microsoft.ContainerService

05-bootstrap-prep.md

@@ -58,7 +58,7 @@ In addition to ACR being deployed to support bootstrapping, this is where any ot
    echo ACR_NAME_AKS_BASELINE: $ACR_NAME_AKS_BASELINE
 
    # Import core image(s) hosted in public container registries to be used during bootstrapping
-   az acr import --source ghcr.io/kubereboot/kured:1.12.0 -n $ACR_NAME_AKS_BASELINE
+   az acr import --source ghcr.io/kubereboot/kured:1.14.0 -n $ACR_NAME_AKS_BASELINE
    ```
 
    > In this walkthrough, there is only one image that is included in the bootstrapping process. It's included as an reference for this process. Your choice to use Kubernetes Reboot Daemon (Kured) or any other images, including helm charts, as part of your bootstrapping is yours to make.

09-secret-management-and-ingress-controller.md

@@ -58,7 +58,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi
 
    ```bash
    # Import ingress controller image hosted in public container registries
-   az acr import --source docker.io/library/traefik:v2.9.6 -n $ACR_NAME_AKS_BASELINE
+   az acr import --source docker.io/library/traefik:v2.10.4 -n $ACR_NAME_AKS_BASELINE
    ```
 
 1. Install the Traefik Ingress Controller.

README.md

@@ -24,7 +24,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https
 
 #### Azure platform
 
-- AKS v1.26
+- AKS v1.27
   - System and User [node pool separation](https://learn.microsoft.com/azure/aks/use-system-pools)
   - [AKS-managed Azure AD](https://learn.microsoft.com/azure/aks/managed-aad)
   - Azure AD-backed Kubernetes RBAC (_local user accounts disabled_)
@@ -43,7 +43,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https
 - [ImageCleaner (Eraser)](https://learn.microsoft.com/azure/aks/image-cleaner) _[AKS-managed add-on]_
 - [Kubernetes Reboot Daemon](https://learn.microsoft.com/azure/aks/node-updates-kured)
 - [Secrets Store CSI Driver for Kubernetes](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) _[AKS-managed add-on]_
-- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.5/routing/providers/kubernetes-ingress/)
+- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-ingress/)
 
 
 ![Network diagram depicting a hub-spoke network with two peered VNets and main Azure resources used in the architecture.](https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg)

cluster-manifests/cluster-baseline-settings/kured.yaml

@@ -1,4 +1,4 @@
-# Source: https://github.com/kubereboot/charts/tree/kured-4.2.0/charts/kured (1.12.0)
+# Source: https://github.com/kubereboot/charts/tree/kured-5.2.0/charts/kured (1.14.0)
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -81,6 +81,7 @@ metadata:
   name: kured                           # Must match `--ds-name`
   namespace: cluster-baseline-settings  # Must match `--ds-namespace`
 spec:
+  revisionHistoryLimit: 10
   selector:
     matchLabels:
       app.kubernetes.io/name: kured
@@ -118,10 +119,10 @@ spec:
           # PRODUCTION READINESS CHANGE REQUIRED
           # This image should be sourced from a non-public container registry, such as the
           # one deployed along side of this reference implementation.
-          # az acr import --source ghcr.io/kubereboot/kured:1.12.0 -n <your-acr-instance-name>
+          # az acr import --source ghcr.io/kubereboot/kured:1.14.0 -n <your-acr-instance-name>
           # and then set this to
-          # image: <your-acr-instance-name>.azurecr.io/kubereboot/kured:1.12.0
-          image: ghcr.io/kubereboot/kured:1.12.0
+          # image: <your-acr-instance-name>.azurecr.io/kubereboot/kured:1.14.0
+          image: ghcr.io/kubereboot/kured:1.14.0
           imagePullPolicy: IfNotPresent
           securityContext:
             privileged: true # Give permission to nsenter /proc/1/ns/mnt

workload/traefik.yaml

@@ -228,10 +228,10 @@ spec:
         # PRODUCTION READINESS CHANGE REQUIRED
         # This image should be sourced from a non-public container registry, such as the
         # one deployed along side of this reference implementation.
-        # az acr import --source docker.io/library/traefik:v2.9.6 -n <your-acr-instance-name>
+        # az acr import --source docker.io/library/traefik:v2.10.4-n <your-acr-instance-name>
         # and then set this to
-        # image: <your-acr-instance-name>.azurecr.io/library/traefik:v2.9.6
-      - image: docker.io/library/traefik:v2.9.6
+        # image: <your-acr-instance-name>.azurecr.io/library/traefik:v2.10.4
+      - image: docker.io/library/traefik:v2.10.4
         imagePullPolicy: IfNotPresent
         name: traefik-ingress-controller
         resources: