From 07438462486dfa6bfa2f4cb99253847b352c59f1 Mon Sep 17 00:00:00 2001 From: Jason Bouska Date: Mon, 1 Apr 2024 09:52:42 -0400 Subject: [PATCH 01/16] ImageCleaner GA (no longer preview) AzureLinux AKS 1.29 Traefik 2.11 Other small bug fixes --- 01-prerequisites.md | 14 ----- 07-bootstrap-validation.md | 4 +- ...ecret-management-and-ingress-controller.md | 4 +- README.md | 6 +-- cluster-stamp.bicep | 8 +-- ...gressTlsHostsHaveDefinedDomainSuffix.bicep | 53 +------------------ workload/aspnetapp-ingress-patch.yaml | 2 +- workload/aspnetapp.yaml | 8 +-- workload/kustomization.yaml | 4 +- workload/traefik.yaml | 8 +-- 10 files changed, 21 insertions(+), 90 deletions(-) diff --git a/01-prerequisites.md b/01-prerequisites.md index c4896c10..a8124964 100644 --- a/01-prerequisites.md +++ b/01-prerequisites.md 
@@ -28,20 +28,6 @@ This is the starting point for the instructions on deploying the [AKS baseline r [![Launch Azure Cloud Shell](https://learn.microsoft.com/azure/includes/media/cloud-shell-try-it/launchcloudshell.png)](https://shell.azure.com) -1. While the following feature(s) are still in *preview*, enable them in your target subscription. - - 1. [Register the ImageCleaner (Earser) preview feature = `EnableImageCleanerPreview`](https://learn.microsoft.com/azure/aks/image-cleaner#prerequisites) - - ```bash - az feature register --namespace "Microsoft.ContainerService" -n "EnableImageCleanerPreview" - - # Keep running until all say "Registered." (This may take up to 20 minutes.) - az feature list -o table --query "[?name=='Microsoft.ContainerService/EnableImageCleanerPreview'].{Name:name,State:properties.state}" - - # When all say "Registered" then re-register the AKS resource provider - az provider register --namespace Microsoft.ContainerService - ``` - 1. Clone/download this repo locally, or even better fork this repository. > :twisted_rightwards_arrows: If you have forked this reference implementation repo, you'll be able to customize some of the files and commands for a more personalized and production-like experience; ensure references to this Git repository mentioned throughout the walk-through are updated to use your own fork. diff --git a/07-bootstrap-validation.md b/07-bootstrap-validation.md index 9b54340d..9080c9f9 100644 --- a/07-bootstrap-validation.md +++ b/07-bootstrap-validation.md @@ -10,7 +10,7 @@ GitOps allows a team to author Kubernetes manifest files, persist them in their - Cluster-wide configuration of Azure Monitor for Containers - The workload's namespace named `a0008` -1. Install `kubectl` 1.27 or newer. (`kubectl` supports ±1 Kubernetes version.) +1. Install `kubectl` 1.28 or newer. (`kubectl` supports ±1 Kubernetes version.) ```bash sudo az aks install-cli 
@@ -86,4 +86,4 @@ It is recommended to have a clearly defined bootstrapping process that occurs as ### Next step -:arrow_forward: [Prepare for the workload by installing its prerequisites](./08-workload-prerequisites.md) +:arrow_forward: [Prepare for the workload by installing its prerequisites](./08-workload-prerequisites.md) \ No newline at end of file diff --git a/09-secret-management-and-ingress-controller.md b/09-secret-management-and-ingress-controller.md index d4b418f9..9e5c3877 100644 --- a/09-secret-management-and-ingress-controller.md +++ b/09-secret-management-and-ingress-controller.md @@ -58,7 +58,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi ```bash # Import ingress controller image hosted in public container registries - az acr import --source docker.io/library/traefik:v2.10.7 -n $ACR_NAME_AKS_BASELINE + az acr import --source docker.io/library/traefik:v2.11 -n $ACR_NAME_AKS_BASELINE ``` 1. Install the Traefik Ingress Controller. @@ -83,4 +83,4 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi ### Next step -:arrow_forward: [Deploy the Workload](./10-workload.md) +:arrow_forward: [Deploy the Workload](./10-workload.md) \ No newline at end of file diff --git a/README.md b/README.md index fa6c8da8..cad6f344 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https #### Azure platform -- AKS v1.28 +- AKS v1.29 - System and User [node pool separation](https://learn.microsoft.com/azure/aks/use-system-pools) - [AKS-managed Microsoft Entra ID integration](https://learn.microsoft.com/azure/aks/managed-aad) - Microsoft Entra ID-backed Kubernetes RBAC (*local user accounts disabled*) 
@@ -43,7 +43,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https - [ImageCleaner (Eraser)](https://learn.microsoft.com/azure/aks/image-cleaner) *[AKS-managed add-on]* - [Kubernetes Reboot Daemon](https://learn.microsoft.com/azure/aks/node-updates-kured) - [Secrets Store CSI Driver for Kubernetes](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) *[AKS-managed add-on]* -- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-ingress/) +- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.11/routing/providers/kubernetes-ingress/) ![Network diagram depicting a hub-spoke network with two peered VNets and main Azure resources used in the architecture.](https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg) @@ -152,4 +152,4 @@ Please see our [Contributor guide](./CONTRIBUTING.md). This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact with any additional questions or comments. -With :heart: from Microsoft Patterns & Practices, [Azure Architecture Center](https://aka.ms/architecture). +With :heart: from Microsoft Patterns & Practices, [Azure Architecture Center](https://aka.ms/architecture). \ No newline at end of file diff --git a/cluster-stamp.bicep b/cluster-stamp.bicep index 2a891f75..715d6e34 100644 --- a/cluster-stamp.bicep +++ b/cluster-stamp.bicep 
@@ -28,7 +28,7 @@ param clusterAuthorizedIPRanges array = []
 @description('AKS Service, Node Pool, and supporting services (KeyVault, App Gateway, etc) region. This needs to be the same region as the vnet provided in these parameters. This defaults to the resource group\'s location for higher reliability.')
 param location string = resourceGroup().location
-param kubernetesVersion string = '1.28.3'
+param kubernetesVersion string = '1.29'
 @description('Domain name to use for App Gateway and AKS ingress.')
 param domainName string = 'contoso.com'
@@ -1632,7 +1632,7 @@ resource mc 'Microsoft.ContainerService/managedClusters@2024-01-02-preview' = {
 osDiskSizeGB: 80
 osDiskType: 'Ephemeral'
 osType: 'Linux'
- osSKU: 'Ubuntu'
+ osSKU: 'AzureLinux'
 minCount: 3
 maxCount: 4
 vnetSubnetID: targetVirtualNetwork::snetClusterNodes.id
@@ -1666,7 +1666,7 @@ resource mc 'Microsoft.ContainerService/managedClusters@2024-01-02-preview' = {
 osDiskSizeGB: 120
 osDiskType: 'Ephemeral'
 osType: 'Linux'
- osSKU: 'Ubuntu'
+ osSKU: 'AzureLinux'
 minCount: 2
 maxCount: 5
 vnetSubnetID: targetVirtualNetwork::snetClusterNodes.id
@@ -2321,4 +2321,4 @@ resource agwdiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01
 output aksClusterName string = clusterName
 output aksIngressControllerPodManagedIdentityClientId string = podmiIngressController.properties.clientId
-output keyVaultName string = kv.name
+output keyVaultName string = kv.name
\ No newline at end of file
diff --git a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
index e78586bb..1517a42a 100644
--- a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
+++ b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
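Review bot: `param kubernetesVersion string = '1.29'` is the only parameter in the first hunk without an `@description` decorator, and the new default also drops the patch component the old `'1.28.3'` carried, so a reader cannot tell whether leaving patch selection to the platform is intended; add `@description('Kubernetes version for the control plane and node pools. A major.minor value leaves patch selection to AKS; pin major.minor.patch when reproducible node images are required.')` above it. The two `osSKU: 'AzureLinux'` edits switch the node image family for both pools with no comment and no mention in the commit body beyond the word "AzureLinux"; a one-line `// AzureLinux node image (was Ubuntu): <reason>` on each pool, or a note in the stamp header, would record why. The `mc` resource and the parameter block both continue outside the hunks.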
@@ -84,57 +84,6 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
 }
 defaultValue: {
 }
- schema: {
- description: 'A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.'
- type: 'object'
- properties: {
- matchLabels: {
- description: 'matchLabels is a map of {key,value} pairs.'
- type: 'object'
- additionalProperties: {
- type: 'string'
- }
- minProperties: 1
- }
- matchExpressions: {
- description: 'matchExpressions is a list of values, a key, and an operator.'
- type: 'array'
- items: {
- type: 'object'
- properties: {
- key: {
- description: 'key is the label key that the selector applies to.'
- type: 'string'
- }
- operator: {
- description: 'operator represents a key\'s relationship to a set of values.'
- type: 'string'
- enum: [
- 'In'
- 'NotIn'
- 'Exists'
- 'DoesNotExist'
- ]
- }
- values: {
- description: 'values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.'
- type: 'array'
- items: {
- type: 'string'
- }
- }
- }
- required: [
- 'key'
- 'operator'
- ]
- additionalProperties: false
- }
- minItems: 1
- }
- }
- additionalProperties: false
- }
 }
 allowedDomainSuffixes: {
 type: 'Array'
@@ -150,4 +99,4 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
 output policyId string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.id
 output policyName string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.displayName
-output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
+output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
\ No newline at end of file
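Review bot: Deleting the `schema` block under `labelSelector` removes the structural validation of that parameter (the `In`/`NotIn`/`Exists`/`DoesNotExist` enum on `operator`, the `required: ['key','operator']` list and `additionalProperties: false`), leaving only `type: 'Object'`; an assignment that passes a malformed selector would then presumably be accepted at assignment time and only misbehave when the policy is evaluated. The commit body ("Other small bug fixes") does not say what the schema broke; if the definition failed to deploy with it, naming the offending property in a comment and trimming that alone would be safer than dropping the whole schema. Patch 15 in this series removes this same block again and patch 16 restores it, so the series should settle on one state. The `pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix` resource starts outside the hunk.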
diff --git a/workload/aspnetapp-ingress-patch.yaml b/workload/aspnetapp-ingress-patch.yaml index a03dc26b..8be11f59 100644 --- a/workload/aspnetapp-ingress-patch.yaml +++ b/workload/aspnetapp-ingress-patch.yaml @@ -3,4 +3,4 @@ value: bu0001a0008-00.aks-ingress.contoso.com - op: replace path: "/spec/rules/0/host" - value: bu0001a0008-00.aks-ingress.contoso.com + value: bu0001a0008-00.aks-ingress.contoso.com \ No newline at end of file diff --git a/workload/aspnetapp.yaml b/workload/aspnetapp.yaml index 5a869b78..36d0b238 100644 --- a/workload/aspnetapp.yaml +++ b/workload/aspnetapp.yaml @@ -99,10 +99,7 @@ metadata: namespace: a0008 annotations: kubernetes.io/ingress.allow-http: "false" - # defines controller implementing this ingress resource: https://learn.microsoft.com/en-us/azure/dev-spaces/how-to/ingress-https-traefik - # ingress.class annotation is being deprecated in Kubernetes 1.18: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation - # For backwards compatibility, when this annotation is set, precedence is given over the new field ingressClassName under spec. - kubernetes.io/ingress.class: traefik-internal + kubernetes.io/spec.ingressClassName: traefik-internal traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.tls.options: default @@ -127,5 +124,4 @@ spec: service: name: aspnetapp-service port: - number: 80 ---- + number: 80--- diff --git a/workload/kustomization.yaml b/workload/kustomization.yaml index 4bddbff2..1aecb0dc 100644 --- a/workload/kustomization.yaml +++ b/workload/kustomization.yaml @@ -4,9 +4,9 @@ kind: Kustomization resources: - aspnetapp.yaml -patchesJson6902: +patches: - target: kind: Ingress name: aspnetapp-ingress version: v1 - path: aspnetapp-ingress-patch.yaml + path: aspnetapp-ingress-patch.yaml \ No newline at end of file 
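Review bot: In workload/aspnetapp.yaml the replacement line `kubernetes.io/spec.ingressClassName: traefik-internal` is written as an annotation, but `ingressClassName` is a field of the Ingress `spec`, not an annotation key, so after this change the Ingress no longer declares its controller and whether Traefik still serves it depends on the controller's default-class setting; the intended edit is `ingressClassName: traefik-internal` under `spec:` (the `spec:` block is outside the first hunk) with the old annotation removed. In the second hunk the document separator has been fused onto the port value, `number: 80---`, which turns the port into a string and breaks the manifest; it should stay `number: 80` with `---` on its own line. Patches 02 and 03 in this series repair the separator but restore the deprecated annotation rather than the spec field.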
diff --git a/workload/traefik.yaml b/workload/traefik.yaml
index 85230435..ce445393 100644
--- a/workload/traefik.yaml
+++ b/workload/traefik.yaml
@@ -7,7 +7,7 @@ metadata:
 app.kubernetes.io/name: traefik-ingress-ilb
 app.kubernetes.io/instance: traefik-ingress-ilb
 ---
-#https://raw.githubusercontent.com/traefik/traefik/v2.10/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+#https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
@@ -230,10 +230,10 @@ spec:
 # PRODUCTION READINESS CHANGE REQUIRED
 # This image should be sourced from a non-public container registry, such as the
 # one deployed along side of this reference implementation.
- # az acr import --source docker.io/library/traefik:v2.10.7 -n
+ # az acr import --source docker.io/library/traefik:v2.11 -n
 # and then set this to
- # image: .azurecr.io/library/traefik:v2.10.7
- - image: docker.io/library/traefik:v2.10.7
+ # image: .azurecr.io/library/traefik:v2.11
+ - image: docker.io/library/traefik:v2.11
 imagePullPolicy: IfNotPresent
 name: traefik-ingress-controller
 resources:
From cc5c1ee6703914d00edf7402f9546ebd8f8cf7a5 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Mon, 1 Apr 2024 15:00:18 -0400
Subject: [PATCH 02/16] mcr image with curl
---
 10-workload.md | 2 +-
 workload/aspnetapp.yaml | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/10-workload.md b/10-workload.md
index c28ab8a8..b2681f0c 100644
--- a/10-workload.md
+++ b/10-workload.md
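Review bot: `- image: docker.io/library/traefik:v2.11` replaces a fully pinned tag (`v2.10.7`) with a floating minor tag; combined with the `imagePullPolicy: IfNotPresent` on the next line, nodes that already cached one `v2.11` build keep it while new nodes pull whatever the tag points to at scale-out, so the ingress controller version is no longer reproducible across the pool or between environments. Pin the exact patch tag, ideally with a digest, e.g. `- image: docker.io/library/traefik:v2.11.<patch>@sha256:<digest>` (values to be filled from the release you validated), and keep the `az acr import` comment above it and the import command in 09-secret-management-and-ingress-controller.md on the same pinned value. The container `spec` continues outside the hunk.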
@@ -47,7 +47,7 @@ The cluster now has an [Traefik configured with a TLS certificate](./09-secret-m > You should expect a `403` HTTP response from your ingress controller if you attempt to connect to it *without* going through the App Gateway. Likewise, if any workload other than the ingress controller attempts to reach the workload, the traffic will be denied via network policies. ```bash - kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}},{"op":"add","path":"/spec/containers/0/securityContext","value":{"readOnlyRootFilesystem": true}}]' --override-type json --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}" + kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/devcontainers/base --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}},{"op":"add","path":"/spec/containers/0/securityContext","value":{"readOnlyRootFilesystem": true}}]' --override-type json --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}" # From within the open shell now running on a container inside your cluster curl -kI https://bu0001a0008-00.aks-ingress.$DOMAIN_NAME -w '%{remote_ip}\n' diff --git a/workload/aspnetapp.yaml b/workload/aspnetapp.yaml index 36d0b238..346f805e 100644 --- a/workload/aspnetapp.yaml +++ b/workload/aspnetapp.yaml 
@@ -99,7 +99,10 @@ metadata: namespace: a0008 annotations: kubernetes.io/ingress.allow-http: "false" - kubernetes.io/spec.ingressClassName: traefik-internal + # defines controller implementing this ingress resource: https://learn.microsoft.com/en-us/azure/dev-spaces/how-to/ingress-https-traefik + # ingress.class annotation is being deprecated in Kubernetes 1.18: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation + # For backwards compatibility, when this annotation is set, precedence is given over the new field ingressClassName under spec. + kubernetes.io/ingress.class: traefik-internal traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.tls.options: default @@ -124,4 +127,5 @@ spec: service: name: aspnetapp-service port: - number: 80--- + number: 80 +--- \ No newline at end of file From edebe2768fda718fe72279e33f21115f60605887 Mon Sep 17 00:00:00 2001 From: Jason Bouska Date: Mon, 1 Apr 2024 15:00:18 -0400 Subject: [PATCH 03/16] mcr image with curl --- 10-workload.md | 2 +- aspnetapp-ingress-patch.yaml | 6 ++++++ workload/aspnetapp.yaml | 8 ++++++-- 3 files changed, 13 insertions(+), 3 deletions(-) create mode 100644 aspnetapp-ingress-patch.yaml diff --git a/10-workload.md b/10-workload.md index c28ab8a8..b2681f0c 100644 --- a/10-workload.md +++ b/10-workload.md 
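Review bot: The repair in the first hunk restores `kubernetes.io/ingress.class: traefik-internal` together with the three comment lines that say the annotation is deprecated and that the replacement is `ingressClassName` under `spec`, instead of applying that replacement: `ingressClassName: traefik-internal` under `spec:` (the `spec:` block is outside this hunk) with the annotation and its comments dropped. The separator fix in the second hunk (`number: 80` followed by `---`) is correct. Patch 03 in this series carries the identical two hunks and needs the same change.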
@@ -47,7 +47,7 @@ The cluster now has an [Traefik configured with a TLS certificate](./09-secret-m > You should expect a `403` HTTP response from your ingress controller if you attempt to connect to it *without* going through the App Gateway. Likewise, if any workload other than the ingress controller attempts to reach the workload, the traffic will be denied via network policies. ```bash - kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}},{"op":"add","path":"/spec/containers/0/securityContext","value":{"readOnlyRootFilesystem": true}}]' --override-type json --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}" + kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/devcontainers/base --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}},{"op":"add","path":"/spec/containers/0/securityContext","value":{"readOnlyRootFilesystem": true}}]' --override-type json --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}" # From within the open shell now running on a container inside your cluster curl -kI https://bu0001a0008-00.aks-ingress.$DOMAIN_NAME -w '%{remote_ip}\n' diff --git a/aspnetapp-ingress-patch.yaml b/aspnetapp-ingress-patch.yaml new file mode 100644 index 00000000..a03dc26b --- /dev/null +++ b/aspnetapp-ingress-patch.yaml @@ -0,0 +1,6 @@ +- op: replace + path: "/spec/tls/0/hosts/0" + value: bu0001a0008-00.aks-ingress.contoso.com +- op: replace + path: "/spec/rules/0/host" + value: bu0001a0008-00.aks-ingress.contoso.com diff --git a/workload/aspnetapp.yaml b/workload/aspnetapp.yaml index 36d0b238..346f805e 100644 --- a/workload/aspnetapp.yaml +++ b/workload/aspnetapp.yaml 
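Review bot: `aspnetapp-ingress-patch.yaml` is created at the repository root, but the `patches:` entry in workload/kustomization.yaml resolves `path: aspnetapp-ingress-patch.yaml` relative to the `workload/` directory, so this copy is never read by kustomize; its blob id `a03dc26b` is the same as workload/aspnetapp-ingress-patch.yaml before patch 01, so it looks like a stray duplicate left by a rebase. Patch 04 deletes it again; dropping the file from this patch would avoid the add/delete pair in the history. The rest of this patch repeats patch 02 (same subject and author date).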
@@ -99,7 +99,10 @@ metadata: namespace: a0008 annotations: kubernetes.io/ingress.allow-http: "false" - kubernetes.io/spec.ingressClassName: traefik-internal + # defines controller implementing this ingress resource: https://learn.microsoft.com/en-us/azure/dev-spaces/how-to/ingress-https-traefik + # ingress.class annotation is being deprecated in Kubernetes 1.18: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation + # For backwards compatibility, when this annotation is set, precedence is given over the new field ingressClassName under spec. + kubernetes.io/ingress.class: traefik-internal traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.tls: "true" traefik.ingress.kubernetes.io/router.tls.options: default @@ -124,4 +127,5 @@ spec: service: name: aspnetapp-service port: - number: 80--- + number: 80 +--- \ No newline at end of file From dada7d37d33f5eb3b6cf12b7b6f66e1251ee68fb Mon Sep 17 00:00:00 2001 From: Jason Bouska <82831332+skabou@users.noreply.github.com> Date: Wed, 3 Apr 2024 14:35:01 -0400 Subject: [PATCH 04/16] Delete aspnetapp-ingress-patch.yaml --- aspnetapp-ingress-patch.yaml | 6 ------ 1 file changed, 6 deletions(-) delete mode 100644 aspnetapp-ingress-patch.yaml diff --git a/aspnetapp-ingress-patch.yaml b/aspnetapp-ingress-patch.yaml deleted file mode 100644 index a03dc26b..00000000 --- a/aspnetapp-ingress-patch.yaml +++ /dev/null @@ -1,6 +0,0 @@ -- op: replace - path: "/spec/tls/0/hosts/0" - value: bu0001a0008-00.aks-ingress.contoso.com -- op: replace - path: "/spec/rules/0/host" - value: bu0001a0008-00.aks-ingress.contoso.com From 3567e166543dcefcfc4672ce9d590408ad660ed4 Mon Sep 17 00:00:00 2001 
From: Jason Bouska <82831332+skabou@users.noreply.github.com>
Date: Thu, 4 Apr 2024 11:01:57 -0400
Subject: [PATCH 05/16] Delete nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
---
 ...gressTlsHostsHaveDefinedDomainSuffix.bicep | 102 ------------------
 1 file changed, 102 deletions(-)
 delete mode 100644 nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
diff --git a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
deleted file mode 100644
index 1517a42a..00000000
--- a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
+++ /dev/null
@@ -1,102 +0,0 @@
-targetScope = 'subscription'
-
-/*** RESOURCES ***/
-
-resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorization/policyDefinitions@2021-06-01' = {
- scope: subscription()
- name: 'K8sCustomIngressTlsHostsHaveDefinedDomainSuffix'
- properties: {
- policyType: 'Custom'
- mode: 'Microsoft.Kubernetes.Data'
- displayName: 'Kubernetes cluster ingress TLS hosts must have defined domain suffix'
- description: 'Kubernetes cluster ingress TLS hosts must have defined domain suffix'
- policyRule: {
- if: {
- field: 'type'
- in: [
- 'Microsoft.ContainerService/managedClusters'
- ]
- }
- then: {
- effect: '[parameters(\'effect\')]'
- details: {
- templateInfo: {
- sourceType: 'Base64Encoded'
- content: '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'
- }
- apiGroups: [
- 'networking.k8s.io'
- ]
- kinds: [
- 'Ingress'
- ]
- namespaces: '[parameters(\'namespaces\')]'
- excludedNamespaces: '[parameters(\'excludedNamespaces\')]'
- labelSelector: '[parameters(\'labelSelector\')]'
- values: {
- allowedDomainSuffixes: '[parameters(\'allowedDomainSuffixes\')]'
- }
- }
- }
- }
- parameters: {
- effect: {
- type: 'String'
- metadata: {
- displayName: 'Effect'
- description: '\'audit\' allows a non-compliant resource to be created or updated, but flags it as non-compliant. \'deny\' blocks the non-compliant resource creation or update. \'disabled\' turns off the policy.'
- }
- allowedValues: [
- 'audit'
- 'Audit'
- 'deny'
- 'Deny'
- 'disabled'
- 'Disabled'
- ]
- defaultValue: 'audit'
- }
- excludedNamespaces: {
- type: 'Array'
- metadata: {
- displayName: 'Namespace exclusions'
- description: 'List of Kubernetes namespaces to exclude from policy evaluation.'
- }
- defaultValue: [
- 'kube-system'
- 'gatekeeper-system'
- 'azure-arc'
- ]
- }
- namespaces: {
- type: 'Array'
- metadata: {
- displayName: 'Namespace inclusions'
- description: 'List of Kubernetes namespaces to only include in policy evaluation. An empty list means the policy is applied to all resources in all namespaces.'
- }
- defaultValue: []
- }
- labelSelector: {
- type: 'Object'
- metadata: {
- displayName: 'Kubernetes label selector'
- description: 'Label query to select Kubernetes resources for policy evaluation. An empty label selector matches all Kubernetes resources.'
- }
- defaultValue: {
- }
- }
- allowedDomainSuffixes: {
- type: 'Array'
- metadata: {
- displayName: 'List of compliant domain suffixes'
- description: 'List of compliant domain suffixes'
- }
- }
- }
-}
-
-
-output policyId string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.id
-output policyName string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.displayName
-output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
\ No newline at end of file
From 1e34410a88091f00a046ea46800a236fbf0552b6 Mon Sep 17 00:00:00 2001
From: Jason Bouska <82831332+skabou@users.noreply.github.com>
Date: Thu, 4 Apr 2024 11:06:01 -0400
Subject: [PATCH 06/16] Update nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
---
 nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
index d1bc2c61..e78586bb 100644
--- a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
+++ b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
@@ -150,4 +150,4 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
 output policyId string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.id
 output policyName string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.displayName
-output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
\ No newline at end of file
+output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
From 4ed7a7e3a1ff880e45e848cfd36884d60dffacc0 Mon Sep 17 00:00:00 2001
From: Jason Bouska <82831332+skabou@users.noreply.github.com>
Date: Thu, 4 Apr 2024 11:06:49 -0400
Subject: [PATCH 07/16] Delete .gitignore
---
 .gitignore | 7 -------
 1 file changed, 7 deletions(-)
 delete mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index a9223f01..00000000
--- a/.gitignore
+++ /dev/null
@@ -1,7 +0,0 @@
-# Ignore certificate and key files
-*.crt
-*.key
-*.pfx
-*.pem
-aks_baseline.env
-/.vs/*
\ No newline at end of file
From 8b017f0a3543ff3c4cc7cbc7c020ebf3caa9a581 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:11:18 -0400
Subject: [PATCH 08/16] restore .gitignore
---
 .gitignore | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..a9223f01
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+# Ignore certificate and key files
+*.crt
+*.key
+*.pfx
+*.pem
+aks_baseline.env
+/.vs/*
\ No newline at end of file
From 9a5e18337122e2a900406d26c74b9be695167aa5 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:11:18 -0400
Subject: [PATCH 09/16] restore .gitignore
---
 .gitignore | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..fc115329
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,6 @@
+# Ignore certificate and key files
+*.crt
+*.key
+*.pfx
+*.pem
+aks_baseline.env
\ No newline at end of file
From ebc9e71f04f5c4510078df53440e1fed4f64dca7 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:36:32 -0400
Subject: [PATCH 10/16] Revert "correction"
This reverts commit 7bd81103d03e91848283b40e9bd352eaeec56260, reversing changes made to 9a5e18337122e2a900406d26c74b9be695167aa5.
---
 .gitignore | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)
diff --git a/.gitignore b/.gitignore
index d8a7eca9..fc115329 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,12 +3,4 @@
 *.key
 *.pfx
 *.pem
-aks_baseline.env
-/.vs/aks-baseline/FileContentIndex/13b1486e-30ea-4f29-822a-598327db286e.vsidx
-/.vs/aks-baseline/FileContentIndex/669c8c33-ac49-45a2-a870-99edcec636f9.vsidx
-/.vs/aks-baseline/FileContentIndex/e9c9eac0-08fe-47fa-a682-33110cc52f18.vsidx
-/.vs/aks-baseline/v17/.wsuo
-/.vs/aks-baseline/FileContentIndex/5b9436cd-3dfb-4a94-9b96-9d682f029c74.vsidx
-/.vs/aks-baseline/FileContentIndex/c70bcf31-ef8f-44d9-a028-e6ee2b008b9d.vsidx
-/.vs/aks-baseline/FileContentIndex/d31399c2-7706-457d-b8e4-c7fbfc9e99aa.vsidx
-/.vs/aks-baseline/v17/DocumentLayout.json
+aks_baseline.env
\ No newline at end of file
From 6f1acb18f8dbdee6c7aae0877a5454d70542fa78 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:36:42 -0400
Subject: [PATCH 11/16] Revert "restore .gitignore"
This reverts commit 9a5e18337122e2a900406d26c74b9be695167aa5.
---
 .gitignore | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index fc115329..00000000
--- a/.gitignore
+++ /dev/null
@@ -1,6 +0,0 @@
-# Ignore certificate and key files
-*.crt
-*.key
-*.pfx
-*.pem
-aks_baseline.env
\ No newline at end of file
From 83aeb40088851e8e80fcd147a0873355fdbecbad Mon Sep 17 00:00:00 2001
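Review bot: This `.gitignore` is the same "restore .gitignore" commit as patch 08 (identical subject and author date) but without the `/.vs/*` entry, so the two patches disagree on whether Visual Studio workspace files are ignored, and patches 10 through 14 then delete, re-add and trim the file again. The removed lines in the patch 10 hunk show individual `.vs/aks-baseline/...vsidx` paths being listed by hand, which suggests those artifacts were being picked up whenever the directory-level rule was missing; keeping a single version with `.vs/` present would end the churn. Writing `aks_baseline.env` with a trailing newline would also drop the `\ No newline at end of file` marker every later patch of this file carries.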
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:37:20 -0400
Subject: [PATCH 12/16] Revert "Delete .gitignore"
This reverts commit 4ed7a7e3a1ff880e45e848cfd36884d60dffacc0.
---
 .gitignore | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .gitignore
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 00000000..a9223f01
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+# Ignore certificate and key files
+*.crt
+*.key
+*.pfx
+*.pem
+aks_baseline.env
+/.vs/*
\ No newline at end of file
From 62ac51cf45ba84804a558eb6e71dd1c6de4b1355 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:37:27 -0400
Subject: [PATCH 13/16] Revert "Update nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep"
This reverts commit 1e34410a88091f00a046ea46800a236fbf0552b6.
---
 nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
index e78586bb..d1bc2c61 100644
--- a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
+++ b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
@@ -150,4 +150,4 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
 output policyId string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.id
 output policyName string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.displayName
-output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
+output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
\ No newline at end of file
From 56e6705f634ddb9e5e59cc35b65798d72d436f72 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:37:39 -0400
Subject: [PATCH 14/16] Revert "restore nested_K8s..."
This reverts commit 6dab026412089b97ffbe4f05651c5266a3efd26a, reversing changes made to 0e5f541762b32a51bf53ffb842706ba5957495cb.
---
 .gitignore | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index a9223f01..8c3833c8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,4 +4,3 @@
 *.pfx
 *.pem
 aks_baseline.env
-/.vs/*
\ No newline at end of file
From 6aea1a3660ae5831c950bcb9e1edf181ba009ad9 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:38:00 -0400
Subject: [PATCH 15/16] Revert "Merge branch 'main' of https://github.com/skabou/aks-baseline"
This reverts commit 0e5f541762b32a51bf53ffb842706ba5957495cb, reversing changes made to a836d43b468a1f3dd6d508fdfe7e9ddf283d019f.
---
 ...gressTlsHostsHaveDefinedDomainSuffix.bicep | 51 -------------------
 1 file changed, 51 deletions(-)
diff --git a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
index d1bc2c61..1517a42a 100644
--- a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
+++ b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
@@ -84,57 +84,6 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
 }
 defaultValue: {
 }
- schema: {
- description: 'A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.'
- type: 'object'
- properties: {
- matchLabels: {
- description: 'matchLabels is a map of {key,value} pairs.'
- type: 'object'
- additionalProperties: {
- type: 'string'
- }
- minProperties: 1
- }
- matchExpressions: {
- description: 'matchExpressions is a list of values, a key, and an operator.'
- type: 'array'
- items: {
- type: 'object'
- properties: {
- key: {
- description: 'key is the label key that the selector applies to.'
- type: 'string'
- }
- operator: {
- description: 'operator represents a key\'s relationship to a set of values.'
- type: 'string'
- enum: [
- 'In'
- 'NotIn'
- 'Exists'
- 'DoesNotExist'
- ]
- }
- values: {
- description: 'values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.'
- type: 'array'
- items: {
- type: 'string'
- }
- }
- }
- required: [
- 'key'
- 'operator'
- ]
- additionalProperties: false
- }
- minItems: 1
- }
- }
- additionalProperties: false
- }
 }
 allowedDomainSuffixes: {
 type: 'Array'
From 24fbe48596e1f126e7a5ae9a71621002404eeae2 Mon Sep 17 00:00:00 2001
From: Jason Bouska
Date: Thu, 4 Apr 2024 11:41:42 -0400
Subject: [PATCH 16/16] Restore nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
---
 ...gressTlsHostsHaveDefinedDomainSuffix.bicep | 53 ++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)
diff --git a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
index 1517a42a..e78586bb 100644
--- a/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
+++ b/nested_K8sCustomIngressTlsHostsHaveDefinedDomainSuffix.bicep
@@ -84,6 +84,57 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
 }
 defaultValue: {
 }
+ schema: {
+ description: 'A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all resources.'
+ type: 'object'
+ properties: {
+ matchLabels: {
+ description: 'matchLabels is a map of {key,value} pairs.'
+ type: 'object'
+ additionalProperties: {
+ type: 'string'
+ }
+ minProperties: 1
+ }
+ matchExpressions: {
+ description: 'matchExpressions is a list of values, a key, and an operator.'
+ type: 'array'
+ items: {
+ type: 'object'
+ properties: {
+ key: {
+ description: 'key is the label key that the selector applies to.'
+ type: 'string'
+ }
+ operator: {
+ description: 'operator represents a key\'s relationship to a set of values.'
+ type: 'string'
+ enum: [
+ 'In'
+ 'NotIn'
+ 'Exists'
+ 'DoesNotExist'
+ ]
+ }
+ values: {
+ description: 'values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty.'
+ type: 'array'
+ items: {
+ type: 'string'
+ }
+ }
+ }
+ required: [
+ 'key'
+ 'operator'
+ ]
+ additionalProperties: false
+ }
+ minItems: 1
+ }
+ }
+ additionalProperties: false
+ }
 }
 allowedDomainSuffixes: {
 type: 'Array'
@@ -99,4 +150,4 @@ resource pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix 'Microsoft.Authorizat
 output policyId string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.id
 output policyName string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.displayName
-output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description
\ No newline at end of file
+output policyDescription string = pdK8sCustomIngressTlsHostsHaveDefinedDomainSuffix.properties.description