diff --git a/README.md b/README.md index b26ffadc..20de2508 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https #### Azure platform -- AKS v1.29 +- AKS v1.30 - System and user [node pool separation](https://learn.microsoft.com/azure/aks/use-system-pools) - [AKS-managed Microsoft Entra ID integration](https://learn.microsoft.com/azure/aks/managed-aad) - Microsoft Entra ID-backed Kubernetes RBAC (*local user accounts disabled*) @@ -43,7 +43,7 @@ Finally, this implementation uses the [ASP.NET Core Docker sample web app](https - [ImageCleaner (Eraser)](https://learn.microsoft.com/azure/aks/image-cleaner) *[AKS-managed add-on]* - [Kubernetes Reboot Daemon](https://learn.microsoft.com/azure/aks/node-updates-kured) - [Secrets Store CSI Driver for Kubernetes](https://learn.microsoft.com/azure/aks/csi-secrets-store-driver) *[AKS-managed add-on]* -- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v2.11/routing/providers/kubernetes-ingress/) +- [Traefik Ingress Controller](https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-ingress/) ![Network diagram depicting a hub-spoke network with two peered VNets and main Azure resources used in the architecture.](https://learn.microsoft.com/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg) diff --git a/cluster-stamp.bicep b/cluster-stamp.bicep index 12b29340..5a89a15a 100644 --- a/cluster-stamp.bicep +++ b/cluster-stamp.bicep 
@@ -28,7 +28,7 @@ param clusterAuthorizedIPRanges array = [] @description('AKS Service, Node Pool, and supporting services (KeyVault, App Gateway, etc) region. This needs to be the same region as the vnet provided in these parameters. This defaults to the resource group\'s location for higher reliability.') param location string = resourceGroup().location -param kubernetesVersion string = '1.29' +param kubernetesVersion string = '1.30' @description('Domain name to use for App Gateway and AKS ingress.') param domainName string = 'contoso.com' @@ -1137,7 +1137,7 @@ resource paEnforceImageSource 'Microsoft.Authorization/policyAssignments@2024-04 policyDefinitionId: pdEnforceImageSource.id parameters: { allowedContainerImagesRegex: { - // If all images are pull into your ARC instance as described in these instructions you can remove the docker.io & ghcr.io entries. + // If all images are pull into your ACR instance as described in these instructions you can remove the docker.io & ghcr.io entries. value: '${acr.name}\\.azurecr\\.io/.+$|mcr\\.microsoft\\.com/.+$|docker\\.io/library/.+$' } excludedNamespaces: { diff --git a/docs/deploy/07-bootstrap-validation.md b/docs/deploy/07-bootstrap-validation.md index 10e298d0..a487b6b4 100644 --- a/docs/deploy/07-bootstrap-validation.md +++ b/docs/deploy/07-bootstrap-validation.md @@ -10,7 +10,7 @@ GitOps allows a team to author Kubernetes manifest files, persist them in their - Cluster-wide configuration of Azure Monitor for Containers - The workload's namespace named `a0008` -1. Install `kubectl` 1.28 or newer. (`kubectl` supports ±1 Kubernetes version.) +1. Install `kubectl` 1.29 or newer. (`kubectl` supports ±1 Kubernetes version.) ```bash sudo az aks install-cli diff --git a/docs/deploy/09-secret-management-and-ingress-controller.md b/docs/deploy/09-secret-management-and-ingress-controller.md index f5c1689f..3bf08933 100644 --- a/docs/deploy/09-secret-management-and-ingress-controller.md 
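Review bot: The `allowedContainerImagesRegex` value shown as context in the second hunk is not anchored at the start of the image reference (`${acr.name}\\.azurecr\\.io/.+$|mcr\\.microsoft\\.com/.+$|docker\\.io/library/.+$`), and as far as I can tell Azure Policy for AKS evaluates this parameter as a search rather than a full match, so a reference from another registry whose path merely contains one of these hosts would still satisfy the pattern. Anchoring each alternative closes that gap: `value: '^${acr.name}\\.azurecr\\.io/.+$|^mcr\\.microsoft\\.com/.+$|^docker\\.io/library/.+$'`. The corrected comment still refers to a ghcr.io entry that does not appear in the value beneath it and reads "are pull"; suggest `// If all images are pulled into your ACR instance as described in these instructions, you can remove the docker.io entry.` The enclosing policy assignment resource starts and ends outside the hunk.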
+++ b/docs/deploy/09-secret-management-and-ingress-controller.md @@ -73,7 +73,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi ```bash # Import ingress controller image hosted in public container registries - az acr import --source docker.io/library/traefik:v2.11 -n $ACR_NAME_AKS_BASELINE + az acr import --source docker.io/library/traefik:v3.0 -n $ACR_NAME_AKS_BASELINE ``` 1. Install the Traefik Ingress Controller. diff --git a/workload/traefik.yaml b/workload/traefik.yaml index ce445393..4721004a 100644 --- a/workload/traefik.yaml +++ b/workload/traefik.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/name: traefik-ingress-ilb app.kubernetes.io/instance: traefik-ingress-ilb --- -#https://raw.githubusercontent.com/traefik/traefik/v2.11/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml +#https://raw.githubusercontent.com/traefik/traefik/v3.0/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: @@ -46,7 +46,6 @@ rules: - update - apiGroups: - traefik.io - - traefik.containo.us resources: - middlewares - middlewaretcps @@ -57,6 +56,7 @@ rules: - tlsoptions - tlsstores - serverstransports + - serverstransporttcps verbs: - get - list @@ -65,7 +65,7 @@ rules: kind: ClusterRoleBinding apiVersion: rbac.authorization.k8s.io/v1 metadata: - name: traefik-watch-workloads + name: traefik-ingress-controller namespace: a0008 labels: app.kubernetes.io/name: traefik-ingress-ilb 
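Review bot: Renaming the ClusterRoleBinding from `traefik-watch-workloads` to `traefik-ingress-controller` in the fourth traefik.yaml hunk creates a new object but does not remove the old one; unless the GitOps reconciliation that applies this file prunes resources that disappear from the manifest, the previous binding keeps granting the ClusterRole after this change lands, so its deletion should be confirmed as part of the rollout. The `namespace: a0008` field in the same metadata block has no effect on a cluster-scoped ClusterRoleBinding and is better removed so the manifest does not suggest the grant is namespace-bound. The binding's `roleRef` and `subjects` lie outside the hunk, so I cannot confirm the new name is the only thing that changed.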
@@ -230,10 +230,10 @@ spec:
 # PRODUCTION READINESS CHANGE REQUIRED
 # This image should be sourced from a non-public container registry, such as the
 # one deployed along side of this reference implementation.
- # az acr import --source docker.io/library/traefik:v2.11 -n
+ # az acr import --source docker.io/library/traefik:v3.0 -n
 # and then set this to
- # image: .azurecr.io/library/traefik:v2.11
- - image: docker.io/library/traefik:v2.11
+ # image: .azurecr.io/library/traefik:v3.0
+ - image: docker.io/library/traefik:v3.0
 imagePullPolicy: IfNotPresent
 name: traefik-ingress-controller
 resources:
@@ -310,4 +310,4 @@ spec:
 securityContext:
 fsGroup: 65532
 nodeSelector:
- agentpool: npuser01
\ No newline at end of file
+ agentpool: npuser01