Releases: mspnp/aks-baseline
Releases · mspnp/aks-baseline
v1.30.0.0
v1.29.0.0
Implementation updates
- Fixes "Warning simplify-json-null: Simplify json('null') to null" war… by @pcgeek86 in #381
- Fix pattern link by @ckittel in #384
- OSS updates by @v-fearam in #387
- container-insights-agent-config by @v-fearam in #388
- AAD -> Microsoft Entra ID by @ckittel in #389
- Extensions refreshed by @ferantivero in #402
- Aligned resources to resource group location by @ckittel in #404
- Implemented Node OS security patches, Deprecated Kured by @ferantivero in #403
- Added secure decorator to x509 private keys by @ferantivero in #407
- Updated AKS to v1.29 by @skabou in #409
- Updated Traefik to v2.11 by @skabou in #409
- Moved from Ubuntu to AzureLinux by @skabou in #409
- Small content adjustments by @skabou in #410
New Contributors
- @pcgeek86 made their first contribution in #381
- @daveRendon made their first contribution in #399
- @skabou made their first contribution in #409
Full Changelog: v1.26.0.0...v1.29.0.0
v1.26.0.0
Implementation updates
- Updated to container insights Log Schema v2 - #365
- Updated AKS (1.25.5 -> 1.26.0) - #374
- Moved WAF bot policy from 0.1 to 1.0 - #374
- Added an alert in case cluster log sink hits a daily data cap - #374
- Migrated two alerts to actually alert off of the pushed metric alert as configured by the azmon agent. - #374
Walkthrough updates
v1.25.2.1
Implementation updates
- Updated kured (1.11.0 -> 1.12.0) - #362
- Updated traefik (2.8.1 -> 2.9.6) - #362
- Updated Azure Monitor's configuration with latest upstream - #362
- Enabled the "Notifications controller" on the Flux extension deployment to reduce the logging noise around its absence. - #362
Walkthrough updates
v1.25.2.0
Implementation Updates
- Updated to AKS 1.25.2 - #357
- Friends don't let friends blindly use defaults (add more defaults/intents to the AKS bicep template) - #357
- Update Kured to 1.11.0 - #357 (including updates to address no longer coming from GitHub and separation from weaveworks)
- Enabled ImageCleaner (Eraser) - #357
- Changed
tenantId
->tenantID
inSecretProviderClass
to address the deprecation of that field - #357 - Disable Azure storage drivers, no workloads in this deployment use them (don't bring extra baggage into the cluster) - #357
- Fixed an issue with Flux configuration that was presenting a challenge for the Azure Portal view - #355
Walkthrough updates
v1.24.6.0
Implementation Updates
- Updated to AKS 1.24.6 - #326
- Migrated from Azure AD Pod Identity to Azure AD Workload Identity, with managed identity support - #326
- Fixed a couple of bicep linter warnings - #326
- Updated the
AzureBastionSubnet
size to the recommended size of/26
instead of/27
(which was the old recommendation) - #353
Walkthrough updates
v1.24.0.1
Implementation Updates
- Introduced a custom Azure Policy for Kubernetes policy as an example. This example enforces an Ingress choice for domain. - #345 (HT: @ulkeba)
- Removed the GitHub Actions starter workflow in favor of the collaboration with the https://github.com/Azure/aks-baseline-automation repo. - #348
Walkthrough updates
- Updated docs.microsoft.com URLs to learn.microsoft.com to follow the rebranding. - #347
v1.24.0.0
Implementation Updates
- OSS Updates
- Updated OMS agent config file with new configuration values from upstream. - #339
- Added new OMS alertable metric for job completion threshold - #339
- Enabled Azure Subnet IP usage metric collection in OMS - #339
- Move to AKS 1.24.0 (from 1.23.5) - #337
Walkthrough updates
v1.23.5.1
Implementation Updates
- Better support for long region names, such as
germanywestcentral
- #315 (HT: @ulkeba) - Migrate to WAF Policy to hold WAF configuration - #316 (HT: @ulkeba)
- Updated workload PDB to be an absolute value to better reflect the intent. - #318 (HT: @ulkeba)
- Add Bot Mitigation policy to WAF - #320
- Use latest API version in the
SecretProviderClass
for the in-cluster cert - #323 - Migrated away from the legacy Log Analytics Workspace-owned queries to a dedicated query pack - #324
- A slew of Azure Policy and Azure Policy for Kubernetes updates - #317
- Populated
description
on all of the policy assignments - Azure Policy for Kubernetes
- Tightened up
K8sAzureContainerAllowedImages
(removed no longer needed entry, added better RegEx escaping) - Tightened up
K8sAzureContainerLimits
(removedcluster-baseline-settings
exclusion and adjusted limits) - Tightened up
K8sAzureReadOnlyRootFilesystem
by moving it to aDeny
policy - Added
K8sAzureHostFilesystem
andK8sAzureExternalIPs
and as aDeny
policy - Added
K8sAzureBlockEndpointEditDefaultRole
andK8sAzureBlockDefault
as anAudit
policy
- Tightened up
- Newly assigned the following Azure Policies
- Authorized IP ranges should be defined on Kubernetes Services
- Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
- Role-Based Access Control (RBAC) should be used on Kubernetes Services
- Azure Kubernetes Service Clusters should use managed identities
- Container registries should have anonymous authentication disabled
- Container registries should have local admin account disabled
- Populated
- Fixed all bicep warnings - #317 (HT: @akulich)
Walkthrough updates
- Updated (Preview) notes section - #322
- Typo fixes
Misc updates
- Added Gatekeeper Constraint Names to the bicep file for easy cross referencing - #317
v1.23.5.0
Implementation Updates
- Updated OSS components - #313
- Moved to AKS 1.23 - #313
- Added OIDC issuer profile URL to outputs to support easier workload identity adoption - #313
- Made the namespace reader auth configuration more clearly optional. - #311 (HT: @ulkeba)
Walkthrough updates
- Added some additional
echo
statements to help anchor folks on what values are being stored in variables - #311 - Added clearer instructions for those users that already have existing Azure AD objects they plan on using for cluster RBAC - #311
- Adjustments to the "try it out" parts of the walkthrough based on Azure portal updates. - #311