[FCP] [AAC-AKS] customer facing readme md - Part 2 (#336)
improve README file Co-authored-by: Chad Kittel <chad.kittel@gmail.com>
1 parent 4a58721, commit e328804
Showing 11 changed files with 768 additions and 54 deletions.
@@ -0,0 +1,38 @@ | ||
# The Contoso Bicycle Azure AD Admin team has a new organizational challenge | ||
# which is regulating access to the new Secure AKS cluster (Application ID: a0008 under the BU001) | ||
# resources from Azure AD. | ||
# The goal is being able to configure Kubernetes role-based access control (RBAC) | ||
# based on a user's identity or directory group membership. | ||
# Thefore, the team has made the decision of implementing the Azure AD integration with | ||
# AKS-managed Azure AD. | ||
|
||
# The user admin logins into the tenant | ||
az login --allow-no-subscriptions -t $K8S_RBAC_AAD_PROFILE_TENANTID && \ | ||
K8S_RBAC_AAD_PROFILE_TENANT_DOMAIN_NAME=$(az ad signed-in-user show --query 'userPrincipalName' | cut -d '@' -f 2 | sed 's/\"//') | ||
|
||
# They create first the group that is going to map the Kubernetes Cluster Role Admin. | ||
# Once the cluster gets deployed the new group will get the proper Cluster | ||
# Role bindings | ||
K8S_RBAC_AAD_ADMIN_GROUP_OBJECTID=$(az ad group create --display-name add-to-bu0001a000800-cluster-admin --mail-nickname add-to-bu0001a000800-cluster-admin --query objectId -o tsv) | ||
|
||
# Later the App team's admin member requested a Cluster Admin User. Therefore, | ||
# the Azure AD Admin team procceds to the creation of a new user from Azure AD. | ||
AKS_ADMIN_OBJECTID=$(az ad user create --display-name=bu0001a0008-admin --user-principal-name bu0001a0008-admin@${K8S_RBAC_AAD_PROFILE_TENANT_DOMAIN_NAME} --force-change-password-next-login --password bu0001a0008Admin --query objectId -o tsv) | ||
|
||
# Then the recently created user is added to the Kubernetes Cluster Admin group | ||
# from Azure AD | ||
az ad group member add --group add-to-bu0001a000800-cluster-admin --member-id $AKS_ADMIN_OBJECTID | ||
|
||
# Later on the Azure AD Admin team will review the baseline settings of the Secure AKS cluster (Application ID: a0008 under the BU001) | ||
# and edit the file: | ||
# - `aks/security-baseline/cluster-baseline-settings/user-facing-cluster-role-aad-group.yaml` | ||
# to replace the placeholder: | ||
# - `<replace-with-an-aad-group-object-id-for-k8s-admin-clusterrole>` | ||
# using the object id for the recently added Azure AD group. | ||
|
||
# Lastly, the Azure AD respond to the oginal App team's user creation requet by | ||
# opening a PR againts the Secure AKS Cluster (Application ID: a0008 under the BU001) IaaC git repository. | ||
|
||
# At this moment the Azure AD Admin team hands off this process to the networking team | ||
# so they could deliver the required networking assets to lay down a Secure | ||
# AKS cluster (Application ID: a0008 under the BU001) |
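Review bot: the `az ad user create` call on the `AKS_ADMIN_OBJECTID=...` line commits a literal initial password (`--password bu0001a0008Admin`) to the repository; `--force-change-password-next-login` limits its lifetime, but the value is predictable and is now part of git history, so it should be generated at run time rather than written into the script, for example `--password "$(openssl rand -base64 24)"` or a value read from an environment variable that is never committed. Smaller points in the same hunk: passing `-o tsv` to the `az ad signed-in-user show` query would return the UPN unquoted and make the trailing `sed 's/\"//'` unnecessary, and the comments have several typos ('Thefore', 'procceds', 'oginal', 'requet', 'againts', and 'IaaC' for IaC).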
File renamed without changes.
File renamed without changes.
File renamed without changes.
@@ -0,0 +1,21 @@ | ||
You can choose to deploy the Secure AKS cluster baseline by executing the following script files. | ||
|
||
> Tip: we recommend to deploy this Reference Implementation using the README.md | ||
> steps, but please feel free to use this deployment path if you find | ||
> this more convinient | ||
### Deploy | ||
|
||
> Important: edit these script files to complete the required values before procedding | ||
```bash | ||
# [This takes thirty minutes to run.] | ||
./0-networking-stamp.sh && \ | ||
./1-cluster-stamp.sh` | ||
### Clean up | ||
```bash | ||
# [This takes twenty minutes to run.] | ||
./deleteResourceGroups.sh | ||
``` |
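Review bot: the first ```bash fence under '### Deploy' is never closed; the line `./1-cluster-stamp.sh\`` ends in a stray single backtick instead of a closing ``` line, so '### Clean up' and the second fence render as part of the first code block. Replace the trailing backtick with a closing fence on its own line. Minor wording: 'convinient' -> 'convenient', 'procedding' -> 'proceeding', and 'we recommend to deploy' -> 'we recommend deploying'.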
@@ -0,0 +1,122 @@ | ||
# ------------------------------------------------------------ | ||
# Copyright (c) Microsoft Corporation. All rights reserved. | ||
# Licensed under the MIT License (MIT). See License.txt in the repo root # for license information. | ||
# ------------------------------------------------------------ | ||
|
||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: aspnetapp-deployment | ||
namespace: a0008 | ||
labels: | ||
app.kubernetes.io/name: aspnetapp | ||
spec: | ||
replicas: 2 | ||
selector: | ||
matchLabels: | ||
app.kubernetes.io/name: aspnetapp | ||
template: | ||
metadata: | ||
labels: | ||
app.kubernetes.io/name: aspnetapp | ||
spec: | ||
automountServiceAccountToken: false | ||
securityContext: | ||
runAsUser: 10001 | ||
runAsGroup: 3000 | ||
affinity: | ||
podAntiAffinity: | ||
requiredDuringSchedulingIgnoredDuringExecution: | ||
- labelSelector: | ||
matchExpressions: | ||
- key: app.kubernetes.io/name | ||
operator: In | ||
values: | ||
- aspnetapp | ||
topologyKey: "kubernetes.io/hostname" | ||
podAffinity: | ||
preferredDuringSchedulingIgnoredDuringExecution: | ||
- weight: 1 | ||
podAffinityTerm: | ||
labelSelector: | ||
matchExpressions: | ||
- key: app.kubernetes.io/name | ||
operator: In | ||
values: | ||
- traefik-ingress-ilb | ||
topologyKey: "kubernetes.io/hostname" | ||
containers: | ||
- name: aspnetcore-webapp-sample | ||
image: mcr.microsoft.com/dotnet/core/samples:aspnetapp | ||
imagePullPolicy: Always | ||
securityContext: | ||
allowPrivilegeEscalation: false | ||
readOnlyRootFilesystem: true | ||
capabilities: | ||
drop: | ||
- all | ||
env: | ||
- name: ASPNETCORE_URLS | ||
value: "http://*:8080" | ||
- name: COMPlus_EnableDiagnostics | ||
# https://github.com/dotnet/dotnet-docker/issues/940 | ||
value: "0" | ||
nodeSelector: | ||
agentpool: npuser01 | ||
--- | ||
apiVersion: policy/v1beta1 | ||
kind: PodDisruptionBudget | ||
metadata: | ||
name: aspnetapp-pdb | ||
spec: | ||
minAvailable: 75% | ||
selector: | ||
matchLabels: | ||
app: aspnetapp | ||
--- | ||
kind: Service | ||
apiVersion: v1 | ||
metadata: | ||
name: aspnetapp-service | ||
namespace: a0008 | ||
spec: | ||
selector: | ||
app.kubernetes.io/name: aspnetapp | ||
ports: | ||
- name: http | ||
port: 80 | ||
targetPort: 8080 | ||
--- | ||
apiVersion: networking.k8s.io/v1beta1 | ||
kind: Ingress | ||
metadata: | ||
name: aspnetapp-ingress | ||
namespace: a0008 | ||
annotations: | ||
# defines controller implementing this ingress resource: https://docs.microsoft.com/en-us/azure/dev-spaces/how-to/ingress-https-traefik | ||
# ingress.class annotation is being deprecated in Kubernetes 1.18: https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation | ||
# For backwards compatibility, when this annotation is set, precedence is given over the new field ingressClassName under spec. | ||
kubernetes.io/ingress.class: traefik-internal | ||
traefik.ingress.kubernetes.io/router.entrypoints: websecure | ||
traefik.ingress.kubernetes.io/router.tls: "true" | ||
traefik.ingress.kubernetes.io/router.tls.options: default | ||
traefik.ingress.kubernetes.io/router.middlewares: app-gateway-snet@file, gzip-compress@file | ||
spec: | ||
# ingressClassName: "traefik-internal" | ||
tls: | ||
- hosts: | ||
- bu0001a0008-00.aks-ingress.contoso.com | ||
# it is possible to opt for certificate management strategy with dedicated | ||
# certificates for each TLS SNI route. | ||
# In this Rereference Implementation for the sake of simplicity we use a | ||
# wildcard default certificate added at Ingress Controller configuration level which is *.example.com | ||
# secretName: <bu0001a0008-00-example-com-tls-secret> | ||
rules: | ||
- host: bu0001a0008-00.aks-ingress.contoso.com | ||
http: | ||
paths: | ||
- path: / | ||
backend: | ||
serviceName: aspnetapp-service | ||
servicePort: http | ||
--- |
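Review bot: the PodDisruptionBudget selects `app: aspnetapp`, but the Deployment's pods carry only the `app.kubernetes.io/name: aspnetapp` label, and the PDB also omits `namespace: a0008`, so `minAvailable: 75%` matches no pods and gives no protection during node drains or upgrades; change the selector to `app.kubernetes.io/name: aspnetapp` and add `namespace: a0008` to its metadata. The pod securityContext sets `runAsUser: 10001` but not `runAsNonRoot: true`; adding it makes the non-root requirement explicit and keeps it enforced if `runAsUser` is later changed or removed. Also 'Rereference' in the TLS comment -> 'Reference'.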