Implementation Updates

• Better support for long region names, such as germanywestcentral - #315 (HT: @ulkeba)
• Migrate to WAF Policy to hold WAF configuration - #316 (HT: @ulkeba)
• Updated workload PDB to be an absolute value to better reflect the intent. - #318 (HT: @ulkeba)
• Add Bot Mitigation policy to WAF - #320
• Use latest API version in the SecretProviderClass for the in-cluster cert - #323
• Migrated away from the legacy Log Analytics Workspace-owned queries to a dedicated query pack - #324
• A slew of Azure Policy and Azure Policy for Kubernetes updates - #317
  • Populated description on all of the policy assignments
  • Azure Policy for Kubernetes
    • Tightened up K8sAzureContainerAllowedImages (removed no longer needed entry, added better RegEx escaping)
    • Tightened up K8sAzureContainerLimits (removed cluster-baseline-settings exclusion and adjusted limits)
    • Tightened up K8sAzureReadOnlyRootFilesystem by moving it to a Deny policy
    • Added K8sAzureHostFilesystem and K8sAzureExternalIPs and as a Deny policy
    • Added K8sAzureBlockEndpointEditDefaultRole and K8sAzureBlockDefault as an Audit policy
  • Newly assigned the following Azure Policies
    • Authorized IP ranges should be defined on Kubernetes Services
    • Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
    • Role-Based Access Control (RBAC) should be used on Kubernetes Services
    • Azure Kubernetes Service Clusters should use managed identities
    • Container registries should have anonymous authentication disabled
    • Container registries should have local admin account disabled
• Fixed all bicep warnings - #317 (HT: @akulich)

Walkthrough updates

• Updated (Preview) notes section - #322
• Typo fixes

Misc updates

• Added Gatekeeper Constraint Names to the bicep file for easy cross referencing - #317