Skip to content

The goal of this repo is to have a baseline secure AKS setup with private Kubernetes API and egress traffic lockdown

License

Notifications You must be signed in to change notification settings

amit-schnitzer/sec-base-aks

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

23 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Security Baseline AKS

The goal of this repo is to have a baseline secure AKS setup with private Kubernetes API and egress traffic lockdown

Architecture Diagram

Architecture

Out of Scope

  • In-cluster Security (Network Policies, OPA, mTLS, etc)
  • Secure CI/CD pipelines
  • Container Security (AppArmor, seccomp)

How to start

Download and Install Terraform

Download a proper package for your operating system from here. Alternatively, you can use Azure Cloud Shell, that has Terraform binary pre-installed.

Download and Install Azure CLI

Follow the instructions for your operating system here. Alternatively, you can use Azure Cloud Shell, that has Azure CLI binary pre-installed.

Clone this repo and go to a terraform directory

git clone https://github.com/akamenev/sec-base-aks
cd sec-base-aks/terraform

Templates structure:

terraform
├── acr.tf          # contains ACR deployment with ACR Firewall Rules
├── akscni.tf       # contains AKS deployment with DNS Private Zone Link
├── firewall.tf     # contains Azure Firewall deployment with Network and Application rules and Route Table
├── jumpbox.tf      # contains Jumpbox VM deployment
├── logs.tf         # contains Azure Log Analytics deployment
├── providers.tf    # contains required Terraform Providers (azurerm)
├── variables.tf    # contains required variables
└── vnet.tf         # contains Resource Group and Virtual Network deployments

Login to Azure with Azure CLI and Set the Environment Variables

az login

export TF_VAR_cluster_name="sec-aks"               # Name of a cluster
export TF_VAR_username="aksadmin"                  # Username for a jumpbox and cluster user
export TF_VAR_resource_group_name="sec-aks"        # Resource group name
export TF_VAR_location="WestEurope"                # Location 
export TF_VAR_ssh_public_key="~/.ssh/id_rsa.pub"   # Location of ssh key to use
export TF_VAR_dns_prefix="sec-aks"                 # DNS prefix for a cluster
export TF_VAR_kubernetes_version="1.15.7"          # Cluster version
export TF_VAR_acr_name="secureacr"                 # Name of container registry

Initialize Terraform and apply the template

terraform init
terraform apply

Delete the environment

terraform destroy

Useful links for further security enhancement

About

The goal of this repo is to have a baseline secure AKS setup with private Kubernetes API and egress traffic lockdown

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • HCL 100.0%