We won’t spend too much time on the presentation of AKS, the service that has been very popular in recent months.
In brief, AKS is Microsoft\u2019s new managed container orchestration service. It is gradually replacing Azure Container service and focuses only on the Cloud Native Computing foundation (CNCF) Kubernetes orchestration engine.
In the last workshop: Create a Kubernetes cluster with Azure AKS using Terraform<\/a>,<\/span> we have discussed the Azure Kubernetes Service (AKS) basics, the Infrastructure as Code (IaC) mechanism with a focus on Hashicorp Terraform and how to deploy a Kubernetes cluster with AKS using Terraform.
With this lab, you\u2019ll go through tasks that will help you master the basic and more advanced topics required to secure Azure AKS Kubernetes cluster at the deployment level based on the following mechanisms and technologies:<\/p>\n\n\n\n
- \u2705Azure AD (AAD)<\/span><\/a><\/li>
- \u2705AKS with Role-Based Access Control (RBAC)<\/span><\/a><\/li>
- \u2705Container Network Interface (C<\/span><\/a>N<\/a><\/span>I)<\/span><\/a><\/li>
- \u2705Azure Network policy<\/a><\/span><\/li>
- \u2705Azure Key Vault<\/a><\/span><\/li><\/ol>\n\n\n\n
\n\n\n\nThis article is part of a series:<\/p>\n\n\n\n
- Secure AKS at the deployment: part 1<\/li>
- Secure AKS at the deployment: part 2<\/span><\/a><\/li>
- Secure AKS at the deployment: part 3<\/span><\/a><\/li><\/ul>\n\n\n\n
\n\n\n\nAssumptions and Prerequisites<\/h2>\n\n\n\n
- You have basic knowledge of Azure<\/a><\/li>
- Have basic knowledge of Kubernetes<\/a><\/li>
- You have Terraform <\/span><\/a>installed in your local machine <\/li>
- You have basic experience with Terraform <\/li>
- Azure subscription: Sign up for an Azure account, if you don\u2019t own one already. You will receive USD200 in free credits.<\/li><\/ul>\n\n\n\n
Implement Azure AD to secure AKS at the deployment <\/h2>\n\n\n\n
![\"Integrate](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/azure-active-directory.jpg\")
<\/figure><\/div>\n\n\n\nIn order to secure AKS at the deployment level, Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (AAD) for user authentication. In this configuration, you can sign in to an AKS cluster by using your Azure AD authentication token.<\/p>\n\n\n\n
1- Azure networks solutions and AKS deployment <\/h3>\n\n\n\n
The default deployment of AKS proposed by Azure<\/a><\/span> hides a lot of things that are happening in the background.
Indeed, we do not know where the cluster is deployed or how the network is configured. By default, the network plugin used is kubenet<\/a><\/span>, which is good for testing but does not allow us to test all the possibilities of AKS.<\/p>\n\n\n\nIn this part, let’s take a few assumptions:<\/p>\n\n\n\n
- The underlying Azure network is already in place<\/li>
- We will use Azure CNI for our AKS cluster<\/li><\/ul>\n\n\n\n
Provisioning an Azure Virtual Network<\/a><\/span> (Vnet) is an essential step before deploying the AKS cluster. The main reason is closely related to the choice of the CNI. With CNI Azure<\/a><\/span>, Kubernetes nodes but also pods rely on the private IP addresses of the VNet and more specifically of the target subnet for deployment.<\/p>\n\n\n\n
Theoretically, to deploy an AKS cluster capable of hosting an appropriate number of workloads (i.e. pods), the network design should be meticulously carried out in order to provide sufficient IP address space for the AKS cluster.
Azure documentation gives us the following formula to calculate the minimum size of the target subnet for an AKS cluster, according to the number of workloads:<\/p>\n\n\n\n(number of nodes + 1) + ((number of nodes + 1) * maximum pods per node that you configure)<\/em><\/p>\n\n\n\n
Example for a 50 node cluster:
(51) + (51 * 30 (default)) = 1,581<\/code> (\/21 or larger)<\/p>\n\n\n\nExample for a 50 node cluster that also includes provision to scale up an additional 10 nodes:
(61) + (61 * 30 (default)) = 1,891<\/code> (\/21 or larger)<\/p>\n\n\n\n\u2139\ufe0f Note
<\/strong>The maximum number of pods per node configured to 30 by default with Azure CNI. Fortunately, this is a soft limit that can be changed to 110 pods per node, either at the of deployment level, or after deployment with az cli for example.<\/p>\n\n\n\nWith Azure CNI, we can also use Network Policies in Kubernetes.
Since we want to secure the Azure AKS Kubernetes cluster at its deployment, network policies are required.<\/p>\n\n\n\n2- Integrate AKS with Azure AD <\/h3>\n\n\n\n
Prerequisites<\/h4>\n\n\n\n
Since AKS is a service managed by Microsoft, it provides an interesting features such as integration with Azure Active Directory.
For a company already using Azure AD as a source of identity, either from synchronization with an LDAP on premise, or in Cloud Native mode, the possibility of using Azure AD directly to authenticate AKS users is a big advantage.
In addition, because of Azure AD\u2019s ability to force Multi Factor Authentication (MFA) or not, a user with MFA enabled will be forced to use their authentication device to access AKS. Although a little more restrictive, the use of MFA is to be taken as a good practice.<\/p>\n\n\n\nAuthentication details<\/h4>\n\n\n\n
Azure AD authentication is provided to AKS clusters that have OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol.
For more information about OpenID Connect, see Authorize access to web applications using OpenID Connect and Azure AD<\/a>.
Without going into too much detail here, let’s summarize how it works:<\/p>\n\n\n\n\n1- AAD App Server<\/strong>
An application registered with AAD is required. This application, called a server application, is associated with the AKS cluster and is used to retrieve group memberships from AAD users.
To be able to perform this function, the application needs to have rights on the Microsoft Graph API:
– Application access: Read directory data
-Delegated permissions: Sign in and read user profile and Read Directory data
Through this application and the associated Service Principal (SP), the AKS cluster becomes able to verify the identity of the authenticating user.
2- AAD App client <\/strong>
A second application, \u201cNative App\u201d, qualified client, accessing the first application is required. <\/p>\n<\/div><\/div>\n\n\n\nCreate Azure AD server component<\/h4>\n\n\n\n
This section shows you how to create the required Azure AD components. You can also complete these steps using the Azure porta<\/a>l<\/a>.<\/span>
For the complete sample script used in this lab, see Azure CLI samples – AKS integration with Azure AD<\/a><\/span>.<\/span><\/a><\/p>\n\n\n\n
- Have basic knowledge of Kubernetes<\/a><\/li>
- Secure AKS at the deployment: part 3<\/span><\/a><\/li><\/ul>\n\n\n\n
- \u2705AKS with Role-Based Access Control (RBAC)<\/span><\/a><\/li>
![\"secure](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-27-at-21.33.43-1024x111.png\")
<\/figure>\n\n\n\n![\"secure](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-27-at-21.21.04-1024x201.png\")
<\/figure>\n\n\n\n![\"Create](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-27-at-21.41.49-1024x230.png\")
<\/figure>\n\n\n\n![\"Permission\"](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-27-at-21.51.31-1024x112.png\")
<\/figure>\n\n\n\n![\"az](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-27-at-21.57.55-1024x79.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-27-at-21.58.24-1024x79.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/Screenshot-2019-12-27-at-22.14.58-1024x295.png\")
<\/figure>\n\n\n\n