We won’t spend too much time on the presentation of AKS, the service that has been very popular in recent months.
In brief, AKS is Microsoft\u2019s new managed container orchestration service. It is gradually replacing Azure Container service and focuses only on the Cloud Native Computing foundation (CNCF) Kubernetes orchestration engine.
In the last workshop: Create a Kubernetes cluster with Azure AKS using Terraform<\/a>,<\/span> we have discussed the Azure Kubernetes Service (AKS) basics, the Infrastructure as Code (IaC) mechanism with a focus on Hashicorp Terraform and how to deploy a Kubernetes cluster with AKS using Terraform.
With this lab, you\u2019ll go through tasks that will help you master the basic and more advanced topics required to secure Azure AKS Kubernetes cluster at the deployment level based on the following mechanisms and technologies:<\/p>\n\n\n\n
- \u2705Azure AD (AAD)<\/span><\/a><\/li>
- \u2705AKS with Role-Based Access Control (RBAC)<\/span><\/a><\/li>
- \u2705Container Network Interface (C<\/span><\/a>N<\/a><\/span>I)<\/span><\/a><\/li>
- \u2705Azure Network policy<\/a><\/span><\/li>
- \u2705Azure Key Vault<\/a><\/span><\/li><\/ol>\n\n\n\n
\n\n\n\nThis article is part of a series:<\/p>\n\n\n\n
- Secure AKS at the deployment: part 1<\/a><\/li>
- Secure AKS at the deployment: part 2<\/span><\/a><\/li>
- Secure AKS at the deployment: part 3<\/li><\/ul>\n\n\n\n
\n\n\n\nAssumptions and Prerequisites<\/h2>\n\n\n\n
- You have basic knowledge of Azure<\/a><\/li>
- Have basic knowledge of Kubernetes<\/a><\/li>
- You have Terraform <\/span><\/a>installed in your local machine <\/li>
- You have basic experience with Terraform <\/li>
- Azure subscription: Sign up for an Azure account, if you don\u2019t own one already. You will receive USD200 in free credits.<\/li><\/ul>\n\n\n\n
Implement Network Policies to secure AKS at the deployment <\/h2>\n\n\n\n
![\"\"](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2019\/12\/kubernetes-network-policies-overview.png\")
<\/figure><\/div>\n\n\n\nWe saw in the first section the basics and the prerequisites to integrate Azure Active Directory authentication and RBAC management on an AKS cluster. In a second part, we continued our exploration of the use of Azure Active Directory (AAD) to secure AKS.
In this part, we finish our exploration of securing AKS by looking at Kubernetes Network Policies.<\/p>\n\n\n\n1- Network policy options in AKS<\/h3>\n\n\n\n
Azure provides two ways to implement network policy. You choose a network policy option when you create an AKS cluster. The policy option can’t be changed after the cluster is created:<\/p>\n\n\n\n
- Azure\u2019s own implementation, called Azure Network Policies<\/em>.<\/li>
- Calico Network Policies<\/em>, an open-source network and network security solution founded by Tigera<\/a>.<\/li><\/ul>\n\n\n\n
Both implementations use Linux IPTables<\/em> to enforce the specified policies. Policies are translated into sets of allowed and disallowed IP pairs. These pairs are then programmed as IPTable filter rules.<\/p>\n\n\n\n
Differences between Azure and Calico policies and their capabilities<\/strong><\/p>\n\n\n\n
- Calico Network Policies<\/em>, an open-source network and network security solution founded by Tigera<\/a>.<\/li><\/ul>\n\n\n\n
- Have basic knowledge of Kubernetes<\/a><\/li>
- Secure AKS at the deployment: part 2<\/span><\/a><\/li>
- \u2705AKS with Role-Based Access Control (RBAC)<\/span><\/a><\/li>
![\"Secure](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-03-at-03.08.58-1024x114.png\")
<\/figure>\n\n\n\n![\"Secure](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-03-at-03.12.07-1024x75.png\")
<\/figure>\n\n\n\n![\"Second](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-03-at-03.14.33-1024x69.png\")
<\/figure>\n\n\n\n![\"Secure](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-03-at-03.16.33-1-1024x108.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/aymen-segni.com\/wp-content\/uploads\/2020\/01\/Screenshot-2020-01-03-at-03.21.40-1024x139.png\")
<\/figure>\n<\/div><\/div>\n\n\n\n