This is the starting point for the instructions on deploying the AKS Baseline reference implementation. There is required access and tooling you'll need in order to accomplish this. Follow the instructions below and on the subsequent pages so that you can get your environment ready to proceed with the AKS cluster creation.
- An Azure subscription.

  The subscription used in this deployment cannot be a free account; it must be a standard EA, pay-as-you-go, or Visual Studio benefit subscription. This is because the resources deployed here are beyond the quotas of free subscriptions.

  ⚠️ The user or service principal initiating the deployment process must have the following minimal set of Azure Role-Based Access Control (RBAC) roles:

  - Contributor role is required at the subscription level to have the ability to create resource groups and perform deployments.
  - User Access Administrator role is required at the subscription level since you'll be performing role assignments to managed identities across various resource groups.
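A pre-flight check for the two subscription-scoped roles above, added here as an example that is not part of the AKS baseline repository. The role names come from the note above; the function and variable names (`has_required_roles`, `check_deployer_roles`, `REQUIRED_ROLES`) are this example's own, and the `check_deployer_roles` helper assumes an authenticated Azure CLI session.

```shell
#!/bin/sh
# Added example (not part of the AKS baseline repo): confirm that the identity
# running the deployment holds both subscription-scoped roles listed above
# before any resource group is created.
set -eu

# Role definition names exactly as they appear in Azure RBAC.
REQUIRED_ROLES="Contributor
User Access Administrator"

# has_required_roles: reads one role definition name per line on stdin and
# succeeds only if every role in REQUIRED_ROLES appears; otherwise it reports
# each missing role on stderr and returns 1.
has_required_roles() {
  assigned="$(cat)"
  missing=0
  while IFS= read -r role; do
    if ! printf '%s\n' "$assigned" | grep -qxF -- "$role"; then
      echo "missing role at subscription scope: $role" >&2
      missing=1
    fi
  done <<EOF
$REQUIRED_ROLES
EOF
  return "$missing"
}

# check_deployer_roles: lists the signed-in user's direct assignments at the
# scope of the current subscription and runs them through has_required_roles.
# Requires an authenticated Azure CLI session (az login).
check_deployer_roles() {
  sub_id="$(az account show --query id -o tsv)"
  upn="$(az ad signed-in-user show --query userPrincipalName -o tsv)"
  az role assignment list --assignee "$upn" --scope "/subscriptions/$sub_id" \
    --query "[].roleDefinitionName" -o tsv | has_required_roles
}
```

Run `check_deployer_roles` after `az login`. A direct Owner assignment also covers both requirements but is reported as missing by this strict check, and assignments that reach the user through group membership are only listed if you add `--include-groups` to the `az role assignment list` call.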
- An Azure AD tenant to associate your Kubernetes RBAC Cluster API authentication to.

  ⚠️ The user or service principal initiating the deployment process must have the following minimal set of Azure AD permissions assigned:

  - Azure AD User Administrator is required to create a "break glass" AKS admin Active Directory Security Group and User. Alternatively, you could get your Azure AD admin to create this for you when instructed to do so.
    - If you are not part of the User Administrator group in the tenant associated to your Azure subscription, please consider creating a new tenant to use while evaluating this implementation. The Azure AD tenant backing your cluster's API RBAC does NOT need to be the same tenant associated with your Azure subscription.
- Latest Azure CLI installed, or you can perform this from Azure Cloud Shell.
- While the following feature(s) are still in preview, please enable them in your target subscription.

  - Register the Azure Event Grid preview feature - `EventgridPreview`
  - Register the AKS Extensions preview feature - `AKS-ExtensionManager`
  - Register the Kubernetes Configuration preview feature - `fluxConfigurations`
  - Register the OIDC Issuer preview feature - `EnableOIDCIssuerPreview`

  ```bash
  az feature register --namespace "Microsoft.ContainerService" -n "EventgridPreview"
  az feature register --namespace "Microsoft.ContainerService" -n "AKS-ExtensionManager"
  az feature register --namespace "Microsoft.KubernetesConfiguration" -n "fluxConfigurations"
  az feature register --namespace "Microsoft.ContainerService" -n "EnableOIDCIssuerPreview"
  az feature register --namespace "Microsoft.ContainerService" -n "AKS-AzureDefender"

  # Keep running until all say "Registered." (This may take up to 20 minutes.)
  az feature list -o table --query "[?name=='Microsoft.ContainerService/EventgridPreview' || name=='Microsoft.ContainerService/AKS-ExtensionManager' || name=='Microsoft.ContainerService/EnableOIDCIssuerPreview' || name=='Microsoft.KubernetesConfiguration/fluxConfigurations' || name=='Microsoft.ContainerService/AKS-AzureDefender'].{Name:name,State:properties.state}"

  # When all say "Registered" then re-register the AKS and related resource providers
  az provider register --namespace Microsoft.ContainerService
  az provider register --namespace Microsoft.KubernetesConfiguration
  ```
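The "keep running until all say Registered" step above can be scripted. The following is an added example, not a script from the AKS baseline repository: it builds the same JMESPath filter as the `az feature list` command above, polls until every feature is registered, and gives up after the 20 minutes the note mentions. The feature names are the ones registered above; the function names (`all_registered`, `feature_filter`, `feature_states`, `wait_for_features`) and the 30-second polling interval are this example's own choices.

```shell
#!/bin/sh
# Added example (not part of the AKS baseline repo): poll the registration
# state of the preview features above until every one reports "Registered",
# instead of re-running `az feature list` by hand.
set -eu

# Feature names taken from the registration commands above.
FEATURES="Microsoft.ContainerService/EventgridPreview
Microsoft.ContainerService/AKS-ExtensionManager
Microsoft.ContainerService/EnableOIDCIssuerPreview
Microsoft.KubernetesConfiguration/fluxConfigurations
Microsoft.ContainerService/AKS-AzureDefender"

# all_registered: reads "<name><TAB><state>" lines on stdin and succeeds only
# if every feature in FEATURES is present with state "Registered". Any feature
# that is missing or still "Registering" is reported on stderr.
all_registered() {
  states="$(cat)"
  pending=0
  for f in $FEATURES; do
    state="$(printf '%s\n' "$states" | awk -F'\t' -v n="$f" '$1 == n { print $2 }')"
    if [ "$state" != "Registered" ]; then
      echo "$f: ${state:-not found}" >&2
      pending=1
    fi
  done
  return "$pending"
}

# feature_filter: prints the JMESPath predicate selecting FEATURES, e.g.
# name=='A' || name=='B', matching the hand-written query above.
feature_filter() {
  filter=""
  for f in $FEATURES; do
    filter="${filter:+$filter || }name=='$f'"
  done
  printf '%s' "$filter"
}

# feature_states: asks Azure for the current state of FEATURES as TSV rows
# (name, state), the format all_registered expects on stdin.
feature_states() {
  az feature list -o tsv --query "[?$(feature_filter)].[name,properties.state]"
}

# wait_for_features: checks every 30 seconds for up to 20 minutes (40 attempts).
wait_for_features() {
  attempt=1
  while [ "$attempt" -le 40 ]; do
    if feature_states | all_registered; then
      echo "All preview features registered."
      return 0
    fi
    echo "attempt $attempt/40: not yet registered, retrying in 30s" >&2
    attempt=$((attempt + 1))
    sleep 30
  done
  echo "timed out waiting for feature registration" >&2
  return 1
}
```

Call `wait_for_features` and, once it returns 0, run the two `az provider register` commands from the block above; a non-zero return means at least one feature is still pending or was never registered, and stderr names which one.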
- Clone/download this repo locally, or even better fork this repository.

  🔀 If you have forked this reference implementation repo, you'll be able to customize some of the files and commands for a more personalized and production-like experience; ensure references to this git repository mentioned throughout the walk-through are updated to use your own fork.

  ```bash
  git clone https://github.com/mspnp/aks-secure-baseline.git
  cd aks-secure-baseline
  ```

  💡 The steps shown here and elsewhere in the reference implementation use Bash shell commands. On Windows, you can use the Windows Subsystem for Linux to run Bash.
- Ensure OpenSSL is installed in order to generate self-signed certs used in this implementation. OpenSSL is already installed in Azure Cloud Shell.

  ⚠️ Some shells may have the `openssl` command aliased for LibreSSL. LibreSSL will not work with the instructions found here. You can check this by running `openssl version`; you should see output that says `OpenSSL <version>` and not `LibreSSL <version>`.
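The `openssl version` check above, turned into a guard you can put at the top of your own deployment script. This is an added example and not part of the AKS baseline repository; the function names (`is_real_openssl`, `require_openssl`) are this example's own, and the banner prefixes it matches are the `OpenSSL <version>` and `LibreSSL <version>` forms named in the note above.

```shell
#!/bin/sh
# Added example (not part of the AKS baseline repo): fail fast when the
# `openssl` on PATH is really LibreSSL, which the certificate steps in this
# walk-through do not support.
set -eu

# is_real_openssl: takes the output of `openssl version` as its argument and
# succeeds only for an OpenSSL banner. A LibreSSL banner, or anything else,
# fails with an explanation on stderr. Taking the banner as an argument keeps
# the decision testable without running openssl.
is_real_openssl() {
  case "$1" in
    "OpenSSL "*)
      return 0 ;;
    "LibreSSL "*)
      echo "openssl resolves to LibreSSL ($1); install OpenSSL and put it first on PATH" >&2
      return 1 ;;
    *)
      echo "unrecognised openssl banner: $1" >&2
      return 1 ;;
  esac
}

# require_openssl: runs whatever `openssl` currently resolves to, reports where
# it came from (useful for spotting an alias or a shadowing PATH entry), and
# stops the script if it is not OpenSSL.
require_openssl() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found on PATH" >&2
    return 1
  fi
  echo "openssl resolves to: $(command -v openssl)"
  is_real_openssl "$(openssl version)"
}
```

Call `require_openssl` before the steps that generate certificates. macOS is the common case for this problem: its bundled `/usr/bin/openssl` is LibreSSL, so a Homebrew-installed OpenSSL needs to come first on `PATH` for the check to pass.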