From b2da8c0a5e1aaef5a9807826bd26913c801f28ee Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Fri, 9 Aug 2024 06:59:00 +0000 Subject: [PATCH 01/11] Added SSH Posture Control audit policy Signed-off-by: Jan Egil Ring --- .../bicep/mgmt/policyAzureArc.bicep | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index f4cda24560..e929590c97 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -14,6 +14,7 @@ param resourceTags object = { param azureUpdateManagerArcPolicyId string = '/providers/Microsoft.Authorization/policyDefinitions/bfea026e-043f-4ff4-9d1b-bf301ca7ff46' param azureUpdateManagerAzurePolicyId string = '/providers/Microsoft.Authorization/policyDefinitions/59efceea-0c96-497e-a4a1-4eb2290dac15' +param sshPostureControlAzurePolicyId string = '/providers/Microsoft.Authorization/policyDefinitions/a8f3e6a6-dcd2-434c-b0f7-6f309ce913b4' param tagsRoleDefinitionId string = '/subscriptions/${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' @@ -203,3 +204,19 @@ resource updateManagerAzurePolicyLinux 'Microsoft.Authorization/policyAssignmen } } } + +resource sshPostureControlAudit 'Microsoft.Authorization/policyAssignments@2024-04-01' = { + name: '(ArcBox) Enable SSH Posture Control audit' + location: azureLocation + scope: resourceGroup() + properties:{ + displayName: '(ArcBox) Enable SSH Posture Control audit' + description: 'Enable SSH Posture Control in audit mode' + policyDefinitionId: sshPostureControlAzurePolicyId + parameters: { + IncludeArcMachines: { + value: true + } + } + } +} From 3f34e2b2331a87d9ded7ddc89c9c2dc7681ea6d7 Mon Sep 17 00:00:00 2001 
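Review bot: The new `sshPostureControlAzurePolicyId` parameter and the `sshPostureControlAudit` assignment have no documentation of what is being assigned or that the assignment only reports compliance and never changes SSH settings on the machines; add `@description('Built-in policy definition ID for SSH Posture Control; the assignment below runs in audit mode and reports compliance only, it does not remediate SSH configuration.')` above the param line. A short comment on the `IncludeArcMachines` parameter block would also help, since it presumably decides whether Arc-enabled servers are in scope of the evaluation (the built-in's default is not visible here, worth confirming). Minor style: `properties:{` is written without the space that the other resource bodies in this patch series use (`properties: {`).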
From: Jan Egil Ring Date: Fri, 9 Aug 2024 07:06:08 +0000 Subject: [PATCH 02/11] Update value of IncludeArcMachines parameter in SSH Posture Control audit policy Signed-off-by: Jan Egil Ring --- azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep index e929590c97..f63be1df56 100644 --- a/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep +++ b/azure_jumpstart_arcbox/bicep/mgmt/policyAzureArc.bicep @@ -215,7 +215,7 @@ resource sshPostureControlAudit 'Microsoft.Authorization/policyAssignments@2024 policyDefinitionId: sshPostureControlAzurePolicyId parameters: { IncludeArcMachines: { - value: true + value: 'true' } } } From 6d5fed555f5a680cd2702fb760f40aed377755ab Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 10:43:19 +0000 Subject: [PATCH 03/11] Add auto-shutdown functionality to client VM deployment Signed-off-by: Jan Egil Ring --- .../bicep/clientVm/clientVm.bicep | 26 +++++++++++++++++++ azure_jumpstart_arcbox/bicep/main.bicep | 9 +++++++ 2 files changed, 35 insertions(+) diff --git a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep index 5b30aa58ea..837e4e4017 100644 --- a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep +++ b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep 
@@ -113,6 +113,11 @@ param vmsDiskSku string = 'Premium_LRS' @description('Use this parameter to enable or disable debug mode for the automation scripts on the client VM, effectively configuring PowerShell ErrorActionPreference to Break. Default is false.') param debugEnabled bool = false +param autoShutdownEnabled bool = false +param autoShutdownTime string = '1800' // The time for auto-shutdown in HHmm format (24-hour clock) +param autoShutdownTimezone string = 'UTC' // Timezone for the auto-shutdown +param autoShutdownEmailRecipient string = '' + var bastionName = '${namingPrefix}-Bastion' var publicIpAddressName = deployBastion == false ? '${vmName}-PIP' : '${bastionName}-PIP' var networkInterfaceName = '${vmName}-NIC' @@ -277,5 +282,26 @@ resource vmRoleAssignment_Storage 'Microsoft.Authorization/roleAssignments@2022- } } +resource autoShutdown 'Microsoft.DevTestLab/schedules@2018-09-15' = if (autoShutdownEnabled) { + name: 'shutdown-computevm-${vm.name}' + location: location + properties: { + status: 'Enabled' + taskType: 'ComputeVmShutdownTask' + dailyRecurrence: { + time: autoShutdownTime + } + timeZoneId: autoShutdownTimezone + notificationSettings: { + status: 'Enabled' + timeInMinutes: 30 + webhookUrl: '' + emailRecipient: autoShutdownEmailRecipient + notificationLocale: 'en' + } + targetResourceId: vm.id + } +} + output adminUsername string = windowsAdminUsername output publicIP string = deployBastion == false ? concat(publicIpAddress.properties.ipAddress) : '' diff --git a/azure_jumpstart_arcbox/bicep/main.bicep b/azure_jumpstart_arcbox/bicep/main.bicep index 4b1daceecd..6d32daf925 100644 --- a/azure_jumpstart_arcbox/bicep/main.bicep +++ b/azure_jumpstart_arcbox/bicep/main.bicep 
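Review bot: In the `autoShutdown` resource, `notificationSettings.status` is hard-coded to `'Enabled'` while `autoShutdownEmailRecipient` defaults to `''` and `webhookUrl` is always `''`, so the default deployment asks for a notification that has nowhere to go; how the DevTestLab schedule API treats that is not visible here, but tying the two together is the safe form, `status: empty(autoShutdownEmailRecipient) ? 'Disabled' : 'Enabled'`. The four new params in this file, and the same four in `main.bicep` in the next section, lack the `@description(...)` decorator that `debugEnabled` directly above them carries; the trailing `// The time for auto-shutdown in HHmm format (24-hour clock)` comments should become decorators so they surface in the module interface. `autoShutdownTime` accepts any string; `@minLength(4)` and `@maxLength(4)` on it would catch a malformed value at validation time instead of at the schedule resource.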
@@ -75,6 +75,11 @@ param resourceTags object = { @description('The naming prefix for the nested virtual machines and all Azure resources deployed. The maximum length for the naming prefix is 7 characters,example: `ArcBox-Win2k19`') param namingPrefix string = 'ArcBox' +param autoShutdownEnabled bool = false +param autoShutdownTime string = '1800' // The time for auto-shutdown in HHmm format (24-hour clock) +param autoShutdownTimezone string = 'UTC' // Timezone for the auto-shutdown +param autoShutdownEmailRecipient string = '' + var templateBaseUrl = 'https://raw.githubusercontent.com/${githubAccount}/azure_arc/${githubBranch}/azure_jumpstart_arcbox/' var aksArcDataClusterName = '${namingPrefix}-AKS-Data-${guid}' var aksDrArcDataClusterName = '${namingPrefix}-AKS-DR-Data-${guid}' @@ -159,6 +164,10 @@ module clientVmDeployment 'clientVm/clientVm.bicep' = { customLocationRPOID: customLocationRPOID namingPrefix: namingPrefix debugEnabled: debugEnabled + autoShutdownEnabled: autoShutdownEnabled + autoShutdownTime: autoShutdownTime + autoShutdownTimezone: autoShutdownTimezone + autoShutdownEmailRecipient: autoShutdownEmailRecipient } dependsOn: [ updateVNetDNSServers From 48244267e21ff908dfdf47c1582f5661d71a0de6 Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 10:45:33 +0000 Subject: [PATCH 04/11] Added function to check if dpkg lock is in place Signed-off-by: Jan Egil Ring --- azure_jumpstart_arcbox/artifacts/installK3s.sh | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/artifacts/installK3s.sh b/azure_jumpstart_arcbox/artifacts/installK3s.sh index 8dd8db1852..9f82e1ce71 100644 --- a/azure_jumpstart_arcbox/artifacts/installK3s.sh +++ b/azure_jumpstart_arcbox/artifacts/installK3s.sh 
@@ -64,6 +64,17 @@ sudo chmod +x /usr/local/bin/azcopy # Authorize azcopy by using a system-wide managed identity export AZCOPY_AUTO_LOGIN_TYPE=MSI +# Function to check if dpkg lock is in place +check_dpkg_lock() { + while fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1; do + echo "Waiting for other package management processes to complete..." + sleep 5 + done +} + +# Run the lock check before attempting the installation +check_dpkg_lock + # Installing Azure CLI & Azure Arc extensions curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash @@ -155,7 +166,7 @@ if [[ "$k3sControlPlane" == "true" ]]; then sudo -u $adminUsername az connectedk8s connect --name $vmName --resource-group $resourceGroup --location $location echo "Onboarding the k3s cluster to Azure Arc completed" - + # Verify if cluster is connected to Azure Arc successfully connectedClusterInfo=$(sudo -u $adminUsername az connectedk8s show --name $vmName --resource-group $resourceGroup) echo "Connected cluster info: $connectedClusterInfo" From ee99a3c910a99bea592a8807b48de7466063bbc3 Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 10:47:38 +0000 Subject: [PATCH 05/11] Remove auto-logon registry keys and create shortcuts in DataOpsLogonScript.ps1 and DevOpsLogonScript.ps1 Signed-off-by: Jan Egil Ring --- .../artifacts/DataOpsLogonScript.ps1 | 44 ++++++++++++++++++- .../artifacts/DevOpsLogonScript.ps1 | 44 ++++++++++++++++++- 2 files changed, 86 insertions(+), 2 deletions(-) diff --git a/azure_jumpstart_arcbox/artifacts/DataOpsLogonScript.ps1 b/azure_jumpstart_arcbox/artifacts/DataOpsLogonScript.ps1 index c997589429..3c66cd4386 100644 --- a/azure_jumpstart_arcbox/artifacts/DataOpsLogonScript.ps1 +++ b/azure_jumpstart_arcbox/artifacts/DataOpsLogonScript.ps1 
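Review bot: `check_dpkg_lock` can wait forever, and its `fuser` call runs unprivileged while the rest of the script uses `sudo` for package work; if this script is not executing as root, `fuser` cannot inspect other users' open files and will report the lock as free while root's apt/dpkg still holds it, so the loop exits immediately. Whether the script runs as root is not visible in this hunk, so at least run the probe through `sudo` and bound the wait: `local waited=0` before the loop, `while sudo fuser /var/lib/dpkg/lock-frontend >/dev/null 2>&1 && [ "$waited" -lt 300 ]; do` and `waited=$((waited + 5))` next to the `sleep 5`. Only `lock-frontend` is probed; `/var/lib/dpkg/lock` and `/var/lib/apt/lists/lock` are the other two an `apt-get` run holds and could be added to the same `fuser` call. The second hunk of this file is whitespace-only.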
@@ -19,6 +19,48 @@ $clusters = @( Start-Transcript -Path $Env:ArcBoxLogsDir\DataOpsLogonScript.log +# Remove registry keys that are used to automatically logon the user (only used for first-time setup) +$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" +$keys = @("AutoAdminLogon", "DefaultUserName", "DefaultPassword") + +foreach ($key in $keys) { + try { + $property = Get-ItemProperty -Path $registryPath -Name $key -ErrorAction Stop + Remove-ItemProperty -Path $registryPath -Name $key + Write-Host "Removed registry key that are used to automatically logon the user: $key" + } catch { + Write-Verbose "Key $key does not exist." + } +} + +# Create Windows Terminal desktop shortcut +$WshShell = New-Object -comObject WScript.Shell +$WinTerminalPath = (Get-ChildItem "C:\Program Files\WindowsApps" -Recurse | Where-Object { $_.name -eq "wt.exe" }).FullName +$Shortcut = $WshShell.CreateShortcut("$Env:USERPROFILE\Desktop\Windows Terminal.lnk") +$Shortcut.TargetPath = $WinTerminalPath +$shortcut.WindowStyle = 3 +$shortcut.Save() + +# Create desktop shortcut for Logs-folder +$WshShell = New-Object -comObject WScript.Shell +$LogsPath = "C:\ArcBox\Logs" +$Shortcut = $WshShell.CreateShortcut("$Env:USERPROFILE\Desktop\Logs.lnk") +$Shortcut.TargetPath = $LogsPath +$shortcut.WindowStyle = 3 +$shortcut.Save() + +# Configure Windows Terminal as the default terminal application +$registryPath = "HKCU:\Console\%%Startup" + +if (Test-Path $registryPath) { + Set-ItemProperty -Path $registryPath -Name "DelegationConsole" -Value "{2EACA947-7F5F-4CFA-BA87-8F7FBEEFBE69}" + Set-ItemProperty -Path $registryPath -Name "DelegationTerminal" -Value "{E12CFF52-A866-4C77-9A90-F570A7AA2C6B}" +} else { + New-Item -Path $registryPath -Force | Out-Null + Set-ItemProperty -Path $registryPath -Name "DelegationConsole" -Value "{2EACA947-7F5F-4CFA-BA87-8F7FBEEFBE69}" + Set-ItemProperty -Path $registryPath -Name "DelegationTerminal" -Value "{E12CFF52-A866-4C77-9A90-F570A7AA2C6B}" +} 
+ $cliDir = New-Item -Path "$Env:ArcBoxDir\.cli\" -Name ".dataops" -ItemType Directory if (-not $($cliDir.Parent.Attributes.HasFlag([System.IO.FileAttributes]::Hidden))) { @@ -386,7 +428,7 @@ $clusters | Foreach-Object -ThrottleLimit 5 -Parallel { Write-Host "Error creating custom location: $_" -ForegroundColor Red Exit 1 } - + Start-Sleep -Seconds 10 # Deploying the Azure Arc Data Controller diff --git a/azure_jumpstart_arcbox/artifacts/DevOpsLogonScript.ps1 b/azure_jumpstart_arcbox/artifacts/DevOpsLogonScript.ps1 index 5e6957f823..021048c365 100644 --- a/azure_jumpstart_arcbox/artifacts/DevOpsLogonScript.ps1 +++ b/azure_jumpstart_arcbox/artifacts/DevOpsLogonScript.ps1 
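Review bot: The `catch` in the auto-logon cleanup loop treats every failure, including a failed `Remove-ItemProperty`, as "key does not exist" and reports it only via `Write-Verbose`, so a `DefaultPassword` value that could not be deleted (the cleartext auto-logon credential) would remain in `HKLM:\...\Winlogon` with nothing in the transcript; separate the existence check from the removal and surface removal errors with `Write-Warning`. The `$property` variable is assigned but never used. `Get-ChildItem "C:\Program Files\WindowsApps" -Recurse | Where-Object { $_.name -eq "wt.exe" }` can match several installed Windows Terminal versions, making `$WinTerminalPath` an array; add `Select-Object -First 1` before taking `.FullName`. The identical block in `DevOpsLogonScript.ps1` in the next section has the same issues; the `$Shortcut`/`$shortcut` casing mix in both is harmless but worth unifying.
```powershell
foreach ($key in $keys) {
    if ($null -eq (Get-ItemProperty -Path $registryPath -Name $key -ErrorAction SilentlyContinue)) {
        Write-Verbose "Key $key does not exist."
        continue
    }
    try {
        Remove-ItemProperty -Path $registryPath -Name $key -ErrorAction Stop
        Write-Host "Removed registry key that are used to automatically logon the user: $key"
    } catch {
        Write-Warning "Failed to remove auto-logon value $key from $registryPath : $_"
    }
}
# ... unchanged: shortcut creation and default-terminal registry settings ...
```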
@@ -25,6 +25,48 @@ $clusters = @( Start-Transcript -Path $Env:ArcBoxLogsDir\DevOpsLogonScript.log +# Remove registry keys that are used to automatically logon the user (only used for first-time setup) +$registryPath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" +$keys = @("AutoAdminLogon", "DefaultUserName", "DefaultPassword") + +foreach ($key in $keys) { + try { + $property = Get-ItemProperty -Path $registryPath -Name $key -ErrorAction Stop + Remove-ItemProperty -Path $registryPath -Name $key + Write-Host "Removed registry key that are used to automatically logon the user: $key" + } catch { + Write-Verbose "Key $key does not exist." + } +} + +# Create Windows Terminal desktop shortcut +$WshShell = New-Object -comObject WScript.Shell +$WinTerminalPath = (Get-ChildItem "C:\Program Files\WindowsApps" -Recurse | Where-Object { $_.name -eq "wt.exe" }).FullName +$Shortcut = $WshShell.CreateShortcut("$Env:USERPROFILE\Desktop\Windows Terminal.lnk") +$Shortcut.TargetPath = $WinTerminalPath +$shortcut.WindowStyle = 3 +$shortcut.Save() + +# Create desktop shortcut for Logs-folder +$WshShell = New-Object -comObject WScript.Shell +$LogsPath = "C:\ArcBox\Logs" +$Shortcut = $WshShell.CreateShortcut("$Env:USERPROFILE\Desktop\Logs.lnk") +$Shortcut.TargetPath = $LogsPath +$shortcut.WindowStyle = 3 +$shortcut.Save() + +# Configure Windows Terminal as the default terminal application +$registryPath = "HKCU:\Console\%%Startup" + +if (Test-Path $registryPath) { + Set-ItemProperty -Path $registryPath -Name "DelegationConsole" -Value "{2EACA947-7F5F-4CFA-BA87-8F7FBEEFBE69}" + Set-ItemProperty -Path $registryPath -Name "DelegationTerminal" -Value "{E12CFF52-A866-4C77-9A90-F570A7AA2C6B}" +} else { + New-Item -Path $registryPath -Force | Out-Null + Set-ItemProperty -Path $registryPath -Name "DelegationConsole" -Value "{2EACA947-7F5F-4CFA-BA87-8F7FBEEFBE69}" + Set-ItemProperty -Path $registryPath -Name "DelegationTerminal" -Value "{E12CFF52-A866-4C77-9A90-F570A7AA2C6B}" +} 
+ # Required for azcopy and Get-AzResource Connect-AzAccount -Identity -Tenant $env:tenantId -Subscription $env:subscriptionId @@ -100,7 +142,7 @@ foreach ($cluster in $clusters) { $nicName = $cluster.clusterName + "-NIC" $k3sVIP = az network nic ip-config list --resource-group $Env:resourceGroup --nic-name $nicName --query "[?primary == ``true``].privateIPAddress" -otsv - + Write-Header "Installing istio on K3s cluster" istioctl install --skip-confirmation From 9304df776549f5a01f33542ec3eeee6834fa010a Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 10:50:08 +0000 Subject: [PATCH 06/11] Update startup memory for virtual machines Signed-off-by: Jan Egil Ring --- .../artifacts/dsc/virtual_machines_itpro.dsc.yml | 4 ++-- .../artifacts/dsc/virtual_machines_sql.dsc.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/azure_jumpstart_arcbox/artifacts/dsc/virtual_machines_itpro.dsc.yml b/azure_jumpstart_arcbox/artifacts/dsc/virtual_machines_itpro.dsc.yml index edcb70a7e4..df8fe96f15 100644 --- a/azure_jumpstart_arcbox/artifacts/dsc/virtual_machines_itpro.dsc.yml +++ b/azure_jumpstart_arcbox/artifacts/dsc/virtual_machines_itpro.dsc.yml @@ -11,7 +11,7 @@ properties: SwitchName: 'InternalNATSwitch' VhdPath: F:\Virtual Machines\ArcBox-Win2K19.vhdx ProcessorCount: 2 - StartupMemory: '12GB' + StartupMemory: '4GB' RestartIfNeeded: true State: Running Generation: 2 @@ -27,7 +27,7 @@ properties: SwitchName: 'InternalNATSwitch' VhdPath: F:\Virtual Machines\ArcBox-Win2K22.vhdx ProcessorCount: 2 - StartupMemory: '12GB' + StartupMemory: '4GB' RestartIfNeeded: true State: Running Generation: 2 diff --git a/azure_jumpstart_arcbox/artifacts/dsc/virtual_machines_sql.dsc.yml b/azure_jumpstart_arcbox/artifacts/dsc/virtual_machines_sql.dsc.yml index c8f205d61f..f385a8ca0f 100644 --- a/azure_jumpstart_arcbox/artifacts/dsc/virtual_machines_sql.dsc.yml +++ b/azure_jumpstart_arcbox/artifacts/dsc/virtual_machines_sql.dsc.yml 
@@ -10,7 +10,7 @@ properties: SwitchName: 'InternalNATSwitch' VhdPath: F:\Virtual Machines\ArcBox-SQL.vhdx ProcessorCount: 2 - StartupMemory: '12GB' + StartupMemory: '6GB' RestartIfNeeded: true State: Running Generation: 2 From 3494504d74a7cec94c555c10cd98a1d3ea1e6daf Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 11:45:40 +0000 Subject: [PATCH 07/11] Updated VM size for ITPro Signed-off-by: Jan Egil Ring --- azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep index 837e4e4017..58085acf6d 100644 --- a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep +++ b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep @@ -180,7 +180,7 @@ resource vm 'Microsoft.Compute/virtualMachines@2022-03-01' = { } properties: { hardwareProfile: { - vmSize: flavor == 'DevOps' ? 'Standard_B4ms' : flavor == 'DataOps' ? 'Standard_D8s_v5' : 'Standard_D16s_v5' + vmSize: flavor == 'DevOps' ? 'Standard_B4ms' : 'Standard_D8s_v5' } storageProfile: { osDisk: { From 5fd8d49a879883c6931e14da5919018fe3b99557 Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 13:18:22 +0000 Subject: [PATCH 08/11] Update VM size based on flavor selection Signed-off-by: Jan Egil Ring --- azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep index 58085acf6d..752879868e 100644 --- a/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep +++ b/azure_jumpstart_arcbox/bicep/clientVm/clientVm.bicep 
@@ -180,7 +180,7 @@ resource vm 'Microsoft.Compute/virtualMachines@2022-03-01' = { } properties: { hardwareProfile: { - vmSize: flavor == 'DevOps' ? 'Standard_B4ms' : 'Standard_D8s_v5' + vmSize: flavor == 'DevOps' ? 'Standard_B4ms' : flavor == 'DataOps' ? 'Standard_D4s_v5' : 'Standard_D8s_v5' } storageProfile: { osDisk: { From 4429c506911bfaece9387c2184b7568e672c791b Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 13:30:44 +0000 Subject: [PATCH 09/11] Updated logic for Container Insights, Azure Policy and Microsoft Defender for Containers cluster extension installation Signed-off-by: Jan Egil Ring --- .../artifacts/installK3s.sh | 50 +++++++++++++++---- 1 file changed, 40 insertions(+), 10 deletions(-) diff --git a/azure_jumpstart_arcbox/artifacts/installK3s.sh b/azure_jumpstart_arcbox/artifacts/installK3s.sh index 9f82e1ce71..41276743d4 100644 --- a/azure_jumpstart_arcbox/artifacts/installK3s.sh +++ b/azure_jumpstart_arcbox/artifacts/installK3s.sh 
@@ -172,18 +172,48 @@ if [[ "$k3sControlPlane" == "true" ]]; then echo "Connected cluster info: $connectedClusterInfo" # Wait - # Enabling Container Insights and Microsoft Defender for Containers cluster extensions - echo "" - echo "Enabling Container Insights and Microsoft Defender for Containers cluster extensions" - echo "" +# Function to check if an extension is already installed +is_extension_installed() { + extension_name=$1 + extension_count=$(sudo -u $adminUsername az k8s-extension list --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --query "[?name=='$extension_name'] | length(@)") + + if [ "$extension_count" -gt 0 ]; then + return 0 # Extension is installed + else + return 1 # Extension is not installed + fi +} + +# Enabling Container Insights and Microsoft Defender for Containers cluster extensions +echo "" +echo "Enabling Container Insights and Microsoft Defender for Containers cluster extensions" +echo "" + +# Check and install azuremonitor-containers extension +if is_extension_installed "azuremonitor-containers"; then + echo "Extension 'azuremonitor-containers' is already installed." 
+else sudo -u $adminUsername az k8s-extension create -n "azuremonitor-containers" --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings logAnalyticsWorkspaceResourceID=$workspaceResourceId --only-show-errors - sudo -u $adminUsername az k8s-extension create -n "azure-defender" --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --extension-type Microsoft.AzureDefender.Kubernetes --configuration-settings logAnalyticsWorkspaceResourceID=$workspaceResourceId --only-show-errors +fi - # Enabling Azure Policy for Kubernetes on the cluster - echo "" - echo "Enabling Azure Policy for Kubernetes on the cluster" - echo "" - sudo -u $adminUsername az k8s-extension create --name "arc-azurepolicy" --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --extension-type Microsoft.PolicyInsights --only-show-errors +# Check and install microsoft.azuredefender.kubernetes extension +if is_extension_installed "microsoft.azuredefender.kubernetes"; then + echo "Extension 'microsoft.azuredefender.kubernetes' is already installed." +else + sudo -u $adminUsername az k8s-extension create -n "microsoft.azuredefender.kubernetes" --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --extension-type Microsoft.AzureDefender.Kubernetes --configuration-settings logAnalyticsWorkspaceResourceID=$workspaceResourceId --only-show-errors +fi + +# Enabling Azure Policy for Kubernetes on the cluster +echo "" +echo "Enabling Azure Policy for Kubernetes on the cluster" +echo "" + +# Check and install arc-azurepolicy extension +if is_extension_installed "azurepolicy"; then + echo "Extension 'azurepolicy' is already installed." 
+else + sudo -u $adminUsername az k8s-extension create --name "azurepolicy" --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --extension-type Microsoft.PolicyInsights --only-show-errors +fi else # Downloading k3s control plane details From 8b9979779e5deeb41ceb1e6a067fb110c2aa1cb9 Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 16:21:58 +0000 Subject: [PATCH 10/11] Update to installation of Azure Monitor Containers, Microsoft Azure Defender Kubernetes, and Azure Policy extensions Signed-off-by: Jan Egil Ring --- azure_jumpstart_arcbox/artifacts/installK3s.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/azure_jumpstart_arcbox/artifacts/installK3s.sh b/azure_jumpstart_arcbox/artifacts/installK3s.sh index 41276743d4..fcc4ea784c 100644 --- a/azure_jumpstart_arcbox/artifacts/installK3s.sh +++ b/azure_jumpstart_arcbox/artifacts/installK3s.sh @@ -193,6 +193,7 @@ echo "" if is_extension_installed "azuremonitor-containers"; then echo "Extension 'azuremonitor-containers' is already installed." else + echo "Extension 'azuremonitor-containers' is not installed - triggering installation" sudo -u $adminUsername az k8s-extension create -n "azuremonitor-containers" --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --extension-type Microsoft.AzureMonitor.Containers --configuration-settings logAnalyticsWorkspaceResourceID=$workspaceResourceId --only-show-errors fi 
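Review bot: `is_extension_installed` uses non-`local` variables and, when `az k8s-extension list` fails (no network, expired MSI token), `extension_count` is empty and `[ "" -gt 0 ]` prints an "integer expression expected" error before falling through to the install branch; declare the variables `local`, quote the expansions and fall back to `0` explicitly. The check matches on extension name, and this same patch renames the instances from `azure-defender`/`arc-azurepolicy` to `microsoft.azuredefender.kubernetes`/`azurepolicy`, so a cluster that already carries the old-named instance is not detected and `create` is attempted again; whether the service allows a second instance of the same type is not visible here, so confirm that or match on type instead. The comment `# Check and install arc-azurepolicy extension` is stale, the name passed is `azurepolicy`. The new block sits at column 0 inside the `if [[ "$k3sControlPlane" == "true" ]]` branch, whose start and end are outside this hunk, and the helper would read better next to `check_dpkg_lock` near the top of the script.
```shell
# Returns 0 when an extension with the given name is already on the cluster, 1 otherwise.
is_extension_installed() {
    local extension_name=$1
    local extension_count
    extension_count=$(sudo -u "$adminUsername" az k8s-extension list --cluster-name "$vmName" --resource-group "$resourceGroup" --cluster-type connectedClusters --query "[?name=='$extension_name'] | length(@)" --output tsv 2>/dev/null) || extension_count=0
    [ "${extension_count:-0}" -gt 0 ]
}
# ... unchanged: per-extension echo/create blocks ...
```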
@@ -200,6 +201,7 @@ fi if is_extension_installed "microsoft.azuredefender.kubernetes"; then echo "Extension 'microsoft.azuredefender.kubernetes' is already installed." else + echo "Extension 'microsoft.azuredefender.kubernetes' is not installed - triggering installation" sudo -u $adminUsername az k8s-extension create -n "microsoft.azuredefender.kubernetes" --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --extension-type Microsoft.AzureDefender.Kubernetes --configuration-settings logAnalyticsWorkspaceResourceID=$workspaceResourceId --only-show-errors fi @@ -212,6 +214,7 @@ echo "" if is_extension_installed "azurepolicy"; then echo "Extension 'azurepolicy' is already installed." else + echo "Extension 'azurepolicy' is not installed - triggering installation" sudo -u $adminUsername az k8s-extension create --name "azurepolicy" --cluster-name $vmName --resource-group $resourceGroup --cluster-type connectedClusters --extension-type Microsoft.PolicyInsights --only-show-errors fi From 52dadd3255b12ddf8af5173df201f25e8c9d71e5 Mon Sep 17 00:00:00 2001 From: Jan Egil Ring Date: Tue, 13 Aug 2024 16:43:04 +0000 Subject: [PATCH 11/11] Added exit 0, errors will be caught by tests and found in logs Signed-off-by: Jan Egil Ring --- azure_jumpstart_arcbox/artifacts/installK3s.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/azure_jumpstart_arcbox/artifacts/installK3s.sh b/azure_jumpstart_arcbox/artifacts/installK3s.sh index fcc4ea784c..5564d7c98a 100644 --- a/azure_jumpstart_arcbox/artifacts/installK3s.sh +++ b/azure_jumpstart_arcbox/artifacts/installK3s.sh 
@@ -248,4 +248,6 @@ echo ""
 exec 1>&3 2>&4 # Further commands will now output to the original stdout and stderr and not the log file
 log="/home/$adminUsername/jumpstart_logs/installK3s-$vmName.log"
 storageContainerNameLower=$(echo $storageContainerName | tr '[:upper:]' '[:lower:]')
-azcopy cp $log "https://$stagingStorageAccountName.blob.core.windows.net/$storageContainerNameLower/installK3s-$vmName.log" --check-length=false >/dev/null 2>&1
\ No newline at end of file
+azcopy cp $log "https://$stagingStorageAccountName.blob.core.windows.net/$storageContainerNameLower/installK3s-$vmName.log" --check-length=false >/dev/null 2>&1
+
+exit 0
\ No newline at end of file
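Review bot: The unconditional `exit 0` makes the script report success to whatever launched it regardless of what happened earlier, and the `azcopy cp ... >/dev/null 2>&1` line right above it discards the only evidence of a failed log upload, so a run whose Arc onboarding or extension installs failed ends with both a green status and no log in the storage account. No `set -e` is visible in this hunk, so before this change the exit status was at least azcopy's; the commit message relies on tests reading the uploaded log, which is exactly the step whose failure is now invisible. Keep the deliberate exit code but make the upload observable, e.g. `azcopy cp ... --check-length=false || echo "Log upload for installK3s-$vmName.log failed" >&2`, and consider adding a one-line comment above `exit 0` stating why failures are intentionally not propagated.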