
Azure Kubernetes Services - If "Planned Maintenance" is used, window duration should be equal or greater than four hours #6190

Open
tdefise opened this issue Apr 18, 2024 · 0 comments
Labels
checks Check additions or changes

Comments

@tdefise (Contributor) commented Apr 18, 2024

Describe the issue
It seems that there are no checks for this best practice from Microsoft.

Examples

resource "azurerm_kubernetes_cluster" "pc" {
  name                = "${local.prefix}-cluster"
  location            = azurerm_resource_group.pc.location
  resource_group_name = azurerm_resource_group.pc.name
  dns_prefix          = "${local.prefix}-cluster"
  kubernetes_version  = var.k8s_version

  key_vault_secrets_provider {
    secret_rotation_enabled = true
  }

  oidc_issuer_enabled       = true
  workload_identity_enabled = true

  # https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-cluster#use-cluster-auto-upgrade
  automatic_channel_upgrade = "rapid"

  # https://learn.microsoft.com/en-us/azure/aks/auto-upgrade-node-os-image
  node_os_channel_upgrade = "NodeImage"

  image_cleaner_enabled = true

  default_node_pool {
    name                 = "agentpool"
    os_sku               = "AzureLinux"
    vm_size              = "Standard_DS2_v2"
    node_count           = var.aks_node_count
    vnet_subnet_id       = azurerm_subnet.node_subnet.id
    orchestrator_version = var.k8s_version
  }

  identity {
    type = "SystemAssigned"
  }

  azure_active_directory_role_based_access_control {
    managed            = true
    azure_rbac_enabled = true
  }

  maintenance_window {
    allowed {
      day = "Saturday"
      hours = [10, 11, 12, 13, 14, 15, 16, 17, 18]
    }
    # not_allowed {
    #   start = ISO8601
    #   end = ISO8601
    # }
  }

  # Recommendation is to make it at least 4 hours long
  # https://learn.microsoft.com/en-us/azure/aks/planned-maintenance?tabs=json-file#creating-a-maintenance-window
  maintenance_window_auto_upgrade {
    frequency = "Weekly"
    day_of_week = "Saturday"
    interval = 1
    duration = 4
    utc_offset = "+00:00"
    start_time = "10:00" # UTC
  }

  maintenance_window_node_os {
    frequency = "Weekly"
    day_of_week = "Saturday"
    interval = 1
    duration = 4
    utc_offset = "+00:00"
    start_time = "14:00" # UTC
  }
}

Version (please complete the following information):

  • Current

Additional context

Recommendation from Microsoft

@tdefise tdefise added the checks Check additions or changes label Apr 18, 2024
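The policy the issue asks for, as an added example that is neither Checkov's own code nor from the issue author: a standalone function written in the shape of a Checkov `scan_resource_conf`, assuming Checkov's parsed-HCL layout in which every attribute value is a one-element list and every nested block is a list of dicts. `SAMPLE_CONF` is constructed here from the resource in the issue.

```python
# Added example, not Checkov's own code. Assumption: the conf dict follows
# Checkov's parsed-HCL layout (attribute -> [value], block -> [ {…} ]).

MIN_DURATION_HOURS = 4  # the Microsoft recommendation cited in the issue
MAINTENANCE_BLOCKS = ("maintenance_window_auto_upgrade", "maintenance_window_node_os")


def scan_resource_conf(conf: dict) -> str:
    """Return "PASSED", "FAILED" or "UNKNOWN" for one azurerm_kubernetes_cluster.

    Planned maintenance is "used" when either block is present; every block
    that is present must declare duration >= 4 hours. A cluster that declares
    neither block passes, because the recommendation is conditional.
    """
    for block_name in MAINTENANCE_BLOCKS:
        for block in conf.get(block_name) or []:
            if not isinstance(block, dict):
                return "UNKNOWN"  # unparseable block
            duration = block.get("duration")
            if not duration:
                return "FAILED"  # no duration can never satisfy the minimum
            try:
                hours = int(duration[0])
            except (TypeError, ValueError):
                return "UNKNOWN"  # unresolved variable such as "${var.x}"
            if hours < MIN_DURATION_HOURS:
                return "FAILED"
    return "PASSED"


# Constructed sample mirroring the maintenance blocks of the issue's resource.
SAMPLE_CONF = {
    "name": ["pc-cluster"],
    "maintenance_window_auto_upgrade": [
        {"frequency": ["Weekly"], "day_of_week": ["Saturday"], "interval": [1],
         "duration": [4], "utc_offset": ["+00:00"], "start_time": ["10:00"]},
    ],
    "maintenance_window_node_os": [
        {"frequency": ["Weekly"], "day_of_week": ["Saturday"], "interval": [1],
         "duration": [4], "utc_offset": ["+00:00"], "start_time": ["14:00"]},
    ],
}

if __name__ == "__main__":
    print(scan_resource_conf(SAMPLE_CONF))  # PASSED
```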