07-workload-prerequisites.md

File metadata and controls

69 lines (46 loc) · 5.46 KB

Workload Prerequisites

Now that the AKS clusters have been deployed and enrolled in GitOps management as part of the GitHub workflow deployment, follow these steps to import the TLS certificates that the Ingress Controller will serve for Application Gateway to connect to your web app.

Steps

Import the wildcard certificate for the AKS Ingress Controller to Azure Key Vault

📖 Contoso Bicycle procured a standard (non-EV) CA-issued certificate to be used with the AKS Ingress Controller. An EV certificate is not needed because this certificate will not be user facing.

  1. Obtain the Azure Key Vault details and give the current user permissions to import certificates.

    📖 The app team decides to use a wildcard certificate for *.aks-ingress.contoso.com for the ingress controller, and uses Azure Key Vault to import the certificate and manage its lifecycle.

    KEYVAULT_NAME_BU0001A0042_03=$(az deployment group show -g rg-bu0001a0042-03 -n cluster-stamp --query properties.outputs.keyVaultName.value -o tsv)
    KEYVAULT_NAME_BU0001A0042_04=$(az deployment group show -g rg-bu0001a0042-04 -n cluster-stamp --query properties.outputs.keyVaultName.value -o tsv)
    echo KEYVAULT_NAME_BU0001A0042_03: $KEYVAULT_NAME_BU0001A0042_03
    echo KEYVAULT_NAME_BU0001A0042_04: $KEYVAULT_NAME_BU0001A0042_04
    
    az keyvault set-policy --certificate-permissions import list get --object-id $(az ad signed-in-user show --query 'id' -o tsv) -n $KEYVAULT_NAME_BU0001A0042_03
    az keyvault set-policy --certificate-permissions import list get --object-id $(az ad signed-in-user show --query 'id' -o tsv) -n $KEYVAULT_NAME_BU0001A0042_04
  2. Import the AKS Ingress Controller's Wildcard Certificate for *.aks-ingress.contoso.com.

    ⚠️ If you already have access to an appropriate certificate, or can procure one from your organization, consider using it for this step. For more information, take a look at the import certificate tutorial using Azure Key Vault.

    ⚠️ Do not use the certificate created by this script for actual deployments. Self-signed certificates are used here for ease of illustration only. For your cluster, follow your organization's requirements for procurement and lifetime management of TLS certificates, even for development purposes.

    az keyvault certificate import -f traefik-ingress-internal-aks-ingress-contoso-com-tls.pem -n traefik-ingress-internal-aks-ingress-contoso-com-tls --vault-name $KEYVAULT_NAME_BU0001A0042_03
    az keyvault certificate import -f traefik-ingress-internal-aks-ingress-contoso-com-tls.pem -n traefik-ingress-internal-aks-ingress-contoso-com-tls --vault-name $KEYVAULT_NAME_BU0001A0042_04
  3. Remove the Azure Key Vault certificate import permissions for the current user.

    The Azure Key Vault access policy for your user was a temporary policy to allow you to upload the certificate for this walkthrough. In actual deployments, you would manage these access policies via your ARM templates, using Azure RBAC for the Key Vault data plane.

    az keyvault delete-policy --object-id $(az ad signed-in-user show --query 'id' -o tsv) -n $KEYVAULT_NAME_BU0001A0042_03
    az keyvault delete-policy --object-id $(az ad signed-in-user show --query 'id' -o tsv) -n $KEYVAULT_NAME_BU0001A0042_04
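The three steps above grant a temporary access policy, import the certificate, and revoke the policy. The following added example (not the reference implementation's own script) wraps the same az commands in hypothetical helpers, `kv_cert_name_ok` and `import_cert_with_temporary_policy`, and runs the revoke from an EXIT trap so the import permission is removed even when the import itself fails:

```shell
#!/bin/sh
# Added example, not part of the reference implementation. The helper names
# are hypothetical; the az commands are the ones used in the steps above.
set -eu

# Key Vault object names must be 1-127 characters from [0-9A-Za-z-].
kv_cert_name_ok() {
  case "$1" in
    '' | *[!0-9A-Za-z-]*) return 1 ;;
  esac
  [ "${#1}" -le 127 ]
}

# $1 vault name, $2 certificate name, $3 PEM file holding certificate and key.
# Returns 2 on a bad argument, otherwise the status of the import.
import_cert_with_temporary_policy() {
  vault="$1"; cert_name="$2"; pem_file="$3"
  kv_cert_name_ok "$cert_name" || { echo "invalid certificate name: $cert_name" >&2; return 2; }
  [ -r "$pem_file" ] || { echo "cannot read $pem_file" >&2; return 2; }
  me=$(az ad signed-in-user show --query 'id' -o tsv)
  # The subshell's EXIT trap runs on every exit path, so delete-policy always
  # follows set-policy: no lingering import/list/get permission for the user.
  (
    trap 'az keyvault delete-policy --object-id "$me" -n "$vault" >/dev/null' EXIT
    az keyvault set-policy --certificate-permissions import list get \
      --object-id "$me" -n "$vault" >/dev/null || exit 1
    az keyvault certificate import -f "$pem_file" -n "$cert_name" \
      --vault-name "$vault" >/dev/null || exit 1
  )
}

# Stand-alone use against the 03 stamp (set RUN_KV_IMPORT=1 to execute;
# KEYVAULT_NAME_BU0001A0042_03 comes from step 1 above).
if [ "${RUN_KV_IMPORT:-0}" = 1 ]; then
  import_cert_with_temporary_policy "$KEYVAULT_NAME_BU0001A0042_03" \
    traefik-ingress-internal-aks-ingress-contoso-com-tls \
    traefik-ingress-internal-aks-ingress-contoso-com-tls.pem
fi
```

Repeat the call with `KEYVAULT_NAME_BU0001A0042_04` for the second stamp.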

Check Azure Policies are in place

📖 The app team wants to apply Azure Policy to their cluster as they do to other Azure resources. Their pods will be covered by the Azure Policy add-on for AKS. Some of these audits may result in the denial of a specific Kubernetes API request, to ensure that the pod's specification is compliant with the organization's security best practices. Moreover, Azure Policy generates compliance data to assist the app team in assessing the current compliance state of the AKS cluster. The app team is going to assign, at the resource group level, the Azure Policy for Kubernetes built-in restricted initiative as well as five more built-in individual Azure policies that enforce that pods declare resource requests, define trusted container registries, mandate that the root filesystem is read-only, enforce the usage of internal load balancers, and enforce HTTPS-only Kubernetes Ingress objects.

  1. Confirm policies are applied to the AKS cluster

    kubectl get constrainttemplate --context $AKS_CLUSTER_NAME_BU0001A0042_03_AKS_MRB
    kubectl get constrainttemplate --context $AKS_CLUSTER_NAME_BU0001A0042_04_AKS_MRB

    Output similar to the one shown below should be returned:

    NAME                                     AGE
    k8sazurev1ingresshttpsonly               21m
    k8sazurev1loadbalancernopublicips        21m
    … more …
    k8sazurev3noprivilegeescalation          21m
    k8sazurev3readonlyrootfilesystem         21m
    

Next step

▶️ Configure AKS Ingress Controller with Azure Key Vault integration