The goal of this repo is to have a baseline secure AKS setup with a private Kubernetes API and egress traffic lockdown.
- In-cluster security (Network Policies, OPA, mTLS, etc.)
- Secure CI/CD pipelines
- Container security (AppArmor, seccomp)
Terraform: download the package for your operating system from here. Alternatively, you can use Azure Cloud Shell, which has the Terraform binary pre-installed.
Azure CLI: follow the instructions for your operating system here. Alternatively, you can use Azure Cloud Shell, which has the Azure CLI binary pre-installed.
```shell
git clone https://github.com/akamenev/sec-base-aks
cd sec-base-aks/terraform
```
Templates structure:
```text
terraform
├── acr.tf        # contains ACR deployment with ACR Firewall Rules
├── akscni.tf     # contains AKS deployment with DNS Private Zone Link
├── firewall.tf   # contains Azure Firewall deployment with Network and Application rules and Route Table
├── jumpbox.tf    # contains Jumpbox VM deployment
├── logs.tf       # contains Azure Log Analytics deployment
├── providers.tf  # contains required Terraform Providers (azurerm)
├── variables.tf  # contains required variables
└── vnet.tf       # contains Resource Group and Virtual Network deployments
```
```shell
az login
export TF_VAR_cluster_name="sec-aks"                # Name of the cluster
export TF_VAR_username="aksadmin"                   # Username for the jumpbox and cluster user
export TF_VAR_resource_group_name="sec-aks"         # Resource group name
export TF_VAR_location="WestEurope"                 # Location
export TF_VAR_ssh_public_key="~/.ssh/id_rsa.pub"    # Location of the SSH public key to use
export TF_VAR_dns_prefix="sec-aks"                  # DNS prefix for the cluster
export TF_VAR_kubernetes_version="1.15.7"           # Cluster version
export TF_VAR_acr_name="secureacr"                  # Name of the container registry
```
```shell
terraform init
terraform apply
```
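Before applying, the plan can be checked for the two properties this baseline is built around (private API server, all egress forced through the firewall). The script below is an added example, not part of the repo: it reads the output of `terraform plan -out plan.out && terraform show -json plan.out > plan.json` and assumes the azurerm 2.x attribute names `private_cluster_enabled`, `network_profile.outbound_type` and `azurerm_route.next_hop_type`; the embedded sample plan is constructed, not real output from these templates.

```python
"""Check a `terraform show -json` plan for a private AKS API and a default
route to the firewall. Added example; attribute names are azurerm 2.x assumptions."""
import json
import sys


def _resources(plan):
    """Yield every planned resource in the root module and all child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        mod = stack.pop()
        yield from mod.get("resources", [])
        stack.extend(mod.get("child_modules", []))


def check_plan(plan):
    """Return a list of findings; an empty list means the plan meets the baseline."""
    findings = []
    res = list(_resources(plan))
    clusters = [r for r in res if r["type"] == "azurerm_kubernetes_cluster"]
    if not clusters:
        findings.append("no azurerm_kubernetes_cluster in plan")
    for c in clusters:
        v = c["values"]
        if not v.get("private_cluster_enabled"):
            findings.append(f"{c['address']}: Kubernetes API server is not private")
        profile = (v.get("network_profile") or [{}])[0]
        if profile.get("outbound_type") != "userDefinedRouting":
            findings.append(f"{c['address']}: outbound_type is not userDefinedRouting")
    # Egress lockdown: a 0.0.0.0/0 route whose next hop is a virtual appliance (the firewall).
    default_to_fw = [r for r in res if r["type"] == "azurerm_route"
                     and r["values"].get("address_prefix") == "0.0.0.0/0"
                     and r["values"].get("next_hop_type") == "VirtualAppliance"]
    if not default_to_fw:
        findings.append("no 0.0.0.0/0 route with next_hop_type VirtualAppliance")
    return findings


# Constructed sample plan fragment (not real output from this repo).
SAMPLE_PLAN = {"planned_values": {"root_module": {"resources": [
    {"address": "azurerm_kubernetes_cluster.aks", "type": "azurerm_kubernetes_cluster",
     "values": {"private_cluster_enabled": True,
                "network_profile": [{"outbound_type": "userDefinedRouting"}]}},
    {"address": "azurerm_route.default", "type": "azurerm_route",
     "values": {"address_prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
                "next_hop_in_ip_address": "10.0.1.4"}},
]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = check_plan(plan)
    for p in problems:
        print("FAIL:", p)
    sys.exit(1 if problems else 0)
```

Run it as `python check_plan.py plan.json` in a pipeline step; a non-zero exit blocks the apply.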
```shell
terraform destroy
```