AKS compliance validation pack for Probr
synechron-code/probr-pack-aks

Probr AKS Service Pack

The Probr AKS Service Pack complements the Kubernetes service pack with Azure Kubernetes Service (AKS)-specific compliance checks.

Click here to see the current state of the probes in this pack.

To Build

The following will build a binary named "aks":

git clone https://github.com/probr/probr-pack-aks.git
cd probr-pack-aks
make binary

Move the aks binary into your Probr service pack location (the default is ${HOME}/probr/binaries).

Pre-Requisites

You will need:

  1. Probr Core (https://github.com/probr/probr)
  2. An AKS Cluster
  3. An active kubeconfig for the cluster that can deploy into the probe namespace (see the configuration below; the default is probr-general-test-ns)
  4. A service principal that has the "Reader" Azure role on the cluster
  5. For the IAM probes, you will need:
  • Managed Pod Identity to be configured in your cluster
  • An AzureIdentity called probr-ai and an AzureIdentityBinding called probr-aib deployed in the default namespace (or in the namespace set in the runtime config; see below).

Configuration

Minimum configuration

The minimum required additions to your Probr runtime configuration are as follows:

Run:
  - "aks"
ServicePacks:
  Kubernetes:
    AuthorisedContainerImage: "yourprivateregistry.io/probr/probr-probe"
  AKS:
    ClusterName: "your-clustername-here"
    ResourceGroupName: "your-resource-group-name-here"
    CloudProviders:
      Azure:
        TenantID: "UUID of your tenant"
        SubscriptionID: "UUID of your subscription"
        ClientID: "Client ID UUID of your service principal"
        ClientSecret: "Recommend leaving this blank and using envvar"

We recommend not storing the ClientSecret in config.yml; set the PROBR_AZURE_CLIENT_SECRET environment variable instead.

Full configuration

If you don't want to use the defaults, you can add the following to your Probr config.yml:

Run:
  - "aks"
ServicePacks:
  Kubernetes:
    KubeConfig: "location of your kubeconfig if not the default"
    KubeContext: "specific kubecontext if not the current context"
    AuthorisedContainerImage: "yourprivateregistry.io/probr/probr-probe"
    ProbeNamespace: "namespace Probr deploys into. Defaults to 'probr-general-test-ns'"
  AKS:
    ClusterName: "your-clustername-here"
    ResourceGroupName: "your-resource-group-name-here"
    ManagedPodIdentity:
      DefaultAzureIdentityNamespace: "Namespace where the probr-ai and probr-aib live for cross-namespace identity tests. Defaults to 'default'"
      IdentityPodNamespace: "namespace where the MIC and NMI pods live. Defaults to 'kube-system'"
CloudProviders:
  Azure:
    TenantID: "UUID of your tenant"
    SubscriptionID: "UUID of your subscription"
    ClientID: "Client ID UUID of your service principal"
    ClientSecret: "Recommend leaving this blank and using envvar"

Running the Service Pack

Once all of the steps above are complete, run ./probr and the aks service pack will execute as part of the run.
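A pre-flight check for the runtime configuration described above, added here as an example (it is not part of this repository or of Probr): a small purpose-built parser reads the YAML subset shown in the two config listings, then the check verifies that Run lists "aks", that the required AKS and Azure keys are present, accepts CloudProviders either nested under AKS or at the top level (both layouts appear above), and reports a ClientSecret stored in the file or a missing PROBR_AZURE_CLIENT_SECRET. The function names, the sample config and its placeholder IDs are constructed for this example.

```python
def parse_simple_yaml(text):
    """Parse the YAML subset in the Probr config above (2-space mappings, '- item' lists, quoted scalars)."""
    stack = [(-1, {}, None, None)]  # (indent, container, owner, key); the root mapping is stack[0]
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent, line = len(raw) - len(raw.lstrip(" ")), raw.strip()
        while indent <= stack[-1][0]:  # close every block nested deeper than this line
            stack.pop()
        ind, cont, owner, key = stack[-1]
        if line.startswith("- "):
            if isinstance(cont, dict):  # first list item: the empty mapping becomes a list
                cont = owner[key] = []
                stack[-1] = (ind, cont, owner, key)
            cont.append(line[2:].strip().strip('"'))
            continue
        k, _, v = (part.strip() for part in line.partition(":"))
        if v:
            cont[k] = v.strip('"')
        else:  # no scalar value: a nested block follows
            stack.append((indent, cont.setdefault(k, {}), cont, k))
    return stack[0][1]

def preflight(cfg, env):
    """Return the problems found in a Probr runtime config; an empty list means ready to run ./probr."""
    aks = cfg.get("ServicePacks", {}).get("AKS", {})
    # The README shows CloudProviders both nested under AKS and at top level; accept either layout
    azure = aks.get("CloudProviders", cfg.get("CloudProviders", {})).get("Azure", {})
    problems = [] if "aks" in cfg.get("Run", []) else ['Run must list "aks"']
    problems += [f"ServicePacks.AKS.{k} missing" for k in ("ClusterName", "ResourceGroupName") if not aks.get(k)]
    problems += [f"Azure.{k} missing" for k in ("TenantID", "SubscriptionID", "ClientID") if not azure.get(k)]
    if azure.get("ClientSecret"):  # a secret at rest in config.yml is what the README advises against
        problems.append("ClientSecret is set in config.yml; move it to PROBR_AZURE_CLIENT_SECRET")
    elif not env.get("PROBR_AZURE_CLIENT_SECRET"):
        problems.append("PROBR_AZURE_CLIENT_SECRET is not set in the environment")
    return problems

# Constructed sample config with placeholder IDs (not a real tenant); ClientSecret deliberately left out
SAMPLE_CONFIG = """Run:
  - "aks"
ServicePacks:
  AKS:
    ClusterName: "demo-cluster"
    ResourceGroupName: "demo-rg"
CloudProviders:
  Azure:
    TenantID: "11111111-1111-1111-1111-111111111111"
    SubscriptionID: "22222222-2222-2222-2222-222222222222"
    ClientID: "33333333-3333-3333-3333-333333333333"
"""
```

To check a real file, call `preflight(parse_simple_yaml(open("config.yml").read()), os.environ)` and refuse to start ./probr unless the returned list is empty.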
