From 36356862ac148af9490ec63c00bebed6a073925e Mon Sep 17 00:00:00 2001
From: Matthew Leach
Date: Thu, 24 Nov 2022 15:39:25 +0000
Subject: [PATCH 1/4] Configured baseline presets
---
 helper/src/configpresets/baselines.json | 115 ++++++++++++++++--------
 1 file changed, 76 insertions(+), 39 deletions(-)
diff --git a/helper/src/configpresets/baselines.json b/helper/src/configpresets/baselines.json
index 4bf34bd5c..de6a1403a 100644
--- a/helper/src/configpresets/baselines.json
+++ b/helper/src/configpresets/baselines.json
@@ -1,13 +1,13 @@
 {
 "baselineRI": {
- "title": "AKS Baseline",
+ "title": "AKS Secure Baseline",
 "icon": "Dictionary",
- "disabled" : true,
+ "disabled" : false,
 "sections": [
 {
 "key": "baselineRI",
- "sectionTitle": "AKS Baseline Cluster Stamps",
- "sectionDescription" : "The AKS Baseline architectures are references for learning how to build AKS Clusters that include recommendations for networking, security, identity, management, and monitoring of the cluster based on an organization's business requirements. These presets closely replicate the cluster-stamp for each sample reference implementation, and should be leveraged after you've read the AKS baseline reference architecture documentation.",
+ "sectionTitle": "AKS Secure Baseline Cluster Stamps",
+ "sectionDescription" : "The AKS Secure Baseline architectures are references for learning how to build AKS Clusters that include recommendations for networking, security, identity, management, and monitoring of the cluster based on an organization's business requirements. These presets closely replicate the cluster-stamp for each sample reference implementation, and should be leveraged after you've read the AKS baseline reference architecture documentation.",
 "sectionMoreInfoLink" : "https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
 "sectionWarning": "",
 "cards": [
@@ -20,7 +20,7 @@
 "title": "Standard Workload V2",
 "bulets": [
 {
- "description": "Cluster auto-scaler (2-4 nodes)",
+ "description": "Cluster auto-scaler (2-5 nodes)",
 "linksrc": "https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler"
 },
 {
@@ -28,15 +28,34 @@
 "linksrc": "https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview"
 },
 {
- "description": "Azure Container Registry (public)"
+ "description": "Azure Firewall for outbound traffic",
+ "linksrc": "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/aks-firewall/aks-firewall"
+ },
+ {
+ "description": "Traefik Ingress Controller"
+ },
+ {
+ "description": "Azure Container Registry (private)"
+ },
+ {
+ "description": "Restrict dependencies with Private Link",
+ "linksrc": "https://docs.microsoft.com/en-us/azure/private-link/private-link-overview"
 },
 {
 "description": "AAD Integration",
 "linksrc": "https://docs.microsoft.com/en-gb/azure/aks/managed-aad"
 },
 {
- "description": "Audit Pod security baseline standards",
+ "description": "Audit restricted pod security standards",
 "linksrc": "https://docs.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes"
+ },
+ {
+ "description": "East-West traffic control",
+ "linksrc": "https://docs.microsoft.com/en-gb/azure/aks/use-network-policies"
+ },
+ {
+ "description": "Store Kubernetes Secrets in Azure KeyVault,",
+ "linksrc": "https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver"
 }
 ]
 },
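Review bot: The added bullet `"description": "Store Kubernetes Secrets in Azure KeyVault,",` carries a stray comma inside the string, so the card will render the text with a trailing comma. Change it to `"description": "Store Kubernetes Secrets in Azure KeyVault",`. The same string appears as a context line in the regulated card (hunk @@ -89,35 +112,38 @@), so it is pre-existing there, but this commit is a natural place to fix both while the list is being reworked.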
@@ -44,27 +63,35 @@
 "values": {
 "cluster": {
 "enable_aad": true,
- "AksDisableLocalAccounts": false,
+ "AksDisableLocalAccounts": true,
 "apisecurity": "none",
 "autoscale": true,
 "agentCount": 2,
- "maxCount": 10,
+ "maxCount": 5,
 "upgradeChannel": "none",
- "DefenderForContainers": true
+ "DefenderForContainers": true,
+ "AksPaidSkuForSLA": true,
+ "SystemPoolType": "Standard",
+ "availabilityZones": "yes"
 },
 "addons": {
 "networkPolicy": "azure",
- "registry": "Basic",
+ "registry": "Premium",
 "azurepolicy": "audit",
- "ingress": "none",
+ "azurePolicyInitiative": "Restricted",
+ "ingress": "traefik",
 "appgwKVIntegration": false,
 "monitor": "aci",
- "csisecret": "none"
+ "csisecret": "akvNew",
+ "acrUntaggedRetentionPolicy": 15,
+ "acrUntaggedRetentionPolicyEnabled": true
 },
 "net": {
- "vnetprivateend": false,
- "vnet_opt": "default",
- "afw": true
+ "vnetprivateend": true,
+ "vnet_opt": "custom",
+ "afw": true,
+ "azureFirewallSku": "Premium",
+ "nsg": true
 }
 }
 },
@@ -75,13 +102,9 @@
 "linksrc" : "https://github.com/mspnp/aks-baseline-regulated",
 "description": {
 "title": "Suited for regulated workloads",
- "titleWarning": {
- "description": "Requires existing Subnet, preconfigured with firewall egress",
- "MessageBarType": 5
- },
 "bulets": [
 {
- "description": "Cluster auto-scaler",
+ "description": "Cluster auto-scaler (2-5 nodes)",
 "linksrc": "https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler"
 },
 {
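Review bot: The "Secure Baseline" standard preset keeps the context line `"apisecurity": "none",` while this hunk hardens everything around it (local accounts disabled, Premium registry behind private endpoints, Premium firewall, NSGs), leaving the Kubernetes API server as the one component still reachable from any network. The regulated preset in the same file uses `"apisecurity": "private",`; the standard preset should at least restrict the control plane too, either with that value or with an authorized-IP-ranges option if the helper exposes one, and if a public endpoint is intentional the card's `"sectionWarning"` should say so. Separately, `"availabilityZones": "yes"` is a string where the neighbouring cluster keys use real booleans; if the form field is boolean this should be `"availabilityZones": true,` so the two presets do not drift in type.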
@@ -89,35 +112,38 @@
 "linksrc": "https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview"
 },
 {
- "description": "Azure Container Registry (with Private Link)"
+ "description": "Azure Firewall for outbound traffic",
+ "linksrc": "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/aks-firewall/aks-firewall"
 },
 {
- "description": "Azure AppGateway Ingress",
- "linksrc": "https://docs.microsoft.com/en-gb/azure/application-gateway/ingress-controller-overview"
+ "description": "Nginx Ingress Controller"
+ },
+ {
+ "description": "Azure Container Registry (private)"
+ },
+ {
+ "description": "Restrict dependencies with Private Link",
+ "linksrc": "https://docs.microsoft.com/en-us/azure/private-link/private-link-overview"
 },
 {
 "description": "AAD Integration",
 "linksrc": "https://docs.microsoft.com/en-gb/azure/aks/managed-aad"
 },
 {
- "description": "Audit Pod security baseline standards",
+ "description": "Audit restricted pod security standards",
 "linksrc": "https://docs.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes"
 },
 {
 "description": "East-West traffic control",
 "linksrc": "https://docs.microsoft.com/en-gb/azure/aks/use-network-policies"
 },
- {
- "description": "Private Cluster",
- "linksrc": "https://docs.microsoft.com/en-us/azure/aks/private-clusters"
- },
- {
- "description": "Restrict dependencies with Private Link",
- "linksrc": "https://docs.microsoft.com/en-us/azure/private-link/private-link-overview"
- },
 {
 "description": "Store Kubernetes Secrets in Azure KeyVault,",
 "linksrc": "https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver"
+ },
+ {
+ "description": "Private Cluster",
+ "linksrc": "https://docs.microsoft.com/en-us/azure/aks/private-clusters"
 }
 ]
 },
@@ -126,24 +152,35 @@
 "cluster": {
 "enable_aad": true,
 "AksDisableLocalAccounts": true,
- "apisecurity": "private",
+ "apisecurity": "none",
 "autoscale": true,
+ "agentCount": 2,
+ "maxCount": 5,
 "upgradeChannel": "none",
- "DefenderForContainers": true
+ "DefenderForContainers": true,
+ "AksPaidSkuForSLA": true,
+ "SystemPoolType": "Standard",
+ "availabilityZones": "yes"
 },
 "addons": {
 "networkPolicy": "azure",
 "registry": "Premium",
 "azurepolicy": "audit",
- "ingress": "appgw",
+ "azurePolicyInitiative": "Restricted",
+ "ingress": "nginx",
+ "appgwKVIntegration": false,
 "monitor": "aci",
 "csisecret": "akvNew",
- "appgwKVIntegration": true
+ "acrUntaggedRetentionPolicy": 15,
+ "acrUntaggedRetentionPolicyEnabled": true,
+ "enableACRTrustPolicy": true
 },
 "net": {
 "vnetprivateend": true,
- "vnet_opt": "byo",
- "afw": false
+ "vnet_opt": "custom",
+ "afw": true,
+ "azureFirewallSku": "Premium",
+ "nsg": true
 }
 }
 }
From 8c0e40520a7914322f5b965887b811d3ee47323c Mon Sep 17 00:00:00 2001
From: Matthew Leach
Date: Thu, 24 Nov 2022 15:55:01 +0000
Subject: [PATCH 2/4] changed apisecurity to private
---
 helper/src/configpresets/baselines.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helper/src/configpresets/baselines.json b/helper/src/configpresets/baselines.json
index de6a1403a..c30d3168b 100644
--- a/helper/src/configpresets/baselines.json
+++ b/helper/src/configpresets/baselines.json
@@ -152,7 +152,7 @@
 "cluster": {
 "enable_aad": true,
 "AksDisableLocalAccounts": true,
- "apisecurity": "none",
+ "apisecurity": "private",
 "autoscale": true,
 "agentCount": 2,
 "maxCount": 5,
From ff8838433b174e86e9332dca090e952d6f96bbc1 Mon Sep 17 00:00:00 2001
From: Matthew Leach
Date: Thu, 24 Nov 2022 15:59:51 +0000
Subject: [PATCH 3/4] Added flow logs to regulated
---
 helper/src/configpresets/baselines.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/helper/src/configpresets/baselines.json b/helper/src/configpresets/baselines.json
index c30d3168b..1fe37d9f7 100644
--- a/helper/src/configpresets/baselines.json
+++ b/helper/src/configpresets/baselines.json
@@ -180,7 +180,8 @@
 "vnet_opt": "custom",
 "afw": true,
 "azureFirewallSku": "Premium",
- "nsg": true
+ "nsg": true,
+ "nsgFlowLogs": true
 }
 }
 }
From 7a662f227aff4c3808a73ad2c28fa5ef8909c8e0 Mon Sep 17 00:00:00 2001
From: Matthew Leach
Date: Thu, 24 Nov 2022 16:14:42 +0000
Subject: [PATCH 4/4] more updates
---
 helper/src/configpresets/baselines.json | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/helper/src/configpresets/baselines.json b/helper/src/configpresets/baselines.json
index 1fe37d9f7..e74ad82bc 100644
--- a/helper/src/configpresets/baselines.json
+++ b/helper/src/configpresets/baselines.json
@@ -84,7 +84,11 @@
 "monitor": "aci",
 "csisecret": "akvNew",
 "acrUntaggedRetentionPolicy": 15,
- "acrUntaggedRetentionPolicyEnabled": true
+ "acrUntaggedRetentionPolicyEnabled": true,
+ "workloadIdentity": true,
+ "fileCSIDriver": false,
+ "diskCSIDriver": false
+
 },
 "net": {
 "vnetprivateend": true,
@@ -173,7 +177,8 @@
 "csisecret": "akvNew",
 "acrUntaggedRetentionPolicy": 15,
 "acrUntaggedRetentionPolicyEnabled": true,
- "enableACRTrustPolicy": true
+ "enableACRTrustPolicy": true,
+ "workloadIdentity": true
 },
 "net": {
 "vnetprivateend": true,
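Review bot: `"nsgFlowLogs": true` is added only to the regulated preset's net block, yet the standard "Secure Baseline" preset in the same file also sets `"nsg": true` after patch 1 and gets no flow logs. Flow logs are the main source of evidence for the East-West and egress controls both cards advertise, so unless the omission is deliberate the standard preset's net block should gain the same `"nsgFlowLogs": true,` line; if it is deliberate, the regulated card's bullets are the place to say that flow logging is what distinguishes it.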
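Review bot: In hunk @@ -84,7 +84,11 @@ the standard preset turns off both storage drivers with `"fileCSIDriver": false,` and `"diskCSIDriver": false`, while the regulated preset in hunk @@ -173,7 +177,8 @@ only adds `"workloadIdentity": true` and leaves the drivers at their default; nothing on the page explains why the two presets diverge, and "more updates" does not say either. Disabling the disk and file CSI drivers means persistent volumes on those storage classes will not provision, which a user choosing a preset titled "Secure Baseline" is unlikely to expect, so either drop the two keys from this preset or surface the choice in the card's bullet list (for example a bullet reading "Azure Disk / Azure File CSI drivers disabled"). The same hunk also adds an empty `+` line before `},` inside the addons object; it is harmless to the parser but is stray whitespace and should be removed.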