Configured baseline presets #472

Merged
merged 6 commits into from
Nov 29, 2022
119 changes: 81 additions & 38 deletions helper/src/configpresets/baselines.json
@@ -1,13 +1,13 @@
{
"baselineRI": {
"title": "AKS Baseline",
"title": "AKS Secure Baseline",
"icon": "Dictionary",
"disabled" : true,
"disabled" : false,
"sections": [
{
"key": "baselineRI",
"sectionTitle": "AKS Baseline Cluster Stamps",
"sectionDescription" : "The AKS Baseline architectures are references for learning how to build AKS Clusters that include recommendations for networking, security, identity, management, and monitoring of the cluster based on an organization's business requirements. These presets closely replicate the cluster-stamp for each sample reference implementation, and should be leveraged after you've read the AKS baseline reference architecture documentation.",
"sectionTitle": "AKS Secure Baseline Cluster Stamps",
"sectionDescription" : "The AKS Secure Baseline architectures are references for learning how to build AKS Clusters that include recommendations for networking, security, identity, management, and monitoring of the cluster based on an organization's business requirements. These presets closely replicate the cluster-stamp for each sample reference implementation, and should be leveraged after you've read the AKS baseline reference architecture documentation.",
"sectionMoreInfoLink" : "https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks",
"sectionWarning": "",
"cards": [
Expand All @@ -20,51 +20,82 @@
"title": "Standard Workload V2",
"bulets": [
{
"description": "Cluster auto-scaler (2-4 nodes)",
"description": "Cluster auto-scaler (2-5 nodes)",
"linksrc": "https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler"
},
{
"description": "Azure Monitor for Containers",
"linksrc": "https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview"
},
{
"description": "Azure Container Registry (public)"
"description": "Azure Firewall for outbound traffic",
"linksrc": "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/aks-firewall/aks-firewall"
},
{
"description": "Traefik Ingress Controller"
},
{
"description": "Azure Container Registry (private)"
},
{
"description": "Restrict dependencies with Private Link",
"linksrc": "https://docs.microsoft.com/en-us/azure/private-link/private-link-overview"
},
{
"description": "AAD Integration",
"linksrc": "https://docs.microsoft.com/en-gb/azure/aks/managed-aad"
},
{
"description": "Audit Pod security baseline standards",
"description": "Audit restricted pod security standards",
"linksrc": "https://docs.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes"
},
{
"description": "East-West traffic control",
"linksrc": "https://docs.microsoft.com/en-gb/azure/aks/use-network-policies"
},
{
"description": "Store Kubernetes Secrets in Azure KeyVault,",
"linksrc": "https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver"
}
]
},
"imageSrc": "https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/images/secure-baseline-architecture.svg",
"values": {
"cluster": {
"enable_aad": true,
"AksDisableLocalAccounts": false,
"AksDisableLocalAccounts": true,
"apisecurity": "none",
"autoscale": true,
"agentCount": 2,
"maxCount": 10,
"maxCount": 5,
"upgradeChannel": "none",
"DefenderForContainers": true
"DefenderForContainers": true,
"AksPaidSkuForSLA": true,
"SystemPoolType": "Standard",
"availabilityZones": "yes"
},
"addons": {
"networkPolicy": "azure",
"registry": "Basic",
"registry": "Premium",
"azurepolicy": "audit",
"ingress": "none",
"azurePolicyInitiative": "Restricted",
"ingress": "traefik",
"appgwKVIntegration": false,
"monitor": "aci",
"csisecret": "none"
"csisecret": "akvNew",
"acrUntaggedRetentionPolicy": 15,
"acrUntaggedRetentionPolicyEnabled": true,
"workloadIdentity": true,
"fileCSIDriver": false,
"diskCSIDriver": false

},
"net": {
"vnetprivateend": false,
"vnet_opt": "default",
"afw": true
"vnetprivateend": true,
"vnet_opt": "custom",
"afw": true,
"azureFirewallSku": "Premium",
"nsg": true
}
}
},
Expand All @@ -75,49 +106,48 @@
"linksrc" : "https://github.com/mspnp/aks-baseline-regulated",
"description": {
"title": "Suited for regulated workloads",
"titleWarning": {
"description": "Requires existing Subnet, preconfigured with firewall egress",
"MessageBarType": 5
},
"bulets": [
{
"description": "Cluster auto-scaler",
"description": "Cluster auto-scaler (2-5 nodes)",
"linksrc": "https://docs.microsoft.com/en-us/azure/aks/cluster-autoscaler"
},
{
"description": "Azure Monitor for Containers",
"linksrc": "https://docs.microsoft.com/en-us/azure/azure-monitor/insights/container-insights-overview"
},
{
"description": "Azure Container Registry (with Private Link)"
"description": "Azure Firewall for outbound traffic",
"linksrc": "https://learn.microsoft.com/en-us/azure/architecture/example-scenario/aks-firewall/aks-firewall"
},
{
"description": "Azure AppGateway Ingress",
"linksrc": "https://docs.microsoft.com/en-gb/azure/application-gateway/ingress-controller-overview"
"description": "Nginx Ingress Controller"
},
{
"description": "Azure Container Registry (private)"
},
{
"description": "Restrict dependencies with Private Link",
"linksrc": "https://docs.microsoft.com/en-us/azure/private-link/private-link-overview"
},
{
"description": "AAD Integration",
"linksrc": "https://docs.microsoft.com/en-gb/azure/aks/managed-aad"
},
{
"description": "Audit Pod security baseline standards",
"description": "Audit restricted pod security standards",
"linksrc": "https://docs.microsoft.com/en-us/azure/governance/policy/concepts/policy-for-kubernetes"
},
{
"description": "East-West traffic control",
"linksrc": "https://docs.microsoft.com/en-gb/azure/aks/use-network-policies"
},
{
"description": "Private Cluster",
"linksrc": "https://docs.microsoft.com/en-us/azure/aks/private-clusters"
},
{
"description": "Restrict dependencies with Private Link",
"linksrc": "https://docs.microsoft.com/en-us/azure/private-link/private-link-overview"
},
{
"description": "Store Kubernetes Secrets in Azure KeyVault,",
"linksrc": "https://docs.microsoft.com/en-us/azure/aks/csi-secrets-store-driver"
},
{
"description": "Private Cluster",
"linksrc": "https://docs.microsoft.com/en-us/azure/aks/private-clusters"
}
]
},
Expand All @@ -128,22 +158,35 @@
"AksDisableLocalAccounts": true,
"apisecurity": "private",
"autoscale": true,
"agentCount": 2,
"maxCount": 5,
"upgradeChannel": "none",
"DefenderForContainers": true
"DefenderForContainers": true,
"AksPaidSkuForSLA": true,
"SystemPoolType": "Standard",
"availabilityZones": "yes"
},
"addons": {
"networkPolicy": "azure",
"registry": "Premium",
"azurepolicy": "audit",
"ingress": "appgw",
"azurePolicyInitiative": "Restricted",
"ingress": "nginx",
"appgwKVIntegration": false,
"monitor": "aci",
"csisecret": "akvNew",
"appgwKVIntegration": true
"acrUntaggedRetentionPolicy": 15,
"acrUntaggedRetentionPolicyEnabled": true,
"enableACRTrustPolicy": true,
"workloadIdentity": true
},
"net": {
"vnetprivateend": true,
"vnet_opt": "byo",
"afw": false
"vnet_opt": "custom",
"afw": true,
"azureFirewallSku": "Premium",
"nsg": true,
"nsgFlowLogs": true
}
}
}
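Review bot: In the Standard Workload V2 preset (second hunk, `values.cluster`), the cluster is now fronted by Azure Firewall, private endpoints and NSGs, yet `"apisecurity": "none"` is kept, so the preset marketed as "AKS Secure Baseline" still produces a publicly reachable API server with no authorized IP ranges, and nothing in its `bulets` list tells the user that; the Regulated preset at least advertises "Private Cluster" next to its `"apisecurity": "private"`. If keeping the API server public is deliberate to mirror the baseline cluster-stamp (as the section description claims — I cannot confirm that from here), I would add a bullet making it explicit, e.g. `{ "description": "Public API server (Azure AD only, local accounts disabled)", "linksrc": "https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges" }`, or otherwise move the preset to whatever restricted `apisecurity` value the helper supports. Minor style point in the same hunk: the stray blank line inside the `addons` object after `"diskCSIDriver": false` should go, since the rest of the file has none.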