azure-policy VS AKS

Reference: https://github.com/Azure/azure-policy

I just came across this post over in the Azure subreddit and it gave me a good idea on one way to deal with rogue Azure subscriptions - just have them default into a Management Group where a policy is in-place that basically denies use of any and all services.

Oooo, that's a nice trick for the use of the root management group which usually has best practice to leave empty. I like that a lot! Could maybe pair that with the "deny all resource types" policy sample, and then even if someone does create a new subscription it's pretty much 100% neutered until someone pulls it out of the root management group and places it somewhere else.

Found a 2018 Github article - https://github.com/Azure/azure-policy/issues/102

MS Repo https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions

I can see here that is expecting azure-policy/AzureWindowsBaseline.mof at master · Azure/azure-policy · GitHub: "LOCAL SERVICE, NETWORK SERVICE". However, that would exclude the web app pools.

Azure shared with us a GitHub repository contains built-in samples of Azure Policies that can be used as reference for creating and assigning policies to your subscriptions and resource groups.

The only real way you'll be able to do this is via an Azure Policy, alongside a deny effect - where your policy would restrict based on the type field, with the values passed in via an array parameter (example)

Ah yep, you're right. Just found someone asking the same thing from two days ago in the Azure AKS GitHub https://github.com/Azure/AKS/issues/3689. It should definitely be pulling the Ubuntu 22.04 fips compliant image if it were available.

Just did a search not sure related to your problem https://github.com/Azure/AKS/issues/85

As I could gather additional information which indicates some problems with the Monitoring Agent (high cpu on ama pods, no metrics delivered during CPU pressure, ama pods emitting logs), I opened a ticket on GitHub (https://github.com/Azure/AKS/issues/3469). Hopefully this helps to resolve the issue.

While I'm glad I saw this here, it's not one of our primary support channels. In the future, you can also raise an issue in our GitHub repository or file a support request.

You're dependent on the cloud provider for security settings in a lot of cases and they don't always get it right (e.g. AKS still doesn't have Node Authorization enabled! https://github.com/Azure/AKS/issues/3004)

For ASK even v1.22 got out of support yesterday 04 of December. https://github.com/Azure/AKS/releases/tag/2022-11-27

The Workload Identity add-on for AKS is still in progress. AKS has a public roadmap where you can find this kind of information.

Reference: https://github.com/Azure/AKS

For Thanos receive and query components to be available outside the cluster and secured with TLS, we will need ingress-nginx and cert-manager. For ingress, deploy the Helm chart using the following command, to account for this issue with AKS clusters >1.23: