azure-policy
AKS
azure-policy | AKS | |
---|---|---|
9 | 18 | |
1,433 | 1,902 | |
0.8% | 0.6% | |
8.1 | 9.6 | |
5 days ago | 9 days ago | |
Open Policy Agent | HTML | |
MIT License | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
azure-policy
- VMSS Azure Policy Compliance
-
Automation as key to cloud adoption success
Reference: https://github.com/Azure/azure-policy
-
Favorite cloud provider governance tips and tricks?
I just came across this post over in the Azure subreddit and it gave me a good idea on one way to deal with rogue Azure subscriptions - just have them default into a Management Group where a policy is in-place that basically denies use of any and all services.
-
How can we stop random users in our on-prem AD from creating new Azure subscriptions?
Oooo, that's a nice trick for the use of the root management group which usually has best practice to leave empty. I like that a lot! Could maybe pair that with the "deny all resource types" policy sample, and then even if someone does create a new subscription it's pretty much 100% neutered until someone pulls it out of the root management group and places it somewhere else.
-
Architecture on Decommission huge list of old Azure servers
Found a 2018 Github article - https://github.com/Azure/azure-policy/issues/102
-
Public assets
MS Repo https://github.com/Azure/azure-policy/tree/master/built-in-policies/policyDefinitions
-
How can I resolve this Security center recommendation: "Replace a process level token"
I can see here that is expecting azure-policy/AzureWindowsBaseline.mof at master ยท Azure/azure-policy ยท GitHub: "LOCAL SERVICE, NETWORK SERVICE". However, that would exclude the web app pools.
-
Iron Dome = 'Security Policies' at scale for your Multi-Cloud accounts
Azure shared with us a GitHub repository contains built-in samples of Azure Policies that can be used as reference for creating and assigning policies to your subscriptions and resource groups.
-
Compliance with policy or blueprints?
The only real way you'll be able to do this is via an Azure Policy, alongside a deny effect - where your policy would restrict based on the type field, with the values passed in via an array parameter (example)
AKS
-
Upgrading AKS node pool from 18.04 to 22.04
Ah yep, you're right. Just found someone asking the same thing from two days ago in the Azure AKS GitHub https://github.com/Azure/AKS/issues/3689. It should definitely be pulling the Ubuntu 22.04 fips compliant image if it were available.
-
Why creating new http handshake is randomly slow in ingress nginx in aks?
Just did a search not sure related to your problem https://github.com/Azure/AKS/issues/85
-
Update: AKS Node CPU Pressure โ stuck debugging
As I could gather additional information which indicates some problems with the Monitoring Agent (high cpu on ama pods, no metrics delivered during CPU pressure, ama pods emitting logs), I opened a ticket on GitHub (https://github.com/Azure/AKS/issues/3469). Hopefully this helps to resolve the issue.
-
AKS using same MachineID on all nodes
While I'm glad I saw this here, it's not one of our primary support channels. In the future, you can also raise an issue in our GitHub repository or file a support request.
-
Overcoming the real paradox of managing Kubernetes ๐
You're dependent on the cloud provider for security settings in a lot of cases and they don't always get it right (e.g. AKS still doesn't have Node Authorization enabled! https://github.com/Azure/AKS/issues/3004)
-
Kubernetes 1.21 - Going EOL on major cloud providers in early 2023
For ASK even v1.22 got out of support yesterday 04 of December. https://github.com/Azure/AKS/releases/tag/2022-11-27
- How can I use Kubernetes RBAC with AKS but without using Azure AD?
-
Workload Identity
The Workload Identity add-on for AKS is still in progress. AKS has a public roadmap where you can find this kind of information.
-
Automation as key to cloud adoption success
Reference: https://github.com/Azure/AKS
-
Stateless, Secretless Multi-cluster Monitoring in Azure Kubernetes Service with Thanos, Prometheus and Azure Managed Grafana
For Thanos receive and query components to be available outside the cluster and secured with TLS, we will need ingress-nginx and cert-manager. For ingress, deploy the Helm chart using the following command, to account for this issue with AKS clusters >1.23:
What are some alternatives?
OPA (Open Policy Agent) - Open Policy Agent (OPA) is an open source, general-purpose policy engine.
aks-engine - AKS Engine: legacy tool for Kubernetes on Azure (see status)
shellharden - The corrective bash syntax highlighter
distroless - ๐ฅ Language focused docker images, minus the operating system.
balanced-employee-ip-agreement - GitHub's employee intellectual property agreement, open sourced and reusable
wg-serverless - CNCF Serverless WG
opal - Fork of https://github.com/permitio/opal
rego-style-guide - Style guide for Rego
Community-Policy - This repo is for Microsoft Azure customers and Microsoft teams to collaborate in making custom policies.
aws-cdk-examples - Example projects using the AWS CDK
Certified-Kubernetes-Security-Specialist - Curated resources help you prepare for the CNCF/Linux Foundation CKS 2021 "Kubernetes Certified Security Specialist" Certification exam. Please provide feedback or requests by raising issues, or making a pull request. All feedback for improvements are welcome. thank you.
cloud-build-samples - Code snippets used in Cloud Build documentation