Auteur/autrice : zigmax

3 juillet 20203 juillet 2020

Azure Security Center | Policies for enabling Threat Protection and Advanced Data Security

Hi,

In this article, I would like to share with you, how you can use built-in Azure Policies for enabling:

Advanced Data Security (AKS):

Threat Protection:

Example with Threat Protection should be enabled on Azure AKS

Click on: Advanced threat protection should be enabled on Azure Kubernetes Service clusters

Define your scope, in this example my subscription Visual Studio Enterprise

Policy enforcement should be defined with the value: Enabled

Effect: AuditifNotExists

Remediation, in this example we don’t have a Managed Identity.

Click on: Create

Maxime.

22 juin 20203 juillet 2020

AKS | Node image upgrades

[English Below]

Bonjour,

Dans cet article nous allons voir ensemble comment mettre à jour l’images de vos nodes. Pour cela nous allons utiliser la fonctionnalité nodes images AKS qui est encore en pré-version au moment où j’écris cet article.

# Register the preview feature 

az feature register --namespace "Microsoft.ContainerService" --name "NodeImageUpgradePreview"

# Verify the feature is registered

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/NodeImageUpgradePreview')].{Name:name,State:properties.state}"

# Install the aks-preview extension 

az extension add --name aks-preview # Update the extension to make sure you have the latest version installed az extension update --name aks-preview

# Mettre à jour l'ensemble de vos nodes pour l'ensemble des node pools de votre cluster

az aks upgrade \ --resource-group myResourceGroup \ --name myAKSCluster \ --node-image-only

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes.azure.com\/node-image-version}{"\n"}{end}'

az aks show \ --resource-group myResourceGroup \ --name myAKSCluster
-----------------------------------------------------
# Mettre à jour un node pool spécifique
az aks nodepool upgrade \ --resource-group myResourceGroup \ --cluster-name myAKSCluster \ --name mynodepool \ --node-image-only

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes.azure.com\/node-image-version}{"\n"}{end}'

az aks nodepool show \ --resource-group myResourceGroup \ --cluster-name myAKSCluster \ --name mynodepool

Maxime.

—

Hi,

In this article, I would like to share with you how we can upgrade all nodes in all node pool of your AKS cluster or you can upgrade a specific node pool.

# Register the preview feature 

az feature register --namespace "Microsoft.ContainerService" --name "NodeImageUpgradePreview"

# Verify the feature is registered 

az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/NodeImageUpgradePreview')].{Name:name,State:properties.state}"

# Install the aks-preview extension 

az extension add --name aks-preview # Update the extension to make sure you have the latest version installed az extension update --name aks-preview

# Upgrade all nodes in all node pools

az aks upgrade --resource-group myResourceGroup --name myAKSCluster --node-image-only

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes.azure.com\/node-image-version}{"\n"}{end}'

az aks show --resource-group myResourceGroup --name myAKSCluster
----------------------------------------------------------
# Upgrade a specific node pool
az aks nodepool upgrade --resource-group myResourceGroup --cluster-name myAKSCluster --name mynodepool --node-image-only

kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.kubernetes.azure.com\/node-image-version}{"\n"}{end}'

az aks nodepool show --resource-group myResourceGroup --cluster-name myAKSCluster --name mynodepool

Maxime.

7 juin 20207 juin 2020

AKS | Supports Gen2 VMs

[English Below]

Bonjour,

Dans cet article, je vais vous présenter comment créer un cluster AKS en utilisant des machines virtuelles de type gen2.

L’avantage d’utiliser des machines de types Gen2 est de pouvoir bénécifier de fonctionnalités de sécurité comme:

Intel Software Guard Extensions (Intel SGX)
virtualized persistent memory (vPMEM)
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/generation-2

Pour cela, je vous invite à saisir les commandes suivantes depuis Azure Cloud Shell par exemple (https://shell.azure.com)

az feature register --name "Gen2VMPreview" --namespace "Microsoft.ContainerService"    

# wait for the feature to register
az feature show --name Gen2VMPreview --namespace "Microsoft.ContainerService"

# Re-register the AKS namespace by performing the below
az provider register --namespace 'Microsoft.ContainerService'

# Finally create the cluster
az aks create -n aks -g aks -s Standard_D2s_v3 --aks-custom-headers usegen2vm=true

Maxime.

Hello,

In this article, I would like to share with you how you can create an AKS cluster with gen2 virtual machines.

With Azure Gen2 Virtual Machines, you can use advance security features like:

Intel Software Guard Extensions (Intel SGX)
virtualized persistent memory (vPMEM)
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/generation-2

From Azure Cloud Shell (https://shell.azure.com), please use this commands:

az feature register --name "Gen2VMPreview" --namespace "Microsoft.ContainerService"    

# wait for the feature to register
az feature show --name Gen2VMPreview --namespace "Microsoft.ContainerService"

# Re-register the AKS namespace by performing the below
az provider register --namespace 'Microsoft.ContainerService'

# Finally create the cluster
az aks create -n aks -g aks -s Standard_D2s_v3 --aks-custom-headers usegen2vm=true

Maxime.