Catégorie : Divers

AKS | Azure Linux

Hi!

A few months ago, I wrote an article about CBL Mariner (internal code name). During Microsoft Build 2023, Microsoft announced the General Availability of Azure Linux.

The Azure Linux Container Host is designed to be lightweight, including only the necessary packages to efficiently run container workloads. It has undergone rigorous validation tests and internal usage to ensure its robustness and security. Moreover, it seamlessly integrates with Azure agents, ensuring compatibility and smooth operation.

This solution offers a reliable and consistent experience across various environments, from the cloud to the edge, encompassing AKS, AKS for Azure Stack HCI, and Azure Arc. With its versatility, you have the flexibility to deploy Azure Linux node pools in both new and existing clusters, as well as migrate your current nodes to Azure Linux nodes.

The Azure Linux Container Host offers the following key benefits:

  • Secure supply chain: Microsoft builds, signs, and validates the Azure Linux Container Host packages from source, and hosts its packages and sources in Microsoft-owned and secured platforms.
  • Small and lightweight: The Azure Linux Container Host only includes the necessary set of packages needed to run container workloads – as a result, it consumes limited disk and memory resources.
  • Secure by default: The Azure Linux Container Host has an emphasis on security and follows the secure-by-default principles, including using a hardened Linux kernel with Azure cloud optimizations and flags tuned for Azure. It also provides a reduced attack surface and eliminates patching and maintenance of unnecessary packages.
  • Extensively validated: The AKS and Azure Linux teams run a suite of functional and performance regression tests with the Azure Linux Container Host before releasing to customers, which enables earlier issue detection and mitigation.​

Create an AKS cluster with Azure Linux:

az aks create --name testAzureLinuxCluster --resource-group testAzureLinuxResourceGroup --os-sku AzureLinux

Resource: https://learn.microsoft.com/en-us/azure/azure-linux/

Maxime.

Azure Policy Export

Hi!

Azure Policy definitions, initiatives, and assignments can each be exported as JSON with Azure CLI.

Here an example to export an Azure Policy. In the first we will list all the Azure Policies which contains the display name « virtual machine ». In the second step we will export the Azure Policy in JSON.

maxime@Azure:~$ az policy definition list --query "[?contains(displayName, 'virtual machine')]" -o table
Name                                  PolicyType    Mode     DisplayName                                                                                                                       Description
------------------------------------  ------------  -------  ----------------
0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56  BuiltIn       All      Audit virtual machines without disaster recovery configured                                                                       Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.
04c4380f-3fae-46e8-96c9-30193528f602  BuiltIn       Indexed  [Preview]: Network traffic data collection agent should be installed on Linux virtual machines                                    Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats.


maxime@Azure:~$ az policy definition show -n 0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56 -o jsonc
{
  "description": "Audit virtual machines which do not have disaster recovery configured. To learn more about disaster recovery, visit https://aka.ms/asr-doc.",
  "displayName": "Audit virtual machines without disaster recovery configured",
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
  "metadata": {
    "category": "Compute",
    "version": "1.0.0"
  },
  "mode": "All",
  "name": "0015ea4d-51ff-4ce3-8d8c-f3f8f0179a56",
  "parameters": {},
  "policyRule": {
    "if": {
      "field": "type",
      "in": [
        "Microsoft.Compute/virtualMachines",
        "Microsoft.ClassicCompute/virtualMachines"
      ]
    },
    "then": {
      "details": {
        "existenceCondition": {
          "field": "name",
          "like": "ASR-Protect-*"
        },
        "type": "Microsoft.Resources/links"
      },
      "effect": "auditIfNotExists"
    }
  },
  "policyType": "BuiltIn",
  "systemData": null,
  "type": "Microsoft.Authorization/policyDefinitions"
}

Maxime.

Happy New Year 2023!

Hi!

I wish you and your family a happy and prosperous New Year 2023! I hope this is going to be an exceptional year for all of us. I will continue to write articles, blog-post about the Azure Security stack (Azure Policy, Defender for Cloud, AKS/Kubernetes). I think to add more articles related to multi-cloud (GCP). Lot of organizations will move forward with a multi-cloud strategy in 2023.

I absolutely love giving talks, sharing thoughts and having a good conversation with a group of like-minded people. If you’re interested let me know! Please find my upcoming speaking engagements for 2023.

All the best for the coming year, and I hope to see you in person as soon as possible! .

Maxime.