Hi,
I had the pleasure to be speaker for the Back from Microsoft Build 2021 organized by the DotNetQuebec and the Azure Quebec communities.
Please find below my presentation:
Maxime.
Hi,
The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems. AKS allows you to create Linux-based node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance.
In this article, I will show you how you can add a FIPS Node pool to an existing AKS cluster:
Install the aks-preview extension:

az extension add --name aks-preview

Update the extension to make sure you have the latest version installed:

az extension update --name aks-preview

Register the FIPSPreview feature, check its registration state, then refresh the Microsoft.ContainerService provider:

az feature register --namespace "Microsoft.ContainerService" --name "FIPSPreview"
az feature list -o table --query "[?contains(name,'Microsoft.ContainerService/FIPSPreview')].{Name:name,State:properties.state}"
az provider register --namespace Microsoft.ContainerService

Add a FIPS node pool to an existing AKS cluster:

az aks nodepool add \
  --resource-group myResourceGroup \
  --cluster-name myAKSCluster \
  --name fipsnp \
  --enable-fips-image

Verify which node pools have FIPS enabled (note the comma between the two projected fields in the JMESPath query):

az aks show --resource-group myResourceGroup --cluster-name myAKSCluster --query="agentPoolProfiles[].{Name:name,enableFips:enableFips}" -o table

Name       enableFips
---------  ------------
fipsnp     True
nodepool1  False
Maxime.
Hi,
When deploying an AKS cluster, local accounts are enabled by default. Even when enabling RBAC or Azure Active Directory integration, --admin access still exists, essentially as a non-auditable backdoor option. With this in mind, AKS offers users the ability to disable local accounts via a flag, disable-local. A field, properties.disableLocalAccounts, has also been added to the managed cluster API to indicate whether the feature has been enabled on the cluster.
Requirements:
az feature register --namespace "Microsoft.ContainerService" --name "DisableLocalAccountsPreview"
az feature list -o table --query "[?contains(name, 'Microsoft.ContainerService/DisableLocalAccountsPreview')].{Name:name,State:properties.state}"
Disable local account on an existing AKS cluster:
az aks update -g <resource-group> -n <cluster-name> --enable-aad --aad-admin-group-object-ids <aad-admin-group-object-id> --disable-local
Create a new AKS cluster without any local account:
az aks create -g <resource-group> -n <cluster-name> --enable-aad --aad-admin-group-object-ids <aad-admin-group-object-id> --disable-local
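To check both settings from the two posts above (FIPS on every node pool, and local accounts disabled) without reading tables by eye, here is an added audit script that is not part of the original posts. It parses the JSON that `az aks show -o json` returns (the cluster document is a constructed sample, not a real cluster) and also accepts the REST shape where the same fields sit under "properties"; the function names are my own.

```python
import json

# Constructed sample shaped like `az aks show -o json` output (not a real cluster).
# The REST API returns the same fields nested under "properties".
SAMPLE_CLUSTER_JSON = """
{
  "name": "myAKSCluster",
  "disableLocalAccounts": false,
  "agentPoolProfiles": [
    {"name": "nodepool1", "enableFips": false, "osType": "Linux"},
    {"name": "fipsnp", "enableFips": true, "osType": "Linux"}
  ]
}
"""


def _field(cluster: dict, key: str):
    """Read a managed-cluster field from either the CLI (flattened) or REST ('properties') shape."""
    if key in cluster:
        return cluster[key]
    return cluster.get("properties", {}).get(key)


def audit_cluster(cluster: dict) -> dict:
    """Return hardening findings for one managed-cluster document (hypothetical helper)."""
    pools = _field(cluster, "agentPoolProfiles") or []
    fips_pools = sorted(p["name"] for p in pools if p.get("enableFips", False))
    non_fips_pools = sorted(p["name"] for p in pools if not p.get("enableFips", False))
    # Missing field means the feature was never turned on, so treat it as enabled local accounts.
    local_accounts_disabled = bool(_field(cluster, "disableLocalAccounts"))
    return {
        "cluster": cluster.get("name"),
        "fips_pools": fips_pools,
        "non_fips_pools": non_fips_pools,
        "local_accounts_disabled": local_accounts_disabled,
        # Compliant only when no pool lacks FIPS and the --admin backdoor is closed.
        "compliant": not non_fips_pools and local_accounts_disabled,
    }


def audit_cluster_json(text: str) -> dict:
    """Parse `az aks show -o json` text and audit it."""
    return audit_cluster(json.loads(text))


if __name__ == "__main__":
    for key, value in audit_cluster_json(SAMPLE_CLUSTER_JSON).items():
        print(f"{key}: {value}")
```

Pipe a real cluster through it with `az aks show -g <resource-group> -n <cluster-name> -o json | python3 audit.py` after replacing the sample with `sys.stdin.read()`.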
Maxime.