Prerequisites

This document is the starting point for deploying the AKS Secure Baseline reference implementation. Completing the deployment requires specific access and tooling. Follow the instructions below and on the subsequent pages to get your environment ready for AKS cluster creation.

Steps

  1. An Azure subscription. If you don't have an Azure subscription, you can create a free account.

    ⚠️ The user or service principal initiating the deployment process must have the following minimal set of Azure Role-Based Access Control (RBAC) roles:

  2. An Azure AD tenant to associate your Kubernetes RBAC configuration to.

    ⚠️ The user or service principal initiating the deployment process must have the following minimal set of Azure AD permissions assigned:

    • Azure AD User Administrator is required to create a "break glass" AKS admin Active Directory Security Group and User. Alternatively, you could get your Azure AD admin to create this for you when instructed to do so.
      • If you are not part of the User Administrator group in the tenant associated to your Azure subscription, please consider creating a new tenant to use while evaluating this implementation.
  3. Latest Azure CLI installed (must be at least 2.37), or you can perform this from Azure Cloud Shell by clicking below.

    Launch Azure Cloud Shell

  4. Clone/download this repo locally, or even better, fork this repository.

    🔀 If you have forked this reference implementation repo, you'll be able to customize some of the files and commands for a more personalized experience; also, ensure that references to the repos mentioned are updated to use your own (e.g., the following GITHUB_REPO).

    export GITHUB_REPO=https://github.com/mspnp/aks-fabrikam-dronedelivery.git
    git clone --recurse-submodules "$GITHUB_REPO"

    💡 The steps shown here and elsewhere in the reference implementation use Bash shell commands. On Windows, you can use the Windows Subsystem for Linux to run Bash. If you are planning to use VS Code, create a script file to store the commands from this tutorial and run them using VS Code's integrated Bash terminal, then run export MSYS_NO_PATHCONV=1 to avoid path mangling.

  5. Ensure OpenSSL is installed in order to generate self-signed certs used in this implementation.

  6. JQ

  7. Helm 3

    curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
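The tooling steps above can be verified in one pass before moving on. The following preflight script is an added example, not part of the reference implementation; its function names are hypothetical, and only the tool list and the 2.37 minimum come from this page.

```shell
#!/bin/sh
# Added example: preflight check for the tools listed in the steps above.
# Function names are hypothetical; the tool list and MIN_AZ_CLI come from this page.
MIN_AZ_CLI=2.37

# version_ge HAVE WANT: succeed when dotted version HAVE >= WANT.
# Fields are compared numerically, so 2.9 is correctly older than 2.37.
version_ge() {
  have=$1 want=$2
  while [ -n "$have" ] || [ -n "$want" ]; do
    h=${have%%.*} w=${want%%.*}
    case $have in *.*) have=${have#*.} ;; *) have= ;; esac
    case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    h=${h%%[!0-9]*} w=${w%%[!0-9]*}   # drop suffixes such as "0-rc1"
    [ "${h:-0}" -gt "${w:-0}" ] && return 0
    [ "${h:-0}" -lt "${w:-0}" ] && return 1
  done
  return 0
}

# helm_major VERSION: print the major number of "helm version --short" output.
helm_major() {
  v=${1#v}
  printf '%s\n' "${v%%.*}"
}

# preflight: report every missing tool, then check the version requirements.
preflight() {
  missing=0
  for tool in az git openssl jq helm; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "MISSING: $tool" >&2
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 1
  az_ver=$(az version --output json | jq -r '."azure-cli"')
  version_ge "$az_ver" "$MIN_AZ_CLI" ||
    { echo "Azure CLI $az_ver is older than $MIN_AZ_CLI" >&2; return 1; }
  helm_ver=$(helm version --short)
  [ "$(helm_major "$helm_ver")" = 3 ] ||
    { echo "Helm 3 required, found: $helm_ver" >&2; return 1; }
  echo "All prerequisites satisfied"
}

# Run the checks only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then preflight; fi
```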

Next step

▶️ Generate your client-facing TLS certificate