incorporate some feedback in issues

This commit is contained in:
mosabami 2021-09-29 17:38:37 -04:00
Parent 347f24a8c8
Commit e4b68fdc68
3 changed files: 16 additions and 4 deletions

View file

@ -6,8 +6,7 @@ Enterprise-scale for AKS represents the strategic design path and target technic
Below is a picture of what a golden state looks like and open source software like flux and traefik integrate well within the AKS ecosystem.
![Golden state platform foundation with AKS landingzone highlighted in red](./media/aks-eslz-architecture.png)
The enterprise-scale for AKS is only concerned with what gets deployed in the landingzone subscription highlighted by the red box in the picture above. It is assumed that an appropriate platform foundation is already setup which may or may not be the [official ESLZ](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture) platform foundation. This means that policies and governance should already be in place or should be setup after this implementation and are not a part of the scope this program. The policies applied by the platform foundation would trickle down to the Enterprise-scale for AKS landingzone subscription.
![Golden state platform foundation with AKS landingzone highlighted in red](./media/aks-eslz-architecture.png) platform foundation. This means that policies and governance should already be in place or should be setup after this implementation and are not a part of the scope this program. The policies applied to management groups in the hierarchy above the subscription will trickle down to the Enterprise-scale for AKS landing zone subscription.
---
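Review bot: the replacement line in this hunk drops the sentence that introduced the scope and the [official ESLZ](https://docs.microsoft.com/azure/cloud-adoption-framework/ready/enterprise-scale/architecture) link: as rendered it begins with a second copy of the architecture image followed by " platform foundation. This means that ...", so the paragraph now opens mid-sentence and the image appears twice. Restore the opening "The enterprise-scale for AKS is only concerned with what gets deployed in the landingzone subscription ... which may or may not be the official ESLZ" before "platform foundation." and remove the duplicated image. While here, "should be setup" reads better as "should be set up" and "scope this program" as "scope of this program". The rewording of the policy inheritance to "policies applied to management groups in the hierarchy above the subscription will trickle down" is a clear improvement, since it tells readers exactly where governance controls are expected to come from when they are out of scope here.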
@ -52,4 +51,4 @@ Pick one of the scenarios below to get started on a reference implementation
:arrow_forward: [AKS Secure Baseline in a Private Cluster](./Scenarios/AKS-Secure-Baseline-PrivateCluster)
:arrow_forward: [Bicep AKS Accelerator](https://github.com/Azure/Aks-Construction#getting-started)
:arrow_forward: [Bicep AKS Accelerator](https://github.com/Azure/Aks-Construction#getting-started)
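Review bot: the removed and added lines of this hunk are identical as rendered, so the change is whitespace or line-ending only (most likely adding the missing newline at end of file). If that was the intent it is fine; if an editor is rewriting line endings, configure it (or `.gitattributes`) so later diffs do not carry this noise.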

View file

@ -26,6 +26,17 @@ For this scenario, we have various IaC technology that you can choose from depen
* [Azure RBAC for Kubernetes Authorization](https://docs.microsoft.com/azure/aks/manage-azure-rbac)
* [Azure Active Directory pod-managed identities](https://docs.microsoft.com/azure/aks/use-azure-ad-pod-identity)
## Some of the differences Between this RI and the AKS Secure Baseline
Here are some of the differences between the Enterprise scale reference implementation of an AKS secure baseline and the [AKS secure baseline](https://github.com/mspnp/aks-secure-baseline) the RI is based on
* As of now, GitOps is not used in this scenario. GitHub CI/CD pipeline used instead
* AGIC used instead of Traefik ingress controller
* ACR and Key vault are used that are accessed via private link. This requires the use of Bastion host to build the image for the private ACR.
* The templates are broken down in a way to promote separation of duties and modularity and the steps are broken into stages
* Reference implementations in Terraform and Bicep
* More recent Add-ons are used
## Steps of Implementation for AKS Construction Set
A deployment of AKS-hosted workloads typically experiences a separation of duties and lifecycle management in the area of prerequisites, the host network, the cluster infrastructure, and finally the workload itself. This reference implementation is similar. Also, be aware our primary purpose is to illustrate the topology and decisions of a baseline cluster. We feel a "step-by-step" flow will help you learn the pieces of the solution and give you insight into the relationship between them. Ultimately, lifecycle/SDLC management of your cluster and its dependencies will depend on your situation (team roles, organizational standards, etc), and will be implemented as appropriate for your needs.
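Review bot: the new heading "Steps of Implementation for AKS Construction Set" names a different project from the one this page describes (the Enterprise-scale reference implementation of the AKS Secure Baseline), so it should be retitled to match this scenario, and the sentence "This reference implementation is similar" should say what it is similar to (the separation of duties across prerequisites, host network, cluster infrastructure and workload). In the differences list, "More recent Add-ons are used" should name the add-ons so readers can compare against the upstream baseline, and the ACR/Key Vault bullet would be clearer as "ACR and Key Vault are accessed via Private Link; because the registry has no public endpoint, the image is built from the Bastion host." Also use one spelling ("Enterprise-scale") throughout, and add a blank line before each `##` heading so the lists above them render correctly.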
@ -37,4 +48,4 @@ Pick one of the IaC options below and follow the instructions to deploy the AKS
:arrow_forward: [Terraform](./Terraform)
:arrow_forward: [Bicep (still in development)](./Bicep)
:arrow_forward: [Bicep (still in development)](./Bicep)
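Review bot: as in the README hunk above, the removed and added lines here are identical as rendered, so this is a whitespace or end-of-file newline change only; no content review needed.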

View file

@ -1,6 +1,8 @@
## The Key Vault Add-On
The AKS Key Vault Add-On is not currently supported for deployment with Terraform. Configure that separately on the cluster after it is deployed.
:warning: **Note:** Because these steps are not being deployed by Terraform, TF state will not know these extenstions exist. By continuing to use these extensions, you will not be able to futher update your AKS cluster using Terraform. We are adding these steps for training purposes only. If you plan to use this deployment in production where you would need to continue updating your AKS infrastructure using Terraform, do not use these implement these CLI commands.
We start by creating some environment variables. The AKS cluster name can be found in the portal or in the variables file. The value is aks-<prefix value>, for example, in this case it is aks-escs. The resource group name by default is <prefix value>-lz01-rg-aks
```
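Review bot: the warning in this hunk makes the right point but should state the consequence precisely: because the add-on is enabled outside Terraform, the next `terraform plan`/`apply` will not know about it and may attempt to reconcile the cluster back to the state it knows, so the "training purposes only" wording should become a clear instruction not to run these commands against a cluster that Terraform will continue to manage. Fix the typos "extenstions", "futher" and "do not use these implement these CLI commands". The placeholders `aks-<prefix value>` and `<prefix value>-lz01-rg-aks` must be wrapped in backticks, otherwise Markdown treats the angle brackets as HTML and the text disappears when rendered. The fenced code block opened at the end of the hunk should carry a language tag (for example `bash`) so the commands render with highlighting.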