Merge pull request #108 from Azure/update-aks-wl

Update aks wl
Matthew Ross 2022-10-12 15:25:49 -05:00 коммит произвёл GitHub
Родитель ebdce22d8b f8ce1648fa
Коммит 48a578fd86
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
15 изменённых файлов: 825 добавлений и 419 удалений


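--- /dev/null
+++ b/<<path not shown: ACR-scoped role assignment module>>.bicep
@@ -0,0 +1,85 @@
+/* Copyright (c) Microsoft Corporation. Licensed under the MIT license. */
+targetScope = 'resourceGroup'
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleDefinitionIdOrName string
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
+param principalId string
+@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param resourceGroupName string = resourceGroup().name
+@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param subscriptionId string = subscription().subscriptionId
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+@sys.description('Optional. ID of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
+param condition string = ''
+@sys.description('Optional. name of acr for assignment. This limits the resources it can be assigned to.')
+param acrName string = ''
+@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
+@allowed([
+'2.0'
+])
+param conditionVersion string = '2.0'
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+'ServicePrincipal'
+'Group'
+'User'
+'ForeignGroup'
+'Device'
+''
+])
+param principalType string = ''
+var builtInRoleNames_var = {
+'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
+'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
+'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
+'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
+'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
+'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
+}
+var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+resource acr 'Microsoft.ContainerRegistry/registries@2021-06-01-preview' existing = {
+name: acrName
+}
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+name: guid(subscriptionId, resourceGroupName, roleDefinitionId_var, principalId)
+properties: {
+roleDefinitionId: roleDefinitionId_var
+principalId: principalId
+description: !empty(description) ? description : null
+principalType: !empty(principalType) ? any(principalType) : null
+delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+condition: !empty(condition) ? condition : null
+}
+scope: acr
+}
+@sys.description('The GUID of the Role Assignment.')
+output name string = roleAssignment.name
+@sys.description('The resource ID of the Role Assignment.')
+output resourceId string = az.resourceId(resourceGroupName, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
+@sys.description('The name of the resource group the role assignment was applied at.')
+output resourceGroupName string = resourceGroup().name
+@sys.description('The scope this Role Assignment applies to.')
+output rgscope string = resourceGroup().id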
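Review bot: The assignment name at `name: guid(subscriptionId, resourceGroupName, roleDefinitionId_var, principalId)` does not include the registry, so granting the same role to the same principal on two registries in one resource group yields two assignments with the same GUID at different scopes, which is likely to be rejected on the second deployment; seeding from the actual scope, `name: guid(acr.id, roleDefinitionId_var, principalId)`, avoids that. For the same reason the last output should report the scope really used, `output rgscope string = acr.id`, since `resourceGroup().id` is not where this assignment lands. Because `acr` is an `existing` reference with no `scope`, the `resourceGroupName` and `subscriptionId` parameters never change the target of the assignment, only its name and the `resourceId` output, so their descriptions ("to assign the RBAC role to") promise more than the code does. `acrName` defaults to `''`, which leaves the `existing` reference unresolvable, so it is effectively required and should be declared without a default. The vnet- and route-table-scoped modules added in this commit share every one of these points.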


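--- /dev/null
+++ b/<<path not shown: VNet-scoped role assignment module>>.bicep
@@ -0,0 +1,84 @@
+/* Copyright (c) Microsoft Corporation. Licensed under the MIT license. */
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleDefinitionIdOrName string
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
+param principalId string
+@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param resourceGroupName string = resourceGroup().name
+@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param subscriptionId string = subscription().subscriptionId
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+@sys.description('Optional. ID of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
+param condition string = ''
+@sys.description('Optional. name of vnet for assignment. This limits the resources it can be assigned to.')
+param vnetName string = ''
+@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
+@allowed([
+'2.0'
+])
+param conditionVersion string = '2.0'
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+'ServicePrincipal'
+'Group'
+'User'
+'ForeignGroup'
+'Device'
+''
+])
+param principalType string = ''
+var builtInRoleNames_var = {
+'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
+'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
+'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
+'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
+'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
+'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
+}
+var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+resource spokeVnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
+name: vnetName
+}
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+name: guid(subscriptionId, resourceGroupName, roleDefinitionId_var, principalId)
+properties: {
+roleDefinitionId: roleDefinitionId_var
+principalId: principalId
+description: !empty(description) ? description : null
+principalType: !empty(principalType) ? any(principalType) : null
+delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+condition: !empty(condition) ? condition : null
+}
+scope: spokeVnet
+}
+@sys.description('The GUID of the Role Assignment.')
+output name string = roleAssignment.name
+@sys.description('The resource ID of the Role Assignment.')
+output resourceId string = az.resourceId(resourceGroupName, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
+@sys.description('The name of the resource group the role assignment was applied at.')
+output resourceGroupName string = resourceGroup().name
+@sys.description('The scope this Role Assignment applies to.')
+output scope string = resourceGroup().id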
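Review bot: The final output here is named `scope`, while the ACR and route-table modules added in the same commit call the same output `rgscope`, and this file alone omits the `targetScope = 'resourceGroup'` line the other two carry; a caller that switches between the three modules will break on the output name, so align all three on one name (`scope` matches the README in this commit). The `builtInRoleNames_var` map was copied from the ACR module and lists only registry roles, so on a virtual network scope a friendly name that fits the resource, such as 'Network Contributor', never resolves and is passed through as a literal `roleDefinitionId`, which fails at deployment; either add the network roles to the map or state in the `roleDefinitionIdOrName` description that only fully qualified IDs are supported by this variant.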


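--- /dev/null
+++ b/<<path not shown: route-table-scoped role assignment module>>.bicep
@@ -0,0 +1,85 @@
+/* Copyright (c) Microsoft Corporation. Licensed under the MIT license. */
+targetScope = 'resourceGroup'
+@sys.description('Required. You can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
+param roleDefinitionIdOrName string
+@sys.description('Required. The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity).')
+param principalId string
+@sys.description('Optional. Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param resourceGroupName string = resourceGroup().name
+@sys.description('Optional. Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment.')
+param subscriptionId string = subscription().subscriptionId
+@sys.description('Optional. The description of the role assignment.')
+param description string = ''
+@sys.description('Optional. ID of the delegated managed identity resource.')
+param delegatedManagedIdentityResourceId string = ''
+@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to.')
+param condition string = ''
+@sys.description('Optional. name of route table for assignment. This limits the resources it can be assigned to.')
+param routeTableName string = ''
+@sys.description('Optional. Version of the condition. Currently accepted value is "2.0".')
+@allowed([
+'2.0'
+])
+param conditionVersion string = '2.0'
+@sys.description('Optional. The principal type of the assigned principal ID.')
+@allowed([
+'ServicePrincipal'
+'Group'
+'User'
+'ForeignGroup'
+'Device'
+''
+])
+param principalType string = ''
+var builtInRoleNames_var = {
+'AcrPush': '/providers/Microsoft.Authorization/roleDefinitions/8311e382-0749-4cb8-b61a-304f252e45ec'
+'API Management Service Contributor': '/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c'
+'AcrPull': '/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d'
+'AcrImageSigner': '/providers/Microsoft.Authorization/roleDefinitions/6cef56e8-d556-48e5-a04f-b8e64114680f'
+'AcrDelete': '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
+'AcrQuarantineReader': '/providers/Microsoft.Authorization/roleDefinitions/cdda3590-29a3-44f6-95f2-9f980659eb04'
+'AcrQuarantineWriter': '/providers/Microsoft.Authorization/roleDefinitions/c8d4ff99-41c3-41a8-9f60-21dfdad59608'
+}
+var roleDefinitionId_var = (contains(builtInRoleNames_var, roleDefinitionIdOrName) ? builtInRoleNames_var[roleDefinitionIdOrName] : roleDefinitionIdOrName)
+resource routeTable 'Microsoft.Network/routeTables@2022-05-01' existing = {
+name: routeTableName
+}
+resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+name: guid(subscriptionId, resourceGroupName, roleDefinitionId_var, principalId)
+properties: {
+roleDefinitionId: roleDefinitionId_var
+principalId: principalId
+description: !empty(description) ? description : null
+principalType: !empty(principalType) ? any(principalType) : null
+delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
+conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
+condition: !empty(condition) ? condition : null
+}
+scope: routeTable
+}
+@sys.description('The GUID of the Role Assignment.')
+output name string = roleAssignment.name
+@sys.description('The resource ID of the Role Assignment.')
+output resourceId string = az.resourceId(resourceGroupName, 'Microsoft.Authorization/roleAssignments', roleAssignment.name)
+@sys.description('The name of the resource group the role assignment was applied at.')
+output resourceGroupName string = resourceGroup().name
+@sys.description('The scope this Role Assignment applies to.')
+output rgscope string = resourceGroup().id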


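--- /dev/null
+++ b/<<path not shown: resourceGroup role assignment README>>.md
@@ -0,0 +1,44 @@
+# Role Assignment on Resource Group level `[Microsoft.Authorization/roleAssignments/resourceGroup]`
+With this module you can perform role assignments on a resource group level
+## Navigation
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+## Resource Types
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
+## Parameters
+**Required parameters**
+| Parameter Name | Type | Description |
+| :-- | :-- | :-- |
+| `principalId` | string | The Principal or Object ID of the Security Principal (User, Group, Service Principal, Managed Identity). |
+| `roleDefinitionIdOrName` | string | You can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
+**Optional parameters**
+| Parameter Name | Type | Default Value | Allowed Values | Description |
+| :-- | :-- | :-- | :-- | :-- |
+| `condition` | string | `''` | | The conditions on the role assignment. This limits the resources it can be assigned to. |
+| `conditionVersion` | string | `'2.0'` | `[2.0]` | Version of the condition. Currently accepted value is "2.0". |
+| `delegatedManagedIdentityResourceId` | string | `''` | | ID of the delegated managed identity resource. |
+| `description` | string | `''` | | The description of the role assignment. |
+| `principalType` | string | `''` | `['', Device, ForeignGroup, Group, ServicePrincipal, User]` | The principal type of the assigned principal ID. |
+| `resourceGroupName` | string | `[resourceGroup().name]` | | Name of the Resource Group to assign the RBAC role to. If not provided, will use the current scope for deployment. |
+| `subscriptionId` | string | `[subscription().subscriptionId]` | | Subscription ID of the subscription to assign the RBAC role to. If not provided, will use the current scope for deployment. |
+## Outputs
+| Output Name | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The GUID of the Role Assignment. |
+| `resourceGroupName` | string | The name of the resource group the role assignment was applied at. |
+| `resourceId` | string | The resource ID of the Role Assignment. |
+| `scope` | string | The scope this Role Assignment applies to. |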


@ -17,9 +17,6 @@ param registrationEnabled bool = false
@description('Required. Link to another virtual network resource ID.')
param virtualNetworkResourceId string
resource privateDnsZone 'Microsoft.Network/privateDnsZones@2020-06-01' existing = {
name: privateDnsZoneName
}


@ -86,7 +86,6 @@ module modAKSWorkload '../../workloads/wl-aks-spoke/deploy.bicep' = {
parRequired: parRequired
parLocation: parLocation
parTags: parTags
parHubFirewallPolicyName: modHubSpoke.outputs.firewallPolicyName
parHubResourceGroupName: modHubSpoke.outputs.hub.resourceGroupName
parHubSubscriptionId: modHubSpoke.outputs.hub.subscriptionId
parHubVirtualNetworkName: modHubSpoke.outputs.hub.virtualNetworkName
@ -97,6 +96,5 @@ module modAKSWorkload '../../workloads/wl-aks-spoke/deploy.bicep' = {
parLogAnalyticsWorkspaceName: modHubSpoke.outputs.logAnalyticsWorkspaceName
parLogAnalyticsWorkspaceResourceId: modHubSpoke.outputs.logAnalyticsWorkspaceResourceId
parWorkloadStorageAccountAccess: parWorkloadLogStorageAccountAccess
parSourceAddresses: parSourceAddresses
}
}


@ -50,7 +50,7 @@
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"7bc6bc45-b256-407c-9d79-bde13dfb5639"
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
@ -81,7 +81,7 @@
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"7bc6bc45-b256-407c-9d79-bde13dfb5639"
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
@ -93,7 +93,7 @@
"10.0.115.0/26"
]
},
"parAksWorkload": {
"parAksSpoke": {
"value": {
"name": "app",
"shortName": "app",
@ -114,12 +114,7 @@
"service": "Microsoft.Storage"
}
],
"subnets": [
{
"name": "app",
"addressPrefix": ""
}
],
"subnets": [],
"routeTable": {
"disableBgpRoutePropagation": false,
"routes": [
@ -127,7 +122,7 @@
"name": "wl-routetable",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopIpAddress": "<<FirewallPrivateIPAddress>>",
"nextHopIpAddress": "10.0.100.4",
"nextHopType": "VirtualAppliance"
}
}
@ -146,39 +141,60 @@
"parKubernetesCluster": {
"value": {
"name": "Contoso",
"enableSystemAssignedIdentity": true,
"enableSystemAssignedIdentity": false,
"aksClusterKubernetesVersion": "1.24.3",
"enableResourceLock": true,
"enableRBAC": true,
"enablePrivateCluster": true,
"enableAzurePolicy": true,
"enableAadProfileEnableAzureRBAC": true,
"enableAadProfileManaged": true,
"aadProfileAdminGroupObjectIDs": [],
"enableResourceLock": false,
"enablePodIdentity": false,
"aksClusterSkuTier": "Free",
"enableIngressApplicationGateway": false,
"primaryAgentPoolProfile": {
"name": "default",
"vmSize": "Standard_D4s_v3",
"osDiskSizeGB": 128,
"name": "systempool",
"vmSize": "Standard_DS2_v2",
"osDiskSizeGB": 30,
"osDiskType": "Managed",
"enableAutoScaling": true,
"count": 1,
"maxCount": 5,
"minCount": 1,
"maxPods": 50,
"count": 10,
"osType": "Linux",
"osSKU": "Ubuntu",
"type": "VirtualMachineScaleSets",
"mode": "System"
"mode": "System",
"availabilityZones": []
},
"networkProfile": {
"networkProfile": {
"aksClusterLoadBalancerSku": "standard",
"aksClusterNetworkPlugin": "azure",
"aksClusterNetworkPolicy": "azure",
"aksClusterServiceCidr": "10.1.0.0/16",
"aksClusterDnsServiceIP": "10.1.0.10",
"aksClusterDockerBridgeCidr": "170.10.0.1/16",
"aksClusterPodCidr": "10.244.0.0/16",
"aksClusterServiceCidr": "172.16.1.0/24",
"aksClusterDnsServiceIP": "172.16.1.10",
"aksClusterDockerBridgeCidr": "170.10.0.1/30",
"aksClusterOutboundType": "userDefinedRouting"
},
"apiServerAccessProfile": {
"enablePrivateCluster": true,
"enablePrivateClusterPublicFQDN": false
},
"aadProfile": {
"aadProfileTenantId": "<<TenantId>>",
"aadProfileAdminGroupObjectIDs": [
"<<GroupObjectID>>"
],
"enableAadProfileEnableAzureRBAC": true,
"enableAadProfileManaged": true
},
"addonProfiles": {
"omsagent": {
"enable": true,
"config": {
"logAnalyticsWorkspaceResourceID": "/subscriptions/<<subscriptionId>>/resourcegroups/anoa-eastus-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-eastus-dev-logging-log"
}
},
"enableResourceLock": true,
"enableAzurePolicy": true,
"azureKeyvaultSecretsProvider": true
},
"servicePrincipalProfile": {
"clientId": "<<clientId>>",
"secret": "<<secret>>"
}
}
},
@ -244,7 +260,7 @@
"value": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"7bc6bc45-b256-407c-9d79-bde13dfb5639"
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
@ -261,7 +277,7 @@
"storageAccountAccess": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [
"7bc6bc45-b256-407c-9d79-bde13dfb5639"
"<<principalId>>"
],
"roleDefinitionIdOrName": "Contributor"
}
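Review bot: `servicePrincipalProfile.secret` in the `-146,39 +141,60` hunk puts a credential into a checked-in parameters file as a plain string; the moment someone replaces `<<secret>>` with a real value it is committed to source control and, because nested object members are not secure parameters, retained in the deployment history. A parameters-file Key Vault `reference` only applies to a top-level parameter, so the secret should move to its own `@secure()` parameter rather than live inside `parKubernetesCluster`, or the profile should be dropped if the user-assigned identity this commit wires into the cluster makes it unnecessary (not decidable from this file). The `nextHopIpAddress` change in `-127,7 +122,7` replaces the `<<FirewallPrivateIPAddress>>` placeholder with the literal `10.0.100.4`, the reverse of what the `<<principalId>>` hunks in the same file do, and ties the sample to one hub layout. `enableResourceLock` and `enableSystemAssignedIdentity` both flip from `true` to `false`, which loosens the example's default posture; if that is intended, the workload README should say so, since this JSON cannot carry a comment.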


@ -52,6 +52,35 @@ param parLocation string = deployment().location
@description('Defines the Container Registry.')
param parContainerRegistry object
// HUB NETWORK PARAMETERS
// Hub Virtual Network Name
// (JSON Parameter)
// ---------------------------
// "parHubSubscriptionId": {
// "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxx"
// }
@description('The subscription ID for the Hub Network and resources. It defaults to the deployment subscription.')
param parHubSubscriptionId string = subscription().subscriptionId
// Hub Subnet Resource Id
// (JSON Parameter)
// ---------------------------
// "parHubVirtualNetworkResourceId": {
// "value": "/subscriptions/xxxxxxxx-xxxxxx-xxxxx-xxxxxx-xxxxxx/resourceGroups/anoa-eastus-platforms-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-platforms-hub-vnet/subnets/anoa-eastus-platforms-hub-vnet"
// }
@description('The virtual network resource Id for the Hub Network.')
param parHubVirtualNetworkResourceId string = ''
// Hub Resource Group Name
// (JSON Parameter)
// ---------------------------
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('The name of the Hub resource group which contains the network for vnet peering.')
param parHubResourceGroupName string = ''
// SUBSCRIPTIONS PARAMETERS
// Target Virtual Network Name
@ -172,9 +201,12 @@ module privatednsACRZone '../../../azresources/Modules/Microsoft.Network/private
name: 'deploy-acrpvtdnszone-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetResourceGroup)
params: {
name: (environment().name =~ 'AzureCloud' ? 'privatelink.azurecr.${environment().suffixes.storage}' : 'privatelink.azurecr.usgovcloudapi.net')
name: 'privatelink${environment().suffixes.acrLoginServer}'
location: 'global'
}
dependsOn: [
acrpvtEndpoint
]
}
module privateDNSACR '../../../azresources/Modules/Microsoft.Network/privateDnsZones/virtualNetworkLinks/az.net.private.dns.vnet.link.bicep' = {
@ -185,6 +217,9 @@ module privateDNSACR '../../../azresources/Modules/Microsoft.Network/privateDnsZ
virtualNetworkResourceId: vnetacrpvt.id
privateDnsZoneName: privatednsACRZone.outputs.name
}
dependsOn: [
privatednsACRZone
]
}
module privateACRDNSZoneGroup '../../../azresources/Modules/Microsoft.Network/privateEndPoints/privateDnsZoneGroups/az.net.private.dns.groups.bicep' = {
@ -196,6 +231,24 @@ module privateACRDNSZoneGroup '../../../azresources/Modules/Microsoft.Network/p
]
privateEndpointName: acrpvtEndpoint.outputs.name
}
dependsOn: [
acrpvtEndpoint
privatednsACRZone
privateDNSACR
]
}
module modACRHubLink '../../../azresources/Modules/Microsoft.Network/privateDnsZones/virtualNetworkLinks/az.net.private.dns.vnet.link.bicep' = {
name: 'deploy-aksHubLink-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parHubSubscriptionId, parHubResourceGroupName)
params: {
virtualNetworkResourceId: parHubVirtualNetworkResourceId
privateDnsZoneName: privateACRDNSZoneGroup.name
}
dependsOn: [
privateACRDNSZoneGroup
modContainerRegistry
]
}
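Review bot: `privateDnsZoneName: privateACRDNSZoneGroup.name` in the new `modACRHubLink` module passes the deployment name of the zone-group module (the `'deploy-...'` string), not the private DNS zone's name, so the hub link targets a zone that does not exist; it should read `privateDnsZoneName: privatednsACRZone.outputs.name`. The link is also scoped to `resourceGroup(parHubSubscriptionId, parHubResourceGroupName)` while `privatednsACRZone` is deployed into `parTargetResourceGroup`; a virtual network link is a child resource of the zone, so unless a zone of the same name already exists in the hub group the scope should be `scope: resourceGroup(parTargetResourceGroup)`, with the hub network supplied only through `virtualNetworkResourceId`. The explicit `dependsOn` blocks added to `privatednsACRZone`, `privateDNSACR` and `privateACRDNSZoneGroup` mostly restate orderings Bicep already infers from the `.outputs` references in their `params`, and `privatednsACRZone` has no real dependency on `acrpvtEndpoint`, so those entries can go.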
// Create Container Registry


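--- a/<<path not shown: deleted AKS workload parameters file>>.json
+++ /dev/null
@@ -1,74 +0,0 @@
-{
-"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-"contentVersion": "1.0.0.0",
-"parameters": {
-"parRequired": {
-"value": {
-"orgPrefix": "anoa",
-"templateVersion": "v1.0",
-"deployEnvironment": "appsvcsplan"
-}
-},
-"parTags": {
-"value": {
-"organization": "anoa",
-"templateVersion": "v1.0",
-"deployEnvironment": "appsvcsplan",
-"deploymentType": "NoOpsBicep"
-}
-},
-"parTargetSubscriptionId": {
-"value": "<<subscriptionId>>"
-},
-"parTargetResourceGroup": {
-"value": "<<example-rg>>"
-},
-"parTargetVNetName": {
-"value": "<<example-vnet>>"
-},
-"parTargetSubnetName": {
-"value": "<<example-subnet>>"
-},
-"parKubernetesCluster": {
-"value": {
-"name": "Contoso",
-"enableSystemAssignedIdentity": true,
-"aksClusterKubernetesVersion": "1.24.3",
-"enableResourceLock": true,
-"enableRBAC": true,
-"enablePrivateCluster": true,
-"enableAzurePolicy": true,
-"enableAadProfileEnableAzureRBAC": true,
-"enableAadProfileManaged": true,
-"aadProfileAdminGroupObjectIDs": [
-"xxxxxx-xxxx-xxxx-xxxx-xxxxxx"
-],
-"aksClusterSkuTier": "Free",
-"primaryAgentPoolProfile": {
-"name": "default",
-"vmSize": "Standard_D4s_v3",
-"osDiskSizeGB": 128,
-"osDiskType": "Managed",
-"enableAutoScaling": true,
-"count": 1,
-"maxCount": 5,
-"minCount": 1,
-"maxPods": 50,
-"osType": "Linux",
-"osSKU": "Ubuntu",
-"type": "VirtualMachineScaleSets",
-"mode": "System"
-},
-"networkProfile": {
-"aksClusterLoadBalancerSku": "standard",
-"aksClusterNetworkPlugin": "azure",
-"aksClusterNetworkPolicy": "azure",
-"aksClusterServiceCidr": "10.1.0.0/16",
-"aksClusterDnsServiceIP": "10.1.0.10",
-"aksClusterDockerBridgeCidr": "170.10.0.1/16",
-"aksClusterOutboundType": "userDefinedRouting"
-}
-}
-}
-}
-}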


@ -52,10 +52,19 @@ param parLocation string = deployment().location
// AZURE KUBERNETES SERVICE - CLUSTER PARAMETERS
@description('Defines the Azure Kubernetes Service - Cluster.')
param parKubernetesCluster object
param parKubernetesCluster object
// HUB NETWORK PARAMETERS
// Hub Virtual Network Name
// (JSON Parameter)
// ---------------------------
// "parHubSubscriptionId": {
// "value": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxx"
// }
@description('The subscription ID for the Hub Network and resources. It defaults to the deployment subscription.')
param parHubSubscriptionId string = subscription().subscriptionId
// Hub Subnet Resource Id
// (JSON Parameter)
// ---------------------------
@ -65,15 +74,14 @@ param parKubernetesCluster object
@description('The virtual network resource Id for the Hub Network.')
param parHubVirtualNetworkResourceId string = ''
// LOGGING PARAMETERS
// Log Analytics Workspace Resource Id
// Hub Resource Group Name
// (JSON Parameter)
// ---------------------------
// "parLogAnalyticsWorkspaceResourceId": {
// "value": "/subscriptions/xxxxxxxx-xxxxxx-xxxxx-xxxxxx-xxxxxx/resourceGroups/anoa-eastus-platforms-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-platforms-hub-vnet/subnets/anoa-eastus-platforms-hub-vnet"
// "parHubResourceGroupName": {
// "value": "anoa-eastus-platforms-hub-rg"
// }
@description('Log Analytics Workspace Resource Id Needed for NSG, VNet and Activity Logging')
param parLogAnalyticsWorkspaceResourceId string
@description('The name of the Hub resource group which contains the network for vnet peering.')
param parHubResourceGroupName string = ''
// TARGET PARAMETERS
@ -118,7 +126,6 @@ param parTargetSubnetName string
@description('A suffix to use for naming deployments uniquely. It defaults to the Bicep resolution of the "utcNow()" function.')
param parDeploymentNameSuffix string = utcNow()
@description('The current date - do not override the default value')
param dateUtcNow string = utcNow('yyyy-MM-dd HH:mm:ss')
@ -147,7 +154,6 @@ var referential = {
deploymentDate: dateUtcNow
}
@description('Resource group tags')
module modTags '../../../azresources/Modules/Microsoft.Resources/tags/az.resources.tags.bicep' = {
name: 'deploy-aks-tags-${parLocation}-${parDeploymentNameSuffix}'
@ -166,34 +172,48 @@ resource rgKubernetesCluster 'Microsoft.Resources/resourceGroups@2021-04-01' = {
}
// Get Existing VNet
resource vnet 'Microsoft.Network/virtualNetworks@2019-11-01' existing = {
resource resVNet 'Microsoft.Network/virtualNetworks@2019-11-01' existing = {
name: parTargetVNetName
scope: az.resourceGroup(parTargetResourceGroup)
scope: resourceGroup(parTargetResourceGroup)
}
// Get Existing subnet
resource subnetakspvt 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' existing = {
parent: vnet
resource resSubnetakspvt 'Microsoft.Network/virtualNetworks/subnets@2021-05-01' existing = {
parent: resVNet
name: parTargetSubnetName
}
module privatednsAKSZone '../../../azresources/Modules/Microsoft.Network/privateDnsZones/az.net.private.dns.bicep' = {
name: 'deploy-akspvtdnszone-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetResourceGroup)
module modAksIdentity '../../../azresources/Modules/Microsoft.ManagedIdentity/userAssignedIdentities/az.managed.identity.user.assigned.bicep' = {
name: 'deploy-aksIdentity-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(rgKubernetesCluster.name)
params: {
name: (environment().name =~ 'AzureCloud' ? 'privatelink.azmk8s.${environment().suffixes.storage}' : 'privatelink.azmk8s.usgovcloudapi.net')
location: 'global'
}
location: parLocation
}
}
module aksHubLink '../../../azresources/Modules/Microsoft.Network/privateDnsZones/virtualNetworkLinks/az.net.private.dns.vnet.link.bicep' = {
name: 'deploy-aksHubLink-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetResourceGroup)
module modAksContribRoleAssignement '../../../azresources/Modules/Microsoft.Authorization/roleAssignments/resourceGroup/az.auth.role.assignment.rg.bicep' = {
scope: resourceGroup(rgKubernetesCluster.name)
name: 'deploy-aksContribRole-${parLocation}-${parDeploymentNameSuffix}'
params: {
location: 'global'
virtualNetworkResourceId: parHubVirtualNetworkResourceId
privateDnsZoneName: privatednsAKSZone.outputs.name
principalId: modAksIdentity.outputs.principalId
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' //Contributor
}
dependsOn: [
modAksIdentity
]
}
module modDefAKSAssignment '../../../azresources/Modules/Microsoft.Authorization/policyAssignments/resourceGroup/az.auth.policy.set.assignment.rg.bicep' = {
name: 'deploy-aksDefPolicy-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(rgKubernetesCluster.name)
params: {
location: parLocation
name: 'EnableDefenderForAKS'
policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/64def556-fbad-4622-930e-72d1d5589bf5'
}
dependsOn: [
modKubernetesCluster
]
}
// Create Azure Kubernetes Cluster
@ -203,45 +223,126 @@ module modKubernetesCluster '../../../azresources/Modules/Microsoft.ContainerSer
params: {
name: '${parKubernetesCluster.name}aks'
location: parLocation
nodeResourceGroup: '${parKubernetesCluster.name}-aksInfraRG'
nodeResourceGroup: 'MC${parKubernetesCluster.name}-aksInfraRG'
aksClusterSkuTier: parKubernetesCluster.aksClusterSkuTier
systemAssignedIdentity: parKubernetesCluster.enableSystemAssignedIdentity
userAssignedIdentities: {
'${modAksIdentity.outputs.resourceId}': {}
}
aksClusterKubernetesVersion: parKubernetesCluster.aksClusterKubernetesVersion
enableRBAC: parKubernetesCluster.enableRBAC
lock: parKubernetesCluster.enableResourceLock ? 'CanNotDelete' : ''
lock: parKubernetesCluster.enableResourceLock ? 'CanNotDelete' : ''
tags: modTags.outputs.tags
primaryAgentPoolProfile: [
podIdentityProfileEnable: parKubernetesCluster.enablePodIdentity
podIdentityProfileAllowNetworkPluginKubenet: false
ingressApplicationGatewayEnabled: parKubernetesCluster.enableIngressApplicationGateway
primaryAgentPoolProfile: [
{
name: parKubernetesCluster.primaryAgentPoolProfile.name
availabilityZones: !empty(parKubernetesCluster.primaryAgentPoolProfile.availabilityZones) ? parKubernetesCluster.primaryAgentPoolProfile.availabilityZones : null
count: parKubernetesCluster.primaryAgentPoolProfile.count
maxCount: parKubernetesCluster.primaryAgentPoolProfile.maxCount
minCount: parKubernetesCluster.primaryAgentPoolProfile.minCount
maxPods: parKubernetesCluster.primaryAgentPoolProfile.maxPods
minCount: parKubernetesCluster.primaryAgentPoolProfile.enableAutoScaling ? 1 : null
maxCount: parKubernetesCluster.primaryAgentPoolProfile.enableAutoScaling ? parKubernetesCluster.primaryAgentPoolProfile.count : null
vmSize: parKubernetesCluster.primaryAgentPoolProfile.vmSize
enableAutoScaling: parKubernetesCluster.primaryAgentPoolProfile.enableAutoScaling
vnetSubnetID: subnetakspvt.id
vnetSubnetID: resSubnetakspvt.id
osDiskSizeGB: parKubernetesCluster.primaryAgentPoolProfile.osDiskSizeGB
osDiskType: parKubernetesCluster.primaryAgentPoolProfile.osDiskType
osType: parKubernetesCluster.primaryAgentPoolProfile.osType
osSKU: parKubernetesCluster.primaryAgentPoolProfile.osSKU
mode: parKubernetesCluster.primaryAgentPoolProfile.mode
mode: parKubernetesCluster.primaryAgentPoolProfile.mode
}
]
//Network Profile
aksClusterLoadBalancerSku: parKubernetesCluster.networkProfile.aksClusterLoadBalancerSku
aksClusterNetworkPlugin: parKubernetesCluster.networkProfile.aksClusterNetworkPlugin
aksClusterNetworkPolicy: parKubernetesCluster.networkProfile.aksClusterNetworkPolicy
aksClusterKubernetesVersion: parKubernetesCluster.aksClusterKubernetesVersion
aksClusterNetworkPlugin: 'kubenet'
aksClusterNetworkPolicy: 'calico'
aksClusterPodCidr: (!empty(parKubernetesCluster.networkProfile.aksClusterPodCidr)) ? parKubernetesCluster.networkProfile.aksClusterPodCidr : ''
aksClusterServiceCidr: (!empty(parKubernetesCluster.networkProfile.aksClusterServiceCidr)) ? parKubernetesCluster.networkProfile.aksClusterServiceCidr : ''
aksClusterDnsServiceIP: (!empty(parKubernetesCluster.networkProfile.aksClusterDnsServiceIP)) ? parKubernetesCluster.networkProfile.aksClusterDnsServiceIP : ''
aksClusterDockerBridgeCidr: (!empty(parKubernetesCluster.networkProfile.aksClusterDockerBridgeCidr)) ? parKubernetesCluster.networkProfile.aksClusterDockerBridgeCidr : ''
aksClusterOutboundType: parKubernetesCluster.networkProfile.aksClusterOutboundType
monitoringWorkspaceId: parLogAnalyticsWorkspaceResourceId
enablePrivateCluster: parKubernetesCluster.enablePrivateCluster
azurePolicyEnabled: parKubernetesCluster.enableAzurePolicy
aadProfileEnableAzureRBAC: parKubernetesCluster.enableAadProfileEnableAzureRBAC
aadProfileAdminGroupObjectIDs: parKubernetesCluster.aadProfileAdminGroupObjectIDs
aadProfileManaged: parKubernetesCluster.enableAadProfileManaged
//Addons
omsAgentEnabled: parKubernetesCluster.addonProfiles.omsagent.enable
monitoringWorkspaceId: parKubernetesCluster.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID
azurePolicyEnabled: parKubernetesCluster.addonProfiles.enableAzurePolicy
//ApiServerAccessProfile
enablePrivateCluster: parKubernetesCluster.apiServerAccessProfile.enablePrivateCluster
enablePrivateClusterPublicFQDN: parKubernetesCluster.apiServerAccessProfile.enablePrivateClusterPublicFQDN
//AADProfile
aadProfileEnableAzureRBAC: parKubernetesCluster.aadProfile.enableAadProfileEnableAzureRBAC
aadProfileAdminGroupObjectIDs: parKubernetesCluster.aadProfile.aadProfileAdminGroupObjectIDs
aadProfileManaged: parKubernetesCluster.aadProfile.enableAadProfileManaged
aadProfileTenantId: parKubernetesCluster.aadProfile.aadProfileTenantId
//ServicePrincipalProfile
aksServicePrincipalProfile: parKubernetesCluster.servicePrincipalProfile
}
dependsOn: [
modAksIdentity
modAksContribRoleAssignement
]
}
module akspvtEndpoint '../../../azresources/Modules/Microsoft.Network/privateEndPoints/az.net.private.endpoint.bicep' = {
name: 'deploy-akspvtendpnt-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetResourceGroup)
params: {
name: 'akspvtEndpoint'
location: parLocation
groupIds: [
'management'
]
subnetResourceId: resSubnetakspvt.id
serviceResourceId: modKubernetesCluster.outputs.resourceId
}
}
module privatednsAKSZone '../../../azresources/Modules/Microsoft.Network/privateDnsZones/az.net.private.dns.bicep' = {
name: 'deploy-akspvtdnszone-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetResourceGroup)
params: {
name: (environment().name =~ 'AzureCloud' ? 'privatelink.azmk8s.io' : 'privatelink.azmk8s.us')
location: 'global'
}
}
module privateDNSAKS '../../../azresources/Modules/Microsoft.Network/privateDnsZones/virtualNetworkLinks/az.net.private.dns.vnet.link.bicep' = {
name: 'deploy-akspvtdns-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetResourceGroup)
params: {
location: 'global'
virtualNetworkResourceId: resVNet.id
privateDnsZoneName: privatednsAKSZone.outputs.name
}
}
output aksResourceId string = modKubernetesCluster.outputs.resourceId
module privateAKSDNSZoneGroup '../../../azresources/Modules/Microsoft.Network/privateEndPoints/privateDnsZoneGroups/az.net.private.dns.groups.bicep' = {
name: 'deploy-akspvtdnsgrp-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parTargetResourceGroup)
params: {
privateDNSResourceIds: [
privatednsAKSZone.outputs.resourceId
]
privateEndpointName: akspvtEndpoint.outputs.name
}
}
module modAKSHubLink '../../../azresources/Modules/Microsoft.Network/privateDnsZones/virtualNetworkLinks/az.net.private.dns.vnet.link.bicep' = {
name: 'deploy-aksHubLink-${parLocation}-${parDeploymentNameSuffix}'
scope: resourceGroup(parHubSubscriptionId, parHubResourceGroupName)
params: {
virtualNetworkResourceId: parHubVirtualNetworkResourceId
privateDnsZoneName: privateAKSDNSZoneGroup.name
}
dependsOn: [
modKubernetesCluster
]
}
output aksResourceId string = modKubernetesCluster.outputs.resourceId
output aksIdentityPrincipalId string = modAksIdentity.outputs.principalId
output aksControlPlaneFQDN string = modKubernetesCluster.outputs.controlPlaneFQDN


@ -0,0 +1,102 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"parRequired": {
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "dev",
"deploymentType": "NoOpsBicep"
}
},
"parHubSubscriptionId": {
"value": "<<subscriptionId>>"
},
"parHubResourceGroupName": {
"value": "anoa-eastus-dev-hub-rg"
},
"parHubVirtualNetworkResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/anoa-eastus-dev-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-dev-hub-vnet"
},
"parTargetSubscriptionId": {
"value": "<<subscriptionId>>"
},
"parTargetResourceGroup": {
"value": "anoa-eastus-aks-app-rg"
},
"parTargetVNetName": {
"value": "anoa-eastus-aks-app-vnet"
},
"parTargetSubnetName": {
"value": "anoa-eastus-aks-app-snet"
},
"parKubernetesCluster": {
"value": {
"name": "Contoso",
"enableSystemAssignedIdentity": false,
"aksClusterKubernetesVersion": "1.24.3",
"enableRBAC": true,
"enableResourceLock": false,
"enablePodIdentity": false,
"aksClusterSkuTier": "Free",
"enableIngressApplicationGateway": false,
"primaryAgentPoolProfile": {
"name": "systempool",
"vmSize": "Standard_DS2_v2",
"osDiskSizeGB": 30,
"osDiskType": "Managed",
"enableAutoScaling": true,
"count": 10,
"osType": "Linux",
"osSKU": "Ubuntu",
"type": "VirtualMachineScaleSets",
"mode": "System",
"availabilityZones": []
},
"networkProfile": {
"aksClusterLoadBalancerSku": "standard",
"aksClusterPodCidr": "10.244.0.0/16",
"aksClusterServiceCidr": "172.16.1.0/24",
"aksClusterDnsServiceIP": "172.16.1.10",
"aksClusterDockerBridgeCidr": "170.10.0.1/30",
"aksClusterOutboundType": "userDefinedRouting"
},
"apiServerAccessProfile": {
"enablePrivateCluster": true,
"enablePrivateClusterPublicFQDN": false
},
"aadProfile": {
"aadProfileTenantId": "<<TenantId>>",
"aadProfileAdminGroupObjectIDs": [
"<<GroupObjectID>>"
],
"enableAadProfileEnableAzureRBAC": true,
"enableAadProfileManaged": true
},
"addonProfiles": {
"omsagent": {
"enable": true,
"config": {
"logAnalyticsWorkspaceResourceID": "/subscriptions/<<subscriptionId>>/resourcegroups/anoa-eastus-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-eastus-dev-logging-log"
}
},
"enableResourceLock": true,
"enableAzurePolicy": true,
"azureKeyvaultSecretsProvider": true
},
"servicePrincipalProfile": {
"clientId": "<<clientId>>",
"secret": "<<secret>>"
}
}
}
}
}
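Review bot: `servicePrincipalProfile.secret` at the end of the `parKubernetesCluster` object is a plaintext slot for a credential in a committed parameters file, and unless the template declares that object parameter with `@secure()` (the declaration is not in this section) the value is also retained in the resource group's deployment history. A Key Vault reference in the parameter file (`"reference": { "keyVault": { "id": "<<keyvault-resource-id>>" }, "secretName": "<<secret-name>>" }`) keeps the secret out of source control, though that requires the secret to be its own secure parameter rather than a property nested in an object. Separately, `addonProfiles` carries `enableResourceLock: true` and `azureKeyvaultSecretsProvider: true`, while the cluster deploy template earlier in this change only consumes `addonProfiles.omsagent.*` and `addonProfiles.enableAzurePolicy` and takes the lock from the top-level `enableResourceLock: false`; the nested lock flag contradicts the top-level one and presumably has no effect. `aksClusterDockerBridgeCidr` is also set to `170.10.0.1/30`, which is public address space rather than an RFC 1918 range — worth confirming that is intended.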


@ -1,8 +1,8 @@
# Overlay: NoOps Accelerator - Azure Kubernetes Service - Cluster
# Overlay: NoOps Accelerator - Azure Kubernetes Service - Cluster with Optional AGW Ingress Controller
## Overview
This overlay module deploys a Azure Kubernetes Service - Cluster suitable for hosting docker containers apps. The cluster will be deployed to the Hub/Spoke shared services resource group using default naming unless alternative values are provided at run time.
This overlay module deploys a Azure Kubernetes Service - Cluster with Optional AGW Ingress Controller suitable for hosting docker containers apps. The cluster will be deployed to the Hub/Spoke shared services resource group using default naming unless alternative values are provided at run time.
Read on to understand what this example does, and when you're ready, collect all of the pre-requisites, then deploy the example.
@ -14,9 +14,17 @@ The subscription and resource group can be changed by providing the resource gro
## Pre-requisites
* A virtual network and subnet is deployed. (a deployment of [deploy.bicep](../../../../bicep/platforms/lz-platform-scca-hub-3spoke/deploy.bicep))
* A virtual network and subnet is deployed. (a deployment of [deploy.bicep](../../../../bicep/platforms/lz-platform-scca-hub-1spoke/deploy.bicep))
* Decide if the optional parameters is appropriate for your deployment. If it needs to change, override one of the optional parameters.
### AKS Service Principal
To access other Azure Active Directory (Azure AD) resources, an AKS cluster requires either an Azure Active Directory (AD) service principal or a managed identity. A service principal or managed identity is needed to dynamically create and manage other Azure resources such as an Azure load balancer or container registry (ACR).
```bash
az ad sp create-for-rbac --name myAKSClusterServicePrincipal
```
## Parameters
See below for information on how to use the appropriate deployment parameters for use with this overlay:
@ -129,6 +137,106 @@ OR
Get-AzResource -ResourceGroupName anoa-eastus-workload-aks-rg
```
## Set up Application Gateway Ingress Controller
We created and configured a new AKS cluster and an Application Gateway with the overlay. We're now ready to an ingress controller to our new Kubernetes infrastructure.
### Setup Kubernetes Credentials
For the following steps, we need setup kubectl command, which we'll use to connect to our new Kubernetes cluster. Cloud Shell has kubectl already installed. We'll use az CLI to obtain credentials for Kubernetes.
Get credentials for your newly deployed AKS (read more):
```bash
# use the deployment-outputs.json created after deployment to get the cluster name and resource group name
aksClusterName=$(jq -r ".aksClusterName.value" deployment-outputs.json)
resourceGroupName=$(jq -r ".resourceGroupName.value" deployment-outputs.json)
az aks get-credentials --resource-group $resourceGroupName --name $aksClusterName
```
### Install Azure AD Pod Identity
Azure Active Directory Pod Identity provides token-based access to Azure Resource Manager (ARM).
Azure AD Pod Identity will add the following components to your Kubernetes cluster:
* Kubernetes CRDs: AzureIdentity, AzureAssignedIdentity, AzureIdentityBinding
* Managed Identity Controller (MIC) component
* Node Managed Identity (NMI) component
To install Azure AD Pod Identity to your cluster:
* Kubernetes RBAC enabled AKS cluster
```bash
kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
```
* Kubernetes RBAC disabled AKS cluster
```bash
kubectl create -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment.yaml
```
### Install Helm
Helm is a package manager for Kubernetes. We'll use it to install the application-gateway-kubernetes-ingress package:
1. Install Helm and run the following to add application-gateway-kubernetes-ingress helm package:
* Kubernetes RBAC enabled AKS cluster
```bash
kubectl create serviceaccount --namespace kube-system tiller-sa
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller-sa
helm init --tiller-namespace kube-system --service-account tiller-sa
```
* Kubernetes RBAC disabled AKS cluster
```bash
helm init
```
2. Add the AGIC Helm repository:
```bash
helm repo add application-gateway-kubernetes-ingress https://appgwingress.blob.core.windows.net/ingress-azure-helm-package/
helm repo update
```
### Install Ingress Controller Helm Chart
1. Use the deployment-outputs.json file created above and create the following variables.
```bash
applicationGatewayName=$(jq -r ".applicationGatewayName.value" deployment-outputs.json)
resourceGroupName=$(jq -r ".resourceGroupName.value" deployment-outputs.json)
subscriptionId=$(jq -r ".subscriptionId.value" deployment-outputs.json)
identityClientId=$(jq -r ".identityClientId.value" deployment-outputs.json)
identityResourceId=$(jq -r ".identityResourceId.value" deployment-outputs.json)
```
2. Edit the helm-config.yaml found in the [helm folder](./helm/) and fill out the sections appgw and armAuth.
```bash
sed -i "s|<subscriptionId>|${subscriptionId}|g" helm-config.yaml
sed -i "s|<resourceGroupName>|${resourceGroupName}|g" helm-config.yaml
sed -i "s|<applicationGatewayName>|${applicationGatewayName}|g" helm-config.yaml
sed -i "s|<identityResourceId>|${identityResourceId}|g" helm-config.yaml
sed -i "s|<identityClientId>|${identityClientId}|g" helm-config.yaml
# You can further modify the helm config to enable/disable features
nano helm-config.yaml
```
3. Install the Application Gateway ingress controller package:
```bash
helm install -f helm-config.yaml application-gateway-kubernetes-ingress/ingress-azure
```
## Cleanup
The Bicep/ARM deployment of NoOps Accelerator - Azure Kubernetes Service - Cluster deployment can be deleted with these steps:


@ -86,14 +86,6 @@ param parHubVirtualNetworkName string
@description('The virtual network resource Id for the Hub Network.')
param parHubVirtualNetworkResourceId string
// FIREWALL PARAMETERS
@description('The virtual network name for the Hub Network.')
param parHubFirewallPolicyName string
@description('The firewall source addresses for the Rule Collection Groups, Must be Hub/Spoke addresses.')
param parSourceAddresses array = []
// LOGGING PARAMETERS
@description('Log Analytics Workspace Resource Id Needed for NSG, VNet and Activity Logging')
@ -215,7 +207,7 @@ module modTier3 '../../overlays/management-services/workloadSpoke/deploy.bicep'
//WorkLoad Parameters
parWorkloadSpoke: parWorkloadSpoke
//Logging Parameters
parLogAnalyticsWorkspaceName: parLogAnalyticsWorkspaceName
parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
@ -230,209 +222,6 @@ module modTier3 '../../overlays/management-services/workloadSpoke/deploy.bicep'
//=== Azure Kubernetes Service Workload Buildout ===
module firewallAKSAppRuleCollectionGroup '../../azresources/Modules/Microsoft.Network/firewallPolicies/ruleCollectionGroups/az.net.rule.groups.bicep' = {
name: 'deploy-aks-appruleGroup-${parDeploymentNameSuffix}'
scope: resourceGroup(parHubResourceGroupName)
params: {
name: '${parWorkloadSpoke.shortName}ApplicationRuleCollectionGroup'
firewallPolicyName: parHubFirewallPolicyName
priority: 210
ruleCollections: [
{
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
action: {
type: 'Allow'
}
rules: [
{
name: 'Allow-ifconfig'
ruleType: 'ApplicationRule'
protocols: [
{
port: 80
protocolType: 'Http'
}
{
port: 443
protocolType: 'Https'
}
]
fqdnTags: []
webCategories: []
targetFqdns: [
'ifconfig.co'
'api.snapcraft.io'
'jsonip.com'
'kubernaut.io'
'motd.ubuntu.com'
]
targetUrls: []
terminateTLS: false
sourceAddresses: parSourceAddresses
destinationAddresses: []
sourceIpGroups: []
}
]
name: 'Helper-tools'
priority: 101
}
{
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
action: {
type: 'Allow'
}
rules: [
{
name: 'Egress'
ruleType: 'ApplicationRule'
protocols: [
{
port: 443
protocolType: 'Https'
}
]
ipProtocols: [
'Https'
]
targetFqdns: [
'*.azmk8s.io'
'aksrepos.azurecr.io'
'*.blob.core.windows.net'
'mcr.microsoft.com'
'*.cdn.mscr.io'
'management.azure.com'
'login.microsoftonline.com'
'packages.azure.com'
'acs-mirror.azureedge.net'
'*.opinsights.azure.com'
'*.monitoring.azure.com'
'dc.services.visualstudio.com'
]
sourceAddresses: parSourceAddresses
}
{
name: 'Registries'
ruleType: 'ApplicationRule'
protocols: [
{
port: 443
protocolType: 'Https'
}
]
ipProtocols: [
'Https'
]
targetFqdns: [
'*.data.mcr.microsoft.com'
'*.azurecr.io'
'*.gcr.io'
'gcr.io'
'storage.googleapis.com'
'*.docker.io'
'quay.io'
'*.quay.io'
'*.cloudfront.net'
'production.cloudflare.docker.com'
]
sourceAddresses: parSourceAddresses
}
{
name: 'Additional-Usefull-Address'
ruleType: 'ApplicationRule'
protocols: [
{
port: 443
protocolType: 'Https'
}
]
ipProtocols: [
'Https'
]
targetFqdns: [
'grafana.net'
'grafana.com'
'stats.grafana.org'
'github.com'
'raw.githubusercontent.com'
'security.ubuntu.com'
'security.ubuntu.com'
'packages.microsoft.com'
'azure.archive.ubuntu.com'
'security.ubuntu.com'
'hack32003.vault.azure.net'
'*.letsencrypt.org'
'usage.projectcalico.org'
'gov-prod-policy-data.trafficmanager.net'
'vortex.data.microsoft.com'
]
sourceAddresses: parSourceAddresses
}
{
name: 'AKS-FQDN-TAG'
ruleType: 'ApplicationRule'
protocols: [
{
port: 80
protocolType: 'Http'
}
{
port: 443
protocolType: 'Https'
}
]
targetFqdns: []
fqdnTags: [
'AzureKubernetesService'
]
sourceAddresses: parSourceAddresses
}
]
name: 'AKS-egress-application'
priority: 102
}
]
}
}
module firewallAKSNetworkRuleCollectionGroup '../../azresources/Modules/Microsoft.Network/firewallPolicies/ruleCollectionGroups/az.net.rule.groups.bicep' = {
name: 'deploy-aks-networkruleGroup-${parDeploymentNameSuffix}'
scope: resourceGroup(parHubResourceGroupName)
params: {
name: '${parWorkloadSpoke.shortName}NetworkRuleCollectionGroup'
firewallPolicyName: parHubFirewallPolicyName
priority: 250
ruleCollections: [
{
ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
action: {
type: 'Allow'
}
rules: [
{
ruleType: 'NetworkRule'
name: 'NTP'
ipProtocols: [
'UDP'
]
sourceAddresses: parSourceAddresses
sourceIpGroups: []
destinationAddresses: [
'*'
]
destinationIpGroups: []
destinationFqdns: []
destinationPorts: [
'123'
]
}
]
name: 'AKS-egress'
priority: 100
}
]
}
}
module modAcrDeploy '../../overlays/management-services/containerRegistry/deploy.bicep' = {
name: 'deploy-aks-acr-${parLocation}-${parDeploymentNameSuffix}'
scope: subscription(parWorkloadSpoke.subscriptionId)
@ -445,6 +234,9 @@ module modAcrDeploy '../../overlays/management-services/containerRegistry/deploy
parTargetSubscriptionId: parWorkloadSpoke.subscriptionId
parTargetSubnetName: modTier3.outputs.subnetNames[0]
parTargetVNetName: modTier3.outputs.virtualNetworkName
parHubVirtualNetworkResourceId: parHubVirtualNetworkResourceId
parHubResourceGroupName: parHubResourceGroupName
parHubSubscriptionId: parHubSubscriptionId
}
dependsOn: [
modTier3
@ -452,7 +244,7 @@ module modAcrDeploy '../../overlays/management-services/containerRegistry/deploy
}
// Create a AKS Cluster
module modDeployAzureKS '../../overlays/management-services/kubernetesCluster/deploy.bicep' = {
module modDeployAzureKS '../../overlays/management-services/kubernetesPrivateCluster-Kubnet/deploy.bicep' = {
scope: subscription(parWorkloadSpoke.subscriptionId)
name: 'deploy-aks-${parLocation}-${parDeploymentNameSuffix}'
params: {
@ -465,7 +257,8 @@ module modDeployAzureKS '../../overlays/management-services/kubernetesCluster/de
parTargetVNetName: modTier3.outputs.virtualNetworkName
parTargetSubscriptionId: parWorkloadSpoke.subscriptionId
parHubVirtualNetworkResourceId: parHubVirtualNetworkResourceId
parLogAnalyticsWorkspaceResourceId: parLogAnalyticsWorkspaceResourceId
parHubResourceGroupName: parHubResourceGroupName
parHubSubscriptionId: parHubSubscriptionId
}
dependsOn: [
modTier3
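Review bot: The hunk at `@ -230,209 +222,6 @@` removes `firewallAKSAppRuleCollectionGroup` and `firewallAKSNetworkRuleCollectionGroup` — the Azure Firewall application rules for `*.azmk8s.io`, `mcr.microsoft.com`, the `AzureKubernetesService` FQDN tag and the UDP/123 NTP network rule — while the new cluster parameters in this change still set `aksClusterOutboundType: userDefinedRouting` with a `0.0.0.0/0` route to the `10.0.100.4` virtual appliance. With UDR egress and no allow rules on the hub firewall policy, node bootstrap and image pulls will be blocked unless those rules are now created elsewhere; if they are, a comment at the `//=== Azure Kubernetes Service Workload Buildout ===` marker naming that location would help, and if not, the rule groups should be retained together with `parHubFirewallPolicyName` and `parSourceAddresses`, which the first hunk also removes. The `modDeployAzureKS` module in the last hunk continues past this section.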


@ -6,14 +6,14 @@
"value": {
"orgPrefix": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "aks"
"deployEnvironment": "dev"
}
},
"parTags": {
"value": {
"organization": "anoa",
"templateVersion": "v1.0",
"deployEnvironment": "aks",
"deployEnvironment": "dev",
"deploymentType": "NoOpsBicep"
}
},
@ -38,13 +38,20 @@
"service": "Microsoft.Storage"
}
],
"subnets": [
{
"name": "app",
"addressPrefix": ""
}
],
"routes": []
"subnets": [],
"routeTable": {
"disableBgpRoutePropagation": false,
"routes": [
{
"name": "wl-routetable",
"properties": {
"addressPrefix": "0.0.0.0/0",
"nextHopIpAddress": "10.0.100.4",
"nextHopType": "VirtualAppliance"
}
}
]
}
}
}
},
@ -60,24 +67,12 @@
"parHubVirtualNetworkResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/anoa-eastus-dev-hub-rg/providers/Microsoft.Network/virtualNetworks/anoa-eastus-dev-hub-vnet"
},
"parHubFirewallPolicyName": {
"value": "anoa-eastus-dev-hub-afwp"
},
"parFirewallPrivateIPAddress": {
"value": "10.0.100.4"
},
"parLogAnalyticsWorkspaceResourceId": {
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/anoa-eastus-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-eastus-dev-logging-log"
},
"parLogAnalyticsWorkspaceName": {
"value": "anoa-eastus-dev-logging-log"
},
"parSourceAddresses": {
"value": [
"10.0.100.0/24",
"10.0.115.0/26"
]
},
"parContainerRegistry": {
"value": {
"name": "anoaeastusdevacr",
@ -88,45 +83,64 @@
"parKubernetesCluster": {
"value": {
"name": "Contoso",
"enableSystemAssignedIdentity": true,
"enableSystemAssignedIdentity": false,
"aksClusterKubernetesVersion": "1.24.3",
"enableResourceLock": true,
"enableRBAC": true,
"enablePrivateCluster": true,
"enableAzurePolicy": true,
"enableAadProfileEnableAzureRBAC": true,
"enableAadProfileManaged": true,
"aadProfileAdminGroupObjectIDs": [
"<<objectId>>"
],
"enableResourceLock": false,
"enablePodIdentity": false,
"aksClusterSkuTier": "Free",
"enableIngressApplicationGateway": false,
"primaryAgentPoolProfile": {
"name": "default",
"vmSize": "Standard_D4s_v3",
"osDiskSizeGB": 128,
"name": "systempool",
"vmSize": "Standard_DS2_v2",
"osDiskSizeGB": 30,
"osDiskType": "Managed",
"enableAutoScaling": true,
"count": 1,
"maxCount": 5,
"minCount": 1,
"maxPods": 50,
"count": 10,
"osType": "Linux",
"osSKU": "Ubuntu",
"type": "VirtualMachineScaleSets",
"mode": "System"
"mode": "System",
"availabilityZones": []
},
"networkProfile": {
"networkProfile": {
"aksClusterLoadBalancerSku": "standard",
"aksClusterNetworkPlugin": "azure",
"aksClusterNetworkPolicy": "azure",
"aksClusterServiceCidr": "10.1.0.0/16",
"aksClusterDnsServiceIP": "10.1.0.10",
"aksClusterDockerBridgeCidr": "170.10.0.1/16",
"aksClusterPodCidr": "10.244.0.0/16",
"aksClusterServiceCidr": "172.16.1.0/24",
"aksClusterDnsServiceIP": "172.16.1.10",
"aksClusterDockerBridgeCidr": "170.10.0.1/30",
"aksClusterOutboundType": "userDefinedRouting"
},
"apiServerAccessProfile": {
"enablePrivateCluster": true,
"enablePrivateClusterPublicFQDN": false
},
"aadProfile": {
"aadProfileTenantId": "<<TenantId>>",
"aadProfileAdminGroupObjectIDs": [
"<<GroupObjectID>>"
],
"enableAadProfileEnableAzureRBAC": true,
"enableAadProfileManaged": true
},
"addonProfiles": {
"omsagent": {
"enable": true,
"config": {
"logAnalyticsWorkspaceResourceID": "/subscriptions/<<subscriptionId>>/resourcegroups/anoa-eastus-dev-logging-rg/providers/microsoft.operationalinsights/workspaces/anoa-eastus-dev-logging-log"
}
},
"enableResourceLock": true,
"enableAzurePolicy": true,
"azureKeyvaultSecretsProvider": true
},
"servicePrincipalProfile": {
"clientId": "<<clientId>>",
"secret": "<<secret>>"
}
}
},
"parStorageAccountAccess": {
"parWorkloadStorageAccountAccess": {
"value": {
"enableRoleAssignmentForStorageAccount": false,
"principalIds": [