Parent
71b205da24
Commit
0d9a3ea72d
@ -44,11 +44,19 @@
|
|||
},
|
||||
{
|
||||
"policyDefinitionIds": [
|
||||
"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d"
|
||||
"/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d",
|
||||
"/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7"
|
||||
],
|
||||
"reason": "Duplicate",
|
||||
"value": "Azure.AKS.AzurePolicyAddOn"
|
||||
},
|
||||
{
|
||||
"policyDefinitionIds": [
|
||||
"/providers/Microsoft.Authorization/policyDefinitions/5c345cdf-2049-47e0-b8fe-b0e96bc2df35"
|
||||
],
|
||||
"reason": "Duplicate",
|
||||
"value": "Azure.AKS.AutoUpgrade"
|
||||
},
|
||||
{
|
||||
"policyDefinitionIds": [
|
||||
"/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751"
|
||||
|
|
|
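Review bot: the entry that starts with `/providers/Microsoft.Authorization/policyDefinitions/4fa4b6c0-31ca-4c0d-b10d-24b96f62a751` is cut off by the hunk boundary, so its `reason` and `value` cannot be checked here; please confirm it maps to a rule that tests the same condition as the policy, because an ignore-list entry marked `Duplicate` suppresses the policy-derived rule entirely. Adding the `a8eff44f-8c92-45c3-a3fb-9880802d67a7` definition next to the existing audit definition under `Azure.AKS.AzurePolicyAddOn`, and the new `5c345cdf-2049-47e0-b8fe-b0e96bc2df35` entry under `Azure.AKS.AutoUpgrade`, line up with the policy sections added to those two rule pages in this commit.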
@ -42,9 +42,13 @@ What's changed since pre-release v1.35.0-B0030:
|
|||
[#2768](https://github.com/Azure/PSRule.Rules.Azure/issues/2768)
|
||||
- Fixed `Azure.AppService.PHPVersion` check fails when phpVersion is null.
|
||||
- Bumped rule set to `2024_03`.
|
||||
- Updated `Azure.AKS.Version` to use `1.27.9` as the minimum version by @BernieWhite.
|
||||
[#2771](https://github.com/Azure/PSRule.Rules.Azure/issues/2771)
|
||||
- General improvements:
|
||||
- Quality updates to rule documentation by @BernieWhite.
|
||||
[#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)
|
||||
- Additional policies added to default ignore list by @BernieWhite.
|
||||
[#1731](https://github.com/Azure/PSRule.Rules.Azure/issues/1731)
|
||||
- Bug fixes:
|
||||
- Fixed failed to expand JObject value with invalid key by @BernieWhite.
|
||||
[#2751](https://github.com/Azure/PSRule.Rules.Azure/issues/2751)
|
||||
|
|
|
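Review bot: the `Azure.AKS.Version` bump to `1.27.9` is the one user-visible behaviour change in this list, since any cluster on `1.27.7` or `1.27.8` that passed yesterday will fail after upgrading; consider saying so next to the `Bumped rule set to 2024_03` line so readers pinned to the default know why results changed. Separately, "Fixed failed to expand JObject value with invalid key" reads awkwardly; "Fixed expansion of JObject values with an invalid key" says the same thing.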
@ -1,8 +1,8 @@
|
|||
---
|
||||
reviewed: 2021/12/10
|
||||
reviewed: 2024-03-25
|
||||
severity: Important
|
||||
pillar: Operational Excellence
|
||||
category: Automation
|
||||
category: OE:09 Task automation
|
||||
resource: Azure Kubernetes Service
|
||||
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.AutoUpgrade/
|
||||
---
|
||||
|
@ -22,13 +22,13 @@ To configure auto-upgrades select a release channel instead of the default `none
|
|||
The following release channels are available:
|
||||
|
||||
- `none` - Disables auto-upgrades.
|
||||
The default setting.
|
||||
The default setting.
|
||||
- `patch` - Automatically upgrade to the latest supported patch version of the current minor version.
|
||||
- `stable` - Automatically upgrade to the latest supported patch release of the recommended minor version.
|
||||
This is N-1 of the current AKS non-preview minor version.
|
||||
This is N-1 of the current AKS non-preview minor version.
|
||||
- `rapid` - Automatically upgrade to the latest supported patch of the latest support minor version.
|
||||
- `node-image` - Automatically upgrade to the latest node image version.
|
||||
Normally upgraded weekly.
|
||||
Normally upgraded weekly.
|
||||
|
||||
## RECOMMENDATION
|
||||
|
||||
|
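Review bot: while reindenting this list, the `rapid` item still reads "latest support minor version"; it should be "latest supported minor version". It would also help to state, right under the list, that `stable` and `rapid` can move a cluster to a new minor version (by the definitions given here, `stable` tracks N-1 and moves as N moves), so workloads that depend on APIs removed in a newer Kubernetes minor can break on an automatic upgrade; `patch` is the conservative channel when the goal is only to pick up patch-level fixes.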
@ -189,10 +189,17 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
|
|||
az aks update -n '<name>' -g '<resource_group>' --auto-upgrade-channel 'stable'
|
||||
```
|
||||
|
||||
### Configure with Azure Policy
|
||||
|
||||
To address this issue at runtime use the following policies:
|
||||
|
||||
- [Azure Kubernetes Service Clusters should enable cluster auto-upgrade](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_Autoupgrade_Cluster_Audit.json)
|
||||
`/providers/Microsoft.Authorization/policyDefinitions/5c345cdf-2049-47e0-b8fe-b0e96bc2df35`
|
||||
|
||||
## LINKS
|
||||
|
||||
- [Automation overview](https://learn.microsoft.com/azure/architecture/framework/devops/automation-overview)
|
||||
- [Supported Kubernetes versions in Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/supported-kubernetes-versions)
|
||||
- [Support policies for Azure Kubernetes Service](https://docs.microsoft.com/azure/aks/support-policies)
|
||||
- [Set auto-upgrade channel](https://docs.microsoft.com/azure/aks/upgrade-cluster#set-auto-upgrade-channel)
|
||||
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters#ManagedClusterAutoUpgradeProfile)
|
||||
- [OE:09 Task automation](https://learn.microsoft.com/azure/well-architected/operational-excellence/automate-tasks)
|
||||
- [Supported Kubernetes versions in Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/supported-kubernetes-versions)
|
||||
- [Support policies for Azure Kubernetes Service](https://learn.microsoft.com/azure/aks/support-policies)
|
||||
- [Automatically upgrade an Azure Kubernetes Service (AKS) cluster](https://learn.microsoft.com/azure/aks/auto-upgrade-cluster)
|
||||
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
|
||||
|
|
|
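Review bot: the linked definition is the `_Audit` variant (`AKS_Autoupgrade_Cluster_Audit.json`), so it reports clusters without an upgrade channel but does not set one; "To address this issue at runtime" overstates what it does, so either word it as auditing or add a definition with a `Modify`/`DeployIfNotExists` effect if one exists. Also, the replacement "Azure deployment reference" link drops the `#ManagedClusterAutoUpgradeProfile` anchor the old link had; keeping the anchor lands the reader on the relevant property instead of the top of the resource reference.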
@ -1,7 +1,8 @@
|
|||
---
|
||||
reviewed: 2024-03-25
|
||||
severity: Important
|
||||
pillar: Security
|
||||
category: Optimize
|
||||
category: SE:08 Hardening resources
|
||||
resource: Azure Kubernetes Service
|
||||
online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.AKS.AzurePolicyAddOn/
|
||||
---
|
||||
|
@ -41,72 +42,93 @@ For example:
|
|||
|
||||
```json
|
||||
{
|
||||
"type": "Microsoft.ContainerService/managedClusters",
|
||||
"apiVersion": "2021-10-01",
|
||||
"name": "[parameters('clusterName')]",
|
||||
"location": "[parameters('location')]",
|
||||
"identity": {
|
||||
"type": "UserAssigned",
|
||||
"userAssignedIdentities": {
|
||||
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
|
||||
}
|
||||
"type": "Microsoft.ContainerService/managedClusters",
|
||||
"apiVersion": "2024-01-01",
|
||||
"name": "[parameters('name')]",
|
||||
"location": "[parameters('location')]",
|
||||
"identity": {
|
||||
"type": "UserAssigned",
|
||||
"userAssignedIdentities": {
|
||||
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
|
||||
}
|
||||
},
|
||||
"properties": {
|
||||
"kubernetesVersion": "[parameters('kubernetesVersion')]",
|
||||
"disableLocalAccounts": true,
|
||||
"enableRBAC": true,
|
||||
"dnsPrefix": "[parameters('dnsPrefix')]",
|
||||
"agentPoolProfiles": [
|
||||
{
|
||||
"name": "system",
|
||||
"osDiskSizeGB": 0,
|
||||
"minCount": 3,
|
||||
"maxCount": 5,
|
||||
"enableAutoScaling": true,
|
||||
"maxPods": 50,
|
||||
"vmSize": "Standard_D4s_v5",
|
||||
"type": "VirtualMachineScaleSets",
|
||||
"vnetSubnetID": "[parameters('clusterSubnetId')]",
|
||||
"mode": "System",
|
||||
"osDiskType": "Ephemeral"
|
||||
},
|
||||
{
|
||||
"name": "user",
|
||||
"osDiskSizeGB": 0,
|
||||
"minCount": 3,
|
||||
"maxCount": 20,
|
||||
"enableAutoScaling": true,
|
||||
"maxPods": 50,
|
||||
"vmSize": "Standard_D4s_v5",
|
||||
"type": "VirtualMachineScaleSets",
|
||||
"vnetSubnetID": "[parameters('clusterSubnetId')]",
|
||||
"mode": "User",
|
||||
"osDiskType": "Ephemeral"
|
||||
}
|
||||
],
|
||||
"aadProfile": {
|
||||
"managed": true,
|
||||
"enableAzureRBAC": true,
|
||||
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
|
||||
"tenantID": "[subscription().tenantId]"
|
||||
},
|
||||
"properties": {
|
||||
"kubernetesVersion": "[parameters('kubernetesVersion')]",
|
||||
"enableRBAC": true,
|
||||
"dnsPrefix": "[parameters('dnsPrefix')]",
|
||||
"agentPoolProfiles": "[variables('allPools')]",
|
||||
"aadProfile": {
|
||||
"managed": true,
|
||||
"enableAzureRBAC": true,
|
||||
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
|
||||
"tenantID": "[subscription().tenantId]"
|
||||
},
|
||||
"networkProfile": {
|
||||
"networkPlugin": "azure",
|
||||
"networkPolicy": "azure",
|
||||
"loadBalancerSku": "standard",
|
||||
"serviceCidr": "[variables('serviceCidr')]",
|
||||
"dnsServiceIP": "[variables('dnsServiceIP')]",
|
||||
"dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
|
||||
},
|
||||
"autoUpgradeProfile": {
|
||||
"upgradeChannel": "stable"
|
||||
},
|
||||
"addonProfiles": {
|
||||
"httpApplicationRouting": {
|
||||
"enabled": false
|
||||
},
|
||||
"azurepolicy": {
|
||||
"enabled": true,
|
||||
"config": {
|
||||
"version": "v2"
|
||||
}
|
||||
},
|
||||
"omsagent": {
|
||||
"enabled": true,
|
||||
"config": {
|
||||
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
|
||||
}
|
||||
},
|
||||
"kubeDashboard": {
|
||||
"enabled": false
|
||||
},
|
||||
"azureKeyvaultSecretsProvider": {
|
||||
"enabled": true,
|
||||
"config": {
|
||||
"enableSecretRotation": "true"
|
||||
}
|
||||
}
|
||||
},
|
||||
"podIdentityProfile": {
|
||||
"enabled": true
|
||||
}
|
||||
"networkProfile": {
|
||||
"networkPlugin": "azure",
|
||||
"networkPolicy": "azure",
|
||||
"loadBalancerSku": "standard",
|
||||
"serviceCidr": "[variables('serviceCidr')]",
|
||||
"dnsServiceIP": "[variables('dnsServiceIP')]"
|
||||
},
|
||||
"tags": "[parameters('tags')]",
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
|
||||
]
|
||||
"apiServerAccessProfile": {
|
||||
"enablePrivateCluster": true,
|
||||
"enablePrivateClusterPublicFQDN": false
|
||||
},
|
||||
"autoUpgradeProfile": {
|
||||
"upgradeChannel": "stable"
|
||||
},
|
||||
"oidcIssuerProfile": {
|
||||
"enabled": true
|
||||
},
|
||||
"addonProfiles": {
|
||||
"azurepolicy": {
|
||||
"enabled": true
|
||||
},
|
||||
"omsagent": {
|
||||
"enabled": true,
|
||||
"config": {
|
||||
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
|
||||
}
|
||||
},
|
||||
"azureKeyvaultSecretsProvider": {
|
||||
"enabled": true,
|
||||
"config": {
|
||||
"enableSecretRotation": "true"
|
||||
}
|
||||
}
|
||||
}
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
|
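Review bot: the new example changes far more than the property this rule checks (`addonProfiles.azurepolicy.enabled`): it adds `disableLocalAccounts`, a private API server with `enablePrivateClusterPublicFQDN: false`, and `oidcIssuerProfile`. That is a sound baseline, but a reader copying it for the add-on alone now gets an API server that is not reachable over public DNS, so a sentence above the block naming the line the rule actually needs would help. Dropping `podIdentityProfile`, `kubeDashboard`, `httpApplicationRouting` and `dockerBridgeCidr` is correct; those are retired. Leaving `"enableSecretRotation": "true"` as a string is also right, since add-on `config` values are strings.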
@ -119,9 +141,9 @@ To deploy AKS clusters that pass this rule:
|
|||
For example:
|
||||
|
||||
```bicep
|
||||
resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
|
||||
resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
|
||||
location: location
|
||||
name: clusterName
|
||||
name: name
|
||||
identity: {
|
||||
type: 'UserAssigned'
|
||||
userAssignedIdentities: {
|
||||
|
@ -130,9 +152,37 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
|
|||
}
|
||||
properties: {
|
||||
kubernetesVersion: kubernetesVersion
|
||||
disableLocalAccounts: true
|
||||
enableRBAC: true
|
||||
dnsPrefix: dnsPrefix
|
||||
agentPoolProfiles: allPools
|
||||
agentPoolProfiles: [
|
||||
{
|
||||
name: 'system'
|
||||
osDiskSizeGB: 0
|
||||
minCount: 3
|
||||
maxCount: 5
|
||||
enableAutoScaling: true
|
||||
maxPods: 50
|
||||
vmSize: 'Standard_D4s_v5'
|
||||
type: 'VirtualMachineScaleSets'
|
||||
vnetSubnetID: clusterSubnetId
|
||||
mode: 'System'
|
||||
osDiskType: 'Ephemeral'
|
||||
}
|
||||
{
|
||||
name: 'user'
|
||||
osDiskSizeGB: 0
|
||||
minCount: 3
|
||||
maxCount: 20
|
||||
enableAutoScaling: true
|
||||
maxPods: 50
|
||||
vmSize: 'Standard_D4s_v5'
|
||||
type: 'VirtualMachineScaleSets'
|
||||
vnetSubnetID: clusterSubnetId
|
||||
mode: 'User'
|
||||
osDiskType: 'Ephemeral'
|
||||
}
|
||||
]
|
||||
aadProfile: {
|
||||
managed: true
|
||||
enableAzureRBAC: true
|
||||
|
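Review bot: `disableLocalAccounts: true` is only accepted when AKS-managed Microsoft Entra integration is on, which this example does set through `aadProfile.managed: true` a few lines later; worth a brief mention in the prose, because a reader who copies only `disableLocalAccounts` without the `aadProfile` block will have the deployment rejected or, on a cluster that already has it, lose the admin kubeconfig path they were relying on. The two inlined pools both use `osDiskSizeGB: 0`, which means "use the default size"; a short comment on that would stop readers from thinking it is a literal zero-size disk.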
@ -145,20 +195,20 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
|
|||
loadBalancerSku: 'standard'
|
||||
serviceCidr: serviceCidr
|
||||
dnsServiceIP: dnsServiceIP
|
||||
dockerBridgeCidr: dockerBridgeCidr
|
||||
}
|
||||
apiServerAccessProfile: {
|
||||
enablePrivateCluster: true
|
||||
enablePrivateClusterPublicFQDN: false
|
||||
}
|
||||
autoUpgradeProfile: {
|
||||
upgradeChannel: 'stable'
|
||||
}
|
||||
oidcIssuerProfile: {
|
||||
enabled: true
|
||||
}
|
||||
addonProfiles: {
|
||||
httpApplicationRouting: {
|
||||
enabled: false
|
||||
}
|
||||
azurepolicy: {
|
||||
enabled: true
|
||||
config: {
|
||||
version: 'v2'
|
||||
}
|
||||
}
|
||||
omsagent: {
|
||||
enabled: true
|
||||
|
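Review bot: `oidcIssuerProfile.enabled: true` on its own only publishes the cluster's OIDC discovery document; if the intent is to replace the `podIdentityProfile` that this commit removes, the example should also set `securityProfile: { workloadIdentity: { enabled: true } }`, otherwise the federated-credential flow has nothing to project tokens. Removing `dockerBridgeCidr` and the `version: 'v2'` config under `azurepolicy` is fine, since the former is ignored on containerd nodes and v2 is the only add-on version now offered.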
@ -166,9 +216,6 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
|
|||
logAnalyticsWorkspaceResourceID: workspaceId
|
||||
}
|
||||
}
|
||||
kubeDashboard: {
|
||||
enabled: false
|
||||
}
|
||||
azureKeyvaultSecretsProvider: {
|
||||
enabled: true
|
||||
config: {
|
||||
|
@ -176,14 +223,19 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2021-10-01' = {
|
|||
}
|
||||
}
|
||||
}
|
||||
podIdentityProfile: {
|
||||
enabled: true
|
||||
}
|
||||
}
|
||||
tags: tags
|
||||
}
|
||||
```
|
||||
|
||||
### Configure with Azure Policy
|
||||
|
||||
To address this issue at runtime use the following policies:
|
||||
|
||||
- [Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json)
|
||||
`/providers/Microsoft.Authorization/policyDefinitions/0a15ec92-a229-4763-bb14-0ea34a568f8d`
|
||||
- [Deploy Azure Policy Add-on to Azure Kubernetes Service clusters](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_DINE.json)
|
||||
`/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7`
|
||||
|
||||
## NOTES
|
||||
|
||||
Azure Policy for AKS clusters is generally available (GA).
|
||||
|
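Review bot: the `a8eff44f-8c92-45c3-a3fb-9880802d67a7` definition is the DeployIfNotExists variant (`AKS_AzurePolicyAddOn_DINE.json`), so unlike the audit definition beside it the assignment needs a managed identity with rights to update clusters, and clusters that already exist only get the add-on once a remediation task runs; a one-line caveat here would stop readers assuming that assigning the policy is enough. Removing `podIdentityProfile` from the example is right; AAD pod identity is deprecated in favour of workload identity.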
@ -191,7 +243,7 @@ Azure Policy for AKS Engine and Arc enabled Kubernetes are currently in preview.
|
|||
|
||||
## LINKS
|
||||
|
||||
- [Governance, risk, and compliance](https://learn.microsoft.com/azure/architecture/framework/security/governance#audit-and-enforce-policy-compliance)
|
||||
- [Understand Azure Policy for Kubernetes clusters](https://docs.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes)
|
||||
- [Secure your cluster with Azure Policy](https://docs.microsoft.com/azure/aks/use-azure-policy)
|
||||
- [Azure deployment reference](https://docs.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
|
||||
- [SE:08 Hardening resources](https://learn.microsoft.com/azure/well-architected/security/harden-resources)
|
||||
- [Understand Azure Policy for Kubernetes clusters](https://learn.microsoft.com/azure/governance/policy/concepts/policy-for-kubernetes)
|
||||
- [Secure your Azure Kubernetes Service (AKS) clusters with Azure Policy](https://learn.microsoft.com/azure/aks/use-azure-policy)
|
||||
- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.containerservice/managedclusters)
|
||||
|
|
|
@ -232,9 +232,8 @@ az aks update -n '<name>' -g '<resource_group>' --enable-aad --aad-admin-group-o
|
|||
|
||||
To address this issue at runtime use the following policies:
|
||||
|
||||
```text
|
||||
/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32
|
||||
```
|
||||
- [Azure Kubernetes Service Clusters should have local authentication methods disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_DisableLocalAccounts_Deny.json)
|
||||
`/providers/Microsoft.Authorization/policyDefinitions/993c2fcd-2b29-49d2-9eb0-df2c3a730c32`
|
||||
|
||||
## LINKS
|
||||
|
||||
|
|
|
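Review bot: replacing the bare `text` fence with a linked definition matches the format used on the other rule pages in this commit. Note the linked file is the `_Deny` variant, so this one blocks a non-compliant cluster at deployment time rather than only auditing it, which is the one case where the standard "address this issue at runtime" wording is accurate as written.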
@ -1,5 +1,5 @@
|
|||
---
|
||||
reviewed: 2024-02-17
|
||||
reviewed: 2024-03-25
|
||||
severity: Important
|
||||
pillar: Reliability
|
||||
category: RE:04 Target metrics
|
||||
|
@ -67,7 +67,7 @@ For example:
|
|||
}
|
||||
},
|
||||
"properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"enableRBAC": true,
|
||||
"dnsPrefix": "[parameters('dnsPrefix')]",
|
||||
"agentPoolProfiles": "[variables('allPools')]",
|
||||
|
@ -145,7 +145,7 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2023-07-01' = {
|
|||
}
|
||||
}
|
||||
properties: {
|
||||
kubernetesVersion: '1.27.7'
|
||||
kubernetesVersion: '1.27.9'
|
||||
enableRBAC: true
|
||||
dnsPrefix: dnsPrefix
|
||||
agentPoolProfiles: allPools
|
||||
|
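Review bot: the Bicep example on this page still targets `Microsoft.ContainerService/managedClusters@2023-07-01` (see the hunk header), while the other rule pages and the templates in this commit move to `2024-01-01`; bump it here as well so the examples stay consistent and the `kubernetesVersion: '1.27.9'` change is not the only edit to an otherwise dated block.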
@ -207,13 +207,13 @@ az aks update -n '<name>' -g '<resource_group>' --auto-upgrade-channel 'stable'
|
|||
```
|
||||
|
||||
```bash
|
||||
az aks upgrade -n '<name>' -g '<resource_group>' --kubernetes-version '1.27.7'
|
||||
az aks upgrade -n '<name>' -g '<resource_group>' --kubernetes-version '1.27.9'
|
||||
```
|
||||
|
||||
### Configure with Azure PowerShell
|
||||
|
||||
```powershell
|
||||
Set-AzAksCluster -Name '<name>' -ResourceGroupName '<resource_group>' -KubernetesVersion '1.27.7'
|
||||
Set-AzAksCluster -Name '<name>' -ResourceGroupName '<resource_group>' -KubernetesVersion '1.27.9'
|
||||
```
|
||||
|
||||
## NOTES
|
||||
|
|
|
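Review bot: `az aks upgrade ... --kubernetes-version '1.27.9'` without `--control-plane-only` upgrades every node pool as well as the control plane; that is usually what you want for a minimum-version rule, but it should be said next to the command since it drains nodes. A pinned patch also goes stale with each monthly AKS release, so the surrounding text could state that `1.27.9` is the current minimum and that readers should pass the latest available patch of their chosen minor.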
@ -46,7 +46,7 @@ param systemPoolMin int
|
|||
param systemPoolMax int = 3
|
||||
|
||||
@description('The version of Kubernetes.')
|
||||
param kubernetesVersion string = '1.26.6'
|
||||
param kubernetesVersion string = '1.27.9'
|
||||
|
||||
@description('Maximum number of pods that can run on nodes in the system pool.')
|
||||
@minValue(30)
|
||||
|
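Review bot: the default jumps from `1.26.6` to `1.27.9`. AKS does not allow skipping minor versions on upgrade, so redeploying this template with the new default against an existing cluster on 1.25 or earlier is rejected, while a 1.26 cluster is upgraded in place; fine for a sample, but a comment on the parameter would save someone a failed deployment.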
@ -104,22 +104,24 @@ var systemPools = [
|
|||
scaleSetPriority: 'Regular'
|
||||
}
|
||||
]
|
||||
var userPools = [for i in range(0, length(pools)): {
|
||||
name: pools[i].name
|
||||
osDiskSizeGB: osDiskSizeGB
|
||||
count: pools[i].minCount
|
||||
minCount: pools[i].minCount
|
||||
maxCount: pools[i].maxCount
|
||||
enableAutoScaling: true
|
||||
maxPods: pools[i].maxPods
|
||||
vmSize: pools[i].vmSize
|
||||
osType: pools[i].osType
|
||||
type: 'VirtualMachineScaleSets'
|
||||
vnetSubnetID: clusterSubnetId
|
||||
mode: 'User'
|
||||
osDiskType: 'Ephemeral'
|
||||
scaleSetPriority: pools[i].priority
|
||||
}]
|
||||
var userPools = [
|
||||
for i in range(0, length(pools)): {
|
||||
name: pools[i].name
|
||||
osDiskSizeGB: osDiskSizeGB
|
||||
count: pools[i].minCount
|
||||
minCount: pools[i].minCount
|
||||
maxCount: pools[i].maxCount
|
||||
enableAutoScaling: true
|
||||
maxPods: pools[i].maxPods
|
||||
vmSize: pools[i].vmSize
|
||||
osType: pools[i].osType
|
||||
type: 'VirtualMachineScaleSets'
|
||||
vnetSubnetID: clusterSubnetId
|
||||
mode: 'User'
|
||||
osDiskType: 'Ephemeral'
|
||||
scaleSetPriority: pools[i].priority
|
||||
}
|
||||
]
|
||||
|
||||
// Define resources
|
||||
|
||||
|
@ -130,7 +132,7 @@ resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31'
|
|||
}
|
||||
|
||||
// An example AKS cluster
|
||||
resource cluster 'Microsoft.ContainerService/managedClusters@2023-11-01' = {
|
||||
resource cluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
|
||||
location: location
|
||||
name: name
|
||||
identity: {
|
||||
|
@ -190,7 +192,7 @@ resource cluster 'Microsoft.ContainerService/managedClusters@2023-11-01' = {
|
|||
}
|
||||
|
||||
// An example AKS cluster with pools defined.
|
||||
resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01' = {
|
||||
resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
|
||||
location: location
|
||||
name: name
|
||||
identity: {
|
||||
|
@ -277,7 +279,7 @@ resource clusterWithPools 'Microsoft.ContainerService/managedClusters@2023-11-01
|
|||
}
|
||||
|
||||
// An example private AKS cluster with pools defined.
|
||||
resource privateCluster 'Microsoft.ContainerService/managedClusters@2023-11-01' = {
|
||||
resource privateCluster 'Microsoft.ContainerService/managedClusters@2024-01-01' = {
|
||||
location: location
|
||||
name: name
|
||||
identity: {
|
||||
|
|
|
@ -4,8 +4,8 @@
|
|||
"metadata": {
|
||||
"_generator": {
|
||||
"name": "bicep",
|
||||
"version": "0.25.3.34343",
|
||||
"templateHash": "15286438717534282301"
|
||||
"version": "0.26.54.24096",
|
||||
"templateHash": "2536331348365960823"
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
|
@ -73,7 +73,7 @@
|
|||
},
|
||||
"kubernetesVersion": {
|
||||
"type": "string",
|
||||
"defaultValue": "1.26.6",
|
||||
"defaultValue": "1.27.9",
|
||||
"metadata": {
|
||||
"description": "The version of Kubernetes."
|
||||
}
|
||||
|
@ -178,7 +178,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.ContainerService/managedClusters",
|
||||
"apiVersion": "2023-11-01",
|
||||
"apiVersion": "2024-01-01",
|
||||
"name": "[parameters('name')]",
|
||||
"location": "[parameters('location')]",
|
||||
"identity": {
|
||||
|
@ -241,7 +241,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.ContainerService/managedClusters",
|
||||
"apiVersion": "2023-11-01",
|
||||
"apiVersion": "2024-01-01",
|
||||
"name": "[parameters('name')]",
|
||||
"location": "[parameters('location')]",
|
||||
"identity": {
|
||||
|
@ -331,7 +331,7 @@
|
|||
},
|
||||
{
|
||||
"type": "Microsoft.ContainerService/managedClusters",
|
||||
"apiVersion": "2023-11-01",
|
||||
"apiVersion": "2024-01-01",
|
||||
"name": "[parameters('name')]",
|
||||
"location": "[parameters('location')]",
|
||||
"identity": {
|
||||
|
|
|
@ -32,8 +32,8 @@ Use comments to add context.
|
|||
|
||||
```yaml
|
||||
requires:
|
||||
# Require a minimum of PSRule for Azure v1.30.0
|
||||
PSRule.Rules.Azure: '>=1.30.0'
|
||||
# Require a minimum of PSRule for Azure v1.34.2
|
||||
PSRule.Rules.Azure: '>=1.34.2'
|
||||
|
||||
configuration:
|
||||
# Enable expansion of Azure Template files.
|
||||
|
@ -52,7 +52,7 @@ Use comments to add context.
|
|||
AZURE_BICEP_MINIMUM_VERSION: '0.16.2'
|
||||
|
||||
# Configure the minimum AKS cluster version.
|
||||
AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.7'
|
||||
AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.9'
|
||||
|
||||
rule:
|
||||
# Enable custom rules that don't exist in the baseline
|
||||
|
|
|
@ -66,7 +66,7 @@ Default:
|
|||
```yaml title="ps-rule.yaml"
|
||||
# YAML: The default AZURE_AKS_CLUSTER_MINIMUM_VERSION configuration option
|
||||
configuration:
|
||||
AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.7
|
||||
AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.9
|
||||
```
|
||||
|
||||
Example:
|
||||
|
|
|
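Review bot: `AZURE_AKS_CLUSTER_MINIMUM_VERSION: 1.27.9` is unquoted here but quoted (`'1.27.9'`) in the other examples in this commit. YAML happens to read a three-part version as a string, but a two-part value such as `1.28` parses as a float, so quoting consistently is safer and avoids a surprising comparison if someone shortens the value.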
@ -40,7 +40,7 @@ spec:
|
|||
AZURE_BICEP_CHECK_TOOL: false
|
||||
|
||||
# Configure minimum AKS cluster version.
|
||||
AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.7'
|
||||
AZURE_AKS_CLUSTER_MINIMUM_VERSION: '1.27.9'
|
||||
|
||||
# Configures the minimum number of nodes across all system node pools.
|
||||
AZURE_AKS_CLUSTER_MINIMUM_SYSTEM_NODES: 3
|
||||
|
|
|
@ -81,7 +81,7 @@ Describe 'Azure.AKS' -Tag AKS {
|
|||
$ruleResult.TargetName | Should -BeIn 'cluster-B';
|
||||
|
||||
$ruleResult[0].Reason | Should -Not -BeNullOrEmpty;
|
||||
$ruleResult[0].Reason | Should -BeExactly "Path Properties.kubernetesVersion: The version '1.13.8' does not match the constraint '>=1.27.7'.";
|
||||
$ruleResult[0].Reason | Should -BeExactly "Path Properties.kubernetesVersion: The version '1.13.8' does not match the constraint '>=1.27.9'.";
|
||||
|
||||
# Pass
|
||||
$ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
|
||||
|
|
|
@ -50,7 +50,7 @@
|
|||
"type": "SystemAssigned"
|
||||
},
|
||||
"properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "[concat('dns-', parameters('clusterName'))]",
|
||||
"agentPoolProfiles": [
|
||||
{
|
||||
|
@ -210,7 +210,7 @@
|
|||
"type": "SystemAssigned"
|
||||
},
|
||||
"properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "[concat('dns-', parameters('clusterName'))]",
|
||||
"agentPoolProfiles": [
|
||||
{
|
||||
|
@ -395,7 +395,7 @@
|
|||
"vnetSubnetID": "[concat(parameters('vnetId'), '/subnets/subnet-03')]",
|
||||
"maxPods": 50,
|
||||
"type": "VirtualMachineScaleSets",
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"osType": "Linux",
|
||||
"enableAutoScaling": false
|
||||
}
|
||||
|
@ -427,7 +427,7 @@
|
|||
"type": "SystemAssigned"
|
||||
},
|
||||
"properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "[concat('dns-', parameters('clusterName'))]",
|
||||
"agentPoolProfiles": [
|
||||
{
|
||||
|
@ -628,7 +628,7 @@
|
|||
"type": "SystemAssigned"
|
||||
},
|
||||
"properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "[concat('dns-', parameters('clusterName5'))]",
|
||||
"agentPoolProfiles": [
|
||||
{
|
||||
|
@ -831,7 +831,7 @@
|
|||
"type": "SystemAssigned"
|
||||
},
|
||||
"properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "[concat('dns-', parameters('clusterName6'))]",
|
||||
"agentPoolProfiles": [
|
||||
{
|
||||
|
|
|
@ -6,7 +6,7 @@
|
|||
"ResourceName": "cluster-A",
|
||||
"Name": "cluster-A",
|
||||
"Properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-A",
|
||||
"fqdn": "cluster-A-00000000.nnn.region.azmk8s.io",
|
||||
"agentPoolProfiles": [
|
||||
|
@ -18,7 +18,7 @@
|
|||
"vnetSubnetID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/subnet-A",
|
||||
"maxPods": 30,
|
||||
"type": "AvailabilitySet",
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"osType": "Linux",
|
||||
"enableAutoScaling": false,
|
||||
"availabilityZones": null
|
||||
|
@ -172,7 +172,7 @@
|
|||
"ParentResource": null,
|
||||
"Properties": {
|
||||
"provisioningState": "Succeeded",
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-C",
|
||||
"fqdn": "cluster-C-00000000.nnn.region.azmk8s.io",
|
||||
"agentPoolProfiles": [
|
||||
|
@ -186,7 +186,7 @@
|
|||
"maxPods": 50,
|
||||
"type": "VirtualMachineScaleSets",
|
||||
"provisioningState": "Succeeded",
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"osType": "Linux",
|
||||
"enableAutoScaling": false
|
||||
}
|
||||
|
@ -300,7 +300,7 @@
|
|||
"Plan": null,
|
||||
"Properties": {
|
||||
"provisioningState": "Succeeded",
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-D",
|
||||
"fqdn": "cluster-D-nnnnnnnn.hcp.region.azmk8s.io",
|
||||
"agentPoolProfiles": [
|
||||
|
@ -313,7 +313,7 @@
|
|||
"maxPods": 50,
|
||||
"type": "VirtualMachineScaleSets",
|
||||
"provisioningState": "Succeeded",
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"nodeLabels": {},
|
||||
"mode": "System",
|
||||
"osType": "Linux",
|
||||
|
@ -495,7 +495,7 @@
|
|||
"powerState": {
|
||||
"code": "Running"
|
||||
},
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"nodeLabels": {},
|
||||
"mode": "System",
|
||||
"osType": "Linux",
|
||||
|
@ -565,7 +565,7 @@
|
|||
"powerState": {
|
||||
"code": "Running"
|
||||
},
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-F",
|
||||
"fqdn": "cluster-F-00000000.hcp.region.azmk8s.io",
|
||||
"azurePortalFQDN": "cluster-F-00000000.portal.hcp.region.azmk8s.io",
|
||||
|
@ -586,7 +586,7 @@
|
|||
"powerState": {
|
||||
"code": "Running"
|
||||
},
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"nodeLabels": {},
|
||||
"mode": "System",
|
||||
"osType": "Linux",
|
||||
|
@ -793,7 +793,7 @@
|
|||
"ResourceName": "cluster-G",
|
||||
"Name": "cluster-G",
|
||||
"Properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-G",
|
||||
"fqdn": "cluster-G-00000000.nnn.region.azmk8s.io",
|
||||
"agentPoolProfiles": [
|
||||
|
@ -805,7 +805,7 @@
|
|||
"vnetSubnetID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/subnet-A",
|
||||
"maxPods": 30,
|
||||
"type": "VirtualMachineScaleSets",
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"osType": "Linux",
|
||||
"enableAutoScaling": false,
|
||||
"availabilityZones": null
|
||||
|
@ -968,7 +968,7 @@
|
|||
"ResourceName": "cluster-H",
|
||||
"Name": "cluster-H",
|
||||
"Properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-H",
|
||||
"fqdn": "cluster-H-00000000.nnn.region.azmk8s.io",
|
||||
"agentPoolProfiles": [
|
||||
|
@ -980,7 +980,7 @@
|
|||
"vnetSubnetID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/subnet-A",
|
||||
"maxPods": 30,
|
||||
"type": "VirtualMachineScaleSets",
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"osType": "Linux",
|
||||
"enableAutoScaling": false,
|
||||
"availabilityZones": []
|
||||
|
@ -1147,7 +1147,7 @@
|
|||
"ResourceName": "cluster-I",
|
||||
"Name": "cluster-I",
|
||||
"Properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-I",
|
||||
"fqdn": "cluster-I-00000000.nnn.region.azmk8s.io",
|
||||
"agentPoolProfiles": [
|
||||
|
@ -1165,7 +1165,7 @@
|
|||
"powerState": {
|
||||
"code": "Running"
|
||||
},
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"mode": "System",
|
||||
"osType": "Linux",
|
||||
"osSKU": "Ubuntu",
|
||||
|
@ -1188,7 +1188,7 @@
|
|||
"powerState": {
|
||||
"code": "Running"
|
||||
},
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"mode": "User",
|
||||
"osType": "Linux",
|
||||
"osSKU": "Ubuntu",
|
||||
|
@ -1357,7 +1357,7 @@
|
|||
"ResourceName": "cluster-J",
|
||||
"Name": "cluster-J",
|
||||
"Properties": {
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-J",
|
||||
"fqdn": "cluster-J-00000000.nnn.region.azmk8s.io",
|
||||
"agentPoolProfiles": [
|
||||
|
@ -1369,7 +1369,7 @@
|
|||
"vnetSubnetID": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/vnet-A/subnets/subnet-A",
|
||||
"maxPods": 30,
|
||||
"type": "VirtualMachineScaleSets",
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"osType": "Linux",
|
||||
"enableAutoScaling": false,
|
||||
"availabilityZones": null
|
||||
|
@ -1542,7 +1542,7 @@
|
|||
"powerState": {
|
||||
"code": "Running"
|
||||
},
|
||||
"kubernetesVersion": "1.27.7",
|
||||
"kubernetesVersion": "1.27.9",
|
||||
"dnsPrefix": "cluster-K",
|
||||
"fqdn": "cluster-K-00000000.hcp.eastus.azmk8s.io",
|
||||
"azurePortalFQDN": "cluster-K-00000000.portal.hcp.eastus.azmk8s.io",
|
||||
|
@ -1563,7 +1563,7 @@
|
|||
"powerState": {
|
||||
"code": "Running"
|
||||
},
|
||||
"orchestratorVersion": "1.27.7",
|
||||
"orchestratorVersion": "1.27.9",
|
||||
"mode": "System",
|
||||
"osType": "Linux",
|
||||
"osSKU": "Ubuntu",
|
||||
|
|