In an era where security is paramount, the Azure Kubernetes Service (AKS) has taken a significant leap forward with the introduction of Trusted Launch in its preview phase. This cool new feature is all about giving your AKS nodes – which are basically the backbone of your AKS clusters – a massive security boost, underpinned by Generation 2 virtual machines (VMs). Let’s dive into what makes Trusted Launch so special and how you can start using it.
Understanding Trusted Launch
Trusted Launch is not just a feature; it’s a comprehensive security framework composed of several coordinated infrastructure technologies, each designed to add an additional layer of defence against advanced threats. It empowers administrators with the capability to deploy AKS nodes, complete with verified and signed bootloaders, OS kernels, and drivers, ensuring the integrity of the entire boot chain.
Key Components of Trusted Launch
- Virtual TPM (vTPM): At the heart of Trusted Launch lies the virtualized version of a hardware Trusted Platform Module (TPM), compliant with the TPM 2.0 specification. This dedicated secure vault outside the reach of VMs provides a robust mechanism for attestation by measuring the entire boot chain. It enables remote attestation by the cloud, allowing for platform health checks and trust-based decisions.
- Secure Boot: Secure Boot acts as the foundation of Trusted Launch, ensuring that only signed operating systems and drivers can boot. It establishes a “root of trust” for your VM’s software stack, preventing the installation of malware-based rootkits and boot kits.
Important Limitations to Consider
While Trusted Launch brings a lot of exciting features to the table, there are a few limitations you should be aware of:
- Windows Server Woes: Unfortunately, cluster nodes running the Windows Server operating system aren’t supported yet.
- FIPS and ARM64: If your node pools are FIPS enabled or based on ARM64, Trusted Launch (preview) won’t be able to protect them just yet.
- Availability Sets vs. VM Scale Sets: Remember, Availability Sets are out of the game here; only Virtual Machine Scale Sets can join the Trusted Launch party.
- GPU Node Pools: Want Secure Boot with your GPU node pools? You’ll need to skip installing the GPU driver for now. For more details, it’s worth checking out the guidance on skipping GPU driver installation.
- Ephemeral OS Disks: Good news – ephemeral OS disks can get cozy with Trusted Launch across all regions. However, keep in mind not all virtual machine sizes are compatible. For the nitty-gritty on which sizes make the cut, take a look at the Trusted Launch ephemeral OS sizes info.
Getting Started with Trusted Launch
Before diving into the world of Trusted Launch, there are a few prerequisites:
- Ensure your Azure CLI is version 2.44.1 or later.
- Install the aks-preview Azure CLI extension version 1.0.0b6 or later.
- Register the TrustedLaunchPreview feature in your Azure subscription.
- Trusted Launch is supported on AKS version 1.25.2 and higher and only supports Azure Generation 2 VMs.
Installing the aks-preview Extension
Begin by installing the aks-preview extension with the following command:
az extension add --name aks-preview
And then, update to the latest version of the extension:
az extension update --name aks-preview
Registering the TrustedLaunchPreview Feature Flag
Register the TrustedLaunchPreview feature flag to get started:
az feature register --namespace "Microsoft.ContainerService" --name "TrustedLaunchPreview"
This command registers the feature flag with your Azure subscription. It can take a short while to finish.
Confirm that the registration is complete by running:
az feature show --namespace "Microsoft.ContainerService" --name "TrustedLaunchPreview"
Wait until the status shows ‘Registered’.
After registration, refresh the Microsoft.ContainerService resource provider using:
az provider register --namespace Microsoft.ContainerService
Now let’s look at the commands for Trusted Launch.
Deploying a New Cluster with Trusted Launch
Creating a new AKS cluster with Trusted Launch switched on is a breeze. Just use the az aks create command and flick the switches for Secure Boot and vTPM:
az aks create --name trustedLaunchCluster --resource-group rg-trustedlaunch --enable-secure-boot --enable-vtpm --enable-managed-identity --generate-ssh-keys
This command creates a cluster called trustedLaunchCluster in the resource group rg-trustedlaunch. Make sure you change these names to suit your needs.
Adding and Updating Node Pools
Want to add a new node pool with all this security goodness? Or maybe upgrade an existing one? No problem:
az aks nodepool add --resource-group rg-trustedlaunch --cluster-name trustedLaunchCluster --name mynodepool --node-count 3 --enable-vtpm --enable-secure-boot
This command creates a node pool called mynodepool on the cluster called trustedLaunchCluster in the resource group rg-trustedlaunch. Make sure you change these names to suit your needs.
Updating is just as easy, ensuring your nodes are wearing their security armor:
az aks nodepool update --cluster-name trustedLaunchCluster --resource-group rg-trustedlaunch --name mynodepool --enable-secure-boot --enable-vtpm
This command updates the node pool called mynodepool on the cluster called trustedLaunchCluster in the resource group rg-trustedlaunch. Make sure you change these names to suit your needs.
Conclusion
Trusted Launch is here to turn your AKS nodes into Fort Knox. It’s like giving them a security shield that blocks the bad stuff right from the get-go. With just a few steps, you can get this protection up and running, giving you peace of mind and keeping your AKS clusters safe and sound. Try it out and see how it takes your AKS security to the next level!