Azure Kubernetes Service (AKS) introduces Deployment Safeguards, a feature designed to enforce Kubernetes best practices through Azure Policy controls. This guide provides a step-by-step walkthrough on how to set up and leverage Deployment Safeguards for more secure and compliant Kubernetes deployments.
Understanding Deployment Safeguards
Deployment Safeguards are designed to enforce Kubernetes best practices through Azure Policy controls within your AKS cluster. This feature offers a dual-level configuration:
– Warning: Returns a warning message in the terminal for each non-compliant configuration, alerting you without blocking the request.
– Enforcement: Ensures only compliant configurations are deployed by denying any request that doesn’t meet the best practices.
Upon configuring Deployment Safeguards, they programmatically assess your clusters for compliance at creation or update time, providing aggregated compliance information across your workloads via Azure Policy’s compliance dashboard.
To fully leverage Deployment Safeguards, it’s crucial to understand the policies that govern this feature. Below is a table detailing each policy and the Kubernetes resource it targets.
| Deployment Safeguard Policy | Targeted Kubernetes Resource |
| --- | --- |
| [Preview]: Cannot Edit Individual Nodes | Node |
| Kubernetes cluster containers CPU and memory resource limits shouldn’t exceed specified limits | Pod |
| [Preview]: Must Have Anti Affinity Rules Set | Deployment, StatefulSet, ReplicationController, ReplicaSet |
| [Preview]: No AKS Specific Labels | Deployment, StatefulSet, ReplicaSet |
| Kubernetes cluster containers should only use allowed images | Pod |
| [Preview]: Reserved System Pool Taints | Node |
| Ensure cluster containers have readiness or liveness probes configured | Pod |
| Kubernetes clusters should use Container Storage Interface (CSI) driver StorageClass | StorageClass |
| [Preview]: Kubernetes cluster containers should only pull images when image pull secrets are present | Pod |
| [Preview]: Kubernetes cluster should implement accurate Pod Disruption Budgets | Deployment, ReplicaSet, StatefulSet |
| [Preview]: Kubernetes cluster services should use unique selectors | Service |
Refer to this table as you plan and execute your deployments to ensure they align with Azure’s best practices for security and efficiency.
Getting Ready: Prerequisites
Before we jump into the how-to, ensure you’ve got the following ready to go:
– Azure Policy Add-on for AKS: This needs to be enabled for Deployment Safeguards to work their magic.
– AKS-Preview Extension (v2.0.0b1 or later): This is crucial for accessing the latest and greatest features in AKS.
FAQs: Navigating Common Concerns
– Delayed Warnings and Enforcement: It may take up to 35 minutes for Azure Policy to sync with your cluster when enabled for the first time. Additionally, switching between Warning and Enforcement levels could take up to 15 minutes to take effect.
– Deployments Admitted Despite Non-compliance: Due to the fail-open model of Gatekeeper enforcement, there might be instances where deployments not following best practices are still admitted. This is designed to ensure that deployments are not unduly blocked due to validation skips.
How to Set Up Deployment Safeguards
Here’s your step-by-step guide to getting Deployment Safeguards up and running:
Step 1: Install the AKS-Preview CLI Extension
First things first, let’s get the necessary CLI extension installed and updated.
– To install:
az extension add --name aks-preview
– To update (making sure you’re on the latest version):
az extension update --name aks-preview
Step 2: Register for Deployment Safeguards Preview
Next up, you’ll need to register the SafeguardsPreview feature flag. This might take a few minutes to reflect as ‘Registered’.
– To register:
az feature register --namespace Microsoft.ContainerService --name SafeguardsPreview
– Check the registration status:
az feature show --namespace Microsoft.ContainerService --name SafeguardsPreview
Once registered, refresh your resource provider registration with:
az provider register --namespace Microsoft.ContainerService
Step 3: Enable Deployment Safeguards on Your AKS Cluster
With the setup out of the way, it’s time to enable Deployment Safeguards for your cluster.
– For a new cluster, specify the safeguards level upon creation:
az aks create --name aks-safeguards --resource-group rg-aks-safeguards --enable-addons azure-policy --safeguards-level Warning
– To update an existing cluster, simply set the safeguards level:
az aks update --name aks-safeguards --resource-group rg-aks-safeguards --safeguards-level Enforcement
Step 4: Excluding Namespaces (Optional)
Need some namespaces to fly under the radar? Exclude them from Deployment Safeguards like so:
az aks update --name aks-safeguards --resource-group rg-aks-safeguards --safeguards-level Warning --safeguards-excluded-ns ns1,ns2
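Steps 1 to 4 wired together as one script, with a polling loop for the SafeguardsPreview flag instead of re-running `az feature show` by hand. This is an added example and not the post’s own script; it assumes an authenticated Azure CLI and an existing resource group, and the resource group, cluster name and excluded namespaces are placeholders overridden through the environment.

```shell
#!/usr/bin/env sh
# Added example, not the post's own script: Steps 1 to 4 wired together,
# with a polling loop for the SafeguardsPreview flag. Assumes an
# authenticated az CLI and an existing resource group; the names below are
# placeholders, e.g. SAFEGUARDS_LEVEL=Enforcement ./setup-safeguards.sh run
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-aks-safeguards}"
CLUSTER_NAME="${CLUSTER_NAME:-aks-safeguards}"
SAFEGUARDS_LEVEL="${SAFEGUARDS_LEVEL:-Warning}"   # Warning or Enforcement
EXCLUDED_NS="${EXCLUDED_NS:-}"                    # comma-separated, e.g. "ns1,ns2"

# The CLI accepts exactly two levels; reject anything else before calling Azure.
validate_level() {
  case "$1" in
    Warning|Enforcement) return 0 ;;
    *) return 1 ;;
  esac
}

# Registration state of the preview flag as a single word (e.g. "Registered").
feature_state() {
  az feature show --namespace Microsoft.ContainerService --name SafeguardsPreview \
    --query properties.state -o tsv
}

# Poll feature_state up to $1 times, $2 seconds apart. 0 = Registered, 1 = timed out.
wait_for_registration() {
  attempts=$1; delay=$2; i=0
  while [ "$i" -lt "$attempts" ]; do
    if [ "$(feature_state)" = "Registered" ]; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# The safeguards flags for the chosen level, adding the namespace exclusion
# (Step 4) only when one was requested. Printed as one line of arguments.
safeguard_args() {
  level=$1; excluded=$2
  if [ -n "$excluded" ]; then
    printf '%s\n' "--safeguards-level $level --safeguards-excluded-ns $excluded"
  else
    printf '%s\n' "--safeguards-level $level"
  fi
}

main() {
  validate_level "$SAFEGUARDS_LEVEL" || { echo "SAFEGUARDS_LEVEL must be Warning or Enforcement" >&2; exit 1; }

  # Step 1: install the extension, or update it if it is already present.
  az extension add --name aks-preview 2>/dev/null || az extension update --name aks-preview

  # Step 2: register the flag and wait (up to 10 minutes) before refreshing
  # the resource provider.
  az feature register --namespace Microsoft.ContainerService --name SafeguardsPreview
  wait_for_registration 30 20 || { echo "SafeguardsPreview did not reach Registered" >&2; exit 1; }
  az provider register --namespace Microsoft.ContainerService

  # Steps 3 and 4: create the cluster with the Azure Policy add-on, or update
  # an existing one. Word splitting of safeguard_args output is intended.
  args=$(safeguard_args "$SAFEGUARDS_LEVEL" "$EXCLUDED_NS")
  if az aks show --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP" >/dev/null 2>&1; then
    # shellcheck disable=SC2086
    az aks update --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP" $args
  else
    # shellcheck disable=SC2086
    az aks create --name "$CLUSTER_NAME" --resource-group "$RESOURCE_GROUP" \
      --enable-addons azure-policy $args
  fi
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `./setup-safeguards.sh run`; the registration wait is bounded so a stuck preview flag fails the script rather than leaving you to notice later that the cluster was created without safeguards.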
Step 5: Verifying Compliance
After deploying your resources, verify your cluster’s compliance via your CLI, terminal, or the Azure Policy dashboard in the Azure portal. This will ensure your cluster is adhering to the best practices safeguarded by your new settings.
Once the policy sync has completed (allow about 35 minutes, as noted in the FAQ above), try a test using the command below:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  labels:
    kubernetes.azure.com/cluster: reserved-example
spec:
  containers:
  - name: my-container
    image: nginx
EOF
If you have enabled Deployment Safeguards at the Warning level you will receive a warning for each failed policy, but the object will still be deployed. If you chose Enforcement, the object would not have been deployed.
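The test pod above is deliberately non-compliant. The following added example, which is not part of the original post, places it beside a counterpart that satisfies the pod-targeted policies in the table (no AKS-specific label, an image pull secret, CPU and memory limits, readiness and liveness probes) and counts the `Warning:` lines kubectl prints for each failed policy at the Warning level. It assumes kubectl already targets the cluster; `acr-pull` is a placeholder secret name, the image must come from a registry the allowed-images policy permits, and the limits are assumed to be within the policy’s configured maximum.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: applies the Step 5 test pod and
# a compliant counterpart, and counts the "Warning:" lines kubectl prints for
# each failed policy at the Warning level. Assumes kubectl targets the
# cluster configured above; "acr-pull" is a placeholder secret name, and the
# image must come from a registry the allowed-images policy permits.
set -eu

# The post's test pod: an AKS-reserved label, no resource limits, no probes,
# no image pull secret.
NONCOMPLIANT_POD='apiVersion: v1
kind: Pod
metadata:
  name: my-pod
  labels:
    kubernetes.azure.com/cluster: reserved-example
spec:
  containers:
  - name: my-container
    image: nginx
'

# The same pod brought in line with the pod-targeted policies in the table:
# no AKS label, an image pull secret, CPU/memory limits (assumed to be within
# the policy's configured maximum), readiness and liveness probes.
COMPLIANT_POD='apiVersion: v1
kind: Pod
metadata:
  name: my-pod-compliant
spec:
  imagePullSecrets:
  - name: acr-pull
  containers:
  - name: my-container
    image: nginx
    resources:
      limits:
        cpu: 250m
        memory: 128Mi
    readinessProbe:
      httpGet:
        path: /
        port: 80
    livenessProbe:
      httpGet:
        path: /
        port: 80
'

# Apply a manifest (from $1) and print how many admission warnings came back.
# kubectl prints each one on its own line prefixed "Warning:", so counting
# those lines gives the number of policies the object failed.
count_warnings() {
  printf '%s' "$1" | kubectl apply -f - 2>&1 | grep -c '^Warning:' || true
}

# Apply both pods and report; at the Enforcement level the first apply is
# denied instead of warned about.
report() {
  echo "non-compliant pod: $(count_warnings "$NONCOMPLIANT_POD") warning(s)"
  echo "compliant pod:     $(count_warnings "$COMPLIANT_POD") warning(s)"
}

# Only act when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "run" ]; then
  report
fi
```

Run it as `./check-safeguards.sh run`. A non-zero count for the compliant pod usually means the allowed-images or resource-limit policy has been configured more tightly than the placeholder values assume, which is exactly what the Warning level is meant to surface before switching to Enforcement.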
Wrapping Up
Deployment Safeguards are your first line of defence against the common pitfalls of Kubernetes deployments. By implementing these steps, you’re not just deploying; you’re deploying with confidence. Remember, while warnings are helpful, enforcement ensures your deployments are not just compliant but consistent and secure.