Azure Arc for Hybrid Cloud Management.
In my last blog post I wrote about Azure Arc enabled Kubernetes and Container Insights with Alerting and Actions.
In the following steps I install some containers (Pods) on my Azure Arc enabled Kubernetes cluster so that I have some data to work with in my MVP LAB. I did that with Microsoft Visual Studio Code and predefined Helm charts. Install VS Code and the Kubernetes extension; more information here.
In the following steps we install Dapr and Redis on the Azure Arc enabled Kubernetes cluster.
Open your Kubernetes cluster in the VS Code Kubernetes extension.
Click then on Helm Repos.
There you see the Dapr repo.
Right-click on version 1.6.0.
Click on Install.
Dapr is now installed with the Helm chart's default settings on the Azure Arc enabled Kubernetes cluster.
Type in PowerShell:
dapr status -k
You will see the running Dapr control-plane pods.
The Dapr Dashboard is running too.
Important: this is a test environment, and the dashboard is served over plain HTTP.
For production you have to secure it!
The Dapr security guidance, the Azure Arc services and Azure Defender for Containers will help you with that.
Install Redis in the same way.
kubectl get pods
You will see the running Dapr and Redis pods.
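The same install done from PowerShell with Helm instead of the VS Code extension, but with the settings the default install leaves open, as an added example that is not part of the original post. Assumed: helm, kubectl and the dapr CLI are on the PATH and kubectl's current context is the Azure Arc enabled cluster; Redis comes from the Bitnami chart, since the post does not say which Helm repo provided it; the namespaces dapr-system and redis are my choice.

```powershell
# Added example, not code from the original post.
# Assumptions: helm, kubectl and the dapr CLI are installed; kubectl's current
# context points at the Azure Arc enabled cluster; Redis is installed from the
# Bitnami chart (the post does not say which chart VS Code offered).
$ErrorActionPreference = "Stop"

helm repo add dapr https://dapr.github.io/helm-charts/
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

# Dapr 1.6.0, the version picked in VS Code. Sidecar-to-sidecar mTLS is on by
# default in the chart; it is set explicitly so a later 'helm upgrade' with a
# values file cannot silently switch it off.
helm upgrade --install dapr dapr/dapr --version 1.6.0 `
    --namespace dapr-system --create-namespace --wait `
    --set global.mtls.enabled=true

# Redis: a default install is reachable from every pod in the cluster without a
# password. Generate one, keep it in a Kubernetes Secret and point the chart at it.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$redisPassword = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""

kubectl create namespace redis --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret generic redis-auth --namespace redis `
    --from-literal=redis-password=$redisPassword `
    --dry-run=client -o yaml | kubectl apply -f -

helm upgrade --install redis bitnami/redis `
    --namespace redis --wait `
    --set architecture=standalone `
    --set auth.enabled=true `
    --set auth.existingSecret=redis-auth `
    --set auth.existingSecretPasswordKey=redis-password

# Same checks as in the post.
dapr status -k
kubectl get pods --namespace dapr-system
kubectl get pods --namespace redis

# The dashboard speaks plain HTTP: reach it only through a port-forward to
# localhost (what 'dapr dashboard -k' does). Never publish it with a
# LoadBalancer Service or an Ingress without TLS and authentication in front.
dapr dashboard -k -p 9000
```

The password never appears in the Helm release values this way (only the Secret name does), so `helm get values redis` and the VS Code Helm release view do not leak it.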
Now we have two products installed on the Azure Arc enabled Kubernetes cluster with their default settings, but the security best practices are not in place yet. Dapr has its own security best practices to follow, and so does Redis (Redis security).
Next to these security best practices from the software vendors, we also have Microsoft Azure Arc Security (Preview) active on this Kubernetes cluster. In the following steps you will see the security recommendations, the Fixes and the Azure Policies for Azure Arc enabled Kubernetes that make your environment more secure and compliant.
Click on your Azure Arc enabled Kubernetes Cluster
This is my Dockkube.
Click then on Security (preview)
Here you see that Azure Policy is not active on my Azure Arc enabled Kubernetes cluster, so the cluster cannot be checked for compliance yet.
A lot of security issues are managed by policies.
Click on View Additional recommendations in Defender for Cloud
See Related recommendations (17).
Here you see all the policy-based recommendations for your Azure Arc enabled Kubernetes cluster.
Select your Azure Arc Enabled Kubernetes Cluster (Dockkube)
Click on Fix
Confirm and click on Fix 1 resource.
Remediation in progress.
It can take a few minutes before your resources show the Healthy state.
Just refresh 😉
In Azure Policy you will see how compliant your Azure Arc enabled Kubernetes cluster is.
Click on the ASC (Azure Security Center) compliance initiative.
Here you see the 10 policies that are not compliant.
Select a policy that is not compliant, like here:
Kubernetes cluster containers should only use allowed images
Click on Details.
Here you see the component IDs on my Azure Arc enabled Kubernetes cluster that are not compliant with this policy 😉
See the tab bar: you are now on Component Compliance.
Click on the Policies tab.
Double-click on the policy.
From here you can assign the policy to your Azure Arc enabled Kubernetes cluster.
See the tab bar for deploying this policy.
Set the managed identity that deploys the policy: a Deploy-if-not-exists or Modify policy needs a managed identity with enough rights on the scope to remediate the non-compliant resources, otherwise the Fix stays pending.
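The portal clicks above (Fix in Defender for Cloud, assigning the allowed-images policy, a policy assignment with a managed identity, and reading the compliance state) done from PowerShell with the Azure CLI, as an added example that is not part of the original post. Assumed: the Azure CLI with the connectedk8s and k8s-extension extensions, the resource group name rg-mvplab and the container registry name mvplabacr (both placeholders), the West Europe region, and the policy display names as they appear in the Azure portal (check them with az policy definition list if they differ in your tenant).

```powershell
# Added example, not code from the original post.
# Assumptions: Azure CLI with the connectedk8s and k8s-extension extensions;
# resource group rg-mvplab and registry mvplabacr are placeholders; the policy
# display names are the ones shown in the Azure portal.
$ErrorActionPreference = "Stop"
az extension add --name connectedk8s --upgrade
az extension add --name k8s-extension --upgrade

$rg       = "rg-mvplab"      # placeholder
$cluster  = "Dockkube"
$location = "westeurope"     # placeholder
$clusterId = az connectedk8s show --name $cluster --resource-group $rg --query id -o tsv

# 1. What the "Fix" button in Defender for Cloud does: install the Azure Policy
#    extension (Gatekeeper plus the policy agent) on the Arc enabled cluster.
az k8s-extension create --cluster-type connectedClusters --cluster-name $cluster `
    --resource-group $rg --extension-type Microsoft.PolicyInsights --name azurepolicy

# 2. The Defender for Containers extension (preview on Arc at the time of the post)
#    and the matching Defender plan on the subscription.
az k8s-extension create --cluster-type connectedClusters --cluster-name $cluster `
    --resource-group $rg --extension-type microsoft.azuredefender.kubernetes `
    --name microsoft.azuredefender.kubernetes
az security pricing create --name Containers --tier standard

# 3. Assign "Kubernetes cluster containers should only use allowed images" to the
#    cluster. It is an audit/deny policy enforced by Gatekeeper, so it needs no
#    managed identity. Only images from my own registry are allowed.
$allowedImagesId = az policy definition list `
    --query "[?displayName=='Kubernetes cluster containers should only use allowed images'].id | [0]" -o tsv
@{
    allowedContainerImagesRegex = @{ value = '^mvplabacr\.azurecr\.io/.+$' }
    effect                      = @{ value = 'deny' }
} | ConvertTo-Json -Depth 4 | Set-Content -Path allowed-images.params.json
az policy assignment create --name allowed-images --display-name "Only images from mvplabacr" `
    --scope $clusterId --policy $allowedImagesId --params allowed-images.params.json

# 4. A DeployIfNotExists policy (the kind the Fix button assigns) needs a managed
#    identity: --mi-system-assigned creates one and gives it the role the policy
#    definition asks for, and a remediation task applies it to existing resources.
$deployExtId = az policy definition list `
    --query "[?displayName=='Deploy Azure Policy extension to Azure Arc enabled Kubernetes clusters'].id | [0]" -o tsv
az policy assignment create --name deploy-policy-ext --scope $clusterId `
    --policy $deployExtId --mi-system-assigned --location $location
az policy remediation create --name fix-policy-ext --policy-assignment deploy-policy-ext `
    --resource $clusterId --resource-discovery-mode ReEvaluateCompliance

# 5. The compliance view from Azure Policy, without waiting for the next scan.
az policy state trigger-scan --resource-group $rg
az policy state list --resource $clusterId `
    --filter "complianceState eq 'NonCompliant'" `
    --query "[].{policy:policyDefinitionName, resource:resourceId}" -o table
```

Step 3 is the one to test first with `effect` set to `audit`: with `deny`, every pod whose image does not match the regular expression (the Dapr and Redis images from public registries included) is rejected at admission, which is exactly the behaviour you want in production and exactly what breaks a lab if you have not mirrored those images into your own registry yet.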
Here you can read more about how remediation of non-compliant resources works.
More information on Microsoft Docs :
Microsoft Azure Defender for Cloud Containers
Defender Plans for Azure Arc Enabled Kubernetes Clusters (Preview)
I have set these Defender plans.
(Security recommendations can take some time to appear.)
Security (preview) on your Azure Arc enabled Kubernetes cluster.
Here you get the remediation steps to take and the background information.
There is a link to the MITRE ATT&CK site.
And more information via a link to the Kubernetes site:
Resource Management for Pods and Containers
A new example, where you can see the affected components on my Azure Arc enabled Kubernetes cluster Dockkube.
When you work in a DevOps way with Kubernetes containers and microservices, you want them as secure as possible, with application security and the best practices from the software vendors. Security monitoring and compliance are important to keep you in control and to keep your environment safe. With Azure Arc enabled Kubernetes you get Azure Defender for Containers and Azure Policy for security compliance on your Kubernetes cluster.
Important: this is still in preview and should not be used in a production environment until Microsoft makes it generally available. For now you can test it in your test environment, like me in my MVPLAB.