Challenge 05 - AKS Security

< Previous Challenge - Home - Next Challenge >

Introduction

This challenge will cover the implementation of different security technologies in AKS.

Description

You need to fulfill these requirements to complete this challenge:

• Make sure that the ingress controller is the only pod that can communicate to the Web pods
• Make sure that the API pods can only be accessed by the web pods or the ingress controller pods
• Make sure that no LoadBalancer services with a public IP address can be created in the Kubernetes cluster
• Add a second node pool to the cluster, and differentiate between user and system node pools
• Make sure that access to the application over the ingress controller is encrypted with SSL, if you hadn’t configured it already
• Kubernetes administrators must authenticate to the cluster using their AAD credentials

Success Criteria

• Participants can demonstrate that the network security controls are in place
• Application workloads are physically separated (in different nodes) from control plane workloads
• Access to the application via the ingress controller is carried out over SSL
• AAD authentication is required before being able to run any kubectl operation on the cluster

Advanced Challenges (Optional)

• Make sure that the flag --admin is never required when using the command az aks get-credentials

Learning Resources

These docs might help you achieving these objectives:

• Policy in AKS
• Open Policy Agent
• Kubernetes Network Policies
• AKS Overview