enterprise-scale-for-aks's Issues

[FEATURE] Add architectural diagram to the repo

Hi Guy and Ayobami,

The conversations that I have with customers are often using PowerPoint, since it allows us to customize design based on the customer's situation. For example, starting with the PowerPoint slide attached.

There isn't a specific diagram from docs.microsoft.com that I need in PowerPoint form right now, but I often recreate them in PowerPoint manually, so it would be great if there was a more efficient way, such as being able to download the diagram from docs.

Do you think these would become more available in either PowerPoint or Visio format?

Customizability of the diagrams is important, and I think providing customizable diagrams (e.g. in Visio/PowerPoint format) would increase usage of the content in the Cloud Adoption Framework and ESLZ, not only by Microsoft employees supporting customers/partners, but also customers and partners themselves.

Mixed description for Container Registry Private Link and Key Vault Secret access

Option for kubenet in the Terraform template

Most Enterprise customers use kubenet to preserve IP addresses. This template uses Azure CNI. It would be good to capture an option to pass in kubenet and also any downstream impact that it might cause on the other components.

[BUG] Hardcoded subscription id in Parameters file.

In the step: https://github.com/Azure/Enterprise-Scale-for-AKS/blob/main/Scenarios/AKS-Secure-Baseline-PrivateCluster/ARM/03-Setup-supporting-components.md

There is a hardcoded value for the subscription in:

https://github.com/Azure/Enterprise-Scale-for-AKS/blob/main/Scenarios/AKS-Secure-Baseline-PrivateCluster/ARM/Infrastructure-Deployment/Supporting-components/Parameters/aks-eslz-containerregistry.parameters.json#L24

To Reproduce
Steps to reproduce the behavior:

# az deployment group create --name ACR --resource-group $SUPPORTING_RESOURCEGROUP --template-file ../Templates/aks-eslz-containerregistry.template.json --parameters @aks-eslz-containerregistry.parameters.json

(DeploymentFailed) At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.                                     [1m-25.5s]

If you look at the deployment, this is the following error:

{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"LinkedAuthorizationFailed","message":"The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/join/action' on scope '/subscriptions/df8428d4-bc25-4601-b458-1c8533ceec0b/resourcegroups/aks-eslz-arm/providers/Microsoft.Network/privateEndpoints/acr-pe', however the current tenant '72f988bf-86f1-41af-91ab-2d7cd011db47' is not authorized to access linked subscription '82e70289-bf40-45f9-8476-eab93d2031f4'."}]}

Expected behavior
If I replaced 82e70289-bf40-45f9-8476-eab93d2031f4 with my subscription, it works.
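
A pre-deployment check for the failure reported above, added here as an example (not code from the repository or from the issue author): it walks a parameters file and reports every resource ID whose subscription differs from the one being deployed to. The sample file, its parameter names and the GUIDs are constructed placeholders.

```python
import json
import re

# Matches an ARM resource ID prefix and captures the subscription GUID.
SUB_ID = re.compile(
    r"/subscriptions/([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})"
)


def walk(node, path=""):
    """Yield (json_path, string_value) for every string in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def foreign_subscriptions(parameters_text, deploying_subscription):
    """Return [(json_path, subscription_id)] for IDs that differ from the deploying one."""
    findings = []
    for path, value in walk(json.loads(parameters_text)):
        for sub in SUB_ID.findall(value):
            if sub.lower() != deploying_subscription.lower():
                findings.append((path, sub.lower()))
    return findings


# Constructed sample; parameter names are hypothetical, not the repository's file.
SAMPLE = """{
  "parameters": {
    "acrName": {"value": "exampleacr"},
    "subnetId": {"value": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-example/providers/Microsoft.Network/virtualNetworks/vnet-example/subnets/snet-example"},
    "dnsZoneIds": {"value": ["/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-example/providers/Microsoft.Network/privateDnsZones/privatelink.azurecr.io"]}
  }
}"""

if __name__ == "__main__":
    # Deploying to subscription ...0002, so the subnet ID in ...0001 is flagged.
    for path, sub in foreign_subscriptions(SAMPLE, "00000000-0000-0000-0000-000000000002"):
        print(f"{path}: hardcoded subscription {sub}")
```

Run against each parameters file before `az deployment group create`; a non-empty result means a resource ID points at a subscription other than the deployment target.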

Document the differences with AKS secure baseline

It would be helpful if we could document the exact set of differences with AKS secure baseline (Terraform, more modular etc.). The ask is important since customers might have already referred to the secure baseline in some capacity as a starting point.

08-Workload - Helm package bitnami image can't find source image

In the docs, you have to deploy a helm package that includes Bitnami:

helm repo add bitnami https://charts.bitnami.com/bitnami

helm install ratings bitnami/mongodb --namespace ratingsapp --set auth.username=,auth.password=,auth.database=ratingsdb

After deployment, in the ratingsapp namespace, the pod ratings-mongodb-client will not run; it has an ImagePullBackOff error:

Warning Failed 19m (x4 over 21m) kubelet Failed to pull image "docker.io/bitnami/mongodb:4.4.10-de": rpc error: code = NotFound desc = failed to pull and unpack image "docker.io/bitnami/mongodb:4.4.10-de": failed to resolve reference "docker.io/bitnami/mongodb:4.4.10-de": docker.io/bitnami/mongodb:4.4.10-de: not found

This is more than likely coming from the chart being downloaded, but it is not accessible.

I am not sure if this container is needed, but if it is, this needs to be corrected.

Policies reference

I think this part is a bit misleading: "The policies applied by the platform foundation would trickle down to the Enterprise-scale for AKS landingzone subscription."
There is a "Platform" management group, but policies applied to the Platform management group are not inherited in the Landing zones management group.

Impact of installing AKS add-ons which don't exist in Terraform

There are a few add-ons like azure pod identity, azure key vault csi driver secret store and similar which don't exist in Terraform. Request to document the impact of using those as part of the provisioning process. Ex - they would get deleted if the Terraform script is run again etc.
