azure / enterprise-scale-for-aks
Enterprise Scale for AKS Reference Implementation Repo
License: MIT License
Hi Guy and Ayobami,
The conversations that I have with customers are often using PowerPoint, since it allows us to customize design based on the customer's situation. For example, starting with the PowerPoint slide attached.
There isn't a specific diagram from docs.microsoft.com that I need in PowerPoint form right now, but I often recreate them in PowerPoint manually, so it would be great if there was a more efficient way, such as being able to download the diagram from docs.
Do you think these would become more available in either PowerPoint or Visio format?
Customizability of the diagrams is important, and I think providing customizable diagrams (e.g. in Visio/PowerPoint format) would increase usage of the content in the Cloud Adoption Framework and ESLZ, not only by Microsoft employees supporting customers/partners, but also customers and partners themselves.
Descriptions in the following sections mix Key Vault and container registry resources:
Most enterprise customers use kubenet to preserve IP addresses. This template uses Azure CNI. It would be good to capture an option to pass in kubenet and also any downstream impact that it might cause on the other components.
Describe the bug
The AKS deployment has the adminGroupID hardcoded. This should be set as an env var or at least documented how to create your own
https://github.com/Azure/Enterprise-Scale-for-AKS/blob/main/Scenarios/AKS-Secure-Baseline-PrivateCluster/ARM/AKS-Deployment/aks-eslz-aks.parameters.json#L25
There is a hardcoded value for the subscription in:
To Reproduce
Steps to reproduce the behavior:
# az deployment group create --name ACR --resource-group $SUPPORTING_RESOURCEGROUP --template-file ../Templates/aks-eslz-containerregistry.template.json --parameters @aks-eslz-containerregistry.parameters.json
(DeploymentFailed) At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details. [1m-25.5s]
If you look at the deployment, this is the following error:
{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.","details":[{"code":"LinkedAuthorizationFailed","message":"The client has permission to perform action 'Microsoft.Network/virtualNetworks/subnets/join/action' on scope '/subscriptions/df8428d4-bc25-4601-b458-1c8533ceec0b/resourcegroups/aks-eslz-arm/providers/Microsoft.Network/privateEndpoints/acr-pe', however the current tenant '72f988bf-86f1-41af-91ab-2d7cd011db47' is not authorized to access linked subscription '82e70289-bf40-45f9-8476-eab93d2031f4'."}]}
Expected behavior
If I replaced 82e70289-bf40-45f9-8476-eab93d2031f4 with my subscription, it works.
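The two bugs above share one root cause: environment-specific identifiers (a subscription ID inside a resource ID, an AAD group object ID) committed into a parameters file. As an added example that is not code from the Enterprise-Scale-for-AKS repo, the following Python check scans an ARM deployment parameters file and reports resource IDs that point at a subscription other than the one being deployed to, plus any bare GUID values that should be supplied per deployment instead of committed. The sample parameters document and all GUIDs in it are constructed for this example; the function and variable names are this example's own.

```python
import json
import re
import sys

# Subscription segment of an ARM resource ID, e.g. /subscriptions/<guid>/resourceGroups/...
SUBSCRIPTION_RE = re.compile(r"/subscriptions/([0-9a-fA-F-]{36})")
# A bare GUID value (tenant ID, AAD group object ID, ...).
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample parameters file (not the repository's own); the GUIDs are placeholders.
SAMPLE_PARAMETERS = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "subnetId": {"value": "/subscriptions/11111111-1111-1111-1111-111111111111"
                              "/resourceGroups/aks-net/providers/Microsoft.Network"
                              "/virtualNetworks/vnet/subnets/aks"},
        "logAnalyticsId": {"value": "/subscriptions/22222222-2222-2222-2222-222222222222"
                                    "/resourceGroups/aks-ops/providers"
                                    "/Microsoft.OperationalInsights/workspaces/law"},
        "adminGroupObjectId": {"value": "33333333-3333-3333-3333-333333333333"},
        "clusterName": {"value": "aks-cluster"},
    },
})


def _walk(value, path=""):
    """Yield (json_path, string) for every string leaf in a parsed JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}/{key}" if path else key)
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")
    elif isinstance(value, str):
        yield path, value


def find_foreign_subscriptions(parameters_json, expected_subscription):
    """Return [(json_path, subscription_id)] for every resource ID whose
    subscription segment differs from the subscription being deployed to.
    Such IDs produce the LinkedAuthorizationFailed error seen above when the
    deploying tenant cannot reach that subscription."""
    expected = expected_subscription.lower()
    findings = []
    for path, text in _walk(json.loads(parameters_json)):
        for sub in SUBSCRIPTION_RE.findall(text):
            if sub.lower() != expected:
                findings.append((path, sub.lower()))
    return findings


def find_bare_guids(parameters_json):
    """Return [(json_path, guid)] for parameter values that are a bare GUID.
    These are environment-specific (group object IDs, tenant IDs) and should
    come from an environment variable or a per-deployment parameter override."""
    return [(path, text.lower())
            for path, text in _walk(json.loads(parameters_json))
            if GUID_RE.match(text)]


if __name__ == "__main__":
    # Usage: python check_params.py <parameters.json> <target-subscription-id>
    # Without arguments the constructed sample is checked against its first subscription.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc, target = fh.read(), sys.argv[2]
    else:
        doc, target = SAMPLE_PARAMETERS, "11111111-1111-1111-1111-111111111111"
    for path, sub in find_foreign_subscriptions(doc, target):
        print(f"foreign subscription {sub} in {path}")
    for path, guid in find_bare_guids(doc):
        print(f"hardcoded GUID {guid} in {path}; supply it per deployment")
```

Run as a pre-commit or CI step, the check turns the silent LinkedAuthorizationFailed failure into an early, explicit finding; the target subscription can be taken from `az account show --query id -o tsv` in the pipeline.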
It would be helpful if we could document the exact set of differences with AKS secure baseline (Terraform, more modular etc.). The ask is important since customers might have already referred to the secure baseline in some capacity as a starting point.
In the docs, you have to deploy a helm package that includes Bitnami:
helm repo add bitnami https://charts.bitnami.com/bitnami
helm install ratings bitnami/mongodb --namespace ratingsapp --set auth.username=,auth.password=,auth.database=ratingsdb
After deployment, in the ratingsapp namespace, the pod ratings-mongodb-client will not run, it has ImagePullBackOff error:
Warning Failed 19m (x4 over 21m) kubelet Failed to pull image "docker.io/bitnami/mongodb:4.4.10-de": rpc error: code = NotFound desc = failed to pull and unpack image "docker.io/bitnami/mongodb:4.4.10-de": failed to resolve reference "docker.io/bitnami/mongodb:4.4.10-de": docker.io/bitnami/mongodb:4.4.10-de: not found
This is more than likely coming from the chart being downloaded, but it is not accessible.
I am not sure if this container is needed, but if it is, this needs to be corrected.
I think this part is a bit misleading: "The policies applied by the platform foundation would trickle down to the Enterprise-scale for AKS landingzone subscription."
There is a "Platform" management group, but policies applied to the Platform management group are not inherited in the Landing zones management group.
The AKS Secure Baseline does not use AGIC:
https://docs.microsoft.com/en-us/azure/architecture/reference-architectures/containers/aks/secure-baseline-aks#deploy-ingress-resources
However, this repo does. I think it would be valuable to have the two repos be consistent. (Preferably use the Secure Baseline standard)
There are a few add-ons like Azure Pod Identity, the Azure Key Vault CSI secret store driver and similar which don't exist in Terraform. Request to document the impact of using those as part of the provisioning process, e.g. they would get deleted if the Terraform script is run again etc.
There is a broken image. I tried to issue a PR, but I couldn't find the image, so it might not have been committed.