AKS Baseline Regulated Versions

This is the Azure Kubernetes Service (AKS) baseline cluster for regulated workloads reference implementation as produced by the Microsoft Azure Architecture Center.

v1.26.0.0

1 year ago

Implementation updates

  • Migrated from Azure AD Pod Identity to Workload Identity - #66
  • Replaced OSS implementation of Flux with AKS Flux extension - #71
  • Updated AKS to 1.26 - #75 & #82
  • Updated kured - #76
  • Updated to latest Azure monitoring config - #76
  • Updated nginx to 1.6.4 - #77 & #80
  • Updated falco to 0.33.1 - #78
  • Enabled syslog capture - #84 & #85

Walkthrough updates

  • Used role assignments instead of Key Vault policies for out-of-band certificate management - #67

v1.23.12.0

1 year ago

Implementation updates

  • Updated resource providers in cluster stamp to latest API versions - #65
  • Enabled zone redundancy in Azure Container Registry - #65
  • Updated to AKS 1.23.12 - #65
  • Fixed a bug introduced in v1.23.3.0 where networking components were misconfigured - #65 (HT: @ferantivero)
  • Migrated cluster resources to bicep - #65

Walkthrough updates

None.

v1.23.3.0

1 year ago

⚠️ Please do not use this version, as a networking bug was introduced. See v1.23.12.0 or newer instead.

Implementation updates

  • Updated nginx ingress controller version - #59
  • Updated Open Service Mesh config - #59
  • Updated to AKS 1.23.3 - #60
  • Updated Application Gateway subnet to align with product recommendations - #60
  • Updated Kured to 1.9.2 - #60
  • Migrated subscription deployment to bicep - #62
  • Migrated networking deployments to bicep - #63

Walkthrough updates

  • Updated to reflect that the jumpbox process has been moved to bicep - #58
  • Pulled kube-webhook-certgen from GCR instead of docker.io - #61
  • Updated for the breaking az ad changes - #64

v1.22.4.1

2 years ago

Implementation Updates

  • Replaced Microsoft Defender for container registries and Microsoft Defender for Kubernetes with Microsoft Defender for Containers - #57

Walkthrough Updates

  • No changes.

v1.22.4.0

2 years ago

Implementation Updates

  • Updated to AKS 1.22.4 - #55
  • Updated to nginx 1.1.0 (required for Kubernetes 1.22) - #55
  • Updated the SecretProviderClass for ingress controller cert to GA'd version - #55
  • Updated to latest kured - #53

Walkthrough Updates

  • Better handling of common network watcher RG naming patterns - #55
  • Removed preview feature registration instructions for those features that have shipped - #54

v1.21.2.3

2 years ago

Implementation Updates

  • Allowed Virtual Network Gateways in the hub resource group - #38
  • Used some of the added resource tagging functionality - #39
  • Enabled paid SLA by default - #40
  • Added SAN and Key Usage extensions to the self-signed, browser-facing cert for better client support - #40
  • Updated Microsoft.Insights/scheduledQueryRules API to latest - #47, #51
  • Updated providers/diagnosticSettings to latest to support log category groups (such as on Azure Firewall) - #48, #49
  • Fixed issue where kubectl wasn't installing on the jumpbox due to a recent FQDN change by GitHub which required a firewall rule change - #49
  • Updated to latest Open Service Mesh config format and implemented the newly required IngressBackend resource for mesh ingress - #52 (HT: @cwash05)

Walkthrough Updates

  • Added some draw.io versions of the diagrams for easy reference - #41 (HT: @dcasati)
  • Minor quality of life improvements throughout - #40, #42 (HT: @thepaulmacca), #45

v1.21.2.2

2 years ago

v1.21.2.1

2 years ago

  • Explicitly set public DNS for private cluster to disabled - #31
  • Updated all PodDisruptionBudget resources to v1 now that it's GA in 1.21 - #32
  • Azure Policy for "Require HTTPS ingress" now demands a redirect annotation for nginx; added it - #32
  • Open Service Mesh 0.9.x uses a different config system than 0.8.x did; updated to the new system - #33
  • Added Prometheus metric scraping to nginx ingress controller and updated the saved query to no longer reference Traefik metrics (Fixes #26) - #34
  • Updated nginx ingress controller to latest release - #35
  • Updated Falco to latest release - #36

v1.21.2.0

2 years ago

  • Updated to AKS 1.21.2 - #28
  • Removed node pools from the NTP allowance in the firewall as that is no longer required (chronyd sources time from the host) - #28
  • Restricted jumpbox NTP usage to just ntp.ubuntu.com - #28

v1.21.1.0

2 years ago