Hello, Cybrarians. Welcome to this lesson on Azure Kubernetes Service security. This lesson is part of the sixth module of the AZ-500 Microsoft Azure Security Technologies course. For simplicity, I will refer to Azure Kubernetes Service as AKS going forward. Some quick information on what we will be covering in this lesson:
we will start with an overview of AKS, we will then review the architecture of an AKS cluster, as this is important to understanding
how to properly implement security, and finally we will discuss some AKS security best practices. Let's get right into this.
Azure Kubernetes Service is a managed Kubernetes orchestration service. What this means is that AKS makes it simple to deploy and manage a Kubernetes cluster
in Azure by allowing us to offload a lot of the provisioning and management responsibilities to Microsoft, while we focus on our applications.
It also offers us multiple Kubernetes versions, and as new versions of Kubernetes become available our cluster can be upgraded using the Azure portal or using the Azure CLI. During the upgrade process the nodes are carefully cordoned and drained to minimize disruption to the running application.
The good thing is that this is simplified, and this is managed for us.
AKS also benefits from the rich ecosystem of native Kubernetes tools, so the ecosystem of development
and management tools like Helm charts, Draft, or even the Kubernetes extensions for IDEs like Visual Studio Code. All of these tools and technologies work seamlessly with AKS,
because it is the same API that Kubernetes is using. Now let's review the components of an AKS architecture. As I mentioned, this will help us to understand how to properly implement security. First, we have the master. The master is responsible for the coordination and orchestration of our AKS cluster.
Each AKS cluster has its own dedicated Kubernetes master, and it provides components like the API server and the scheduler. This master is managed by Microsoft. Then we have the nodes. The nodes are virtual machines that run the containerized workloads and supporting services like load balancers and ingress controllers.
Nodes in AKS are Azure virtual machines, and they could be Linux or they could be Windows, and actually we can also have a mix of both Windows and Linux.
Regardless of whether we are using Windows or Linux, the container runtime is the Moby container engine, which is what Docker is based on.
And finally we have the pod. A pod represents a single instance of our containerized application. Pods typically have a one-to-one relationship with a container, but there are advanced scenarios where a pod may contain multiple containers. So let's look at security from all these perspectives.
First, from the perspective
of the master, the first security best practice is to control access to the API server using Kubernetes role-based access control. In order to connect to the Kubernetes API server we have to authenticate, and we can have AKS integrated with Azure AD and use RBAC to control the level of access.
The Azure Kubernetes Service Cluster Admin Role allows a user to assume the cluster admin role, and the Azure Kubernetes Service Cluster User Role allows the user to assume the cluster user role. We can configure these using Azure role-based access control.
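As an added example (not a manifest from the lesson), here is a Kubernetes Role and RoleBinding that grants read-only access to pods in one namespace to an Azure AD group on an Azure AD integrated AKS cluster; the namespace, role name and group object ID are placeholders.

```yaml
# Added example: namespace-scoped read-only access for an Azure AD group
# on an AKS cluster with Azure AD integration enabled. Names and the
# group object ID are placeholders, not values from the lesson.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader               # hypothetical role name
  namespace: app-team            # hypothetical namespace
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-app-team-devs # hypothetical binding name
  namespace: app-team
subjects:
  # With Azure AD integration, Kubernetes sees the group's object ID,
  # not its display name. Replace with the real group object ID.
  - kind: Group
    name: 00000000-0000-0000-0000-000000000000
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Members of the group still need the Azure Kubernetes Service Cluster User Role at the Azure level so that `az aks get-credentials` can fetch a kubeconfig; the Role above then limits what those credentials can do inside the cluster.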
The second best practice is to limit access to the API server using authorized IP address ranges. By default, the Kubernetes API server uses a public IP address and a fully qualified domain name, with access from any IP on the Internet. We can limit this access to IPs that we trust. Another best practice is to create a fully private cluster.
We have the option to create a fully private cluster by implementing the same private endpoint and Private Link technology that we looked at earlier in the course. In a private cluster, the control plane, or the API server,
has internal IP addresses, which helps to limit API server access to our virtual network. The next best practice is to regularly upgrade the cluster control plane Kubernetes version. Whenever a new version of Kubernetes is released, Microsoft makes this available, but we have to upgrade it ourselves, using the portal or using a command line tool.
From the perspective of the nodes, one of the security best practices, first of all, is to apply operating system updates to the nodes,
and this varies depending on whether we have Linux nodes or Windows nodes. The Azure platform, for example, automatically applies operating system security patches to the Linux nodes, and it does this on a nightly basis. However, if an operating system reboot is needed for the patches to be fully applied, that reboot is not automatically performed. We can manage the reboot of the Linux nodes ourselves. A common approach is to use kured, which is an open source reboot daemon for Kubernetes, to automate this process. For Windows nodes, Windows Update does not automatically run and apply the latest updates, so we need to apply Windows updates using our own processes, or the node images can also be updated during the cluster upgrade.
From the perspective of the pod, the best practice is to use pod identity, because containers running in AKS may also need to access services like a storage account or a platform database, or even Key Vault in Azure, and using a pod identity is the best way to implement this. The good thing is that each pod can be assigned a unique
Azure AD managed identity.
So, for example, if we have two pods running on our AKS node, we can assign a pod identity to pod one, and the application running in that pod can use the identity to obtain a token from Azure AD, and the application can then use that token to access services in Azure depending on the level of RBAC authorization. It is important to follow the principle of least privilege when assigning access to pod identities,
as if the application running on the pod is compromised,
an attacker can take on the permissions assigned to that identity. From a network security perspective, we mentioned that nodes are deployed into a private virtual network. AKS automatically creates a network security group with default rules to allow TLS traffic to the Kubernetes API server.
However, if we want to control traffic further, we can create our own network security groups to
implement this. We should pay attention, though, not to modify the managed network security group that AKS creates and manages, and also, when we are configuring our own network security groups, we should ensure that we do not enable conflicting rules
that block needed traffic. Blocking traffic needed for cluster management, for example, would not be good.
We can also use Kubernetes network policy to control network traffic between pods, and this can be done based on pod labels or based on Kubernetes namespaces. For example, the policy displayed on the screen only allows access to pods with the backend label from pods
with the web-frontend label.
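The policy described above, written out as an added example (it is not the manifest shown on screen in the lesson). It assumes a placeholder namespace "shop" where frontend pods carry the label app=web-frontend and backend pods carry app=backend, and it adds a default-deny policy in front of the allow rule so that only the listed traffic reaches the backend.

```yaml
# Added example, not the manifest shown in the lesson. Assumes a
# namespace "shop" (placeholder) where frontend pods carry the label
# app=web-frontend and backend pods carry app=backend, and that the
# cluster was created with a network policy engine (Azure or Calico).
---
# 1. Default deny: once a pod is selected by this policy it accepts no
#    ingress traffic unless another policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: shop
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
---
# 2. Allow only web-frontend pods to reach backend pods, and only on
#    the port the backend actually listens on (8080 is a placeholder).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: backend-allow-from-web-frontend
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: backend
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: web-frontend
      ports:
        - protocol: TCP
          port: 8080
```

Network policy is only enforced when the cluster was created with `--network-policy azure` or `--network-policy calico`; otherwise the manifest applies but has no effect. The default-deny policy also blocks traffic into the web-frontend pods themselves, so in practice a further policy allowing the ingress controller to reach app=web-frontend is needed.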
And finally, we can use Application Gateway with Web Application Firewall in front of web containerized applications to provide that added layer of security against web application threats. There are other security best practices that we can follow for AKS. I'll just summarize them here very quickly.
We can use Kubernetes secrets to store keys and secrets. Another approach is to use pod identities with Azure Key Vault.
We can use pod security policies to control allowed containers. So, for example, we can prevent containers running as root, or prevent containers using privileged mode, using pod security policies. We can limit the actions that containers can perform. So, for example, we can use the AppArmor Linux kernel security module
to restrict access to sensitive Linux locations.
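As an added example (not from the lesson), here is a pod spec that applies the restrictions just described at the pod level: no root, no privileged mode, an AppArmor profile, and the label that AAD Pod Identity (v1) uses to bind the pod to a managed identity. The namespace, image, identity selector and user IDs are placeholders.

```yaml
# Added example, not from the lesson: a pod spec that applies the
# restrictions described above at the pod level. Image name, namespace
# and the aadpodidbinding selector are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-api
  namespace: shop
  labels:
    app: backend
    # AAD Pod Identity (v1) binds the pod to an AzureIdentityBinding
    # whose selector matches this label value.
    aadpodidbinding: backend-identity
  annotations:
    # AppArmor: confine the container with the runtime's default profile
    # so it cannot read or write sensitive host paths.
    container.apparmor.security.beta.kubernetes.io/api: runtime/default
spec:
  securityContext:
    runAsNonRoot: true        # kubelet refuses to start the pod as UID 0
    runAsUser: 10001
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: api
      image: placeholder.azurecr.io/shop/api:1.0.0   # placeholder image
      ports:
        - containerPort: 8080
      securityContext:
        privileged: false
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
      volumeMounts:
        - name: tmp            # writable scratch space on a read-only root
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

AppArmor annotations only take effect on Linux nodes (Windows nodes ignore them), and the `aadpodidbinding` label does nothing unless the AAD Pod Identity add-on and a matching AzureIdentityBinding are present in the cluster.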
Here are some supplemental links for further study on the topics covered in this lesson. Here's a summary of what we covered in this lesson. We started with a discussion on an AKS overview, we then reviewed the AKS architecture, talking about the cluster, the master, the nodes and the pods, and finally
we reviewed AKS security best practices
from all these different components of the AKS architecture.
Thanks very much for watching, and I'll see you in the next lesson.