This quick start is aimed to take the provisioning of AKS beyond a simple "az aks create" command and to include the minimum that most of my customers have required for a production workload. I am also working on a different deployment model for AKS to sit in a hub and spoke architecure and will update with a link to the repository when it is complete. This example already includes a range of useful features which should help most people move forward with producing a production like environment.
- RBAC cluster
- Helm and Tiller included in the cluster
- Tiller per namespace with relevant Service Account and role bindings
- Generation of SSH keys
- Traefik for ingress
- Cluster on a dedicated VNet
- Created Service Principal for cluster nodes
- Service Principal assigned as Network Contributor with Resource Group
- Application Gateway V2 with WAF in front of Traefik
- Custom domain on App Gateway
- Creation and assignment of DNS record
- Creation and assignment of Let's Encrypt certificate to App Gateway
- Monitoring solutions installed
- Container Insights through Azure Monitor
- Monitoring Metrics Publisher
- Demo App
- Network Policy
- Accepted policy for Traefik -> api
- Blocked policy for Traefik -> blocked
- Switch to use Nginx (Used by more customers)
- Include Pod Identity
- Once Pod Identity is included switch to use App Gateway as ingress controller
- Azure AD SPs for Container Registry RBAC. Reader for cluster and Contributor for DevOps Pipeline
- Dev Spaces
- Move Service Principal role assignment to Subnet rather than the whole Resource Group
Start by cloning or forking this repository, we will then setup Terraform with a Service Principal and a remote storage account, so we can automate the provisioning of the environment.