Resource Group: i2rdc3-prod-rg-k8s
Overview
The resource group i2rdc3-prod-rg-k8s hosts resources primarily focused on a Kubernetes cluster using Azure Kubernetes Service (AKS). The key components include virtual machine scale sets that serve as the node pool for the AKS cluster, managed identities for secure access, load balancers for traffic handling, managed disks for storage, and network security groups to govern access.
Resources
- Managed Disks
  - Type: Microsoft.Compute/disks
  - Names: pvc-2cefecae-ab14-43b8-bb6b-b46756402db2, pvc-5c7b7a82-7173-4e3d-9870-a026388f2fc9, pvc-d053b488-115c-4681-aeee-cf199725313f
  - Purpose: These disks are used as persistent storage volumes for the Kubernetes pods. Each has attributes like size, IOPS, and network access policies. They are encrypted at rest using the platform key.
- Virtual Machine Scale Sets
  - Type: Microsoft.Compute/virtualMachineScaleSets
  - Name: aks-agentpool-30146885-vmss
  - Purpose: Manages a group of identical virtual machines (VMs) to provide scalability for the Kubernetes cluster. It includes configurations for the operating system and storage, and is also responsible for scaling up or down based on load.
  - Relationships: This ties into the managed disks for VM storage and networking configurations for connectivity.
- Load Balancers
  - Type: Microsoft.Network/loadBalancers
  - Name: kube-apiserver
    - Purpose: This load balancer handles external traffic coming to the Kubernetes API server. It is configured to route to backend pools with fixed IP addresses (10.25.46.215, 10.25.46.216).
  - Name: kubernetes-internal
    - Purpose: A load balancer that manages internal traffic between services in the AKS cluster.
  - Relationships: Both load balancers are associated with the scale sets and help distribute traffic effectively.
- Network Security Groups (NSGs)
  - Type: Microsoft.Network/networkSecurityGroups
  - Name: aks-agentpool-12857252-nsg
  - Purpose: NSGs contain rules that allow or deny traffic to resources within the Azure virtual network. Currently, this NSG does not have any specific rules defined, which may pose a risk if left unconfigured.
- User Assigned Identities
  - Type: Microsoft.ManagedIdentity/userAssignedIdentities
  - Names: azurekeyvaultsecretsprovider-i2rdc3-prod-aks, i2rdc3-prod-aks-agentpool
  - Purpose: Provide a mechanism for secure access to Azure resources without storing credentials in code.
- Extensions for VMSS
  - Purpose: These include Billing, AKS Linux Extension, and Custom Script extensions to support various functionalities and monitor resource usage.
Data Storage
The resource group utilizes managed disks for persisting data related to Kubernetes workloads. Each disk is configured for specific Kubernetes persistent volume claims (PVCs) with encryption and redundancy based on storage type:
- Disk Sizes: Each disk is 8 GB, designed for various pods.
- Storage Types: Disks utilize StandardSSD_LRS, favouring cost-effectiveness over performance for typical Kubernetes use cases.
Networking
The virtual network configuration is as follows:
- Virtual Network: The resource group connects to an internal virtual network identified by i2rdc3-prod-vnet01.
- Subnets:
  - k8s-api-subnet: Hosts the API server with a private IP (10.25.46.212) and the backend pool IPs for the load balancer (10.25.46.215, 10.25.46.216).
  - k8s-subnet: Hosts connections for the virtual machine scale sets. It does not specify individual private IPs here; they are allocated based on the VM requirements.
Virtual Network Peerings
There aren’t any specific peerings indicated in this template. If interconnectivity between different virtual networks is needed, it should be configured separately.
Security Overview
- Encryption: All managed disks have encryption enabled at rest.
- NSG Configuration: The absence of rules in the NSG can expose the cluster to unwanted traffic. It is essential to define inbound and outbound rules to restrict access based on the principle of least privilege.
- Public Network Access: Managed disks have public accessibility enabled. It's advisable to restrict this setting if disks do not require public access, to reduce attack vectors.
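The two findings above (an NSG with no explicit rules, and managed disks reachable over the public network) can be checked mechanically against the ARM template before deployment. The following audit script is an added example, not part of the generated document or the deployed template; the resource names and template fragment in it are constructed, and the property names follow the ARM schema for Microsoft.Compute/disks and Microsoft.Network/networkSecurityGroups.

```python
import json

# Constructed ARM template fragment (not the page's template): one disk that is
# reachable over the public network and one NSG that carries no explicit rules.
SAMPLE_TEMPLATE = json.dumps({
    "resources": [
        {"type": "Microsoft.Compute/disks",
         "name": "pvc-example-disk",  # constructed name
         "properties": {"encryption": {"type": "EncryptionAtRestWithPlatformKey"},
                        "networkAccessPolicy": "AllowAll",
                        "publicNetworkAccess": "Enabled"}},
        {"type": "Microsoft.Network/networkSecurityGroups",
         "name": "example-nsg",  # constructed name
         "properties": {"securityRules": []}},
    ]
})


def audit_template(template_json):
    """Return (resource name, finding) pairs for the weaknesses the summary
    calls out. Missing disk properties are treated as Azure's defaults
    (publicNetworkAccess=Enabled, networkAccessPolicy=AllowAll)."""
    findings = []
    for res in json.loads(template_json).get("resources", []):
        props = res.get("properties", {})
        rtype = res.get("type", "")
        if rtype == "Microsoft.Compute/disks":
            if (props.get("publicNetworkAccess", "Enabled") == "Enabled"
                    or props.get("networkAccessPolicy", "AllowAll") == "AllowAll"):
                findings.append((res["name"], "disk reachable over the public network; "
                                 "set publicNetworkAccess=Disabled and networkAccessPolicy=DenyAll"))
            if not props.get("encryption", {}).get("type"):
                findings.append((res["name"], "disk encryption type not set"))
        elif rtype == "Microsoft.Network/networkSecurityGroups":
            if not props.get("securityRules"):
                findings.append((res["name"], "NSG defines no explicit rules; "
                                 "only Azure's default rules apply"))
    return findings


def harden_disks(template_json):
    """Return a copy of the template with disk network access closed off.
    NSG rules depend on the workload, so they are flagged but not invented here."""
    doc = json.loads(template_json)
    for res in doc.get("resources", []):
        if res.get("type") == "Microsoft.Compute/disks":
            props = res.setdefault("properties", {})
            props["publicNetworkAccess"] = "Disabled"
            props["networkAccessPolicy"] = "DenyAll"
    return json.dumps(doc)


if __name__ == "__main__":
    for name, finding in audit_template(SAMPLE_TEMPLATE):
        print(f"{name}: {finding}")
    print("after hardening:", audit_template(harden_disks(SAMPLE_TEMPLATE)))
```

Running it against the constructed template reports both issues; after `harden_disks` only the NSG finding remains, since appropriate inbound and outbound rules must be written for the actual workload.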
Other Information
- Cost Management: Utilize the Azure portal to monitor costs associated with VMSS and keep track of Azure usage, avoiding over-provisioned resources.
- Scalability: The architecture is designed for scale, where VMSS can automatically scale based on demand, with Azure automatically managing availability across zones.
- Operational Best Practices: It’s recommended to integrate services like Azure Monitor and Azure Security Center for ongoing compliance and security assessments.
In summary, this ARM template configures a foundational architecture for an Azure Kubernetes Service environment leveraging Azure's scalable and manageable infrastructure with strong emphasis on security and storage. Further configurations should focus on solidifying security measures and optimizing for performance based on workload characteristics.
Note: This document was generated using the Azure Assistants script and an LLM