Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Sponsored Session: Microsoft Azure - Kubernetes Ecosystem in Azure
Speakers: Sean McKenna
Leverage the best of the Kubernetes ecosystem in Azure, with policy, service mesh, secrets management, and gitops.
How you can do secrets management with the CSI Secret Store driver, apply policy and governance with the Open Policy Agent in Azure Policy, how you can consume Kubernetes best practices with Azure Advisor and troubleshoot with Azure Diagnostics, and then how you can manage heterogeneous Kubernetes environments with Azure Arc. So, let's dive in.
When it comes to security, a good place to start is Azure Security Center, which provides deep integration with AKS. To begin, you'll want to look at ASC's assessment of your cluster's security posture, checking for security best practices. In this case, ASC has identified that we have not limited network access to the Kubernetes API server, creating a broad attack vector. In each case, ASC provides helpful pointers to documentation which help you take action on the recommendation.
Once your environment is in production, you'll want to be alerted about potential threats. Azure Security Center is continually monitoring the Kubernetes audit log, looking for suspicious activity that may suggest an attack. In this case, Azure Security Center has identified that a pod is accessing a sensitive host volume.
Now, when I create an assignment, I have the opportunity to create a scope, which means choosing the Azure subscription and, optionally, the resource group that I want to have that policy apply to. Then I can optionally choose a set of excluded resources, if there are resources within that scope that I don't want to have the policy applied to. Next up, I choose the policy definition, and this is where we can see the set of built-in policies that are available.
Now, in this case, we're adding this policy to an existing cluster. We want to make sure that we're not breaking any existing workflows that our developers may have, so I'm actually going to change this to audit, which means that any resources that are out of compliance will be audited and will be visible within the Azure Policy UI. They will not immediately block deployments of those resources.
And this is where I'll be able to get a view of my compliance state relative to that policy definition that I just deployed. Now, initially this is going to be in a "not started" state. It will take a few minutes for the policy to get deployed to that set of clusters, for the audit to run, and for those results to be reported back up into Azure Policy and be visible in this UI. Then, on an ongoing basis, that audit will happen every 15 minutes.
Now, there's no doubt that Kubernetes has a lot of powerful capabilities, and there are many patterns emerging in the community about how to use them, but those may not always be obvious to newcomers. With Azure Advisor, we can make personalized recommendations for best practices you may want to consider, based on our experience working with thousands and thousands of customers.
In this case, we've detected a few improvements that could be made to this cluster, including the application of pod disruption budgets, a way of ensuring application availability is maintained during voluntary disruption events like cluster upgrades or scaling operations. Advisor includes links out to Azure documentation to make those recommendations actionable.
So far, we've exclusively been looking at AKS-based clusters, but most customers are supporting a much broader set of environments and looking for a common platform across them. With Azure Arc, you can easily connect any conformant Kubernetes cluster into Azure, then view and manage it alongside your AKS clusters. So let's take a look at how that works. As a simplified approximation of an on-premises environment, I'm going to create a kind cluster here on my laptop. kind stands for Kubernetes in Docker and is a simple way to run a one-node Kubernetes cluster inside of a Docker container.
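The audit-versus-deny distinction the speaker draws in the Azure Policy section (non-compliant resources are reported in the compliance view but not blocked under audit; deny rejects them at admission time), together with scope exclusions, modelled as an added example written for this page. It is not code from the talk, from Azure Policy or from Gatekeeper; the policy ("pods should not mount sensitive host paths", matching the sensitive-host-volume finding mentioned earlier), the pod manifests and the `evaluate`/`compliance_report` functions are all constructed for illustration.

```python
"""Audit vs. deny evaluation of a hostPath policy over constructed Pod manifests."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample Pod manifests (plain dicts shaped like the Kubernetes Pod object).
PODS: List[Dict] = [
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.21"}],
              "volumes": [{"name": "cache", "emptyDir": {}}]}},
    {"metadata": {"name": "node-agent", "namespace": "monitoring"},
     "spec": {"containers": [{"name": "agent", "image": "example/agent:1.0"}],
              "volumes": [{"name": "docker-sock", "hostPath": {"path": "/var/run/docker.sock"}},
                          {"name": "logs", "hostPath": {"path": "/var/log/containers"}}]}},
    {"metadata": {"name": "kube-proxy-abc12", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "kube-proxy", "image": "example/kube-proxy:v1.22"}],
              "volumes": [{"name": "modules", "hostPath": {"path": "/lib/modules"}}]}},
]


@dataclass(frozen=True)
class Policy:
    """Hypothetical policy assignment: an effect plus the exclusions chosen at assignment time."""
    name: str
    effect: str                                # "audit" or "deny"
    excluded_namespaces: Tuple[str, ...] = ()  # scope exclusions (resources the policy skips)
    allowed_host_paths: Tuple[str, ...] = ()   # hostPath prefixes that are permitted


@dataclass
class Result:
    pod: str
    state: str        # "compliant", "non-compliant" or "exempt"
    admitted: bool    # would the object be accepted at admission time?
    reasons: List[str]


def _path_allowed(path: str, allowed: Tuple[str, ...]) -> bool:
    """Prefix match on path components, so "/var/log" permits "/var/log/x" but not "/var/logs"."""
    for prefix in allowed:
        base = prefix.rstrip("/")
        if path == prefix or path == base or path.startswith(base + "/"):
            return True
    return False


def host_path_violations(pod: Dict, policy: Policy) -> List[str]:
    """Return one reason per hostPath volume that is not on the allowed list."""
    reasons = []
    for vol in pod["spec"].get("volumes", []):
        host_path = vol.get("hostPath")
        if host_path is None:
            continue
        path = host_path.get("path", "")
        if not _path_allowed(path, policy.allowed_host_paths):
            reasons.append(f"volume {vol['name']!r} mounts host path {path!r}")
    return reasons


def evaluate(pod: Dict, policy: Policy) -> Result:
    """Apply the policy's effect: audit only records the finding, deny also blocks admission."""
    name = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
    if pod["metadata"]["namespace"] in policy.excluded_namespaces:
        return Result(name, "exempt", True, [])
    reasons = host_path_violations(pod, policy)
    if not reasons:
        return Result(name, "compliant", True, [])
    return Result(name, "non-compliant", policy.effect != "deny", reasons)


def compliance_report(pods: List[Dict], policy: Policy) -> Dict[str, int]:
    """Counts per state, the shape of what a compliance view would summarise."""
    counts = {"compliant": 0, "non-compliant": 0, "exempt": 0}
    for pod in pods:
        counts[evaluate(pod, policy).state] += 1
    return counts


if __name__ == "__main__":
    for effect in ("audit", "deny"):
        policy = Policy("no-sensitive-host-paths", effect, excluded_namespaces=("kube-system",))
        print(f"--- effect={effect}: {compliance_report(PODS, policy)}")
        for pod in PODS:
            r = evaluate(pod, policy)
            print(f"{r.pod:<32} {r.state:<14} admitted={r.admitted} {'; '.join(r.reasons)}")
```

Running the block shows the same pod flagged under both effects; only the `admitted` flag changes, which is why starting in audit mode lets you see what an existing cluster would lose before switching to deny. The `allowed_host_paths` parameter is the usual way to carve out the few legitimate host mounts (for example log collectors) without exempting whole namespaces.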