Development

• When pods need access to other Azure services, such as Cosmos DB, Key Vault, or Blob Storage, the pod needs access credentials. These credentials could be baked into the container image or injected as a Kubernetes secret, but either way they have to be created and assigned manually. Often the same credentials are reused across pods and aren't rotated regularly. Managed identities for Azure resources (currently implemented as an associated AKS open source project) let pods request access to services through Azure AD automatically. You don't define credentials for pods manually; instead, each pod requests an access token in real time and can use it to access only the services assigned to its identity.
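The following manifests are an added example of the open-source AAD Pod Identity approach described above, not content from the checklist itself: an AzureIdentity referencing a user-assigned managed identity, a binding, and a pod that receives the identity through a label. The subscription, resource group, client ID, registry and namespace are placeholders.

```yaml
# Added example: bind a user-assigned managed identity to pods with AAD Pod Identity.
# Every ID, name and image below is a placeholder, not a value from the checklist.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: keyvault-reader
  namespace: orders
spec:
  type: 0   # 0 = user-assigned managed identity
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/keyvault-reader
  clientID: <CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: keyvault-reader-binding
  namespace: orders
spec:
  azureIdentity: keyvault-reader
  selector: keyvault-reader   # pods whose aadpodidbinding label has this value get the identity
---
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  namespace: orders
  labels:
    aadpodidbinding: keyvault-reader   # the only "credential" in the pod spec is this label
spec:
  containers:
  - name: api
    image: <REGISTRY>/orders-api:<TAG>
    # No connection strings or secrets are mounted; the app asks the managed
    # identity endpoint for a token at runtime, scoped to the identity above.
```

The application code then obtains tokens through the Azure SDK's managed identity credential (for example DefaultAzureCredential); which identity it receives, and therefore which services it can reach, is decided by the binding rather than by anything stored in the image or a secret.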

• Use a tool that can restrict builds with enough granularity not to break development. Not all Critical CVEs are the same: the tool should be able to block builds on Critical or High vulnerabilities that have a vendor fix, while allowing builds to continue if the Critical vulnerability is still 'Open' (no vendor fix available yet).

• Identify an image that runs as 'root', or that opens port 80 or 22, before it gets deployed.

Image management

• On build, the image is secured according to the threshold you set, but a new issue may be discovered while the image sits in the registry. You need to ensure that the image cannot be deployed until the issue is remediated.

Cluster setup

• By using a private cluster, you ensure that network traffic between your API server and your node pools stays on the private network only. Because the API server has a private address, reaching it for administration or for deployment requires a private connection, for example through a jumpbox (such as Azure Bastion).

Storage

• Different types and sizes of nodes are available. Each node (underlying VM) size provides a different amount of core resources such as CPU and memory. These VM sizes have a maximum number of disks that can be attached. Storage performance also varies between VM sizes for the maximum local and attached disk IOPS (input/output operations per second). If your applications require Azure Disks as their storage solution, plan for and choose an appropriate node VM size. The amount of CPU and memory isn't the only factor when you choose a VM size; the storage capabilities are also important.

• Understand the limitations of the different approaches to data backups, and whether you need to quiesce your data prior to taking a snapshot. Data backups don't necessarily let you restore your application environment or cluster deployment.

• Service state refers to the in-memory or on-disk data that a service requires to function. State includes the data structures and member variables that the service reads and writes. Depending on how the service is architected, the state might also include files or other resources that are stored on disk. For example, the state might include the files a database uses to store data and transaction logs.

Network

• While Kubenet is the default Kubernetes network plugin, the Container Networking Interface (CNI) is a vendor-neutral protocol that lets the container runtime make requests to a network provider. The Azure CNI assigns IP addresses to pods and nodes, and provides IP address management (IPAM) features as you connect to existing Azure virtual networks. Each node and pod resource receives an IP address in the Azure virtual network, and no additional routing is needed to communicate with other resources or services.

• As an example, with Azure CNI you need one IP for each node plus one spare for a new node during a cluster upgrade, and you need an IP for each pod, which can add up to hundreds of IP addresses.

• Network policy is a Kubernetes feature that lets you control the traffic flow between pods. You can choose to allow or deny traffic based on settings such as assigned labels, namespace, or traffic port. Network policies give you a cloud-native way to control the flow of traffic: as pods are dynamically created in an AKS cluster, the required policies are applied automatically. Don't use Azure network security groups to control pod-to-pod traffic; use network policies.
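As an added example (not from the checklist), the two policies below use all three selectors the item mentions, label, namespace and port: the first denies all ingress in a namespace, the second re-allows only the frontend pods from one namespace to reach the API on its service port. The namespace names, labels and port are assumptions, and the cluster is assumed to have been created with a network policy engine (Azure or Calico) enabled.

```yaml
# Added example: default-deny the "orders" namespace, then allow only the
# frontend in the "web" namespace to reach the orders API on TCP 8080.
# Namespace names, labels and port are assumptions, not values from the page.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: orders
spec:
  podSelector: {}          # empty selector = every pod in the namespace
  policyTypes:
  - Ingress                # no ingress rules listed, so all inbound traffic is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-orders-api
  namespace: orders
spec:
  podSelector:
    matchLabels:
      app: orders-api      # label-based: only pods carrying this label are affected
  policyTypes:
  - Ingress
  ingress:
  - from:
    # namespaceSelector and podSelector in the SAME list entry are ANDed:
    # only pods labelled app=frontend inside the "web" namespace match.
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: web   # set automatically on Kubernetes 1.22+
      podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080           # port-based: other ports on orders-api stay closed
```

Because the policies select by label rather than by IP, new orders-api or frontend replicas are covered the moment they are scheduled, with no NSG rules to update as pod IPs change.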
