Whitelist Ingress Access into AKS Clusters
If you read my last post on setting up ExternalDNS and CertManager on AKS you may have noticed that ingress to published services is open to Internet traffic. In this post I’ll look at two simple ways to lock down services so that only specific addresses have ingress access. First we’ll cover how to set up a network security group on the agent pool subnet to limit access, and then we’ll take a look at some features of NGINX that offer a bit more flexibility over who has access to what. We’ll also look at some changes we’ll need to make to cert-manager once ingress is locked down.
Automate DNS and SSL Certificates on AKS
In a recent project I was asked to configure Kubernetes so that it could create and manage DNS records automatically. This automatic management comes via Ingress objects created in Kubernetes: hostnames specified in Ingress objects automatically get DNS records created. This is exactly what the Kubernetes project ExternalDNS does. Unfortunately, even though there is a section for configuring it on Azure, it wasn’t straightforward to get working. This post walks through getting it up and running and also demonstrates its usage in Azure Government.
AKS with cert-manager and Prometheus
In this post we’ll take a look at a new script that I wrote to quickly build a Kubernetes (AKS) cluster with several core components preconfigured and installed out of the box. As a CSA for Microsoft I sometimes need to create an AKS cluster that goes beyond the cluster you get with the az command and I got tired of installing ingress controllers, cert-manager, and the like over and over. If your use case is similar to mine you should get some usefulness from this.