Add Azure Kubernetes Service Approval Accelerator #72
Conversation
Thank you for your contribution and Welcome to our Open Source Community! To make sure your pull request is accepted successfully, we ask all our open source contributors to sign a Contributor License Agreement. Having reviewed our contributor list, we require a CLA for the following people: (@tmewett). If you need help obtaining a CLA, please read the Requirements for Contributions section of our CLA wiki or email help@finos.org with your questions. Thanks once again for your contribution. Let us work with you to make the CLA process quick, easy and efficient so we can move forward with reviewing and accepting your pull request. cc @finos-admin
Congratulations @tmewett for raising your first Cloud Service Certification pull request and blazing the Azure Kubernetes trail. I have assigned you as the pull request owner and have tagged @peterrhysthomas for review. 🚀 🚀 🚀 You will also notice the FINOS CLA Bot flagging your pull request. I will email you and the CodeThink team separately to get a FINOS CLA signed so we can remove this error. Great work! 💯 💯 💯
Hi James, yes I can attend, though I don't have much to add. It will be good to get some initial thoughts on it though.
Hi Tom,
This looks good for now, although I find a few sections lacking.
- IP firewall rules: aside from the Azure fw rules, there should be a mention of enforcing network policies/Istio for securing inter-pod communication.
- Underlying OS: does not mention what the node's host OS is and whether it has been hardened by Azure or not.
- There is no mention of cluster networking/cluster access: how to ensure that the cluster and nodes are private, etc.
- Encryption of etcd is not mentioned.
- Specific minimal permissions to grant in Azure RBAC for accessing the cluster, e.g. devs should have role x, admins should have role y.
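As an added example (not code from this PR or from the Cloud Service Certification project), here is a small Python posture check that evaluates the controls listed in the review above against the JSON that `az aks show` returns for a managed cluster. The field names it reads (`apiServerAccessProfile.enablePrivateCluster`, `apiServerAccessProfile.authorizedIpRanges`, `networkProfile.networkPolicy`, `securityProfile.azureKeyVaultKms.enabled`, `enableRbac`, `aadProfile.enableAzureRbac`, and `agentPoolProfiles[].osSku` / `enableNodePublicIp`) are my assumptions about the ManagedCluster resource shape and should be verified against the API version in use; the sample cluster document is constructed and deliberately weak on several points so the checker has something to flag.

```python
"""Added example: AKS posture check over `az aks show` output.

Not code from the PR or the project; field names are assumptions about
the ManagedCluster resource and should be checked against your API version.
"""
import json

# Constructed sample, shaped like `az aks show -g <rg> -n <name> -o json`.
# Several controls are deliberately missing so the checker reports findings.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "example-aks",
  "enableRbac": true,
  "aadProfile": {"managed": true, "enableAzureRbac": false},
  "apiServerAccessProfile": {"enablePrivateCluster": false, "authorizedIpRanges": []},
  "networkProfile": {"networkPlugin": "azure", "networkPolicy": null},
  "securityProfile": {"azureKeyVaultKms": {"enabled": false}},
  "agentPoolProfiles": [
    {"name": "system", "osType": "Linux", "osSku": "Ubuntu", "enableNodePublicIp": false},
    {"name": "user", "osType": "Linux", "osSku": "Ubuntu", "enableNodePublicIp": true}
  ]
}
""")


def get(d, *path):
    """Walk nested dicts, returning None for any missing key."""
    for key in path:
        if not isinstance(d, dict):
            return None
        d = d.get(key)
    return d


def check_cluster(cluster):
    """Return a list of (control, ok, detail) tuples, one per review point."""
    findings = []
    pools = cluster.get("agentPoolProfiles", [])

    # Inter-pod traffic: a network policy engine must be configured.
    policy = get(cluster, "networkProfile", "networkPolicy")
    findings.append(("network_policy", policy in ("azure", "calico", "cilium"),
                     f"networkPolicy={policy!r}"))

    # Cluster access: private API server, or at least authorized IP ranges.
    private = bool(get(cluster, "apiServerAccessProfile", "enablePrivateCluster"))
    ranges = get(cluster, "apiServerAccessProfile", "authorizedIpRanges") or []
    findings.append(("private_api_server", private or bool(ranges),
                     f"enablePrivateCluster={private}, authorizedIpRanges={ranges}"))

    # Node exposure: agent pools should not hand out public IPs to nodes.
    public_pools = [p.get("name") for p in pools if p.get("enableNodePublicIp")]
    findings.append(("no_public_node_ips", not public_pools,
                     f"pools with public node IPs: {public_pools}"))

    # Underlying OS: record the node image SKU so the host OS can be reviewed.
    skus = sorted({p.get("osSku") or "unknown" for p in pools})
    findings.append(("node_os_documented", "unknown" not in skus, f"osSku={skus}"))

    # etcd secrets encryption with a customer-managed key in Key Vault (KMS).
    kms = bool(get(cluster, "securityProfile", "azureKeyVaultKms", "enabled"))
    findings.append(("kms_etcd_encryption", kms, f"azureKeyVaultKms.enabled={kms}"))

    # Least privilege: Kubernetes RBAC on, plus Azure RBAC for Kubernetes authorization
    # so that role assignments (dev vs. admin) are managed in Azure.
    k8s_rbac = bool(cluster.get("enableRbac"))
    azure_rbac = bool(get(cluster, "aadProfile", "enableAzureRbac"))
    findings.append(("rbac", k8s_rbac and azure_rbac,
                     f"enableRbac={k8s_rbac}, enableAzureRbac={azure_rbac}"))
    return findings


def failing_controls(cluster):
    """Names of the controls that did not pass, in check order."""
    return [name for name, ok, _ in check_cluster(cluster) if not ok]


if __name__ == "__main__":
    for name, ok, detail in check_cluster(SAMPLE_CLUSTER):
        print(f"{'PASS' if ok else 'FAIL'}  {name:22s} {detail}")
```

Run against a real cluster by piping `az aks show ... -o json` into `json.load` in place of the constructed sample; each FAIL line maps directly onto one of the review points above, which makes the script a convenient checklist for whatever the accelerator document ends up recommending.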
This PR has been superseded by #90 as per the following comment by @TLATER: #90 (comment)
It no doubt needs some work, so I'm opening for initial review.
I'm not sure what the CSP Access and Dependent Services security domains refer to (they were left blank in the Azure PostgreSQL Accelerator), so I've left them blank.
I also considered adding an Azure Storage Accelerator to move detail to and expand on relevant sections. I may create that and commit it later on.
I can reformat this into a table before merge.