RBAC fix, doc consistency, minor improvements. #311

Merged 36 commits on May 2, 2022. The file changes rendered below are from 21 of those 36 commits, so some hunks do not reflect the final merged state (see the commit list).

Commits (36)
c53b2e8  Allow communication with API server via udp/1194. (ulkeba, Apr 27, 2022)
1a1562f  Return IP address instead of res. ID (acc to doc) (ulkeba, Apr 27, 2022)
391a5e9  Minimal user feedback: echo variables to console. (ulkeba, Apr 28, 2022)
cdfa294  ifconfig.io to return IPv4 addr for access policy (ulkeba, Apr 28, 2022)
637567c  Notes for macOS users, having BSD sed. (ulkeba, Apr 28, 2022)
5849c9d  Improvement to comment. (ulkeba, Apr 28, 2022)
2f2b4fc  Comment out firewall rule, but add hints. (ulkeba, Apr 28, 2022)
595e634  Enable FW rule in bicep; remove warning. (ulkeba, Apr 28, 2022)
a124509  Merge branch 'mspnp:main' into main (ulkeba, Apr 30, 2022)
0031166  Update references to 'aks-baseline'. (ulkeba, Apr 30, 2022)
5138d15  Get current branch name and pass as parameter. (ulkeba, Apr 30, 2022)
9d10690  Pass domain name as parameter to curl container. (ulkeba, Apr 30, 2022)
2e1e913  Optimize docs for pre-existing AAD group. (ulkeba, Apr 30, 2022)
6dcfb06  Hint for single-tenant deployment. (ulkeba, May 1, 2022)
6c76074  Make namespace reader group optional. (ulkeba, May 1, 2022)
379460e  Fix: Print correct variable name. (ulkeba, May 1, 2022)
fba516b  Only stage intentionally changed file for commit. (ulkeba, May 1, 2022)
9234b57  FIx deployment failures on role lookup (ulkeba, May 1, 2022)
8705e9e  Add some clarification to docs. (ulkeba, May 1, 2022)
e5ef48a  Make saveenv.sh independent of current directory. (ulkeba, May 1, 2022)
25d2365  Append suffix to GITOPS variables... (ulkeba, May 2, 2022)
11214d2  export GITOPS variables. (ulkeba, May 2, 2022)
3f16ff8  Revert "FIx deployment failures on role lookup" (ulkeba, May 2, 2022)
150aed4  Merge remote-tracking branch 'mspnp/main' into main (ulkeba, May 2, 2022)
46297c8  Revert "Only stage intentionally changed file for commit." (ulkeba, May 2, 2022)
c45f9f9  GITOPS variables are just 'local'. (ulkeba, May 2, 2022)
27164ef  Update 01-prerequisites.md (ulkeba, May 2, 2022)
9aac22e  Update 03-aad.md (ulkeba, May 2, 2022)
ada0835  Update 03-aad.md (ulkeba, May 2, 2022)
f428e81  Update 03-aad.md (ulkeba, May 2, 2022)
0a0125f  Update 03-aad.md (ulkeba, May 2, 2022)
04bae04  Update 11-validation.md (ulkeba, May 2, 2022)
cbf6c2d  Update 03-aad.md (ulkeba, May 2, 2022)
881640b  Update 03-aad.md (ulkeba, May 2, 2022)
2563ded  GITOPS variables are just 'local'. (ulkeba, May 2, 2022)
9aa9eab  Merge remote-tracking branch 'fork/main' into main (ulkeba, May 2, 2022)
6 changes: 4 additions & 2 deletions 01-prerequisites.md
Expand Up @@ -53,9 +53,11 @@ This is the starting point for the instructions on deploying the [AKS Baseline r

> :twisted_rightwards_arrows: If you have forked this reference implementation repo, you'll be able to customize some of the files and commands for a more personalized and production-like experience; ensure references to this git repository mentioned throughout the walk-through are updated to use your own fork.

> :warning: Make sure you use https (and not ssh) to clone the repository. (The remote URL will later be used to configure GitOps using Flux which requires an https endpoint to work properly.)

```bash
git clone https://github.com/mspnp/aks-secure-baseline.git
cd aks-secure-baseline
git clone https://github.com/mspnp/aks-baseline.git
cd aks-baseline
```

> :bulb: The steps shown here and elsewhere in the reference implementation use Bash shell commands. On Windows, you can use the [Windows Subsystem for Linux](https://docs.microsoft.com/windows/wsl/about) to run Bash.
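Review bot: the new `:warning:` block says to clone over https "and not ssh" but does not say what breaks otherwise; the 06-aks-cluster.md hunk in this PR reads the URL straight out of `git config --get remote.origin.url` and passes it as `gitOpsBootstrappingRepoHttpsUrl`, so a `git@github.com:` remote would be handed to Flux unchanged and the bootstrap would fail later with no obvious link back to this step. Suggest stating that explicitly, e.g. "The remote URL of your clone is read later and passed to Flux, which cannot use an ssh remote here."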
225 changes: 118 additions & 107 deletions 03-aad.md

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion 04-networking.md
Expand Up @@ -94,7 +94,7 @@ The following two resource groups will be created and populated with networking

```bash
RESOURCEID_SUBNET_NODEPOOLS=$(az deployment group show -g rg-enterprise-networking-spokes -n spoke-BU0001A0008 --query properties.outputs.nodepoolSubnetResourceIds.value -o json)
echo RESOURCEID_VNET_HUB: $RESOURCEID_SUBNET_NODEPOOLS
echo RESOURCEID_SUBNET_NODEPOOLS: $RESOURCEID_SUBNET_NODEPOOLS

# [This takes about ten minutes to run.]
az deployment group create -g rg-enterprise-networking-hubs -f networking/hub-regionA.bicep -p location=eastus2 nodepoolSubnetResourceIds="${RESOURCEID_SUBNET_NODEPOOLS}"
3 changes: 2 additions & 1 deletion 05-bootstrap-prep.md
Expand Up @@ -79,7 +79,8 @@ We'll be bootstrapping this cluster with the Flux GitOps agent as installed as a
Now commit changes to repository.

```bash
git commit -a -m "Update image source to use my ACR instance instead of a public container registry."
git add ./cluster-manifests/cluster-baseline-settings/kured.yaml
git commit -m "Update image source to use my ACR instance instead of a public container registry."
git push
```
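Review bot: this hunk is undone later in the same PR: commit 46297c8 `Revert "Only stage intentionally changed file for commit."` appears in the commit list, so the merged 05-bootstrap-prep.md presumably still uses `git commit -a`. Staging only `./cluster-manifests/cluster-baseline-settings/kured.yaml` is the safer instruction, because anything else left modified in the working tree would otherwise be swept into a commit that Flux reconciles onto the cluster; please confirm the revert was intentional, and if the explicit `git add` was dropped only because of the path, fix the path rather than returning to `-a`.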

11 changes: 7 additions & 4 deletions 06-aks-cluster.md
Expand Up @@ -9,8 +9,11 @@ Now that your [ACR instance is deployed and ready to support cluster bootstrappi
> If you cloned this repo, then the value will be the original mspnp GitHub organization's repo, which will mean that your cluster will be bootstraped using public container images. If instead you forked this repo, then the GitOps repo will be your own repo, and your cluster will be bootstrapped using container images references based on the values in your repo's manifest files. On the prior instruction page you had the oppertunity to update those manifests to use your ACR instance. For guidance on using a private bootstrapping repo, see [Private bootstrapping repository](./cluster-manifests/README.md#private-bootstrapping-repository).

```bash
GITOPS_REPOURL=$(git config --get remote.origin.url)
echo GITOPS_REPOURL: $GITOPS_REPOURL
GITOPS_REPOURL_AKS_BASELINE=$(git config --get remote.origin.url)
echo GITOPS_REPOURL_AKS_BASELINE: $GITOPS_REPOURL_AKS_BASELINE

GITOPS_CURRENT_BRANCH_NAME_AKS_BASELINE=$(git branch --show-current)
echo GITOPS_CURRENT_BRANCH_NAME_AKS_BASELINE: $GITOPS_CURRENT_BRANCH_NAME_AKS_BASELINE
```

1. Deploy the cluster ARM template.
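Review bot: `git branch --show-current` needs git 2.22 or newer and prints nothing on a detached HEAD (for example after checking out a tag), so `GITOPS_CURRENT_BRANCH_NAME_AKS_BASELINE` can silently end up empty and be passed to the deployment below as an empty `gitOpsBootstrappingRepoBranch`; consider a guard such as `[ -n "$GITOPS_CURRENT_BRANCH_NAME_AKS_BASELINE" ] || echo "Detached HEAD: set GITOPS_CURRENT_BRANCH_NAME_AKS_BASELINE manually"`. Also, the `_AKS_BASELINE` suffix suggests these values are meant to be picked up by saveenv.sh, but that script filters `env | sed -n "s/\(.*_AKS_BASELINE=\)..."`, which only sees exported variables; as written (plain assignment, no `export`) they will not be saved, so either document that or export them. The context lines "bootstraped" and "oppertunity" could be corrected while this file is being touched.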
Expand All @@ -20,7 +23,7 @@ Now that your [ACR instance is deployed and ready to support cluster bootstrappi

```bash
# [This takes about 18 minutes.]
az deployment group create -g rg-bu0001a0008 -f cluster-stamp.bicep -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE} clusterAdminAadGroupObjectId=${AADOBJECTID_GROUP_CLUSTERADMIN_AKS_BASELINE} a0008NamespaceReaderAadGroupObjectId=${AADOBJECTID_GROUP_A0008_READER_AKS_BASELINE} k8sControlPlaneAuthorizationTenantId=${TENANTID_K8SRBAC_AKS_BASELINE} appGatewayListenerCertificate=${APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE} aksIngressControllerCertificate=${AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE} domainName=${DOMAIN_NAME_AKS_BASELINE} gitOpsBootstrappingRepoHttpsUrl=${GITOPS_REPOURL}
az deployment group create -g rg-bu0001a0008 -f cluster-stamp.bicep -p targetVnetResourceId=${RESOURCEID_VNET_CLUSTERSPOKE_AKS_BASELINE} clusterAdminAadGroupObjectId=${AADOBJECTID_GROUP_CLUSTERADMIN_AKS_BASELINE} a0008NamespaceReaderAadGroupObjectId=${AADOBJECTID_GROUP_A0008_READER_AKS_BASELINE} k8sControlPlaneAuthorizationTenantId=${TENANTID_K8SRBAC_AKS_BASELINE} appGatewayListenerCertificate=${APP_GATEWAY_LISTENER_CERTIFICATE_AKS_BASELINE} aksIngressControllerCertificate=${AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64_AKS_BASELINE} domainName=${DOMAIN_NAME_AKS_BASELINE} gitOpsBootstrappingRepoHttpsUrl=${GITOPS_REPOURL_AKS_BASELINE} gitOpsBootstrappingRepoBranch=${GITOPS_CURRENT_BRANCH_NAME_AKS_BASELINE}
```

> Alteratively, you could have updated the [`azuredeploy.parameters.prod.json`](./azuredeploy.parameters.prod.json) file and deployed as above, using `-p "@azuredeploy.parameters.prod.json"` instead of providing the individual key-value pairs.
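Review bot: cluster-stamp.bicep shows 9 additions and 9 deletions on this page and all 18 are visible in its three hunks below; none of them declares a `gitOpsBootstrappingRepoBranch` parameter. Unless the template already has that parameter, `az deployment group create` will reject the new `-p ... gitOpsBootstrappingRepoBranch=${GITOPS_CURRENT_BRANCH_NAME_AKS_BASELINE}` argument, so please confirm it exists and that `azuredeploy.parameters.prod.json` (referenced in the following line) carries it too. Minor: "Alteratively" in the context line should read "Alternatively".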
Expand Down Expand Up @@ -94,7 +97,7 @@ Now that your [ACR instance is deployed and ready to support cluster bootstrappi
sed "s#<azure-ad-aks-admin-group-object-id>#${AADOBJECTID_GROUP_CLUSTERADMIN_AKS_BASELINE}#g" | \
sed "s#<azure-ad-aks-a0008-group-object-id>#${AADOBJECTID_GROUP_A0008_READER_AKS_BASELINE}#g" | \
sed "s#<domain-name>#${DOMAIN_NAME_AKS_BASELINE}#g" | \
sed "s#<bootstrapping-repo-https-url>#${GITOPS_REPOURL}#g" \
sed "s#<bootstrapping-repo-https-url>#${GITOPS_REPOURL_AKS_BASELINE}#g" \
> .github/workflows/aks-deploy.yaml
```

2 changes: 1 addition & 1 deletion 09-secret-management-and-ingress-controller.md
Expand Up @@ -97,7 +97,7 @@ Previously you have configured [workload prerequisites](./08-workload-prerequisi
:warning: Deploying the traefik `traefik.yaml` file unmodified from this repo will be deploying your workload to take dependencies on a public container registry. This is generally okay for learning/testing, but not suitable for production. Before going to production, ensure _all_ image references are from _your_ container registry or another that you feel confident relying on.

```bash
kubectl create -f https://raw.githubusercontent.com/mspnp/aks-secure-baseline/main/workload/traefik.yaml
kubectl create -f https://raw.githubusercontent.com/mspnp/aks-baseline/main/workload/traefik.yaml
```

1. Wait for Traefik to be ready.
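Review bot: the renamed URL still applies `workload/traefik.yaml` from the upstream `mspnp/aks-baseline` `main` branch at run time, not from the reader's clone or fork. That contradicts the `:warning:` above about depending on a public container registry: a reader who did update the image references in their fork would still deploy the upstream manifest. Suggest `kubectl create -f ./workload/traefik.yaml` (the repository is already cloned in 01-prerequisites.md), which also makes the deployed manifest match what is committed and reviewable in the reader's own repo.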
3 changes: 1 addition & 2 deletions 10-workload.md
Expand Up @@ -46,10 +46,9 @@ The cluster now has an [Traefik configured with a TLS certificate](./08-secret-m
> You should expect a `403` HTTP response from your ingress controller if you attempt to connect to it _without_ going through the App Gateway. Likewise, if any workload other than the ingress controller attempts to reach the workload, the traffic will be denied via network policies.

```bash
kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}}]' --override-type json
kubectl run curl -n a0008 -i --tty --rm --image=mcr.microsoft.com/azure-cli --overrides='[{"op":"add","path":"/spec/containers/0/resources","value":{"limits":{"cpu":"200m","memory":"128Mi"}}}]' --override-type json --env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}"

# From within the open shell now running on a container inside your cluster
DOMAIN_NAME="contoso.com" # <-- Change to your custom domain value if a different one was used
curl -kI https://bu0001a0008-00.aks-ingress.$DOMAIN_NAME -w '%{remote_ip}\n'
exit
```
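Review bot: passing the domain with `--env="DOMAIN_NAME=${DOMAIN_NAME_AKS_BASELINE}"` is a good replacement for the hardcoded `contoso.com`, but note the quoting: if `DOMAIN_NAME_AKS_BASELINE` is unset in the reader's shell (for example after a new session without sourcing saveenv.sh), the container gets an empty `DOMAIN_NAME` and the `curl` below resolves `bu0001a0008-00.aks-ingress.` with a confusing error; a one-line check before `kubectl run` would make that failure obvious. The kept `curl -kI` disables certificate verification, which is acceptable here only because the context line states the expected `403` comes through the self-signed ingress cert; worth a short comment so readers do not carry `-k` into production checks.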
31 changes: 19 additions & 12 deletions 11-validation.md
Expand Up @@ -26,8 +26,12 @@ This section will help you to validate the workload is exposed correctly and res

1. Browse to the site (e.g. <https://bicycle.contoso.com>).

> :bulb: Remember to include the protocol prefix `https://` in the URL you type in the address bar of your browser.

> :bulb: A TLS warning will be present due to using a self-signed certificate. You can ignore it or import the self-signed cert (`appgw.pfx`) to your user's trusted root store.

Refresh the web page a couple of times and observe the value `Host name` displayed at the bottom of the page. As the Traefik Ingress Controller balances the requests between the two pods hosting the web page, the host name will change from one pod name to the other throughtout your queries.

## Validate reader access to the a0008 namespace. _Optional._

When setting up [Azure AD security groups](./03-aad.md) you created a group to be used as a "reader" for the namespace a0008. If you want to experience this RBAC example, you'll want to add a user to that group.
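Review bot: typo in the added paragraph, "throughtout your queries" should be "throughout your queries"; "observe the value `Host name`" reads better as "observe the `Host name` value". The new `:bulb:` about the `https://` prefix is useful since App Gateway here only listens for TLS.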
Expand All @@ -48,7 +52,11 @@ Your workload is placed behind a Web Application Firewall (WAF), which has rules

1. Browse to the site with the following appended to the URL: `?sql=DELETE%20FROM` (e.g. <https://bicycle.contoso.com/?sql=DELETE%20FROM>).
1. Observe that your request was blocked by Application Gateway's WAF rules and your workload never saw this potentially dangerous request.
1. Blocked requests (along with other gateway data) will be visible in the attached Log Analytics workspace. Execute the following query to show WAF logs, for example.
1. Blocked requests (along with other gateway data) will be visible in the attached Log Analytics workspace.

Browse to the Application Gateway in the resource group `rg-bu0001-a0008` and navigate to the _Logs_ blade. Execute the following query below to show WAF logs and see that the request was rejected due to a _SQL Injection Attack_ (field _Message_).

> :warning: Note that it may take a couple of minutes until the logs are transferred from the Application Gateway to the Log Analytics Workspace. So be a little patient if the query does not immediatly return results after sending the https request in the former step.

```
AzureDiagnostics
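Review bot: the added step names the resource group `rg-bu0001-a0008`, while every other occurrence in this file (and in 06-aks-cluster.md) uses `rg-bu0001a0008`; readers following the Portal path will not find the former. Also "Execute the following query below" is redundant (drop "below"), and "immediatly" should be "immediately". Splitting the old step 3 into the Portal navigation plus a latency warning is a good change, since a missing WAF log entry is most often ingestion delay rather than a rule that did not fire.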
Expand Down Expand Up @@ -77,15 +85,14 @@ Azure Monitor is configured to [scrape Prometheus metrics](https://docs.microsof
- [Traefik](./workload/traefik.yaml) (in the `a0008` namespace)
- [Kured](./cluster-baseline-settings/kured.yaml) (in the `cluster-baseline-settings` namespace)

:bulb: This reference implementation ships with two saved queries (_All collected Prometheus information_ and _Nodes reboot required by kured_) as an example of how you can write your own and manage them via ARM templates.

### Steps

1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
1. Select your Log Analytic Workspace resource.
1. Click _Saved Searches_.

:bulb: This reference implementation ships with some saved queries as an example of how you can write your own and manage them via ARM templates.

1. Type _Prometheus_ in the filter.
1. Select your Log Analytic Workspace resource and open the _Logs_ blade.
1. In the popup _Queries_ select _Legacy category_ in the drop down field in the upper left corner.
1. Select _Prometheus_ in the section list on the left.
1. You are able to select and execute the saved query over the scraped metrics.

## Validate Workload Logs
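Review bot: the product name is "Log Analytics workspace", not "Log Analytic Workspace", in both this hunk and the Workload Logs hunk below; since the saved queries are now found through _Logs_ > _Queries_ > _Legacy category_ > _Prometheus_, it would help to name the two saved queries in the steps as well (the `:bulb:` above already lists them), so readers can confirm they are looking at the right section.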
Expand All @@ -95,7 +102,7 @@ The example workload uses the standard dotnet logger interface, which are captur
### Steps

1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
1. Select your Log Analytic Workspace resource.
1. Select your Log Analytic Workspace resource and open the _Logs_ blade.
1. Execute the following query

```
Expand All @@ -121,13 +128,13 @@ Azure will generate alerts on the health of your cluster and adjacent resources.
An alert based on [Azure Monitor for containers information using a Kusto query](https://docs.microsoft.com/azure/azure-monitor/insights/container-insights-alerts) was configured in this reference implementation.

1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
1. Select _Alerts_, then _Manage Rule Alerts_.
1. There is an alert called "PodFailedScheduledQuery" that will be triggered based on the custom query response.
1. Select _Alerts_, then _Alert Rules_.
1. There is an alert titled "[your cluster name] Scheduled Query for Pod Failed Alert" that will be triggered based on the custom query response.

An [Azure Advisor Alert](https://docs.microsoft.com/azure/advisor/advisor-overview) was configured as well in this reference implementation.

1. In the Azure Portal, navigate to your AKS cluster resource group (`rg-bu0001a0008`).
1. Select _Alerts_, then _Manage Rule Alerts_.
1. Select _Alerts_, then _Alert Rules_.
1. There is an alert called "AllAzureAdvisorAlert" that will be triggered based on new Azure Advisor alerts.

A series of metric alerts were configured as well in this reference implementation.
Expand All @@ -151,7 +158,7 @@ If you configured your third-party images to be pulled from your Azure Container
| where OperationName == 'Pull'
```

1. You should see logs for CSI, kured, memcached, and traefik. You'll see multiple for some as the image was pulled to multiple nodes to satisfy ReplicaSet/DaemonSet placement.
1. You should see logs for kured. You'll see multiple for some as the image was pulled to multiple nodes to satisfy ReplicaSet/DaemonSet placement.

## Next step
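Review bot: with CSI, memcached and traefik removed from the list, "You'll see multiple for some" no longer has a referent; suggest "You should see pull logs for kured. You'll see multiple entries because the image was pulled to multiple nodes to satisfy DaemonSet placement." Narrowing the expectation to kured is consistent with the 05-bootstrap-prep.md hunk in this PR, which only re-points `kured.yaml` at the reader's ACR.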

4 changes: 2 additions & 2 deletions CONTRIBUTING.md
Expand Up @@ -43,13 +43,13 @@ If your issue appears to be a bug, and hasn't been reported, open a new issue. H
* **Related Issues** - has a similar issue been reported before?
* **Suggest a Fix** - if you can't fix the bug yourself, perhaps you can point to what might be causing the problem (line of code or commit)

You can file new issues by providing the above information at the corresponding repository's issues link: https://github.com/mspnp/aks-secure-baseline/issues/new].
You can file new issues by providing the above information at the corresponding repository's issues link: https://github.com/mspnp/aks-baseline/issues/new].

### <a name="submit-pr"></a> Submitting a Pull Request (PR)

Before you submit your Pull Request (PR) consider the following guidelines:

* Search the repository (<https://github.com/mspnp/aks-secure-baseline/pulls>) for an open or closed PR
* Search the repository (<https://github.com/mspnp/aks-baseline/pulls>) for an open or closed PR
that relates to your submission. You don't want to duplicate effort.

* Make your changes in a new git fork:
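Review bot: the renamed issues link still carries the stray closing bracket from the original, `https://github.com/mspnp/aks-baseline/issues/new].`; since this line is being edited anyway, drop the `]` so the URL renders and copies cleanly.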
18 changes: 9 additions & 9 deletions cluster-stamp.bicep
Expand Up @@ -63,9 +63,9 @@ var acrPullRole = '${subscription().id}/providers/Microsoft.Authorization/roleDe
var managedIdentityOperatorRole = '${subscription().id}/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830'
var keyVaultReader = '${subscription().id}/providers/Microsoft.Authorization/roleDefinitions/21090545-7ca7-4776-b22c-e363652d74d2'
var keyVaultSecretsUserRole = '${subscription().id}/providers/Microsoft.Authorization/roleDefinitions/4633458b-17de-408a-b874-0445c86b69e6'
var clusterAdminRole = '${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b'
var serviceClusterUserRole = '${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
var clusterReaderRole = '${subscription().subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f6c6a51-bcf8-42ba-9220-52d62157d7db'
var clusterAdminRoleId = 'b1ff04bb-8a4e-4dc4-8eb5-8693973ce19b'
var serviceClusterUserRoleId = '4abbcc35-e782-43d8-92c5-2d3f1bd2253f'
var clusterReaderRoleId = '7f6c6a51-bcf8-42ba-9220-52d62157d7db'
var subRgUniqueString = uniqueString('aks', subscription().subscriptionId, resourceGroup().id)

var clusterName = 'aks-${subRgUniqueString}'
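Review bot: this is the actual RBAC fix and it is correct: the removed lines built the role definition id from `subscription().subscriptionId` without the `/subscriptions/` prefix, unlike `acrPullRole` and friends above, which use `subscription().id`, so the three AKS role assignments referenced a malformed `roleDefinitionId`. Switching to bare GUIDs plus `subscriptionResourceId('Microsoft.Authorization/roleDefinitions', ...)` at the assignment sites is the idiomatic form. For consistency, consider converting the remaining `*Role` vars in this block the same way in a follow-up, and rename `keyVaultReader` to `keyVaultReaderRole` to match its neighbours.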
Expand Down Expand Up @@ -1458,7 +1458,7 @@ resource mcAadAdminGroupClusterAdminRole_roleAssignment 'Microsoft.Authorization
scope: mc
name: guid('aad-admin-group', mc.id, clusterAdminAadGroupObjectId)
properties: {
roleDefinitionId: clusterAdminRole
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', clusterAdminRoleId)
description: 'Members of this group are cluster admins of this cluster.'
principalId: clusterAdminAadGroupObjectId
principalType: 'Group'
Expand All @@ -1470,31 +1470,31 @@ resource mcAadAdminGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authori
scope: mc
name: guid('aad-admin-group-sc', mc.id, clusterAdminAadGroupObjectId)
properties: {
roleDefinitionId: serviceClusterUserRole
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', serviceClusterUserRoleId)
description: 'Members of this group are cluster users of this cluster.'
principalId: clusterAdminAadGroupObjectId
principalType: 'Group'
}
dependsOn: []
}

resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
resource maAadA0008ReaderGroupClusterReaderRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && !(empty(a0008NamespaceReaderAadGroupObjectId)) && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
scope: nsA0008
name: guid('aad-a0008-reader-group', mc.id, a0008NamespaceReaderAadGroupObjectId)
properties: {
roleDefinitionId: clusterReaderRole
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', clusterReaderRoleId)
principalId: a0008NamespaceReaderAadGroupObjectId
description: 'Members of this group are cluster admins of the a0008 namespace in this cluster.'
principalType: 'Group'
}
dependsOn: []
}

resource maAadA0008ReaderGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
resource maAadA0008ReaderGroupServiceClusterUserRole_roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = if (isUsingAzureRBACasKubernetesRBAC && !(empty(a0008NamespaceReaderAadGroupObjectId)) && (!(a0008NamespaceReaderAadGroupObjectId == clusterAdminAadGroupObjectId))) {
scope: mc
name: guid('aad-a0008-reader-group-sc', mc.id, a0008NamespaceReaderAadGroupObjectId)
properties: {
roleDefinitionId: serviceClusterUserRole
roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', serviceClusterUserRoleId)
principalId: a0008NamespaceReaderAadGroupObjectId
description: 'Members of this group are cluster users of this cluster.'
principalType: 'Group'
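Review bot: the new `!(empty(a0008NamespaceReaderAadGroupObjectId))` guard only works if the parameter's default is `''` (an unset string parameter fails the deployment before this condition is evaluated), so please confirm the `param` declaration was given that default alongside this change. Two points in the surrounding context while this resource is being touched: the description for the `clusterReaderRoleId` assignment reads "Members of this group are cluster admins of the a0008 namespace", which misdescribes a reader role and will mislead anyone auditing assignments in the Portal; and the `dependsOn: []` entries are no-ops that can be dropped.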
4 changes: 2 additions & 2 deletions inner-loop-scripts/shell/1-cluster-stamp.sh
Expand Up @@ -43,7 +43,7 @@ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-subj "/CN=*.aks-ingress.contoso.com/O=Contoso Aks Ingress"
AKS_INGRESS_CONTROLLER_CERTIFICATE_BASE64=$(cat traefik-ingress-internal-aks-ingress-tls.crt | base64 | tr -d '\n')

# WARNING: Below hasn't yet been updated for Azure Key Vault RBAC support that came in https://github.com/mspnp/aks-secure-baseline/releases/tag/v1.21.2.2
# WARNING: Below hasn't yet been updated for Azure Key Vault RBAC support that came in https://github.com/mspnp/aks-baseline/releases/tag/v1.21.2.2

# AKS Cluster Creation. Advance Networking. AAD identity integration. This might take about 10 minutes
# Note: By default, this deployment will allow unrestricted access to your cluster's API Server.
Expand Down Expand Up @@ -82,7 +82,7 @@ echo ""
echo "# Creating AAD Groups and users for the created cluster"
echo ""

# unset errexit as per https://github.com/mspnp/aks-secure-baseline/issues/69
# unset errexit as per https://github.com/mspnp/aks-baseline/issues/69
set +e
echo $'Ensure Flux has created the following namespace and then press Ctrl-C'
kubectl get ns a0008 --watch
6 changes: 4 additions & 2 deletions saveenv.sh
Expand Up @@ -4,10 +4,12 @@
# the page they are created on. Then a user can source this file to restore those environment
# variables if their shell session is reset for some reason.

cat > aks_baseline.env << EOF
DIR_NAME=$(dirname "$0")

cat > $DIR_NAME/aks_baseline.env << EOF
#!/bin/bash

$(env | sed -n "s/\(.*_AKS_BASELINE=\)\(.*\)/export \1'\2'/p" | sort)
EOF

cat aks_baseline.env
cat $DIR_NAME/aks_baseline.env
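Review bot: `$DIR_NAME` is unquoted in both `cat > $DIR_NAME/aks_baseline.env` and `cat $DIR_NAME/aks_baseline.env`, so a checkout path containing spaces breaks the redirect; use `"$DIR_NAME/aks_baseline.env"` in both places. Also note `dirname "$0"` only points at the script's directory when the script is executed; if a reader runs `source saveenv.sh` (the comment above says the generated file is meant to be sourced, which invites the same habit here), `$0` is the shell itself and the file lands in an unexpected directory. A short comment or a `${BASH_SOURCE[0]}` fallback would make the behaviour predictable.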