Awesome
<!-- BEGIN_TF_DOCS -->Kubespot (Azure)
<img src="http://assets.opszero.com/images/auditkube.png" width="200px" />Compliance Oriented Kubernetes Setup for AWS, Google Cloud and Microsoft Azure.
Kubespot is an open source terraform module that attempts to create a complete compliance-oriented Kubernetes setup on AWS, Google Cloud and Azure. These add additional security such as additional system logs, file system monitoring, hard disk encryption and access control. Further, we setup the managed Redis and SQL on each of the Cloud providers with limited access to the Kubernetes cluster so things are further locked down. All of this should lead to setting up a HIPAA / PCI / SOC2 being made straightforward and repeatable.
This covers how we setup your infrastructure on AWS, Google Cloud and Azure. These are the three Cloud Providers that we currently support to run Kubernetes. Further, we use the managed service provided by each of the Cloud Providers. This document covers everything related to how infrastructure is setup within each Cloud, how we create an isolated environment for Compliance and the commonalities between them.
Tools & Setup
brew install kubectl kubernetes-helm google-cloud-sdk terraform
Keys
How to get key for cluster creation (client id and secret)
- Sign in to Azure portal
- Navigate to the Azure Active Directory
- Select "App registrations"
- If there is application already use existing one or create new one as follows
- Click on the "New registration" button to create a new application registration
- select the appropriate supported account type (e.g., "Accounts in this organizational directory only")
- Click on the "Register" button to create the application.
- After application is created, Under "Certificates & secrets," click on the "New client secret" button to create a new client secret.
- Copy the client id and client secret and pass it to cluster creation opszero module
Deployment
terraform init
terraform plan
terraform apply -auto-approve
Teardown
terraform destroy -auto-approve
Providers
| Name | Version |
|---|---|
| <a name="provider_azuread"></a> azuread | n/a |
| <a name="provider_azurerm"></a> azurerm | n/a |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| <a name="input_ad_group_ids"></a> ad_group_ids | ActiveDirectory Groups that have access to this cluster | list | [] | no |
| <a name="input_ad_user_ids"></a> ad_user_ids | ActiveDirectory users that have access to the kubernetes admin group and attached to the cluster | list | [] | no |
| <a name="input_cidr"></a> cidr | The address space that is used the virtual network | string | "10.0.0.0" | no |
| <a name="input_client_id"></a> client_id | The Client ID which should be used when authenticating as a service principal | string | n/a | yes |
| <a name="input_client_secret"></a> client_secret | The application password to be used when authenticating using a client secret | string | n/a | yes |
| <a name="input_environment_name"></a> environment_name | Name of the environment to create resources | string | n/a | yes |
| <a name="input_mariadb_sql_enabled"></a> mariadb_sql_enabled | Specify whether the mariadb is enabled | bool | false | no |
| <a name="input_mariadb_sql_version"></a> mariadb_sql_version | Specify the version of MariaDB to use. Possible values are 10.2 and 10.3 | string | "10.2" | no |
| <a name="input_nodes_desired_capacity"></a> nodes_desired_capacity | The number of Amazon EC2 instances that should be running in the group | number | 1 | no |
| <a name="input_postgres_sql_enabled"></a> postgres_sql_enabled | Specify whether postgres sql is enabled | bool | false | no |
| <a name="input_postgres_sql_version"></a> postgres_sql_version | Specify the version of PostgreSQL to use. Valid values are 9.5, 9.6, 10, 10.0, and 11 | string | "11" | no |
| <a name="input_redis_capacity"></a> redis_capacity | The size of the Redis cache to deploy | number | 1 | no |
| <a name="input_redis_enabled"></a> redis_enabled | Specify whether the redis cluster is enabled | bool | false | no |
| <a name="input_redis_family"></a> redis_family | The SKU family/pricing group to use. Valid values are C (for Basic/Standard SKU family) and P (for Premium) | string | "C" | no |
| <a name="input_redis_shard_count"></a> redis_shard_count | Only available when using the Premium SKU The number of Shards to create on the Redis Cluster | number | 0 | no |
| <a name="input_redis_sku_name"></a> redis_sku_name | The SKU of Redis to use. Possible values are Basic, Standard and Premium | string | "Standard" | no |
| <a name="input_region"></a> region | The Azure Region where the Resource Group should exist. | string | "Central US" | no |
| <a name="input_registry_enabled"></a> registry_enabled | Specify whether the container registry is enabled | bool | false | no |
| <a name="input_sql_master_password"></a> sql_master_password | The Password associated with the administrator_login for the PostgreSQL/MariaDB Server | string | "" | no |
| <a name="input_sql_master_username"></a> sql_master_username | The Administrator login for the PostgreSQL/MariabDB Server | string | "" | no |
| <a name="input_sql_sku_name"></a> sql_sku_name | Specify the SKU Name for this PostgreSQL Server | string | "GP_Gen5_2" | no |
| <a name="input_sql_storage_in_mb"></a> sql_storage_in_mb | Max storage allowed for a MariaDB server | number | 10240 | no |
Resources
| Name | Type |
|---|---|
| azuread_group.cluster | resource |
| azurerm_container_registry.acr | resource |
| azurerm_kubernetes_cluster.cluster | resource |
| azurerm_mariadb_database.default | resource |
| azurerm_mariadb_server.default | resource |
| azurerm_mariadb_virtual_network_rule.default | resource |
| azurerm_postgresql_database.qa | resource |
| azurerm_postgresql_server.default | resource |
| azurerm_postgresql_virtual_network_rule.default | resource |
| azurerm_redis_cache.default | resource |
| azurerm_resource_group.cluster | resource |
| azurerm_route_table.cluster | resource |
| azurerm_subnet.cluster | resource |
| azurerm_subnet_route_table_association.cluster | resource |
| azurerm_virtual_network.cluster | resource |
Outputs
| Name | Description |
|---|---|
| <a name="output_subnet_id"></a> subnet_id | n/a |
🚀 Built by opsZero!
<a href="https://opszero.com"><img src="https://opszero.com/wp-content/uploads/2024/07/opsZero_logo_svg.svg" width="300px"/></a>
Since 2016 opsZero has been providing Kubernetes expertise to companies of all sizes on any Cloud. With a focus on AI and Compliance we can say we seen it all whether SOC2, HIPAA, PCI-DSS, ITAR, FedRAMP, CMMC we have you and your customers covered.
We provide support to organizations in the following ways:
- Modernize or Migrate to Kubernetes
- Cloud Infrastructure with Kubernetes on AWS, Azure, Google Cloud, or Bare Metal
- Building AI and Data Pipelines on Kubernetes
- Optimizing Existing Kubernetes Workloads
We do this with a high-touch support model where you:
- Get access to us on Slack, Microsoft Teams or Email
- Get 24/7 coverage of your infrastructure
- Get an accelerated migration to Kubernetes
Please schedule a call if you need support.
<br/><br/>
<div style="display: block"> <img src="https://opszero.com/wp-content/uploads/2024/07/aws-advanced.png" width="150px" /> <img src="https://opszero.com/wp-content/uploads/2024/07/AWS-public-sector.png" width="150px" /> <img src="https://opszero.com/wp-content/uploads/2024/07/AWS-eks.png" width="150px" /> </div> <!-- END_TF_DOCS -->