<!-- BEGIN_TF_DOCS -->

Kubespot (Azure)

<img src="http://assets.opszero.com/images/auditkube.png" width="200px" />

Compliance Oriented Kubernetes Setup for AWS, Google Cloud and Microsoft Azure.

Kubespot is an open source Terraform module that sets up a complete compliance-oriented Kubernetes environment on AWS, Google Cloud and Azure. On top of each provider's managed Kubernetes service it adds security controls such as additional system logs, file system monitoring, disk encryption and access control. Further, the managed Redis and SQL services on each cloud provider are set up with access limited to the Kubernetes cluster, so the data stores are locked down as well. All of this is meant to make a HIPAA / PCI / SOC2 setup straightforward and repeatable.

This covers how we set up your infrastructure on AWS, Google Cloud and Azure, the three cloud providers we currently support for running Kubernetes. On each of them we use the provider's managed Kubernetes service. This document covers how the infrastructure is set up within each cloud, how we create an isolated environment for compliance, and what the three setups have in common.

Tools & Setup

brew install kubectl kubernetes-helm google-cloud-sdk terraform

Keys

How to get the key for cluster creation (client ID and secret)

  1. Sign in to the Azure portal
  2. Navigate to Azure Active Directory
  3. Select "App registrations"
  4. If an application already exists, use the existing one; otherwise create a new one as follows
  5. Click the "New registration" button to create a new application registration
  6. Select the appropriate supported account type (e.g., "Accounts in this organizational directory only")
  7. Click the "Register" button to create the application
  8. After the application is created, under "Certificates & secrets" click the "New client secret" button to create a new client secret
  9. Copy the client ID and client secret and pass them to the opszero cluster creation module

Deployment

terraform init
terraform plan
terraform apply -auto-approve

Teardown

terraform destroy -auto-approve

Providers

| Name | Version |
|------|---------|
| <a name="provider_azuread"></a> [azuread](#provider_azuread) | n/a |
| <a name="provider_azurerm"></a> [azurerm](#provider_azurerm) | n/a |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_ad_group_ids"></a> [ad_group_ids](#input_ad_group_ids) | Active Directory groups that have access to this cluster | `list` | `[]` | no |
| <a name="input_ad_user_ids"></a> [ad_user_ids](#input_ad_user_ids) | Active Directory users that have access to the Kubernetes admin group and are attached to the cluster | `list` | `[]` | no |
| <a name="input_cidr"></a> [cidr](#input_cidr) | The address space that is used for the virtual network | `string` | `"10.0.0.0"` | no |
| <a name="input_client_id"></a> [client_id](#input_client_id) | The Client ID which should be used when authenticating as a service principal | `string` | n/a | yes |
| <a name="input_client_secret"></a> [client_secret](#input_client_secret) | The application password to be used when authenticating using a client secret | `string` | n/a | yes |
| <a name="input_environment_name"></a> [environment_name](#input_environment_name) | Name of the environment in which to create resources | `string` | n/a | yes |
| <a name="input_mariadb_sql_enabled"></a> [mariadb_sql_enabled](#input_mariadb_sql_enabled) | Specify whether MariaDB is enabled | `bool` | `false` | no |
| <a name="input_mariadb_sql_version"></a> [mariadb_sql_version](#input_mariadb_sql_version) | Specify the version of MariaDB to use. Possible values are 10.2 and 10.3 | `string` | `"10.2"` | no |
| <a name="input_nodes_desired_capacity"></a> [nodes_desired_capacity](#input_nodes_desired_capacity) | The number of Amazon EC2 instances that should be running in the group | `number` | `1` | no |
| <a name="input_postgres_sql_enabled"></a> [postgres_sql_enabled](#input_postgres_sql_enabled) | Specify whether PostgreSQL is enabled | `bool` | `false` | no |
| <a name="input_postgres_sql_version"></a> [postgres_sql_version](#input_postgres_sql_version) | Specify the version of PostgreSQL to use. Valid values are 9.5, 9.6, 10, 10.0, and 11 | `string` | `"11"` | no |
| <a name="input_redis_capacity"></a> [redis_capacity](#input_redis_capacity) | The size of the Redis cache to deploy | `number` | `1` | no |
| <a name="input_redis_enabled"></a> [redis_enabled](#input_redis_enabled) | Specify whether the Redis cluster is enabled | `bool` | `false` | no |
| <a name="input_redis_family"></a> [redis_family](#input_redis_family) | The SKU family/pricing group to use. Valid values are C (for the Basic/Standard SKU family) and P (for Premium) | `string` | `"C"` | no |
| <a name="input_redis_shard_count"></a> [redis_shard_count](#input_redis_shard_count) | Only available when using the Premium SKU. The number of shards to create on the Redis cluster | `number` | `0` | no |
| <a name="input_redis_sku_name"></a> [redis_sku_name](#input_redis_sku_name) | The SKU of Redis to use. Possible values are Basic, Standard and Premium | `string` | `"Standard"` | no |
| <a name="input_region"></a> [region](#input_region) | The Azure region where the resource group should exist | `string` | `"Central US"` | no |
| <a name="input_registry_enabled"></a> [registry_enabled](#input_registry_enabled) | Specify whether the container registry is enabled | `bool` | `false` | no |
| <a name="input_sql_master_password"></a> [sql_master_password](#input_sql_master_password) | The password associated with the administrator_login for the PostgreSQL/MariaDB server | `string` | `""` | no |
| <a name="input_sql_master_username"></a> [sql_master_username](#input_sql_master_username) | The administrator login for the PostgreSQL/MariaDB server | `string` | `""` | no |
| <a name="input_sql_sku_name"></a> [sql_sku_name](#input_sql_sku_name) | Specify the SKU name for this PostgreSQL server | `string` | `"GP_Gen5_2"` | no |
| <a name="input_sql_storage_in_mb"></a> [sql_storage_in_mb](#input_sql_storage_in_mb) | Max storage allowed for a MariaDB server | `number` | `10240` | no |
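The following root module is an added example, not part of the Kubespot module or the opszero repository. It wires the client ID and secret obtained in the "Keys" steps into the inputs documented in the table above, and is what `terraform init` / `plan` / `apply` in the "Deployment" section would be run against. The module `source` path, the environment name, the group object ID and the administrator username are assumptions; the two credentials are declared `sensitive` so they never appear in plan output and are supplied from the environment rather than committed to source.

```hcl
# Added example (not the module's own code): root configuration calling the
# Azure Kubespot module. Secrets come in as sensitive variables, never literals.

variable "client_id" {
  description = "Application (client) ID of the App registration created for the cluster"
  type        = string
}

variable "client_secret" {
  description = "Client secret from 'Certificates & secrets'; supply via TF_VAR_client_secret"
  type        = string
  sensitive   = true
}

variable "sql_master_password" {
  description = "Administrator password for the managed PostgreSQL server; supply via TF_VAR_sql_master_password"
  type        = string
  sensitive   = true
}

module "kubespot" {
  source = "./modules/kubespot-azure" # assumed local path to the module

  environment_name = "prod"       # assumed
  region           = "Central US" # matches the module default

  # Service principal used by the cluster (see the "Keys" steps)
  client_id     = var.client_id
  client_secret = var.client_secret

  # Azure AD principals allowed to administer the cluster (constructed placeholder ID)
  ad_group_ids = ["00000000-0000-0000-0000-000000000000"]
  ad_user_ids  = []

  nodes_desired_capacity = 3

  # Managed PostgreSQL; the module exposes it to the cluster through a VNet rule
  postgres_sql_enabled = true
  postgres_sql_version = "11"
  sql_sku_name         = "GP_Gen5_2"
  sql_storage_in_mb    = 10240
  sql_master_username  = "kubespotadmin" # assumed
  sql_master_password  = var.sql_master_password

  # Managed Redis on the Standard SKU (shard_count only applies to Premium)
  redis_enabled  = true
  redis_sku_name = "Standard"
  redis_family   = "C"
  redis_capacity = 1

  registry_enabled = true
}

# The only output the module documents
output "subnet_id" {
  value = module.kubespot.subnet_id
}
```

Export the secrets before running the deployment commands, for example `export TF_VAR_client_secret=...` and `export TF_VAR_sql_master_password=...`, so they are never written to a `.tfvars` file that could be committed. Marking a variable `sensitive` redacts it from `terraform plan` and `apply` output, but the value is still stored in the Terraform state, so the state backend needs the same access controls and encryption as the secrets themselves.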

Resources

| Name | Type |
|------|------|
| azuread_group.cluster | resource |
| azurerm_container_registry.acr | resource |
| azurerm_kubernetes_cluster.cluster | resource |
| azurerm_mariadb_database.default | resource |
| azurerm_mariadb_server.default | resource |
| azurerm_mariadb_virtual_network_rule.default | resource |
| azurerm_postgresql_database.qa | resource |
| azurerm_postgresql_server.default | resource |
| azurerm_postgresql_virtual_network_rule.default | resource |
| azurerm_redis_cache.default | resource |
| azurerm_resource_group.cluster | resource |
| azurerm_route_table.cluster | resource |
| azurerm_subnet.cluster | resource |
| azurerm_subnet_route_table_association.cluster | resource |
| azurerm_virtual_network.cluster | resource |

Outputs

| Name | Description |
|------|-------------|
| <a name="output_subnet_id"></a> [subnet_id](#output_subnet_id) | n/a |

🚀 Built by opsZero!

<a href="https://opszero.com"><img src="https://opszero.com/wp-content/uploads/2024/07/opsZero_logo_svg.svg" width="300px"/></a>

Since 2016 opsZero has been providing Kubernetes expertise to companies of all sizes on any cloud. With a focus on AI and compliance, we can say we have seen it all, whether SOC2, HIPAA, PCI-DSS, ITAR, FedRAMP or CMMC: we have you and your customers covered.

We provide support to organizations in the following ways:

We do this with a high-touch support model where you:

Please schedule a call if you need support.

<br/><br/>

<div style="display: block"> <img src="https://opszero.com/wp-content/uploads/2024/07/aws-advanced.png" width="150px" /> <img src="https://opszero.com/wp-content/uploads/2024/07/AWS-public-sector.png" width="150px" /> <img src="https://opszero.com/wp-content/uploads/2024/07/AWS-eks.png" width="150px" /> </div> <!-- END_TF_DOCS -->