Right after Kubernetes 1.21, the way Capabilities(7) worked in Kubernetes changed. At that version, a change in the upstream code enforced that Capabilities will only work when runAsUser is set to 0 - meaning root. This is somewhat counterintuitive to what most of us would expect but code goes into the reasoning and how to work with Capabilities after 1.21.
This is part one of a two part post on container image signing and runtime verification. In this post, we'll walk through the notation project and its ability to sign container images, using the Notary project specification. In the next post, we'll walk through setting up gatekeeper and ratify to perform policy based runtime verification of images.
NOTE: The manifest files used in this post can be found here
In the prior post, we ran through using the notation cli tool to sign images in Azure Container Registry. If you havent gone through that post, I recommend you start there at Part 1 - Image Signing with Notation
In this walkthrough we'll use the Gatekeeper project and AKS Policy to create a policy that resticts the host name on a Kubernetes Ingress. The host names used for validation will be provided via parameters on the Azure Policy assignment.
The following provides guidance on the minimum roles needed by an AKS user to get their credentials and interact with a namespace we'll create called 'sample-app'.
This walkthrough demonstates the setup of the new Azure App Gateway for Containers (hereafter AGC) managed ingress controller on a cluster configured with egress traffic forced to an Azure Firewall and with the cluster configured with outboundType Route Table.
Thanks to Daniel Neumann for the original article we used to get this started, which you can find here.
Thanks to Ray Kao for working out a bunch of bugs we hit and dropping some sweet PRs.
All of the Terraform files can be found here.
The following walkthrough shows how you can using Azure Workload Identity with the AKS Workload Identity add-on along with MSAL