Enforcing Security Policies on Azure Kubernetes Service for AI Deployments

Question

Pulumi · Accepted Answer

Enforcing security is paramount, especially when dealing with AI deployments where sensitive data might be involved. In Azure Kubernetes Service (AKS), security can be increased through several means, such as enabling Role-Based Access Control (RBAC), using Azure Active Directory for authentication, applying network policies, and integrating Azure Security Center for threat protection and compliance.

In Pulumi, creating an Azure Kubernetes Service (AKS) cluster with enhanced security features involves using the ManagedCluster class from the azure-native package. This entails setting properties on the ManagedCluster resource that enforce security, such as enabling RBAC and integrating Azure AD.

To ensure that your cluster is secure, you would typically follow steps such as these:

Create an Azure Active Directory service principal or use a user-assigned managed identity for the AKS cluster to interact with other Azure resources securely.
Enable RBAC on your AKS cluster to control access to the Kubernetes API.
Define your network policies to control incoming and outgoing traffic to pods within a Kubernetes cluster.

I'll provide you with a Python program that does just that—creates an AKS cluster with RBAC enabled and an Azure Active Directory integration. Here's a detailed breakdown of the steps involved:

Import the necessary Pulumi modules and create a resource group where our AKS will live.
Create an Active Directory application and service principal for AKS to use when interacting with Azure resources.
Define the managed cluster with an AAD profile for integration and enable RBAC.
Export the kubeconfig file so you can interact with your AKS cluster using kubectl.

Let's write the Pulumi program that sets up a secure AKS cluster:

import pulumi
import pulumi_azure_native as azure_native
import pulumi_azuread as azuread

# Create a new resource group
resource_group = azure_native.resources.ResourceGroup("resource_group")

# Create an Azure AD application for AKS
app = azuread.Application(
    "app",
    display_name="myapp"
)

# Create a service principal for the Azure AD application
sp = azuread.ServicePrincipal(
    "service_principal",
    application_id=app.application_id
)

# Create a service principal password
sp_password = azuread.ServicePrincipalPassword(
    "sp_password",
    service_principal_id=sp.id,
    value="my-super-strong-password",
    end_date="2099-01-01T00:00:00Z"  # Set to a value far in the future
)

# Define the AKS managed cluster with RBAC and AAD integration
managed_cluster = azure_native.containerservice.ManagedCluster(
    "managed_cluster",
    resource_group_name=resource_group.name,
    agent_pool_profiles=[{
        "count": 3,
        "max_pods": 110,
        "mode": "System",
        "name": "agentpool",
        "os_type": "Linux",
        "vm_size": "Standard_DS2_v2",
    }],
    dns_prefix="myaksdns",
    enable_rbac=True,
    kubernetes_version="1.18.14",
    linux_profile={
        "adminUsername": "adminuser",
        "ssh": {
            "publicKeys": [{
                "keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3b... user@azure",
            }],
        },
    },
    service_principal_profile={
        "clientId": app.application_id,
        "secret": sp_password.value,
    },
    identity={
        "type": "SystemAssigned",
    },
    # Enable Azure AD integration
    aad_profile={
        "managed": True,
        "enableAzureRBAC": True,
        "adminGroupObjectIDs": ["<AAD-Group-ID>"],  # Replace with your Azure AD group ID
    }
)

# Export the kubeconfig file
kubeconfig = pulumi.Output.secret(managed_cluster.kube_config_raw)

pulumi.export("kubeconfig", kubeconfig)

Please make sure to replace the <AAD-Group-ID> with your actual Azure Active Directory group ID and set your SSH public key. You'll also need to secure your Service Principal password properly, rather than hard-coding it as done in this example. This program is functional, but aspects such as secret management for the service principal password and SSH keys should be handled according to best security practices which could involve using a secret manager.

By applying and running the above Pulumi program with the Pulumi CLI, an AKS cluster with a strong security posture will be provisioned. You'll manage this cluster using the output kubeconfig file, which you'd use with kubectl to deploy your AI applications securely.