Securing Azure Kubernetes Service (AKS) Clusters for AI Workloads with Locks
Securing an Azure Kubernetes Service (AKS) cluster is crucial when deploying AI workloads, or any application, because of the sensitive nature of the data and the operations being performed. In Azure, you can add a layer of protection by applying management locks that prevent accidental deletion or modification of your AKS resources. In this Pulumi program, we'll set up an AKS cluster and apply a lock to secure it.
Pulumi allows us to define our infrastructure as code, meaning we can programmatically set up all necessary resources and configure their properties accordingly.
In this infrastructure, we will:
- Create a new AKS cluster.
- Apply a lock to the AKS cluster resource to prevent accidental deletion or modification.
We'll use the azure-native Pulumi provider to work with Azure resources. This provider uses the Azure Resource Manager (ARM) REST API directly and offers stronger types and more detailed and complete coverage of Azure services. Let's walk through the Pulumi program step by step:
```python
import pulumi
import pulumi_azure_native as azure_native
from pulumi_azure_native import authorization, containerservice

# Create a new resource group for the AKS cluster
resource_group = azure_native.resources.ResourceGroup('myResourceGroup')

# Use an existing VNet & subnet or create new ones. For brevity, the subnet's
# ARM resource ID is assumed to have been provided (placeholder value).
vnet_subnet_id = 'existing-vnet-subnet-id'

# Create an AKS cluster
aks_cluster = containerservice.ManagedCluster(
    resource_name='myAKSCluster',
    resource_group_name=resource_group.name,
    dns_prefix='myakscluster',
    identity=containerservice.ManagedClusterIdentityArgs(
        type='SystemAssigned',
    ),
    # A minimal system node pool. Detailed settings (Kubernetes version,
    # additional pools, Azure AD integration, etc.) are beyond the scope of
    # this basic setup. The subnet ID belongs on the agent pool profile,
    # not on the network profile.
    agent_pool_profiles=[
        containerservice.ManagedClusterAgentPoolProfileArgs(
            name='nodepool1',
            count=3,
            vm_size='Standard_DS2_v2',
            mode='System',
            os_type='Linux',
            vnet_subnet_id=vnet_subnet_id,
        ),
    ],
    network_profile=containerservice.ContainerServiceNetworkProfileArgs(
        network_plugin='azure',
        service_cidr='10.0.0.0/16',
        dns_service_ip='10.0.0.10',
        # docker_bridge_cidr (172.17.0.1/16 in the original listing) is
        # omitted: the setting has been removed from the AKS API.
    ),
)

# Apply a CanNotDelete lock to the AKS cluster
lock = authorization.ManagementLockByScope(
    'aksLock',
    scope=aks_cluster.id,
    level='CanNotDelete',
    # Locks can also carry notes and owners.
    notes='Prevent accidental deletion of the AKS Cluster',
)

# Export the AKS cluster's Kubernetes version and the ID of the lock
pulumi.export('aks_cluster_version', aks_cluster.kubernetes_version)
pulumi.export('lock_id', lock.id)
```
In this program, we define a resource group, which acts as a logical container for our resources, and then provision an AKS cluster inside it with a simple configuration. We also place a lock on the AKS cluster by using its unique resource ID as the lock scope and setting the lock level to "CanNotDelete". This prevents the cluster from being deleted (including by pulumi destroy) until the lock is removed; note that a CanNotDelete lock does not block updates, for which the "ReadOnly" level exists, and that a lock on the cluster resource only covers that resource and the scopes beneath it.
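To make the lock semantics concrete without an Azure subscription, here is an added illustration (not part of the original Pulumi program) that models the two lock levels used with ManagementLockByScope and the Azure rule that a lock applied at a parent scope (subscription or resource group) is inherited by every resource beneath it in the ARM hierarchy. The subscription ID, resource IDs and lock scopes are constructed sample values; the MC_ node resource group name follows the AKS naming pattern but is likewise made up.

```python
"""Evaluate which Azure management locks would deny a planned operation.

Added illustration, not part of the original Pulumi program. Lock coverage is
decided by comparing ARM resource ID path segments: a lock's scope must equal
the target's ID or be an ancestor of it. Segment comparison is case-insensitive,
as ARM treats resource IDs.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ManagementLock:
    scope: str   # ARM resource ID the lock is attached to
    level: str   # 'CanNotDelete' or 'ReadOnly'


# Operations each lock level denies. Reads are never denied by a lock.
BLOCKED_BY_LEVEL = {
    "CanNotDelete": {"delete"},
    "ReadOnly": {"delete", "write"},
}

# Constructed sample IDs (placeholder subscription, names from the article).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP_ID = f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/myResourceGroup"
CLUSTER_ID = (
    f"{RESOURCE_GROUP_ID}/providers/Microsoft.ContainerService/managedClusters/myAKSCluster"
)
# AKS places node infrastructure in a separate MC_ resource group (constructed name).
NODE_VMSS_ID = (
    f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/MC_myResourceGroup_myAKSCluster_eastus"
    "/providers/Microsoft.Compute/virtualMachineScaleSets/aks-nodepool1-vmss"
)


def _segments(resource_id: str) -> List[str]:
    """Split an ARM resource ID into lower-cased path segments."""
    return [s.lower() for s in resource_id.strip("/").split("/") if s]


def lock_covers(lock_scope: str, resource_id: str) -> bool:
    """True when the lock scope equals the resource ID or is an ancestor scope of it."""
    scope_parts = _segments(lock_scope)
    res_parts = _segments(resource_id)
    return res_parts[: len(scope_parts)] == scope_parts


def blocking_locks(locks: List[ManagementLock], resource_id: str, operation: str) -> List[ManagementLock]:
    """Return every lock that denies `operation` ('delete' or 'write') on `resource_id`."""
    if operation not in {"delete", "write"}:
        raise ValueError(f"unknown operation {operation!r}")
    return [
        lock
        for lock in locks
        if lock_covers(lock.scope, resource_id) and operation in BLOCKED_BY_LEVEL[lock.level]
    ]


def evaluate_article_lock() -> Dict[str, bool]:
    """Apply the article's CanNotDelete lock on the cluster and report what it denies."""
    locks = [ManagementLock(scope=CLUSTER_ID, level="CanNotDelete")]
    return {
        "cluster_delete_blocked": bool(blocking_locks(locks, CLUSTER_ID, "delete")),
        "cluster_write_blocked": bool(blocking_locks(locks, CLUSTER_ID, "write")),
        # A lock on the cluster resource does not reach the MC_ node resource group.
        "node_vmss_delete_blocked": bool(blocking_locks(locks, NODE_VMSS_ID, "delete")),
    }


if __name__ == "__main__":
    for check, blocked in evaluate_article_lock().items():
        print(f"{check}: {'blocked' if blocked else 'allowed'}")
    # A ReadOnly lock at resource-group scope is inherited by the cluster.
    rg_lock = [ManagementLock(scope=RESOURCE_GROUP_ID, level="ReadOnly")]
    print("cluster write under RG ReadOnly lock:",
          "blocked" if blocking_locks(rg_lock, CLUSTER_ID, "write") else "allowed")
```

The point the output makes is that the article's CanNotDelete lock stops deletion of the managed cluster object but neither blocks configuration changes nor covers the node resource group; a ReadOnly lock at a parent scope is inherited downwards and also denies writes, which is why it needs to be weighed against how the cluster is operated.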
Lastly, we output the Kubernetes version of the AKS cluster as well as the lock ID so that they can be easily accessed from the Pulumi service or CLI.
Please ensure you have the Azure CLI installed and configured for authentication, or use a service principal with the appropriate roles assigned. This program assumes that you've already set this up.