
Platform

The OSDU™ private instance solution implements industry-leading best practices for security and operational excellence on Azure Kubernetes Service (AKS). These practices are aligned with Microsoft's Secure Future Initiative and are designed to provide a robust, secure, and efficient platform while maintaining developer productivity.

Learning Opportunity

For more details on Microsoft's security focus, refer to the Microsoft Secure Future Initiative.

This solution implements comprehensive best practices across security controls and operational excellence. The implemented controls and features help ensure:

  • Strong security posture through infrastructure and application security controls
  • Operational efficiency through automation and DevOps practices
  • Reliable performance through proper scaling and maintenance procedures
  • Simplified maintenance through automated updates and proper backup strategies

Learning Opportunity

For more details on Microsoft's Cluster Best Practices, refer to the AKS Best Practices.

Security Controls

Infrastructure Security

  • Cluster Protection


    • Microsoft Defender for Containers

      Comprehensive security monitoring and protection for containerized assets including clusters, nodes, workloads, registries and images.

    • Kubernetes RBAC and Microsoft Entra ID

      Grant users, groups and service accounts only the permissions they need through Kubernetes Roles and ClusterRoles bound to Microsoft Entra ID users and groups, with Entra ID handling authentication and token issuance so that no cluster-local user credentials exist.

    • Node Resource Group Lockdown

      Prevent changes to the resources in the node resource group (the resource group AKS creates and manages for nodes, disks and load balancers) by applying the ReadOnly restriction level through the NRGLockdownPreview feature; AKS itself can still reconcile those resources, but users and automation with subscription-level rights cannot modify or delete them.

  • Node Security


    • Azure Linux

      Azure Linux Container Host is Microsoft's own container-optimized distribution for AKS (the successor to CBL-Mariner). Its minimal package set reduces the patch surface on every node and the images are built and signed by Microsoft.

    • Disable SSH Access

      Disable SSH access to nodes at both cluster and node pool level using the DisableSSHPreview feature, removing an interactive login path to the hosts; it can be re-enabled per node pool for a troubleshooting window and then switched off again.

  • Network Security


    • API VNet Integration

      API Server VNet Integration projects the Kubernetes API server endpoint into a delegated subnet of the VNet where AKS is deployed, so node-to-control-plane traffic stays on private IPs instead of traversing a tunnel to a public endpoint.

    • Private Cluster

      Enable private cluster mode so that the AKS API server has no public endpoint; it is reachable only from the VNet and from networks peered or VPN-connected to it, which removes the control plane from internet-exposed attack surface.

    • CNI Overlay

      Azure CNI Overlay assigns pod IPs from a private overlay CIDR that is separate from the VNet address space. Pods are not directly addressable from the VNet (pod traffic leaving the cluster is translated to the node IP), which gives a logical separation between the pod and node networks and keeps VNet IP consumption to one address per node.

    • NAT Gateway

      A managed NAT Gateway handles outbound SNAT through a stable set of public IPs, so nodes need no public IPs of their own and the cluster's egress can be allowlisted at external firewalls and partner endpoints.

    • Service Mesh

      Istio service mesh for service-to-service communication secured with mutual TLS, identity-based authorization between workloads, traffic management, and observability.
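The "Kubernetes RBAC and Microsoft Entra ID" and "Service Mesh" items above are easiest to check against a concrete manifest. The following namespace baseline is an added example, not part of the OSDU project's own deployment: a namespace-scoped Role bound to a Microsoft Entra ID group, a STRICT PeerAuthentication that rejects plaintext inside the namespace, and an AuthorizationPolicy that lets only one workload identity call the storage service. The namespace name `osdu`, the role and policy names, the `storage` and `osdu-app` workload names, and the group object ID placeholder are all assumptions.

```yaml
# Added example: least-privilege namespace baseline (not the project's own manifests).
# Assumptions: namespace "osdu", an Entra ID group whose object ID replaces the
# placeholder, a service account "osdu-app", and a workload labelled app=storage.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: osdu-deployer
  namespace: osdu
rules:
  # Deploy and roll back workloads, read pod status and logs; no secrets, no exec.
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: osdu-deployer
  namespace: osdu
subjects:
  # With AKS-managed Entra ID integration, group subjects are matched by the
  # group's object ID carried in the token's "groups" claim, not by display name.
  - kind: Group
    name: "<ENTRA_GROUP_OBJECT_ID>"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: osdu-deployer
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: osdu
spec:
  # Every sidecar in the namespace requires mTLS from its peers; plaintext is rejected.
  mtls:
    mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: storage-allow-osdu-app
  namespace: osdu
spec:
  selector:
    matchLabels:
      app: storage
  action: ALLOW
  rules:
    # Only the "osdu-app" service account (its SPIFFE ID from the mTLS certificate)
    # may call the storage workload.
    - from:
        - source:
            principals: ["cluster.local/ns/osdu/sa/osdu-app"]
```

Apply it with `kubectl apply -f`, then confirm the binding with impersonation, for example `kubectl auth can-i get secrets -n osdu --as=someone --as-group=<ENTRA_GROUP_OBJECT_ID>`, which should answer `no`. Two caveats worth knowing: once any ALLOW AuthorizationPolicy selects a workload, Istio denies every request to it that no ALLOW rule matches, so add rules for health checks and other legitimate callers before rolling it out; and STRICT mTLS only protects pods that actually have the sidecar, so check that the namespace is labelled for injection.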

Application Security

  • Container Security


    • Image Cleaner

      Automatic identification and removal of unused images to reduce vulnerability surface.

  • Pod Security


    • Workload Identity

      Enable pods to authenticate against Azure services with Microsoft Entra workload identities: a Kubernetes service account is federated to a user-assigned managed identity and the pod exchanges its projected, short-lived service account token for an Entra token, so no client secret or connection string is stored in the cluster.

    • Secrets Management

      Integrate Azure Key Vault with Secrets Store CSI Driver for secure runtime secrets management.

    • Policy Controls

      Enforce Kubernetes best practices through Azure Policy deployment safeguards, which reject (or, in warning mode, flag) manifests that violate the baseline, for example containers without resource limits, privileged pods, or images pulled with the latest tag.
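The "Workload Identity" and "Secrets Management" items above combine naturally, because the Key Vault provider for the Secrets Store CSI driver can authenticate with the pod's workload identity. The manifest below is an added example, not the project's own deployment, showing a service account federated to a user-assigned identity, a SecretProviderClass that reads one Key Vault secret with that identity, and a Deployment that mounts it as a file. The namespace `osdu`, the identity client ID and tenant ID placeholders, the vault name `kv-osdu-example`, the secret name `db-password`, and the container image are all assumptions; the federated credential on the identity (issuer = the cluster's OIDC issuer URL, subject `system:serviceaccount:osdu:osdu-app`) and the identity's Key Vault Secrets User role assignment are assumed to exist already.

```yaml
# Added example (not the project's own manifests): a pod that reads a Key Vault
# secret through the Secrets Store CSI driver using a workload identity.
# Assumptions: namespace "osdu"; a user-assigned identity whose client ID and
# tenant ID replace the placeholders; a federated credential on that identity for
# subject "system:serviceaccount:osdu:osdu-app"; vault "kv-osdu-example" holding
# a secret named "db-password" that the identity may read.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: osdu-app
  namespace: osdu
  annotations:
    # Ties this Kubernetes identity to the Entra user-assigned managed identity.
    azure.workload.identity/client-id: "<USER_ASSIGNED_CLIENT_ID>"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: osdu-kv-secrets
  namespace: osdu
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    clientID: "<USER_ASSIGNED_CLIENT_ID>"   # workload identity used to call Key Vault
    keyvaultName: "kv-osdu-example"
    tenantId: "<TENANT_ID>"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: osdu-app
  namespace: osdu
spec:
  replicas: 1
  selector:
    matchLabels:
      app: osdu-app
  template:
    metadata:
      labels:
        app: osdu-app
        # Tells the workload identity webhook to inject the projected SA token
        # and the AZURE_* environment variables into the pod.
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: osdu-app
      containers:
        - name: app
          image: mcr.microsoft.com/azurelinux/base/core:3.0   # assumed image
          # Verify the secret file exists and is non-empty without echoing it to logs.
          command: ["sh", "-c", "test -s /mnt/secrets/db-password && sleep 3600"]
          volumeMounts:
            - name: secrets-store
              mountPath: /mnt/secrets
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: osdu-kv-secrets
```

The secret reaches the container only as a read-only file on a tmpfs-backed CSI volume; nothing is written to a Kubernetes Secret object unless you opt in with `secretObjects`, so the value never lands in etcd. If the pod stays in `ContainerCreating`, `kubectl describe pod` on it shows the provider error, which is almost always a missing federated credential (check the issuer with `az aks show --query oidcIssuerProfile.issuerUrl`) or a missing role assignment on the vault.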

Operational Excellence

Automation & DevOps

  • Deployment & Operations


    • GitOps

      Declarative, Git-based deployment of infrastructure and applications, so every change to the cluster is a reviewed, auditable commit rather than an ad-hoc command.

    • Verified Modules

      Pre-validated infrastructure modules for consistent and secure deployments.

    • App Configuration

      Managed service for feature flags and configuration management.

Scalability & Performance

  • Performance & Scaling


    • Node Auto Provisioning

      Automatic node provisioning for optimal cluster sizing and cost efficiency.

    • KEDA

      Event-driven autoscaling for Kubernetes workloads.

    • Vertical Pod Autoscaler

      Automated CPU and memory request recommendations (and, optionally, in-place updates) for pods based on observed usage, so workloads are neither starved nor over-provisioned.
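The "KEDA" and "Vertical Pod Autoscaler" items above are shown together in the added example below, which is not part of the project's own deployment. It scales an ingest worker on Azure Service Bus queue depth, authenticating KEDA with workload identity rather than a stored connection string, and attaches a VPA in recommendation-only mode to the same Deployment. The namespace `osdu`, the Deployment name `osdu-ingest-worker`, the Service Bus namespace `sb-osdu-example` and queue `ingest-jobs`, and the scaling thresholds are assumptions; so is the prerequisite that the KEDA operator's own service account is federated to an identity with read access to the queue's metrics.

```yaml
# Added example (not the project's own manifests): event-driven scaling of an
# ingest worker on Service Bus queue depth, authenticated with workload identity,
# plus a VPA in recommendation-only mode for the same Deployment.
# Assumptions: namespace "osdu", Deployment "osdu-ingest-worker", Service Bus
# namespace "sb-osdu-example" with queue "ingest-jobs", and a KEDA operator whose
# service account is federated to an identity that can read queue metrics.
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: keda-workload-identity
  namespace: osdu
spec:
  podIdentity:
    # KEDA obtains an Entra token through the operator's workload identity;
    # no Service Bus connection string is stored in the cluster.
    provider: azure-workload
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: osdu-ingest-worker
  namespace: osdu
spec:
  scaleTargetRef:
    name: osdu-ingest-worker        # Deployment to scale
  minReplicaCount: 0                 # scale to zero when the queue is empty
  maxReplicaCount: 20
  pollingInterval: 30                # seconds between metric checks
  cooldownPeriod: 120                # seconds idle before scaling back to zero
  triggers:
    - type: azure-servicebus
      metadata:
        namespace: sb-osdu-example   # Service Bus namespace; required with pod identity
        queueName: ingest-jobs
        messageCount: "10"           # target messages per replica
      authenticationRef:
        name: keda-workload-identity
---
apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: osdu-ingest-worker
  namespace: osdu
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: osdu-ingest-worker
  updatePolicy:
    updateMode: "Off"   # recommend only; inspect status.recommendation before switching to Auto
  resourcePolicy:
    containerPolicies:
      - containerName: "*"
        minAllowed:
          cpu: 100m
          memory: 128Mi
        maxAllowed:
          cpu: "2"
          memory: 2Gi
```

Running KEDA and VPA on the same Deployment is safe here because KEDA scales on queue depth, not on CPU; combining VPA in `Auto` mode with a CPU-based HPA or trigger leads to the two controllers fighting. Start with `updateMode: "Off"`, read the recommendation with `kubectl describe vpa osdu-ingest-worker -n osdu`, and only then consider `Initial` or `Auto`. With `minReplicaCount: 0` the worker disappears entirely while the queue is empty, so make sure no other component depends on it being reachable.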

Maintenance & Updates

  • System Updates


    • Automatic Upgrades

      Stay current on new features and bug fixes with automated Kubernetes version upgrades.

    • Node OS Updates

      Linux nodes in AKS receive security patches from their distribution's update channel nightly. Patches that touch the kernel or core libraries take effect only after a reboot or reimage, so pair this with the node OS auto-upgrade channel so that patched nodes are actually cycled rather than left running old binaries.