At this point, you should have an AKS cluster fully deployed and the Red Dog application up and running in your subscription.
- The Azure Container Registry (ACR) resource should reside in your resource group and in the same Azure region as the AKS cluster
- If geo-replication is required, use the Premium SKU
- The managed identity for the AKS Kubelet should have pull access at a minimum to your ACR instance
- Automate image scanning to ensure any images created for the app are properly scanned for vulnerabilities
  - Multiple options for this scenario:
    - Microsoft Defender for Containers. https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-containers-enable
    - Qualys. https://www.qualys.com
    - Aqua Security. https://www.aquasec.com
    - Twistlock (Prisma)
    - Anchore. https://anchore.com
    - Grype (OSS). https://github.com/anchore/grype
    - Falco. https://falco.org
- Read the details on Private Endpoints with ACR. For this workshop, we will be setting up GitHub Actions, so this step should be skipped (for simplicity)
- Create an ACR resource
- Ensure that the managed identity for the AKS Kubelet (created earlier in the workshop) has access to pull images from the ACR: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication-managed-identity?tabs=azure-cli
- Manually push copies of the Red Dog services to your ACR (automation will be handled in a later module)
- Set up automated image scanning for the Red Dog container images using one of the following:
  - Microsoft Defender for Cloud. https://docs.microsoft.com/en-us/azure/container-registry/scan-images-defender
  - GitHub Action Scanning. https://docs.microsoft.com/en-us/azure/container-registry/github-action-scan
  - Use a custom tool such as:
    - Qualys
    - Anchore
  - For production, we recommend using an enterprise-grade tool such as Aqua Security or Prisma/Twistlock
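The tasks above, carried out with the Azure CLI, as an added example that is not part of the workshop's own material. It assumes `RG`, `AKS_NAME`, `ACR_NAME` and `LOCATION` are set in the environment, that the AKS cluster already exists, and that the image source reference is a placeholder you replace with the real Red Dog image path; Grype is used as the (OSS) scanner from the list.

```shell
#!/usr/bin/env bash
# Added example (not the workshop's code): ACR creation, Kubelet pull access,
# manual image import and an automated Grype scan for the Red Dog images.
# Assumes RG, AKS_NAME, ACR_NAME and LOCATION are exported; source image refs are placeholders.
set -eu

# Premium SKU is only required when geo-replication is needed; Standard otherwise.
acr_sku() { [ "${1:-false}" = "true" ] && echo Premium || echo Standard; }

# Full reference of one Red Dog service image inside your registry.
image_ref() { echo "${ACR_NAME}.azurecr.io/reddog/$1:${2:-latest}"; }

# Admin user stays disabled: every pull goes through the Kubelet managed identity.
create_acr() {
  az acr create -g "$RG" -n "$ACR_NAME" -l "$LOCATION" \
    --sku "$(acr_sku "${GEO_REPLICATE:-false}")" --admin-enabled false -o none
}

# Least privilege: AcrPull only, scoped to this single registry resource.
grant_kubelet_pull() {
  local kubelet_oid acr_id
  kubelet_oid=$(az aks show -g "$RG" -n "$AKS_NAME" \
    --query identityProfile.kubeletidentity.objectId -o tsv)
  acr_id=$(az acr show -g "$RG" -n "$ACR_NAME" --query id -o tsv)
  az role assignment create --assignee-object-id "$kubelet_oid" \
    --assignee-principal-type ServicePrincipal --role AcrPull --scope "$acr_id" -o none
}

# Manual one-off copy of an image into ACR (automated builds come in a later module).
# $1 = source image reference (placeholder), $2 = service name, $3 = tag.
import_image() {
  az acr import -n "$ACR_NAME" --source "$1" --image "reddog/$2:${3:-latest}"
}

# Scan the imported image with Grype and fail the step on High or Critical findings.
scan_image() { grype "$(image_ref "$1" "${2:-latest}")" --fail-on high; }

main() {
  create_acr
  grant_kubelet_pull
  import_image "ghcr.io/PLACEHOLDER/order-service:latest" order-service
  az acr login -n "$ACR_NAME"   # docker credentials so Grype can pull from ACR
  scan_image order-service
}
# Only runs the Azure steps when explicitly requested: RUN_ACR_SETUP=1 ./acr-setup.sh
if [ "${RUN_ACR_SETUP:-0}" = 1 ]; then main; fi
```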
Useful links: