MicrosoftDocs
diff --git a/‎articles/aks/concepts-security.md
Lines changed: 29 additions & 7 deletions b/‎articles/aks/concepts-security.md
Lines changed: 29 additions & 7 deletions
diff --git a/‎articles/azure-arc/data/create-data-controller-direct-cli.md
Lines changed: 43 additions & 39 deletions b/‎articles/azure-arc/data/create-data-controller-direct-cli.md
Lines changed: 43 additions & 39 deletions
@@ -2,34 +2,50 @@
 title: Concepts - Security in Azure Kubernetes Services (AKS)
 description: Learn about security in Azure Kubernetes Service (AKS), including master and node communication, network policies, and Kubernetes secrets.
 services: container-service
-author: georgewallace
+author: miwithro
 ms.topic: conceptual
-ms.date: 03/11/2021
-ms.author: gwallace
+ms.date: 11/11/2021
+ms.author: miwithro
 ---
 
 # Security concepts for applications and clusters in Azure Kubernetes Service (AKS)
 
-Cluster security protects your customer data as you run application workloads in Azure Kubernetes Service (AKS). 
+Container security protects the entire end-to-end pipeline from build to the application workloads running in Azure Kubernetes Service (AKS).
 
-Kubernetes includes security components, such as *network policies* and *Secrets*. Meanwhile, Azure includes components like network security groups and orchestrated cluster upgrades. AKS combines these security components to:
+The Secure Supply Chain includes the build environment and registry.
+
+Kubernetes includes security components, such as *pod security standards* and *Secrets*. Meanwhile, Azure includes components like Active Directory, Microsoft Defender for Cloud, Azure Policy, Azure Key Vault, network security groups and orchestrated cluster upgrades. AKS combines these security components to:
+* Provide a complete Authentication and Authorization story.
+* Leverage AKS Built-in Azure Policy to secure your applications.
+* End-to-End insight from build through your application with Microsoft Defender for Containers.
 * Keep your AKS cluster running the latest OS security updates and Kubernetes releases.
 * Provide secure pod traffic and access to sensitive credentials.
 
 This article introduces the core concepts that secure your applications in AKS:
 
 - [Security concepts for applications and clusters in Azure Kubernetes Service (AKS)](#security-concepts-for-applications-and-clusters-in-azure-kubernetes-service-aks)
-  - [Master security](#master-security)
+  - [Build security](#build-security)
+  - [Registry security](#registry-security)
+  - [Cluster security](#cluster-security)
   - [Node security](#node-security)
     - [Compute isolation](#compute-isolation)
   - [Cluster upgrades](#cluster-upgrades)
     - [Cordon and drain](#cordon-and-drain)
   - [Network security](#network-security)
     - [Azure network security groups](#azure-network-security-groups)
+  - [Application Security](#application-security)
   - [Kubernetes Secrets](#kubernetes-secrets)
   - [Next steps](#next-steps)
 
-## Master security
+## Build Security
+
+As the entry point for the Supply Chain it is important to conduct static analysis of image builds before they are promoted down the pipeline. This includes vulnerability and compliance assessment.  It is not about failing off a build because it has a high vulnerability, as that will break development, it is about looking at the "Vendor Status" to segment based on vulnerabilities that are actionable by the development teams.  Also leverage "Grace Periods" to allow developers time to remediate identified issues. 
+
+## Registry Security
+
+Assessing the vulnerability state of the image in the Registry will detect drift and will also catch images that didn't come from your build environment. Use [Notary V2](https://github.com/notaryproject/notaryproject) to attach signatures to your images to ensure deployments are coming from a trusted location.
+
+## Cluster security
 
 In AKS, the Kubernetes master components are part of the managed service provided, managed, and maintained by Microsoft. Each AKS cluster has its own single-tenanted, dedicated Kubernetes master to provide the API Server, Scheduler, etc.
 
@@ -112,6 +128,11 @@ If you provide your own subnet for your AKS cluster (whether using Azure CNI or
 
 To limit network traffic between pods in your cluster, AKS offers support for [Kubernetes network policies][network-policy]. With network policies, you can allow or deny specific network paths within the cluster based on namespaces and label selectors.
 
+## Application Security
+
+To protect pods running on AKS leverage [Azure Defender for Kubernetes][azure-defender-for-kubernetes] to detect and restrict cyber attacks against your applications running in your pods.  Run continual scanning to detect drift in the vulnerability state of your application and implement a "blue/green/canary" process to patch and replace the vulnerable images. 
+
+
 ## Kubernetes Secrets
 
 With a Kubernetes *Secret*, you inject sensitive data into pods, such as access credentials or keys. 
@@ -150,6 +171,7 @@ For more information on core Kubernetes and AKS concepts, see:
 [encryption-atrest]: ../security/fundamentals/encryption-atrest.md
 
 <!-- LINKS - Internal -->
+[azure-defender-for-kubernetes]: ../defender-for-cloud/container-security.md
 [aks-daemonsets]: concepts-clusters-workloads.md#daemonsets
 [aks-upgrade-cluster]: upgrade-cluster.md
 [aks-aad]: ./managed-aad.md
 
@@ -7,7 +7,7 @@ ms.reviewer: mikeray
 services: azure-arc
 ms.service: azure-arc
 ms.subservice: azure-arc-data
-ms.date: 11/03/2021
+ms.date: 11/12/2021
 ms.topic: overview
 ---
 
@@ -29,7 +29,7 @@ Creating an Azure Arc data controller in **direct** connectivity mode involves t
 > [!NOTE]
 > Currently, this step can only be performed from the portal. For details, see [Release notes](release-notes.md). 
 
-## Create an Azure Arc-enabled data services extension
+## Step 1: Create an Azure Arc-enabled data services extension
 
 Use the k8s-extension CLI to create a data services extension.
 
@@ -40,11 +40,15 @@ Set the following environment variables, which will be then used in next step.
 #### Linux
 
 ``` terminal
-# where you want the connected cluster resource to be created in Azure 
+## variables for Azure location, extension and namespace
 export subscription=<Your subscription ID>
 export resourceGroup=<Your resource group>
-export resourceName=<name of your connected kubernetes cluster>
+export clusterName=<name of your connected kubernetes cluster>
 export location=<Azure location>
+export adsExtensionName="ads-ext" 
+export namespace="arcds"
+
+## variables for Metrics and Monitoring dashboard credentials
 export AZDATA_LOGSUI_USERNAME=<username for Kibana dashboard>
 export AZDATA_LOGSUI_PASSWORD=<password for Kibana dashboard>
 export AZDATA_METRICSUI_USERNAME=<username for Grafana dashboard>
@@ -53,11 +57,15 @@ export AZDATA_METRICSUI_PASSWORD=<password for Grafana dashboard>
 
 #### Windows PowerShell
 ``` PowerShell
-# where you want the connected cluster resource to be created in Azure 
+## variables for Azure location, extension and namespace
 $ENV:subscription="<Your subscription ID>"
 $ENV:resourceGroup="<Your resource group>"
-$ENV:resourceName="<name of your connected kubernetes cluster>"
+$ENV:clusterName="<name of your connected kubernetes cluster>"
 $ENV:location="<Azure location>"
+$ENV:adsExtensionName="<name of Data controller extension" 
+$ENV:namespace="namespace where extension and data controller will be deployed"
+
+## variables for Metrics and Monitoring dashboard credentials
 $ENV:AZDATA_LOGSUI_USERNAME="<username for Kibana dashboard>"
 $ENV:AZDATA_LOGSUI_PASSWORD="<password for Kibana dashboard>"
 $ENV:AZDATA_METRICSUI_USERNAME="<username for Grafana dashboard>"
@@ -69,63 +77,62 @@ $ENV:AZDATA_METRICSUI_PASSWORD="<password for Grafana dashboard>"
 #### Linux
 
 ```bash
-az k8s-extension create -c ${resourceName} -g ${resourceGroup} --name ${ADSExtensionName} --cluster-type connectedClusters --extension-type microsoft.arcdataservices --auto-upgrade false --scope cluster --release-namespace arc --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper
+az k8s-extension create --cluster-name ${clusterName} --resource-group ${resourceGroup} --name ${adsExtensionName} --cluster-type connectedClusters --extension-type microsoft.arcdataservices --auto-upgrade false --scope cluster --release-namespace ${namespace} --config Microsoft.CustomLocation.ServiceAccount=sa-arc-bootstrapper
 
-az k8s-extension show -g ${resourceGroup} -c ${resourceName} --name ${ADSExtensionName} --cluster-type connectedclusters
+az k8s-extension show --resource-group ${resourceGroup} --cluster-name ${resourceName} --name ${adsExtensionName} --cluster-type connectedclusters
 ```
 
 #### Windows PowerShell
 ```PowerShell
-$ENV:ADSExtensionName="ads-extension"
 
-az k8s-extension create -c "$ENV:resourceName" -g "$ENV:resourceGroup" --name "$ENV:ADSExtensionName" --cluster-type connectedClusters --extension-type microsoft.arcdataservices --auto-upgrade false --scope cluster --release-namespace arc --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper
+az k8s-extension create --cluster-name $ENV:clusterName --resource-group $ENV:resourceGroup --name $ENV:adsExtensionName --cluster-type connectedClusters --extension-type microsoft.arcdataservices --auto-upgrade false --scope cluster --release-namespace $ENV:namespace --config Microsoft.CustomLocation.ServiceAccount=sa-arc-bootstrapper
 
-az k8s-extension show -g "$ENV:resourceGroup" -c "$ENV:resourceName" --name "$ENV:ADSExtensionName" --cluster-type connectedclusters
+az k8s-extension show --resource-group $ENV:resourceGroup --cluster-name $ENV:clusterName --name $ENV:adsExtensionName --cluster-type connectedclusters
 ```
 
 #### Deploy Azure Arc data services extension using private container registry and credentials
 
 Use the below command if you are deploying from your private repository:
 
 ```azurecli
-az k8s-extension create -c "<connected cluster name>" -g "<resource group>" --name "<extension name>" --cluster-type connectedClusters --extension-type microsoft.arcdataservices --scope cluster --release-namespace "<namespace>" --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper --config imageCredentials.registry=<registry info> --config imageCredentials.username=<username> --config systemDefaultValues.image=<registry/repo/arc-bootstrapper:<imagetag>> --config-protected imageCredentials.password=$ENV:DOCKER_PASSWORD --debug
+az k8s-extension create --cluster-name "<connected cluster name>" --resource-group "<resource group>" --name "<extension name>" --cluster-type connectedClusters --extension-type microsoft.arcdataservices --scope cluster --release-namespace "<namespace>" --config Microsoft.CustomLocation.ServiceAccount=sa-arc-bootstrapper --config imageCredentials.registry=<registry info> --config imageCredentials.username=<username> --config systemDefaultValues.image=<registry/repo/arc-bootstrapper:<imagetag>> --config-protected imageCredentials.password=$ENV:DOCKER_PASSWORD --debug
 ```
 
  For example
 ```azurecli
-az k8s-extension create -c "my-connected-cluster" -g "my-resource-group" --name "arc-data-services" --cluster-type connectedClusters --extension-type microsoft.arcdataservices --scope cluster --release-namespace "arc" --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper --config imageCredentials.registry=mcr.microsoft.com --config imageCredentials.username=arcuser --config systemDefaultValues.image=mcr.microsoft.com/arcdata/arc-bootstrapper:latest --config-protected imageCredentials.password=$ENV:DOCKER_PASSWORD --debug
+az k8s-extension create --cluster-name "my-connected-cluster" --resource-group "my-resource-group" --name "arc-data-services" --cluster-type connectedClusters --extension-type microsoft.arcdataservices --scope cluster --release-namespace "arc" --config Microsoft.CustomLocation.ServiceAccount=sa-bootstrapper --config imageCredentials.registry=mcr.microsoft.com --config imageCredentials.username=arcuser --config systemDefaultValues.image=mcr.microsoft.com/arcdata/arc-bootstrapper:latest --config-protected imageCredentials.password=$ENV:DOCKER_PASSWORD --debug
 ```
 
 
 > [!NOTE]
-> The Arc data services extension install can take a couple of minutes to finish.
+> The Arc data services extension install can take a few minutes to complete.
 
 ### Verify the Arc data services extension is created
 
-You can verify if  the Azure Arc-enabled data services extension is created either from the portal or by connecting directly to the Azure Arc-enabled Kubernetes cluster. 
+You can verify the status of the deployment of Azure Arc-enabled data services extension  either from the portal or by connecting directly to the Azure Arc-enabled Kubernetes cluster. 
 
-#### Azure portal
+#### Check status from Azure portal
 1. Log in to the Azure portal and browse to the resource group where the Kubernetes connected cluster resource is located.
 1. Select the Azure Arc-enabled kubernetes cluster (Type = "Kubernetes - Azure Arc") where the extension was deployed.
 1. In the navigation on the left side, under **Settings**, select **Extensions**.
 1. You should see the extension that was created earlier in an installed state.
 
 :::image type="content" source="media/deploy-data-controller-direct-mode-prerequisites/dc-extensions-dashboard.png" alt-text="Extensions dashboard":::
 
-#### kubectl CLI
+#### Check status using kubectl CLI
 
 1. Connect to your Kubernetes cluster via a Terminal window.
 1. Run the below command and ensure the (1) namespace mentioned above is created and (2) the `bootstrapper` pod is in 'running' state before proceeding to the next step.
 
 ``` console
-kubectl get pods -n <name of namespace used in the json template file above>
+kubectl get pods --name <name of namespace used in the json template file above>
 ```
 
 For example, the following example gets the pods from `arc` namespace.
 
 ```console
 #Example:
-kubectl get pods -n arc
+kubectl get pods --name arc
 ```
 
 ## Retrieve the managed identity and grant roles
@@ -150,7 +157,7 @@ az role assignment create --assignee $Env:MSI_OBJECT_ID --role "Monitoring Metri
 
 ```
 
-## Create a custom location using custom location CLI extension
+## Step 2: Create a custom location using ```customlocation``` CLI extension
 
 A custom location is an Azure resource that is equivalent to a namespace in a Kubernetes cluster.  Custom locations are used as a target to deploy resources to or from Azure. Learn more about custom locations in the [Custom locations on top of Azure Arc-enabled Kubernetes documentation](../kubernetes/conceptual-custom-locations.md).
 
@@ -160,24 +167,22 @@ A custom location is an Azure resource that is equivalent to a namespace in a Ku
 
 ```bash
 export clName=mycustomlocation
-export clNamespace=arc
-export hostClusterId=$(az connectedk8s show -g ${resourceGroup} -n ${resourceName} --query id -o tsv)
-export extensionId=$(az k8s-extension show -g ${resourceGroup} -c ${resourceName} --cluster-type connectedClusters --name ${ADSExtensionName} --query id -o tsv)
 
-az customlocation create -g ${resourceGroup} -n ${clName} --namespace ${clNamespace} \
-  --host-resource-id ${hostClusterId} \
-  --cluster-extension-ids ${extensionId} --location eastus
+export hostClusterId=$(az connectedk8s show --resource-group ${resourceGroup} --name ${clusterName} --query id -o tsv)
+export extensionId=$(az k8s-extension show --resource-group ${resourceGroup} --cluster-name ${clusterName} --cluster-type connectedClusters --name ${adsExtensionName} --query id -o tsv)
+
+az customlocation create --resource-group ${resourceGroup} --name ${clName} --namespace ${namespace} --host-resource-id ${hostClusterId} --cluster-extension-ids ${extensionId} --location ${location}
 ```
 
 #### Windows PowerShell
 ```PowerShell
 $ENV:clName="mycustomlocation"
-$ENV:clNamespace="arc"
 
-$ENV:hostClusterId=(az connectedk8s show -g $ENV:resourceGroup -n $ENV:resourceName --query id -o tsv)
-$ENV:extensionId=(az k8s-extension show -g $ENV:resourceGroup -c $ENV:resourceName --cluster-type connectedClusters --name $ENV:ADSExtensionName --query id -o tsv)
 
-az customlocation create -g $ENV:resourceGroup -n $ENV:clName --namespace $ENV:clNamespace --host-resource-id $ENV:hostClusterId --cluster-extension-ids $ENV:extensionId
+$ENV:hostClusterId=(az connectedk8s show --resource-group $ENV:resourceGroup --name $ENV:clusterName --query id -o tsv)
+$ENV:extensionId=(az k8s-extension show --resource-group $ENV:resourceGroup --cluster-name $ENV:clusterName --cluster-type connectedClusters --name $ENV:adsExtensionName --query id -o tsv)
+
+az customlocation create --resource-group $ENV:resourceGroup --name $ENV:clName --namespace $ENV:namespace --host-resource-id $ENV:hostClusterId --cluster-extension-ids $ENV:extensionId
 ```
 
 ## Validate  the custom location is created
@@ -188,31 +193,30 @@ From the terminal, run the below command to list the custom locations, and valid
 az customlocation list -o table
 ```
 
-## Create the Azure Arc data controller
+## Step 3: Create the Azure Arc data controller
 
 After the extension and custom location are created, proceed to deploy the Azure Arc data controller as follows.
 
 ```
-az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --profile-name <profile name>  --auto-upload-logs true --custom-location <name of custom location>
+az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --profile-name <profile name>  --auto-upload-logs true --auto-upload-metrics true --custom-location <name of custom location>
 # Example
-az arcdata dc create -n arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --profile-name azure-arc-aks-premium-storage  --auto-upload-logs true --custom-location mycustomlocation
+az arcdata dc create --name arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --profile-name azure-arc-aks-premium-storage  --auto-upload-logs true --auto-upload-metrics true --custom-location mycustomlocation
 ```
 
 If you want to create the Azure Arc data controller using a custom configuration template, follow the steps described in [Create custom configuration profile](create-custom-configuration-template.md) and provide the path to the file as follows:
 
 ```
-az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --path ./azure-arc-custom  --auto-upload-logs true --custom-location <name of custom location>
+az arcdata dc create --name <name> --resource-group <resourcegroup> --location <location> --connectivity-mode direct --path ./azure-arc-custom  --auto-upload-logs true --auto-upload-metrics true --custom-location <name of custom location>
 # Example
-az arcdata dc create --name arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --path ./azure-arc-custom  --auto-upload-logs true --custom-location mycustomlocation
+az arcdata dc create --name arc-dc1 --resource-group my-resource-group --location eastasia --connectivity-mode direct --path ./azure-arc-custom  --auto-upload-logs true --auto-upload-metrics true --custom-location mycustomlocation
 ```
 
+## Monitor the status of Azure Arc data controller deployment
 
-## Monitor the creation
-
-When the Azure portal deployment status shows the deployment was successful, you can check the status of the Arc data controller deployment on the cluster as follows:
+The deployment status of the Arc data controller on the cluster can be monitored as follows:
 
 ```console
-kubectl get datacontrollers -n arc
+kubectl get datacontrollers --name arc
 ```
 
 ## Next steps