AKS-Hybrid/concepts-security.md (2 additions & 3 deletions)
@@ -32,7 +32,7 @@ The following table describes the security-hardening aspects of AKS on Azure Sta
| 1 | Because the AKS host has access to all of the workload (target) clusters, this cluster can be a single point of compromise. However, access to the AKS host is carefully controlled as the management cluster's purpose is limited to provisioning workload clusters and collecting aggregated cluster metrics. |
| 2 | To reduce deployment cost and complexity, workload clusters share the underlying Windows Server. However, depending on the security needs, admins can choose to deploy a workload cluster on a dedicated Windows Server. When workload clusters share the underlying Windows Server, each cluster is deployed as a virtual machine, which ensures strong isolation guarantees between the workload clusters. |
| 3 | Customer workloads are deployed as containers and share the same virtual machine. The containers are process-isolated from one another, which is a weaker form of isolation compared to strong isolation guarantees offered by virtual machines. |
-
| 4 | Containers communicate with each other over an overlay network. Admins can configure Calico policies to define networking isolation rules between containers. [Calico](./calico-networking-policy.md) supports both Windows and Linux containers and is an open-source product that is supported as-is.|
+
| 4 | Containers communicate with each other over an overlay network. Admins can configure Calico policies to define networking isolation rules between containers. Calicopolicy support on AKS Arc is only for Linux containers, and is supported as-is. |
5 | Communication between built-in Kubernetes components of AKS on Azure Stack HCI, including communication between the API server and the container host, is encrypted via certificates. AKS offers an out-of-the-box certificate provisioning, renewal, and revocation for built-in certificates. |
6 | Communication with the API server from Windows client machines is secured using Microsoft Entra credentials for users. |
7 | For every release, Microsoft provides the VHDs for AKS VMs on Azure Stack HCI and applies the appropriate security patches when needed. |
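Review bot: The replacement row 4 has a typo ("Calicopolicy" should be "Calico policy") and it silently drops the link to ./calico-networking-policy.md that the removed line carried, so the hardening table no longer gives readers a path to the how-to. The larger gap is that the row now says Calico policy is Linux-only but leaves Windows containers with no statement at all, even though this page treats Windows workloads as first-class (row 2 describes the shared Windows Server host, and the features table below references gMSA for Windows workloads); since row 3 already concedes that containers are only process-isolated, the row should say plainly that pod-to-pod network isolation for Windows containers is not provided by Calico policy, or point to whatever does cover it. The "supported as-is" clause also lost the reason the old line gave (open-source product), so it now reads as an unexplained caveat. Suggest something like: `| 4 | ... Calico policy support on AKS Arc is available for Linux containers only; Windows containers are not covered. Calico is an open-source product and is supported as-is. See [Calico](./calico-networking-policy.md). |`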
@@ -61,12 +61,11 @@ This section describes the built-in security features that are currently availab
| Rotate encryption keys of the Kubernetes secret store (etcd) using the Key Management Server (KMS) plug-in. | Plug-in for integrating and orchestrating key rotation with specified KMS provider. To learn more, see [Encrypt etcd secrets](./encrypt-secrets.md). |
| Real-time threat monitoring for containers that supports workloads for both Windows and Linux containers. | Integration with Azure Defender for Kubernetes connected to Azure Arc, which is offered as a public preview feature until the GA release of Kubernetes threat detection for Kubernetes connected to Azure Arc. For more information, see [Defend Azure Arc enabled Kubernetes clusters](/azure/security-center/defender-for-kubernetes-azure-arc?tabs=k8s-deploy-asc%2ck8s-verify-asc%2ck8s-remove-arc). |
| Microsoft Entra identity for Windows workloads. | Use [gMSA integration for Windows workloads](./prepare-windows-nodes-gmsa.md) to configure the Microsoft Entra identity. |
-
| Support for Calico policies to secure traffic between pods |To use Calico policies, see [Secure traffic between pods using network policies](./calico-networking-policy.md). |
+
| Support for Calico policies to secure traffic between pods |Containers communicate with each other over an overlay network. Admins can configure Calico policies to define networking isolation rules between containers. Calico policy support on AKS Arc is only for Linux containers, and is supported as-is. |
## Next steps
In this topic, you learned about the concepts for securing AKS enabled by Azure Arc, and about securing applications on Kubernetes clusters.
-[Secure communication with certificates](./secure-communication.md)
-[Encrypt etcd secrets](./encrypt-secrets.md)
-
-[Secure traffic between pods using network policies](./calico-networking-policy.md)
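Review bot: The new features-table row copies the hardening table's row 4 wording verbatim ("Containers communicate with each other over an overlay network. Admins can configure Calico policies ..."), so the page now says the same two sentences twice, and the description column has stopped telling the reader how to use the feature: the old cell pointed to ./calico-networking-policy.md, and this same hunk also deletes that link from Next steps. This commit touches only concepts-security.md, so as far as this change goes calico-networking-policy.md still exists; either keep both links or retire the page in the same change so the repo stays consistent. Suggest keeping the how-to pointer and moving the constraint into the cell, e.g. `| Support for Calico policies to secure traffic between pods | Linux containers only; Calico is supported as-is. To use Calico policies, see [Secure traffic between pods using network policies](./calico-networking-policy.md). |`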