Merge pull request #18181 from richardtaylorrt/main

ttorble · web-flow · commit f427cd83d672 · 2025-07-15T09:46:04.000+01:00
Add the security book content to the docs for AKS Arc on Azure Local
diff --git a/AKS-Arc/TOC.yml b/AKS-Arc/TOC.yml
@@ -199,6 +199,21 @@
       href: connectivity-troubleshoot.md
     - name: Cluster status stuck during upgrade
       href: cluster-upgrade-status.md
+  - name: Security
+    items:  
+    - name: Security book - recommendations and best practices
+      href: /azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+      displayName: security, best practices, recommendations
+    - name: Securing your platform
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-platform?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your workloads
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-workloads?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your operations
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-operations?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your data
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-data?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your network
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-network?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
   - name: Reference
     items:
     - name: Azure CLI
diff --git a/AKS-Arc/azure-rbac-local.md b/AKS-Arc/azure-rbac-local.md
@@ -222,3 +222,4 @@ az role definition delete -n "AKS Arc Deployment Reader"
 - [Access and identity options](concepts-security-access-identity.md) for AKS enabled by Azure Arc
 - [Create an Azure service principal with Azure CLI](/cli/azure/azure-cli-sp-tutorial-1)
 - Available Azure permissions for [Hybrid + Multicloud](/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/concepts-security-access-identity.md b/AKS-Arc/concepts-security-access-identity.md
@@ -154,3 +154,4 @@ The following table contains a summary of how users can authenticate to Kubernet
 
 - To get started with Kubernetes RBAC for Kubernetes authorization, see [Control access using Microsoft Entra ID and Kubernetes RBAC](kubernetes-rbac-local.md)
 - To get started with Azure RBAC for Kubernetes authorization, see [Use Azure RBAC for Kubernetes Authorization](azure-rbac-local.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/configure-ssh-keys.md b/AKS-Arc/configure-ssh-keys.md
@@ -80,3 +80,4 @@ For information about error messages that can occur when you create and deploy a
 - [Connect to Windows or Linux worker nodes with SSH](ssh-connect-to-windows-and-linux-worker-nodes.md)
 - [Restrict SSH access to specific IP addresses](restrict-ssh-access.md)
 - [Get on-demand logs for troubleshooting](get-on-demand-logs.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/enable-authentication-microsoft-entra-id.md b/AKS-Arc/enable-authentication-microsoft-entra-id.md
@@ -75,3 +75,4 @@ Enable Microsoft Entra authentication on your existing Kubernetes cluster using
 - [Access and identity options for AKS enabled by Azure Arc](concepts-security-access-identity.md)
 - [Microsoft Entra integration with Kubernetes RBAC](kubernetes-rbac-local.md)
 - [Use Azure role-based access control (RBAC) for Kubernetes authorization](azure-rbac-local.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/encrypt-etcd-secrets.md b/AKS-Arc/encrypt-etcd-secrets.md
@@ -105,6 +105,7 @@ If you encounter any errors with the KMS plugin, follow the procedure on the [Tr
 
 ## Next steps
 
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
 - [Create Kubernetes clusters](aks-create-clusters-cli.md#deploy-the-application-and-load-balancer)
 - [Deploy a Linux application on a Kubernetes cluster](deploy-linux-application.md)
 
diff --git a/AKS-Arc/kubernetes-rbac-entra-id.md b/AKS-Arc/kubernetes-rbac-entra-id.md
@@ -236,3 +236,4 @@ Error from server (Forbidden): pods is forbidden: User cannot list resource "pod
 ## Next steps
 
 - [Learn more about security in AKS Arc on Windows Server](concepts-security.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/kubernetes-rbac-local.md b/AKS-Arc/kubernetes-rbac-local.md
@@ -250,3 +250,4 @@ Error from server (Forbidden): pods is forbidden: User cannot list resource "pod
 ## Next steps
 
 - [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/restrict-ssh-access.md b/AKS-Arc/restrict-ssh-access.md
@@ -42,3 +42,4 @@ This command does two things: it limits the scope of the command, and it also li
 
 - [Restrict SSH access (AKS on Azure Local 22H2)](restrict-ssh-access-22h2.md)
 - [AKS enabled by Arc overview](aks-overview.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/retrieve-admin-kubeconfig.md b/AKS-Arc/retrieve-admin-kubeconfig.md
@@ -19,3 +19,4 @@ ms.reviewer: leslielin
 ## Next steps
 
 - [Use Azure RBAC for Kubernetes authorization](azure-rbac-23h2.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/ssh-connect-to-windows-and-linux-worker-nodes.md b/AKS-Arc/ssh-connect-to-windows-and-linux-worker-nodes.md
@@ -78,3 +78,4 @@ If you encounter SSH login issues, verify that your IP address is included in th
 
 - [Use SSH keys to get on-demand logs for troubleshooting](get-on-demand-logs.md)
 - [Configure SSH keys for an AKS Arc cluster](configure-ssh-keys.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).
diff --git a/AKS-Arc/workload-identity.md b/AKS-Arc/workload-identity.md
@@ -351,3 +351,5 @@ az aksarc delete -n $aks_cluster_name -g $resource_group_name
 
 In this article, you deployed a Kubernetes cluster and configured it to use a workload identity in preparation for application workloads to
 authenticate with that credential. Now you're ready to deploy your application and configure it to use the workload identity with the latest version of the [Azure Identity client library](/azure/active-directory/develop/reference-v2-libraries).
+
+You can also help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).

Original file line number	Diff line number	Diff line change
`@@ -154,3 +154,4 @@ The following table contains a summary of how users can authenticate to Kubernet`
`154`	`154`
`155`	`155`	`- To get started with Kubernetes RBAC for Kubernetes authorization, see [Control access using Microsoft Entra ID and Kubernetes RBAC](kubernetes-rbac-local.md)`
`156`	`156`	`- To get started with Azure RBAC for Kubernetes authorization, see [Use Azure RBAC for Kubernetes Authorization](azure-rbac-local.md)`
	`157`	`+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).`
Original file line number	Diff line number	Diff line change
`@@ -236,3 +236,4 @@ Error from server (Forbidden): pods is forbidden: User cannot list resource "pod`
`236`	`236`	`## Next steps`
`237`	`237`
`238`	`238`	`- [Learn more about security in AKS Arc on Windows Server](concepts-security.md)`
	`239`	`+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).`
Original file line number	Diff line number	Diff line change
`@@ -250,3 +250,4 @@ Error from server (Forbidden): pods is forbidden: User cannot list resource "pod`
`250`	`250`	`## Next steps`
`251`	`251`
`252`	`252`	`- [Azure role-based access control (Azure RBAC)](/azure/role-based-access-control/overview)`
	`253`	`+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).`
Original file line number	Diff line number	Diff line change
`@@ -42,3 +42,4 @@ This command does two things: it limits the scope of the command, and it also li`
`42`	`42`
`43`	`43`	`- [Restrict SSH access (AKS on Azure Local 22H2)](restrict-ssh-access-22h2.md)`
`44`	`44`	`- [AKS enabled by Arc overview](aks-overview.md)`
	`45`	`+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).`
Original file line number	Diff line number	Diff line change
`@@ -19,3 +19,4 @@ ms.reviewer: leslielin`
`19`	`19`	`## Next steps`
`20`	`20`
`21`	`21`	`- [Use Azure RBAC for Kubernetes authorization](azure-rbac-23h2.md)`
	`22`	`+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).`