Provision Secure AKS cluster with GitOps and CAPI

AKS Attributes

It is convenient to define a cluster as a Flux HelmRelease that points to a Helm chart templating the CAPI/CAPZ custom resources a cluster needs (the Cluster, its managed control plane, the agent pools and so on; the CRDs themselves ship with the CAPI/CAPZ providers). The CAPI/CAPZ controllers reconcile those objects into a cluster in Azure. The HelmRelease also carries the values for the chart, such as the cluster name, resource group name, agent pool names and network plugin, so it is the natural place to pin the AKS attributes required by the Secure AKS baseline, with the whole definition version-controlled and reviewed like any other change in Git.
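The following is an added example, not a manifest from the original post or from the CAPI/CAPZ project, of what such a HelmRelease can look like. The chart path `./charts/aks-cluster`, the GitRepository `fleet-infra`, the namespace `capi-clusters` and the value names under `spec.values` are assumptions about a hypothetical chart; the settings under `controlPlane` use the field names of the CAPZ `AzureManagedControlPlane` spec so that the chart can pass them through unchanged.

```yaml
# Added example (not from the original post): one Flux HelmRelease that renders
# the CAPI/CAPZ custom resources for an AKS workload cluster. The chart,
# GitRepository, namespace and value names are assumptions; the fields under
# controlPlane mirror the CAPZ AzureManagedControlPlane spec.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: aks-prod-eastus
  namespace: capi-clusters        # the Cluster and AzureManaged* objects land here
spec:
  interval: 10m
  chart:
    spec:
      chart: ./charts/aks-cluster # hypothetical chart templating Cluster, AzureManagedCluster,
      sourceRef:                  # AzureManagedControlPlane, MachinePool, AzureManagedMachinePool
        kind: GitRepository
        name: fleet-infra
        namespace: flux-system
  values:
    clusterName: aks-prod-eastus
    resourceGroupName: rg-aks-prod-eastus
    location: eastus
    kubernetesVersion: v1.25.6
    # AKS attributes to lock down here rather than by hand in the portal.
    controlPlane:
      networkPlugin: azure          # Azure CNI, required for NetworkPolicy and pod identity
      networkPolicy: azure          # turn on enforcement of NetworkPolicy objects
      apiServerAccessProfile:
        enablePrivateCluster: true  # API server reachable only over the private endpoint
      aadProfile:
        managed: true               # AKS-managed Azure AD integration with Kubernetes RBAC
        adminGroupObjectIDs:
          - 00000000-0000-0000-0000-000000000000   # placeholder: your AAD admin group object ID
      addonProfiles:
        - name: azureKeyvaultSecretsProvider
          enabled: true             # Key Vault CSI secret provider as a managed add-on
    agentPools:
      - name: system
        mode: System                # system pool reserved for cluster-critical pods
        sku: Standard_D4s_v3
        replicas: 3
      - name: user
        mode: User                  # application workloads go here
        sku: Standard_D4s_v3
        replicas: 3
```

Because the HelmRelease lives in Git, a pull request that flips `enablePrivateCluster` to `false` or removes `networkPolicy` is visible in review, and drift introduced outside Git is reverted on the next Flux reconciliation. Keep the Azure AD group object ID and any subscription ID out of the chart defaults and pass them as values so the same chart can be reused across clusters.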

Infrastructure Workloads

As described in the previous post, a workload cluster is provisioned by the CAPI/CAPZ controllers running on a management cluster. Once the new cluster is up and running, the Flux controller on that same management cluster remotely installs the "Infrastructure Workloads" recommended by the Secure AKS baseline:

  • AAD Pod Managed Identity
  • Azure Key Vault CSI secret provider
  • Azure Monitor Prometheus Scraping
  • Kured
  • Ingress and Egress network policies
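The remote installation works because CAPI writes the kubeconfig of every workload cluster into a Secret named `<cluster-name>-kubeconfig` (data key `value`) in the namespace of the Cluster object, and Flux can reconcile a HelmRelease against another cluster through `spec.kubeConfig.secretRef`. Below is an added example, not code from the original post, that installs one of the listed workloads, Kured, this way. The cluster name `aks-prod-eastus`, the namespace `capi-clusters`, the Helm repository URL and the reboot-window values are assumptions.

```yaml
# Added example (not from the original post): deploy Kured onto the workload
# cluster from the management cluster. Flux authenticates to the remote cluster
# with the kubeconfig Secret that CAPI created. Names and the chart URL are assumed.
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: kured
  namespace: capi-clusters
spec:
  interval: 1h
  url: https://kubereboot.github.io/charts   # assumed location of the kured chart
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: aks-prod-eastus-kured
  namespace: capi-clusters        # must be the namespace that holds the kubeconfig Secret
spec:
  interval: 10m
  dependsOn:
    - name: aks-prod-eastus       # the HelmRelease that defines the cluster itself
  kubeConfig:
    secretRef:
      name: aks-prod-eastus-kubeconfig   # Secret written by CAPI for the Cluster
      key: value                         # CAPI stores the kubeconfig under this key
  targetNamespace: kube-system    # chart is installed on the REMOTE cluster, not here
  install:
    createNamespace: true
  chart:
    spec:
      chart: kured
      sourceRef:
        kind: HelmRepository
        name: kured
  values:
    configuration:                # assumed chart value names: restrict reboots to a window
      rebootDays: ["mo", "tu", "we", "th"]
      startTime: "2am"
      endTime: "5am"
      timeZone: "UTC"
```

Two caveats worth knowing. `dependsOn` only waits for the cluster HelmRelease to be applied, not for AKS to finish provisioning, so the first reconciliations fail with a missing Secret until CAPI has written the kubeconfig; Flux retries on its own interval, so no manual ordering is needed. Second, the kubeconfig Secret grants cluster-admin on the workload cluster, so RBAC on the management cluster should limit who can read Secrets in the `capi-clusters` namespace to the Flux and CAPI controllers.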
