WEBVTT

00:00:02.560 --> 00:00:06.760
Welcome to part two of Configure AKS

00:00:06.760 --> 00:00:11.840
Security. In this video, we are going to take a look at the following

00:00:11.840 --> 00:00:16.780
topics. We're going to start out talking about Kubernetes certificates

00:00:16.780 --> 00:00:23.400
and secrets. Then we're going to look at Azure Kubernetes Service security.

00:00:23.400 --> 00:00:27.820
And finally, in terms of topics, we'll take a look at Kubernetes networking.

00:00:27.820 --> 00:00:33.280
And then I'm going to demonstrate Kubernetes security as well as networking.

00:00:33.280 --> 00:00:36.800
Let's go ahead and let's jump right in.

00:00:36.800 --> 00:00:40.300
We're going to start talking about certificates and secrets.

00:00:40.300 --> 00:00:47.040
These are the way that you interact with Kubernetes and Kubernetes interacts

00:00:47.040 --> 00:00:49.640
with the environment.

00:00:49.640 --> 00:00:54.320
First of all, there are a number of certificates that are used by Kubernetes.

00:00:54.320 --> 00:00:59.620
When you create a cluster, there is a cluster certificate authority that

00:00:59.620 --> 00:01:01.300
is created on the API server.

00:01:01.300 --> 00:01:04.980
Now, if you're using Kubernetes, or Azure Kubernetes Service, of course,

00:01:04.980 --> 00:01:09.240
that's going to be managed by Azure.

00:01:09.240 --> 00:01:12.980
And then what happens is the kubelets, which are the actual processes

00:01:12.980 --> 00:01:18.320
that run on the nodes, they set up a certificate signing request from

00:01:18.320 --> 00:01:21.580
the cluster CA. Nice and simple.

00:01:21.580 --> 00:01:28.380
And then within each machine, you've got the etcd database, key value

00:01:28.380 --> 00:01:31.840
store, and it's going to store the cluster, or the certificate from the

00:01:31.840 --> 00:01:38.860
cluster CA. And also, you have a CA for data replication.

00:01:38.860 --> 00:01:43.760
Now the API aggregator, which should also be running on the master server

00:01:43.760 --> 00:01:50.980
within your Azure Kubernetes Service, certificates for API communication.

00:01:50.980 --> 00:01:56.380
The service account that is used to interact with Azure itself, you've

00:01:56.380 --> 00:02:00.280
got that token on each node, and there's a client certificate for authentication

00:02:00.280 --> 00:02:06.760
into the node. Now, secrets are things that you would use as part of your

00:02:06.760 --> 00:02:09.360
overall workload.

00:02:09.360 --> 00:02:14.460
So your pod needs to communicate with a database, needs to authenticate

00:02:14.460 --> 00:02:15.400
into that database.

00:02:15.400 --> 00:02:19.720
That's where you're going to see the actual secrets.

00:02:19.720 --> 00:02:25.360
Now, secrets, as I said, they're used for sensitive pod data.

00:02:25.360 --> 00:02:31.300
You can create them with the Kubernetes API, and they're stored in a temporary

00:02:31.300 --> 00:02:41.120
file server. Now, let's talk a little bit about some of the Kubernetes

00:02:41.120 --> 00:02:43.840
service. First of all, Security Center.

00:02:43.840 --> 00:02:51.100
Kubernetes integrates with Security Center, and it's pretty straightforward.

00:02:51.100 --> 00:02:56.720
You get recommendations from Security Center, and that's really what you

00:02:56.720 --> 00:03:01.160
have. I'm going to show you this, very cool capabilities.

00:03:01.160 --> 00:03:05.180
It's like any other compute, or really any other service, where Security

00:03:05.180 --> 00:03:11.720
Center really does become the center of, well, applying security.

00:03:11.720 --> 00:03:15.660
There's also, and this is one I think is really, really important, and

00:03:15.660 --> 00:03:17.500
that is restricted IPs.

00:03:17.500 --> 00:03:22.120
Not that Security Center isn't important, it is, but it also kind of comes

00:03:22.120 --> 00:03:25.740
standard, so you don't really have to do too much, other than know that

00:03:25.740 --> 00:03:28.320
it's there, and use it.

00:03:28.320 --> 00:03:34.020
But now, let's talk a moment about restricted IPs.

00:03:34.020 --> 00:03:39.340
Now, when we've got Kubernetes nodes, and we'll talk about this, our Kubernetes

00:03:39.340 --> 00:03:47.800
nodes are subject to standard network controls.

00:03:47.800 --> 00:03:49.440
You can actually set up NSGs.

00:03:49.440 --> 00:03:54.780
In fact, Kubernetes is going to manage NSGs for you for workloads, for

00:03:54.780 --> 00:04:03.340
pods, actually for services that you've got configured in your cluster.

00:04:03.340 --> 00:04:09.220
But the Kubernetes control plane is managed by Azure, right?

00:04:09.220 --> 00:04:15.600
So you don't have access to the networking for the control plane, because,

00:04:15.600 --> 00:04:19.320
well, it's all internal to Azure.

00:04:19.320 --> 00:04:24.780
So what you want to do is you want to put up a control here, and the way

00:04:24.780 --> 00:04:32.400
that you do that is by implementing restricted IPs.

00:04:32.400 --> 00:04:44.000
There is an Azure CLI command, az aks update, and you would fill it all

00:04:44.000 --> 00:04:49.700
out, and you would add any authorized IP ranges.

00:04:49.700 --> 00:04:55.060
Simple as that. And that's simple, but for me, that's huge.

00:04:55.060 --> 00:05:01.120
Very important, because you are protecting access to your cluster.

00:05:01.120 --> 00:05:09.140
If somebody gets the cluster administrator password somehow, if that gets

00:05:09.140 --> 00:05:15.720
compromised, then they've got your AKS unless you restrict access to it.

00:05:15.720 --> 00:05:16.860
So kind of think about this.

00:05:16.860 --> 00:05:20.700
For me, I think about this as defense in depth, and it really aligns with

00:05:20.700 --> 00:05:26.020
what goes on with service endpoints, which I'm also a very big fan of.

00:05:26.020 --> 00:05:33.540
All right. Now, the next thing I want to talk about is pod policy.

00:05:33.540 --> 00:05:38.320
Okay. Now pod policy is in preview as of June 2020.

00:05:38.320 --> 00:05:45.240
All right. And you can see the link to the article, the Microsoft Docs

00:05:45.240 --> 00:05:47.060
article on pod policy.

00:05:47.060 --> 00:05:54.460
You set up pod policy and it controls the types of pods that can be provisioned

00:05:54.460 --> 00:05:57.020
and the requirements for those pods.

00:05:57.020 --> 00:06:02.680
And I've got an example of a YAML, I'd say YAML content.

00:06:02.680 --> 00:06:08.060
And this is pretty much a wide open YAML content, YAML pod policy, excuse

00:06:08.060 --> 00:06:10.840
me. And again, you can look that up.

00:06:10.840 --> 00:06:12.000
I'm not going to go deep into it.

00:06:12.000 --> 00:06:17.600
It is in preview, but definitely if you're going to have a number of users

00:06:17.600 --> 00:06:23.220
that are adding pods or generating pods, you definitely want to take a

00:06:23.220 --> 00:06:27.620
look at controlling what the pods can do and allowing users to then have

00:06:27.620 --> 00:06:30.380
those policies assigned to them.

00:06:30.380 --> 00:06:35.220
Now, the other thing that we've got is Kubernetes networking.

00:06:35.220 --> 00:06:38.680
And what's pretty cool about Kubernetes is that Kubernetes is what I like

00:06:38.680 --> 00:06:41.480
to call a quasi platform as a service.

00:06:41.480 --> 00:06:44.480
You create it in a single step.

00:06:44.480 --> 00:06:49.900
All right. I just have my az aks create and set it up and do all that.

00:06:49.900 --> 00:06:51.840
And it's one step and everything gets created.

00:06:51.840 --> 00:06:57.360
But you still have really the infrastructure components and you have direct

00:06:57.360 --> 00:07:01.600
access to those except, of course, for the master server.

00:07:01.600 --> 00:07:04.320
Right. And that's being managed by Azure by definition.

00:07:04.320 --> 00:07:08.740
But in terms of your nodes, in terms of the networking for the nodes,

00:07:08.740 --> 00:07:09.980
that's all available to you.

00:07:09.980 --> 00:07:15.760
And what's really interesting is there's a pretty cool combination of AKS

00:07:15.760 --> 00:07:19.420
doing things automatically, but also you being able to go in there and

00:07:19.420 --> 00:07:21.400
really change as you know.

00:07:21.400 --> 00:07:22.660
And you need now you do want to be careful.

00:07:22.660 --> 00:07:24.140
Make sure you know what you're doing.

00:07:24.140 --> 00:07:26.640
If you go in and change some of the.

00:07:26.640 --> 00:07:32.000
Some of the infrastructure resources because you don't want to break your

00:07:32.000 --> 00:07:33.760
AKS, obviously. All right.

00:07:33.760 --> 00:07:34.440
But what do we have?

00:07:34.440 --> 00:07:35.780
Right. What do we have listed here?

00:07:35.780 --> 00:07:37.900
And we're kind of looking at some of these things right here and we'll

00:07:37.900 --> 00:07:38.920
just go through them.

00:07:38.920 --> 00:07:46.480
And really the fact that AKS is in a virtual network, it means that your

00:07:46.480 --> 00:07:48.800
NSGs and routing tables apply.

00:07:48.800 --> 00:07:54.620
And in fact, by default, the network is locked down.

00:07:54.620 --> 00:07:59.980
You can also actually deploy Kubernetes into an existing virtual network.

00:07:59.980 --> 00:08:02.560
You can also peer other virtual networks.

00:08:02.560 --> 00:08:05.140
So it is a virtual network.

00:08:05.140 --> 00:08:07.200
And I think that's pretty cool.

00:08:07.200 --> 00:08:12.180
All right. Now you've got private cluster capability.

00:08:12.180 --> 00:08:17.760
Meaning that you can just have it so it's it doesn't even ever put out

00:08:17.760 --> 00:08:20.480
public IPs. And we'll see that in a moment.

00:08:20.480 --> 00:08:23.640
You can also set up network policy.

00:08:23.640 --> 00:08:27.420
Now this is another form of policy within Kubernetes.

00:08:27.420 --> 00:08:33.940
And what this does is it defines ingress and egress controls for the cluster

00:08:33.940 --> 00:08:39.100
itself. Kubernetes is this cluster, but you want to get to the services

00:08:39.100 --> 00:08:41.060
within it. Right.

00:08:41.060 --> 00:08:42.200
Typically, I mean, not always.

00:08:42.200 --> 00:08:44.540
You may have just a background service that's just running.

00:08:44.540 --> 00:08:47.240
Right. But if you're providing something, let's say like a web app, then

00:08:47.240 --> 00:08:49.860
of course you won't use it to be able to get to that web app.

00:08:49.860 --> 00:08:53.480
Right. Well, setting up an ingress controller and setting up network policy

00:08:53.480 --> 00:08:57.040
are going to allow you to, well, control that.

00:08:57.040 --> 00:09:02.960
Now, as far as ingress control, ingress control is a standard capability

00:09:02.960 --> 00:09:05.320
within Kubernetes.

00:09:05.320 --> 00:09:07.220
Okay. And it's extendable.

00:09:07.220 --> 00:09:10.120
In other words, you can plug in different ingress controllers.

00:09:10.120 --> 00:09:14.620
Think of it at the most basic level as a load balancer.

00:09:14.620 --> 00:09:19.280
Right. Because that is actually the default ingress controller for AKS.

00:09:19.280 --> 00:09:25.640
Okay. Now another option for ingress control is HTTP application routing.

00:09:25.640 --> 00:09:35.720
What that does is it actually ties your AKS into an Azure DNS zone, public

00:09:35.720 --> 00:09:41.940
DNS zone. And so every time you provision a new set of pods, actually

00:09:41.940 --> 00:09:44.880
really every time you provision an application that's got some kind of

00:09:44.880 --> 00:09:50.420
external endpoint, right, that's actually automatically going to generate

00:09:50.420 --> 00:09:53.560
an entry into this DNS.

00:09:53.560 --> 00:09:54.720
And you can control that.

00:09:54.720 --> 00:09:55.780
And it's kind of interesting.

00:09:55.780 --> 00:10:00.980
However, it's generally recommended against in production, more for development

00:10:00.980 --> 00:10:03.900
and testing. Okay.

00:10:03.900 --> 00:10:16.260
Now let's take a look at a quick demonstration of Azure security and networking.

00:10:16.260 --> 00:10:17.900
Excuse me, Kubernetes security.

00:10:17.900 --> 00:10:20.200
It is in Azure, but it's Kubernetes specifically.

00:10:20.200 --> 00:10:25.560
What I want to do is I want to take us over to Security Center.

00:10:25.560 --> 00:10:30.340
Just take a quick look at what's in Security Center for Kubernetes.

00:10:30.340 --> 00:10:35.740
And then I want to take a look at networking, both how you can restrict

00:10:35.740 --> 00:10:40.620
networking, but also what happens with networking in that infrastructure

00:10:40.620 --> 00:10:45.540
layer when you start adding applications that have a public or at least

00:10:45.540 --> 00:10:47.000
an exposed endpoint.

00:10:47.000 --> 00:10:50.260
So let's go ahead and let's take a look.

00:10:50.260 --> 00:10:59.320
Okay. It's not quite in the right place.

00:10:59.320 --> 00:11:02.340
All right. Here I am and I didn't think about the order I was going to

00:11:02.340 --> 00:11:03.380
do this, which is fine.

00:11:03.380 --> 00:11:04.980
We'll come back to this in a second.

00:11:04.980 --> 00:11:08.320
I'm going to go to Security Center right off the bat.

00:11:08.320 --> 00:11:12.780
And I am, of course, going to ignore my security score.

00:11:12.780 --> 00:11:15.400
Eventually I'll get that up much better.

00:11:15.400 --> 00:11:18.300
And I'm going to go to compute and apps.

00:11:18.300 --> 00:11:21.620
I'm actually going to pop over to container services.

00:11:21.620 --> 00:11:25.460
All right. And what you'll see with container services is that I've got

00:11:25.460 --> 00:11:28.100
this container service here.

00:11:28.100 --> 00:11:33.240
And it's telling me that I am missing one of four recommendations.

00:11:33.240 --> 00:11:39.700
So if I go in there, okay, now it's telling me that pod security policies

00:11:39.700 --> 00:11:43.400
should be defined on Kubernetes services.

00:11:43.400 --> 00:11:48.040
And if I click down into that, it'll tell me, okay, what's the threat,

00:11:48.040 --> 00:11:53.880
elevation of privilege, what's my remediation, manual remediation.

00:11:53.880 --> 00:11:57.020
All right. And so then I can click that and that's going to take me over

00:11:57.020 --> 00:12:01.260
to documentation on how to set up pod security, which again is going to

00:12:01.260 --> 00:12:06.480
keep someone from escalating their privileges with, by being able to create

00:12:06.480 --> 00:12:08.980
pods that maybe have more rights than they do.

00:12:08.980 --> 00:12:14.000
All right. Now, if I look at past assessments, so I've got authorized

00:12:14.000 --> 00:12:17.820
IP ranges should be defined on Kubernetes service.

00:12:17.820 --> 00:12:24.520
Kubernetes service should be upgraded to a non-vulnerable Kubernetes version

00:12:24.520 --> 00:12:29.520
and role-based access control should be used on Kubernetes service.

00:12:29.520 --> 00:12:36.880
Now, both of the last two are really things that I did just as part of

00:12:36.880 --> 00:12:38.960
setting up the way I set up Kubernetes.

00:12:38.960 --> 00:12:42.700
Okay. Now, the authorized IP range is I actually had to fix that.

00:12:42.700 --> 00:12:46.300
And let's see if I can pull that up without.

00:12:46.300 --> 00:12:56.240
Nope. Nope. There's a lot going on here.

00:12:56.240 --> 00:13:00.620
Oh, you know what?

00:13:00.620 --> 00:13:04.980
I won't even try that.

00:13:04.980 --> 00:13:07.240
If we go over, because I can just get over there pretty easily.

00:13:07.240 --> 00:13:19.180
If I go there, remediation, and this is just what I used anyways, and it's

00:13:19.180 --> 00:13:21.880
on the update. There we go.

00:13:21.880 --> 00:13:24.540
You can see this here.

00:13:24.540 --> 00:13:32.560
I just ran an az aks update, and I added API server authorized IP ranges,

00:13:32.560 --> 00:13:41.680
and I put in the IPs that I want to allow access to the underlying cluster.

00:13:41.680 --> 00:13:43.480
Huge capability.

00:13:43.480 --> 00:13:48.500
Very important. So it's Security Center, pretty straightforward.

00:13:48.500 --> 00:13:52.500
Okay. Now, what I want to do is let's go to my resource group.

00:13:52.500 --> 00:13:56.300
Now, you would think I created a resource group, demo K8S.

00:13:56.300 --> 00:13:57.840
I'm going to go in there to do everything.

00:13:57.840 --> 00:14:07.060
Absolutely not. Which allows me to do some things like scale.

00:14:07.060 --> 00:14:08.920
Look at my node pools.

00:14:08.920 --> 00:14:11.400
Do a little bit of network configuration.

00:14:11.400 --> 00:14:15.140
Okay. Really, if I just want HTTP application routing, but there's not

00:14:15.140 --> 00:14:17.060
that much that I can do there.

00:14:17.060 --> 00:14:27.320
Instead, when you provision an Azure Kubernetes Service, you get a second

00:14:27.320 --> 00:14:30.460
resource group. Okay.

00:14:30.460 --> 00:14:32.880
And so here's my resource group.

00:14:32.880 --> 00:14:35.880
Notice that I've got a network security group.

00:14:35.880 --> 00:14:39.180
Yeah, I've got a route table.

00:14:39.180 --> 00:14:40.940
I've got a virtual machine scale set.

00:14:40.940 --> 00:14:42.060
Those are my nodes.

00:14:42.060 --> 00:14:43.660
The actual virtual network.

00:14:43.660 --> 00:14:45.760
A public IP address.

00:14:45.760 --> 00:14:49.880
Load balancer. And another public IP address.

00:14:49.880 --> 00:14:55.560
Okay. Cool. Now, what I want to do is if I have, for example, going here

00:14:55.560 --> 00:15:01.760
to AKS VNet, and I use my favorite tool in the world, which is the dias.

00:15:01.760 --> 00:15:02.680
And I use my diagram.

00:15:02.680 --> 00:15:06.360
Okay. Here's my diagram.

00:15:06.360 --> 00:15:14.060
And you can see, okay, I've got my subnet.

00:15:14.060 --> 00:15:18.080
I've got my NSG associated with the subnet.

00:15:18.080 --> 00:15:20.700
I've got some route tables associated with the subnet.

00:15:20.700 --> 00:15:28.060
I've got the network interface that is managed for the node pool.

00:15:28.060 --> 00:15:36.340
And right now the node pool has one instance, instance in zero.

00:15:36.340 --> 00:15:45.340
And I've got my, these are actually my NSGs.

00:15:45.340 --> 00:15:47.840
Okay. And then I've got Kubernetes.

00:15:47.840 --> 00:15:49.700
That's my router.

00:15:49.700 --> 00:15:52.920
A couple of endpoints.

00:15:52.920 --> 00:15:59.760
All right. Now, let's take a look at my route table.

00:15:59.760 --> 00:16:10.080
Okay. So here I've got, you can see here one route and one subnet.

00:16:10.080 --> 00:16:13.720
Well, I don't want to delete.

00:16:13.720 --> 00:16:16.360
All right. So this is saying, okay, if it's going to 10 dot two four four

00:16:16.360 --> 00:16:18.420
dot one dot zero, 24.

00:16:18.420 --> 00:16:22.520
So anything under 10 dot two four four dot one, it's going to go to 10

00:16:22.520 --> 00:16:23.140
dot two four dot one.

00:16:23.140 --> 00:16:24.720
And then it's going to go to 30 dot zero dot four.

00:16:24.720 --> 00:16:26.780
Okay. So I was going to get it out of there.

00:16:26.780 --> 00:16:29.520
And then that's going to apply to the subnet.

00:16:29.520 --> 00:16:34.140
And that is where my virtual machine scale set is.

00:16:34.140 --> 00:16:35.640
That's not terribly exciting.

00:16:35.640 --> 00:16:38.840
What I think is more interesting and will become more interesting as we

00:16:38.840 --> 00:16:40.520
go are these two things.

00:16:40.520 --> 00:16:42.360
All right. Right now.

00:16:42.360 --> 00:16:45.420
This is my network security group.

00:16:45.420 --> 00:16:49.860
And it's a standard network security group except for this item right

00:16:49.860 --> 00:16:52.840
here with a priority of 500.

00:16:52.840 --> 00:16:58.840
And it's going out to our, it's coming in from the Internet to a specific

00:16:58.840 --> 00:17:02.380
destination IP address.

00:17:02.380 --> 00:17:06.860
Interesting. All right.

00:17:06.860 --> 00:17:10.780
And that'll be interesting in a, hopefully more interesting in just a moment.

00:17:10.780 --> 00:17:15.720
All right. And if I go to my load balancer, I'm going to load balancing

00:17:15.720 --> 00:17:19.000
rules. Notice I have one load balancing rule.

00:17:19.000 --> 00:17:21.160
This TCPA. All right.

00:17:21.160 --> 00:17:23.100
So what is all of this?

00:17:23.100 --> 00:17:37.200
Well, if I go to my AKS, I'm going to say, kubectl get service.

00:17:37.200 --> 00:17:42.000
Okay. Right now I have one service.

00:17:42.000 --> 00:17:45.540
Notice the external IP address.

00:17:45.540 --> 00:17:49.460
And I added that service in like 48 minutes ago.

00:17:49.460 --> 00:18:05.540
Okay. But what I want to do is I'm going to apply another one.

00:18:05.540 --> 00:18:07.760
Another deployment.

00:18:07.760 --> 00:18:10.700
Okay. So I've got a deployment.

00:18:10.700 --> 00:18:23.000
And now if I go and I get service, wait for that to get an external IP

00:18:23.000 --> 00:18:37.700
address. So we'll hang out for that for a minute.

00:18:37.700 --> 00:18:46.200
There we go. I've got a new external IP address.

00:18:46.200 --> 00:18:52.760
Notice that IP address, 5291, 2118, we'll stop that.

00:18:52.760 --> 00:18:54.700
I'm going to go back.

00:18:54.700 --> 00:18:57.360
I didn't mean to go back that far.

00:18:57.360 --> 00:19:00.060
Get that guy back.

00:19:00.060 --> 00:19:02.720
Let's try again.

00:19:02.720 --> 00:19:04.680
There we go. Okay.

00:19:04.680 --> 00:19:09.360
So let's go here and go back to load balancing.

00:19:09.360 --> 00:19:13.360
And eventually there will actually be two load balancing rules.

00:19:13.360 --> 00:19:18.700
Okay. Also, if I look at front end IP configuration, I actually have a

00:19:18.700 --> 00:19:22.360
couple different front end IP addresses.

00:19:22.360 --> 00:19:26.680
So remember we've got 5291.188.

00:19:26.680 --> 00:19:30.000
There's that guy plus the 20, 20.185.

00:19:30.000 --> 00:19:32.640
So that's actually my first service.

00:19:32.640 --> 00:19:34.740
And that is my second service.

00:19:34.740 --> 00:19:45.780
And if I go back to my NSG, there is now a second NSG inbound security

00:19:45.780 --> 00:19:51.920
rule that's going to be in the first place.

00:19:51.920 --> 00:19:58.180
And then finally it was coming into 20.185, 72, 746, and now 52.

00:19:58.180 --> 00:20:02.460
Right?
And so I think that's actually pretty cool because what that means

00:20:02.460 --> 00:20:09.160
is that Azure is really fully managing network access for me.

00:20:09.160 --> 00:20:15.140
Now, if I were to take this and pop over here.

00:20:15.140 --> 00:20:19.760
There we go. It comes up.

00:20:19.760 --> 00:20:22.440
I've now pinged the service.

00:20:22.440 --> 00:20:26.200
And if I come up here to the other one, it's exactly the same thing that

00:20:26.200 --> 00:20:27.960
I loaded into that.

00:20:27.960 --> 00:20:31.000
And I'll show you, oops, that is not what I meant to do.

00:20:31.000 --> 00:20:37.660
I will show you the YAML file, a version of the YAML file that I used.

00:20:37.660 --> 00:20:44.340
Now that I haven't run yet.

00:20:44.340 --> 00:20:47.900
So that's going to take a minute.

00:20:47.900 --> 00:20:52.300
But in any case, there we go.

00:20:52.300 --> 00:20:55.420
It should be coming up there shortly.

00:20:55.420 --> 00:20:58.580
The last thing, I might have skipped a step.

00:20:58.580 --> 00:20:59.760
That shouldn't take too long.

00:20:59.760 --> 00:21:12.080
Let me check my pods.

00:21:12.080 --> 00:21:14.360
They're not running yet.

00:21:14.360 --> 00:21:21.660
That's why I don't have room to run those yet, because I only have one

00:21:21.660 --> 00:21:28.240
instance. So in order to fix that, I'd have to create another instance

00:21:28.240 --> 00:21:31.360
or give it more oomph.

00:21:31.360 --> 00:21:36.420
But I could kill the other one, but hopefully you see what we've got there

00:21:36.420 --> 00:21:39.620
is pretty straightforward.

00:21:39.620 --> 00:21:44.520
Promise you, if I had more instances running, more nodes running, excuse

00:21:44.520 --> 00:21:49.560
me, then you would see that web app brought up twice.

00:21:49.560 --> 00:21:53.160
Okay, I keep clicking the wrong thing there.

00:21:53.160 --> 00:22:04.020
Last thing I want to show you is how to, let's get this one blank.

00:22:04.020 --> 00:22:05.580
There we go. Okay.

00:22:05.580 --> 00:22:20.780
The actual YAML that was used behind that example is pretty simple.

00:22:20.780 --> 00:22:23.860
In both cases, I've got two different applications that are really the

00:22:23.860 --> 00:22:27.180
same. And they're defined by YAML.

00:22:27.180 --> 00:22:32.180
The only difference is that I used a different app title for them.

00:22:32.180 --> 00:22:34.600
But I've got a service that's running.

00:22:34.600 --> 00:22:36.580
I've got a UI that's running.

00:22:36.580 --> 00:22:40.700
And I actually have a service.

00:22:40.700 --> 00:22:45.400
When I said service, I've got a pod that's running as a service.

00:22:45.400 --> 00:22:57.980
And then the actual Kubernetes service is how I go about publishing that

00:22:57.980 --> 00:23:00.420
port. And it's just looking at port 80.

00:23:00.420 --> 00:23:07.500
So that is how you set up Kubernetes security and networking.

00:23:07.500 --> 00:23:09.200
All right. So we looked at a number of things.

00:23:09.200 --> 00:23:17.300
We looked at the secrets and the certificates for Kubernetes, right?

00:23:17.300 --> 00:23:19.320
Azure Kubernetes Service, what it can do.

00:23:19.320 --> 00:23:24.720
We looked at security and how we can use Security Center to really keep

00:23:24.720 --> 00:23:27.460
track of what's going on with our AKS.

00:23:27.460 --> 00:23:33.840
We took a look at restricting IP access, which I think is very important.

00:23:33.840 --> 00:23:39.180
And then we also looked at how Kubernetes will actually manage, or I should

00:23:39.180 --> 00:23:44.320
say, the Azure Kubernetes Service will actually manage a network scenario

00:23:44.320 --> 00:23:51.500
for you, right?
Where if I add new services that have an endpoint, then

00:23:51.500 --> 00:23:55.500
it's going to manage the public endpoint, the load balancing, and the

00:23:55.500 --> 00:23:57.040
NSGs for me. All right.

00:23:57.040 --> 00:24:00.080
I can always go in and restrict things further if I want.

00:24:00.080 --> 00:24:02.560
But again, you want to be cautious with that.

00:24:02.560 --> 00:24:05.640
You do have access to the infrastructure components, but you don't want

00:24:05.640 --> 00:24:07.660
to use them unless you actually have to.