Adding samples

README.md

@@ -1,32 +1,28 @@
 ---
 page_type: sample
 languages:
-- csharp
+- bash
 products:
-- dotnet
-description: "Add 150 character max description"
-urlFragment: "update-this-to-unique-url-stub"
+- azure, azure kubernetes service
+description: "Application to demo AKS features"
+urlFragment: "aks-demos"
 ---
 
-# Official Microsoft Sample
+# Set up an Azure Kubernetes Service cluster to test out new features
 
-<!-- 
-Guidelines on README format: https://review.docs.microsoft.com/help/onboard/admin/samples/concepts/readme-template?branch=master
+This content was prepared based on the demos presented at Microsoft Ignite 2019.
 
-Guidance on onboarding samples to docs.microsoft.com/samples: https://review.docs.microsoft.com/help/onboard/admin/samples/process/onboarding?branch=master
-
-Taxonomies for products and languages: https://review.docs.microsoft.com/new-hope/information-architecture/metadata/taxonomies?branch=master
--->
-
-Give a short description for your sample here. What does it do and why is it important?
+This samples shows you how to set up an Azure Kubernetes Cluster and enable features such as Azure Policy, Azure Security Center, Windows Containers for AKS, and Virtual Nodes.
 
 ## Contents
 
-Outline the file contents of the repository. It helps users navigate the codebase, build configuration and any related assets.
-
 | File/folder       | Description                                |
 |-------------------|--------------------------------------------|
-| `src`             | Sample source code.                        |
+| `azure-policy`             | Sample code and instructions to set up a Kubernetes cluster and enable Azure Policy                     |
+| `azure-security-center`             | Sample code and instructions to set up a Kubernetes cluster and enable Azure Security Center                       |
+| `private-clusters`             | Sample code and instructions to set up a Kubernetes cluster and enable private clusters                       |
+| `virtual-node-autoscale`             | Sample code and instructions to set up a Kubernetes cluster and enable virtual node.            |
+| `windows-demo`             | Sample code and instructions to set up a Kubernetes cluster and enable Windows containers for AKS
 | `.gitignore`      | Define what to ignore at commit time.      |
 | `CHANGELOG.md`    | List of changes to the sample.             |
 | `CONTRIBUTING.md` | Guidelines for contributing to the sample. |
@@ -35,19 +31,7 @@ Outline the file contents of the repository. It helps users navigate the codebas
 
 ## Prerequisites
 
-Outline the required components and tools that a user might need to have on their machine in order to run the sample. This can be anything from frameworks, SDKs, OS versions or IDE releases.
-
-## Setup
-
-Explain how to prepare the sample once the user clones or downloads the repository. The section should outline every step necessary to install dependencies and set up any settings (for example, API keys and output folders).
-
-## Running the sample
-
-Outline step-by-step instructions to execute the sample and see its output. Include steps for executing the sample from the IDE, starting specific services in the Azure portal or anything related to the overall launch of the code.
-
-## Key concepts
-
-Provide users with more context on the tools and services used in the sample. Explain some of the code that is being used and how services interact with each other.
+The samples assume that you have an Azure subscription and a terminal to run the bash scripts for setup. Some samples have additional prequisites that are outline in their respective READMEs.
 
 ## Contributing
 

azure-policy/README.md

@@ -0,0 +1,52 @@
+**Azure Policy for Azure Kubernetes Service**
+
+:::image type="content" source="../../aks-demos/azure-policy/Azure Policy for AKS.jpg" alt-text="Azure Policy for AKS Diagram":::
+
+**Setup**
+
+To setup the demo, you can run the setup.sh script in this folder (remember that the CLI commands for Azure Policy are in preview and aren't yet reliable), or you can use the azure-policy context in the provided KUBECONFIG.
+
+If you want to setup your own environment:
+- Join the private preview
+- Create an AKS cluster
+- Create a policy assignment for "Do not allow privileged container in AKS"
+- Enable policy add-on for your cluster
+- Profit
+
+**Walkthrough**
+
+In this demo, we'll be going over enabling policy for an existing AKS cluster, and then trying to deploy a container that disobeys that policy. 
+Moving forward, this demo assumes you have an existing cluster and that you've been whitelisted for private preview.
+
+First, enable the azure-policy add-on for your cluster. You can do this through portal. Navigate to your AKS cluster, and select Policy from the right-hand toolbar. Now, hit 'Enable add-on'. (Note: you need to be anable for the private preview for Azure Policy for AKS and have your subscription whitelisted.)
+
+Now, navigate to Policy in Azure Portal. If you haven't joined preview, you can do so on this page. Click on definitions. Notice that here you can see all of the policy definitions so far in use in your subscription. Here you can see that I just have the basic assignments from my security center subscription. 
+
+Now, we're going to go ahead and create a new policy assignment. We're going to filter by Kubernetes Service and take a look at all of the different built-definitions that we can apply.
+
+Let's go with 'Do not allow privileged containers in AKS. We're going to set the scope to be the resource group our AKS cluster resides in. Make sure that Azure Policy is going to enforce this policy in our cluster. And create! ***If you're running the live demo, just walk through the process. You've already creating the policy assignment through the demo setup***
+
+Now, let's see what's going on in our cluster. 
+
+```
+kubectl get pods -o wide --all-namespaces
+```
+
+You'll notice that we now have a Azure Policy pod running the cluster. This is what's going to enforce our policy definition in our cluster. To demonstrate this, I'm going to try to deploy a privileged container in the cluster. 
+
+First, let's take a look at what's in here.
+
+```
+cat privileged-container.yaml
+# or if you're using cmd
+type privileged-container.yaml
+```
+
+Now, let's try to deploy it.
+```
+kubectl create -f privileged-container.yaml
+```
+
+And you'll see that Azure Policy stops the operation from being carried through. 
+
+

azure-policy/privileged-container.yaml

@@ -0,0 +1,13 @@
+# Privileged container
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged-container
+  labels:
+    name: kube-system-container
+spec:
+  containers:
+  - name: privileged-container
+    image: nginx
+    securityContext:
+         privileged: true

azure-policy/setup.sh

@@ -0,0 +1,22 @@
+# To set-up this demo, do the following:
+
+# Join preview for Azure Policy with AKS
+# Create an AKS cluster
+# Add a 'Do not allow privileged containers' policy on the cluster
+# Wait for the policy to create (15 minutes)
+# Enable Policy Add-on for the cluster
+
+# Creating resource group
+az group create -g azure-policy-rg -l westus
+
+# Creating cluster
+az aks create -n azure-policy -g azure-policy-rg --node-count 1 
+
+# Enable Azure Policy on this cluster
+az aks enable-addons --addons azure-policy --name azure-policy --resource-group azure-policy-rg
+
+# Creating policy
+subscription_id=$(az account show -o json --query id)
+scope=/subscriptions/$subscription_id/resourceGroups/azure-policy-rg
+az policy assignment create --name 'no-privileged-containers' --display-name '[Limited Preview]: Do not allow privileged containers in AKS' --scope scope --policy '/providers/Microsoft.Authorization/policyDefinitions/7ce7ac02-a5c6-45d6-8d1b-844feb1c1531"'
+az aks enable-addons --addons azure-policy --name azure-policy --resource-group azure-policy-rg

azure-security-center/ASC-Trigger-AKS-Alerts.yaml

@@ -0,0 +1,91 @@
+# This YAML triggers alerts for AKS detection in Azure Security Center
+
+# kube-system container
+apiVersion: v1
+kind: Pod
+metadata:
+  name: kube-system-container
+  namespace: kube-system
+  labels:
+    name: kube-system-container
+spec:
+  containers:
+  - name: kube-system-container
+    image: nginx
+
+---
+
+# Privileged container
+apiVersion: v1
+kind: Pod
+metadata:
+  name: privileged-container
+  labels:
+    name: kube-system-container
+spec:
+  containers:
+  - name: privileged-container
+    image: nginx
+    securityContext:
+         privileged: true
+
+---
+
+# Sensitive mounts
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sensitive-mount-container
+  labels:
+    name: sensitive-mount-container
+spec:
+  containers:
+  - name: sensitive-mount-container
+    image: nginx
+    volumeMounts:
+        - name: sensitivemount
+          mountPath: /sensitive
+  volumes:
+  - name: sensitivemount
+    hostPath:
+      path: /etc
+
+---
+
+# High privileges role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: high-privileges-role
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+
+---
+
+# Create a new service account
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+    name: for-binding-test
+    namespace: kube-system
+
+---
+
+# cluster-admin binding
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+    name: cluster-admin-binding
+subjects:
+- kind: ServiceAccount
+  name: for-binding-test
+  namespace: kube-system
+roleRef:
+   apiGroup: rbac.authorization.k8s.io
+   kind: ClusterRole
+   name: cluster-admin

azure-security-center/README.md

@@ -0,0 +1,66 @@
+**Setup**
+
+To begin this demo, you'll need a subscription that had been whitelisted by the Azure Security Center team, an AKS cluster in that subscription, and a standard Security Center subscription.
+
+For the container registry scanning, you'll need a container registry, which will be created for you in acr_setup.sh
+
+From the security recommendations and alerts, you'll need to create a cluster you can access in the portal. You can do that by running alerts_setup.sh
+
+**Azure Container Registry Scanning**
+
+First, we're going to demo Azure Container's Registry new container scanning. The registry scans images as they are pushed to check for vulnerability. 
+
+We're going to login in to our container registry using
+
+```
+az acr login -n <ACR_NAME>
+````
+
+Now, we're going to pull a vulnerable image and push it to our registry.
+
+```
+docker pull docker.io/vulnerables/web-dvw
+docker tag <image> <registry name>.azurecr.io /<RepositoryName>:<tag
+docker push <registry name>.azurecr.io/<RepositoryName>:<tag
+```
+
+After a few minutes, Azure Security Center should have scanned our image. So, let's open up Azure Security Center > Compute & Apps > Containers
+Our registry should be listed here. Go ahead and click on the registry to view details. You should see a recommendation called "Vulnerabilities in Azure Container Registry images should be remediated (Preview)" 
+Click on the recommendation to review the ‘Description’, ‘General Information’, ‘Threats’ and ‘Remediation Steps’ 
+
+
+**Azure Security Center Integration with AKS**
+
+Now we're going to look at how Azure Security Center (ASC) is integrated with Azure Kubernetes Service (AKS).
+
+First, we need ASC to discover our new cluster (this can take a few hours). 
+
+Once that's done, navigate to Azure Security Center > Compute & Apps > Containers, where we'll see our cluster listed.
+
+Click on the cluster, and let's review the security recommendations.
+
+Reccommendations are listed in both the 'Reccommendations' and 'Passed Assessments' tabs at the bottom of the window.
+
+Click on a Recommendation, and review the ‘Description’, ‘General Info’, ‘Threats’ and ‘Remediation Steps’.
+Click on ‘Take Action’, and you will be directed to the AKS resource page to complete remediation.
+
+We can also see these recommendations in a different view. Click on the 'Recommendations' tab on the right-hand side of Azure Security Center. Filter the recommendations by typing in 'Kubernetes' into the search bar. Now you can view recommendations across all of the clusters in your subscription.
+
+**Security Alerts with AKS**
+
+ To demonstrate security alerts with AKS, we're going to deploy some containers that will simulate malicious activity. Make sure your context to set to the right cluster. We don't want to expose any other clusters to these security risks.
+
+ ```
+ az aks get-credentials -n <CLUSTER_NAME> -g <CLUSTER_RG>
+ kubectl config current-context
+ ```
+
+Now, let's deploy the containers.
+```
+kubectl create -f ASC-Trigger-AKS-Alerts.yaml
+```
+
+After waiting about an hour, security alerts should start to pop up in ASC. Head to Azure Security Center > Security Alerts. Here, you can filter by alerts in the last 24 hours, to see the alerts from the containers we deployed.
+
+
+Thanks to Maya Herskovic and the ASC Team for providing some of the documentation for this demo. 

azure-security-center/acr_setup.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+read -p "Enter a unique name for your Azure Container Registry: " acr_name
+az group create --name ASC-demo --location eastus
+az acr create -n $acr_name -g ASC-demo --sku Basic
+az acr login --name $acr_name

azure-security-center/alerts_setup.sh

@@ -0,0 +1,4 @@
+# SETUP before demo
+az group create -g ASC-demo -l eastus
+az aks create -n ASC-demo -g ASC-demo --kubernetes-version 1.10.12 --disable-rbac --node-count 1
+az aks get-credentials -n ASC-demo -g ASC-demo

private-clusters/setup.sh

@@ -0,0 +1,49 @@
+#!/bin/bash
+<< COMMENT
+
+All this has to happen before the demo.
+COMMENT 
+az group create --name privateCluster --location westus
+az extension add --name aks-preview
+az feature register --name AllowPrivateEndpoints --namespace Microsoft.ContainerService
+az feature register --name AKSPrivateLinkPreview --namespace Microsoft.ContainerService 
+az feature register --name AKSAzureStandardLoadBalancer --namespace Microsoft.ContainerService
+az provider register --namespace Microsoft.ContainerService 
+az aks create -n privateCluster -g privateCluster --load-balancer-sku standard --enable-private-cluster
+
+vnet=$(az network vnet list -g MC_privateCluster_privateCluster_westus -o json)
+vnetName=$(echo $vnet | jq -r .[].name)
+username=user
+password=user@PASS123
+subnet=aks-subnet
+
+az vm create --resource-group privateCluster \
+--name myVM --location westus \
+--image UbuntuLTS \
+--vnet-name $vnetName \
+--subnet $subnet \
+--admin-username $username  --admin-password $password \
+--size standard_DS1_v2 
+<< COMMENT
+create the cluster
+create a VM in the same VNET as the cluster 
+Create permissions so that the port 22 is exposed to the internet
+install the azure cli on the VM
+All of this needs to happen on the VM before we can connect to the cluster:
+
+ssh to vm 
+curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+az login
+az account set 
+sudo az aks install-cli
+az aks get-credentials -g privateCluster -n privateCluster
+
+Start by showing the creating process of a private cluster (--enable-private-cluster flag)
+Show that this is indeed private by trying to access the cluster through the CLI (should get a 404 error)
+Show that we have a VM created that is connected to the vnet of the cluster and has a public IP
+Then we ssh into this VM, using the public IP and access the cluster
+
+To reset, just clear both of the terminals used.
+To clean up, delete the resource group.
+az group delete -g privateCluster
+COMMENT

private-clusters/vm_setup.sh

@@ -0,0 +1,5 @@
+curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
+az login
+az account set 
+sudo az aks install-cli
+az aks get-credentials -g privateCluster -n privateCluster