Azure Insights: Arc-enabled Kubernetes; AD Connect v2 security

October 1 2021

Azure pros discuss how to set custom policies for Arc-enabled Kubernetes and security for AD Connect v2.

Setting up custom policies for Arc-enabled Kubernetes

Daniel Neumann, writing on Daniel's Tech Blog, took a look at setting up custom policies for Azure Arc-enabled Kubernetes. This is a new feature supported by Azure Policy for AKS since September 1. Neumann was already using the public preview version and found it worked about as well for Arc-enabled Kubernetes with some small adjustments.

Initially, users need to deploy Azure Policy for Kubernetes on an Arc-enabled Kubernetes cluster, which may involve confirming the most recent version of the Helm chart. Neumann shared the setup code and showed how to add the Arc resource type to the generated policy definition. The new custom policy then appears in the Azure portal, and he demoed the resulting audit results.

Even though Microsoft currently says that the public preview is only for Azure Policy for AKS, it also works for Azure Arc-enabled Kubernetes. Only two adjustments are needed to get the custom policy working on Azure Arc-enabled Kubernetes. First, use the same version for the Azure Policy add-on as AKS. Second, add the resource type to the policyRule field in the generated JSON document.
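As an added example (not code from Neumann's post), the following PowerShell creates a custom Azure Policy definition whose policyRule lists both the AKS resource type and the Arc-enabled Kubernetes resource type (Microsoft.Kubernetes/connectedClusters), which is the second adjustment described above. The policy name, the constraint-template URL, the resource-group name and the required-label values are assumptions; replace them with your own.

```powershell
# Added example, not from the original post: register a custom Azure Policy for
# Kubernetes definition that applies to BOTH AKS and Azure Arc-enabled clusters.
# Assumed values: policy name, constraint-template URL, resource-group name, labels.

$policyName = 'k8s-required-labels-custom'   # assumed name

# Azure Policy for Kubernetes definitions use the Microsoft.Kubernetes.Data mode.
# The "if" block names both cluster resource types; an AKS-only definition would
# contain only Microsoft.ContainerService/managedClusters.
$policyRule = @'
{
  "if": {
    "field": "type",
    "in": [
      "Microsoft.ContainerService/managedClusters",
      "Microsoft.Kubernetes/connectedClusters"
    ]
  },
  "then": {
    "effect": "[parameters('effect')]",
    "details": {
      "templateInfo": {
        "sourceType": "PublicURL",
        "url": "https://example.invalid/constraint-templates/k8srequiredlabels.yaml"
      },
      "apiGroups": [ "" ],
      "kinds": [ "Pod" ],
      "excludedNamespaces": "[parameters('excludedNamespaces')]",
      "values": {
        "labels": "[parameters('requiredLabels')]"
      }
    }
  }
}
'@

# Parameters: start in audit so the policy reports before it ever blocks anything.
$parameters = @'
{
  "effect": {
    "type": "String",
    "defaultValue": "audit",
    "allowedValues": [ "audit", "deny", "disabled" ],
    "metadata": { "displayName": "Effect" }
  },
  "excludedNamespaces": {
    "type": "Array",
    "defaultValue": [ "kube-system", "gatekeeper-system", "azure-arc" ],
    "metadata": { "displayName": "Namespaces to exclude" }
  },
  "requiredLabels": {
    "type": "Array",
    "defaultValue": [ "owner", "costcenter" ],
    "metadata": { "displayName": "Labels every pod must carry" }
  }
}
'@

New-AzPolicyDefinition -Name $policyName `
  -DisplayName 'Kubernetes pods must carry required labels (custom)' `
  -Description 'Audits pods missing required labels on AKS and Arc-enabled clusters.' `
  -Mode 'Microsoft.Kubernetes.Data' `
  -Policy $policyRule `
  -Parameter $parameters

# Assign it at the resource group holding the Arc-enabled cluster (assumed name).
$scope = (Get-AzResourceGroup -Name 'rg-arc-clusters').ResourceId
New-AzPolicyAssignment -Name "$policyName-assignment" `
  -PolicyDefinition (Get-AzPolicyDefinition -Name $policyName) `
  -Scope $scope `
  -PolicyParameterObject @{ effect = 'audit' }
```

The constraint template behind the templateInfo URL must be a Gatekeeper ConstraintTemplate that accepts a labels parameter; the URL here is a placeholder. Leaving the effect at audit first lets you confirm from the compliance view that the Arc-enabled cluster is being evaluated at all before switching to deny.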

Azure AD Connect v2 security challenges

Microsoft MVP Sander Berkouwer, writing on The Things That Are Better Left Unspoken, cautioned that Microsoft isn't providing automatic upgrades for customers who have upgraded to Azure AD Connect v2. The new v2 of AD Connect, Microsoft's Hybrid Identity bridge offering, launched on July 20 with new features like SQL Server Express Edition and large-scale group membership synchronization.

Because Microsoft is not doing automatic upgrades, admins will need to be prepared to do upgrades manually. If not, their Azure AD installs may become dangerously out of date and subject to vulnerabilities.

One of the common weaknesses found with admins and IT departments is the lack of processes. Without an update process for Azure AD Connect and proper staffing of admin roles, organizations are at risk of running out-of-date and insecure Azure AD Connect installations. I sure hope Microsoft releases an Azure AD Connect v2 build soon that supports the Automatic Upgrades feature for all previous Azure AD Connect v2 builds.
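Since the point of the post is that v2 builds are not upgraded automatically, the practical check is to compare the installed build against the release you have validated. The PowerShell below is an added example, not code from Berkouwer's post: it reads the installed Azure AD Connect version from the MSI uninstall registry entries and the auto-upgrade state from the ADSync module's Get-ADSyncAutoUpgrade cmdlet. The LatestKnownVersion value is a placeholder you must set yourself; the page gives no version numbers.

```powershell
# Added example, not from the original post: report the installed Azure AD Connect
# build and its auto-upgrade state so an admin can see whether a manual upgrade is due.
# Run on the Azure AD Connect server. LatestKnownVersion is a placeholder value.

param(
    [string] $LatestKnownVersion = '0.0.0.0'   # placeholder; set to the build you have validated
)

# Installed version, from the MSI uninstall registry entries (64- and 32-bit hives).
$install = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' `
                            -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
    Select-Object -First 1 DisplayName, DisplayVersion

if (-not $install) {
    Write-Warning 'Azure AD Connect does not appear to be installed on this host.'
    return
}

# Auto-upgrade state (Enabled, Suspended or Disabled). Per the post, an Enabled
# state on a v2 build does not by itself mean a newer build will be applied.
Import-Module ADSync -ErrorAction Stop
$autoUpgrade = Get-ADSyncAutoUpgrade

$installed = [version] $install.DisplayVersion
$latest    = [version] $LatestKnownVersion

[pscustomobject] @{
    Product          = $install.DisplayName
    InstalledVersion = $installed
    AutoUpgrade      = $autoUpgrade
    UpgradeDue       = ($installed -lt $latest)
}
```

Scheduling this as a recurring task, with UpgradeDue feeding a ticket or alert, gives the update process the post says most organizations are missing.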
