Azure / PSRule.Rules.Azure

Rules to validate Azure resources and infrastructure as code (IaC) using PSRule.
https://azure.github.io/PSRule.Rules.Azure/
MIT License
394 stars 85 forks

AKS clusters using Azure CNI should use large subnets #273

Closed BernieWhite closed 3 years ago

BernieWhite commented 4 years ago

Rule request

Suggested rule change

Production AKS clusters should be deployed to a subnet of a minimum size to reduce IP exhaustion issues. Subnet should be at least /23.

Applies to the following

The rule applies to the following:

ArmaanMcleod commented 3 years ago

@BernieWhite I'd be happy to take this one on. Should be similar to the work I did before 😄.

BernieWhite commented 3 years ago

@ArmaanMcleod Great Armaan. Reach out if you have any questions.

ArmaanMcleod commented 3 years ago

Thanks @BernieWhite. I guess I'll need to figure out how to get the subnet range, given only vnetSubnetID is exposed in the template. Will probably need to query this information in a separate function using Azure PowerShell or REST API.

Do you know where I could create such a function, which will be exposed to the rule as well? I see a lot of functions in the PSRule.Rules.Azure.psm1 module that use Azure PowerShell, would this be the best place for it?

Or would it be more sensible just to create this function in the rule file? This seems easier since I don't have to worry about exporting the function.

For testing, I could probably mock this function to return a set subnet range.

Let me know what you think or if there is a more straightforward way I'm not seeing 🙂 .

BernieWhite commented 3 years ago

@ArmaanMcleod Yes, currently there wouldn't be a reliable way to get the size of the subnet from within a template. Querying a REST API isn't going to work if the VNET/subnet is not yet deployed. I would suggest that this rule wouldn't be applicable to templates.

The subnet associated to a node pool is already added as a nested resource here.

Would apply when you run Export-AzRuleData to dump a runtime configuration from Azure.

Previously, I used `-If { IsExport }` as a rule pre-condition. See an example in Azure.ACR.Usage.

ArmaanMcleod commented 3 years ago

@BernieWhite Ah, that makes sense. Yeah, limiting this rule to Export-AzRule sounds like a much better idea. I also considered the case where a subnet doesn't exist, but limiting it to just exports should solve this.

I'll let you know how I go, cheers for the help mate 🙂.
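The rule shape agreed in this thread (an export-only pre-condition, the node-pool subnet read from the nested resource, a /23 minimum), written out as an added example. This is not the project's own rule and nothing in it is taken from the repository: it assumes the rule lives in the project's own rule files so that the `IsExport` helper mentioned above is in scope, that `Export-AzRuleData` attaches the subnet as a nested `Microsoft.Network/virtualNetworks/subnets` resource under `$TargetObject.resources` with `properties.addressPrefix` in CIDR form, and the rule name `Azure.AKS.CNISubnetSize` and the helper `Get-SubnetPrefixLength` are placeholders chosen here.

```powershell
# Added example, not the project's rule. Assumptions (none confirmed by the thread):
#  - IsExport is available because this file sits alongside the project's rules;
#  - the exported cluster carries its node-pool subnet(s) in $TargetObject.resources
#    with properties.addressPrefix such as '10.240.0.0/23';
#  - 'Azure.AKS.CNISubnetSize' and Get-SubnetPrefixLength are names picked for this example.

# Return the prefix length of an IPv4 CIDR string, or $null when the value is not
# a valid IPv4 CIDR. Kept as a plain function so it can be unit tested on its own.
function Get-SubnetPrefixLength {
    param([Parameter(Mandatory)][string]$AddressPrefix)
    if ($AddressPrefix -notmatch '^(\d{1,3}\.){3}\d{1,3}/(\d{1,2})$') { return $null }
    $length = [int]$Matches[2]
    if ($length -gt 32) { return $null }
    return $length
}

# Synopsis: AKS clusters using Azure CNI should use a subnet of at least /23 to reduce IP exhaustion.
Rule 'Azure.AKS.CNISubnetSize' -Type 'Microsoft.ContainerService/managedClusters' -If { IsExport } {
    # Only Azure CNI hands every pod an address from the node subnet; kubenet clusters
    # do not consume subnet IPs per pod, so they pass without inspection.
    if ($TargetObject.properties.networkProfile.networkPlugin -ne 'azure') {
        return $Assert.Pass()
    }

    $subnets = @($TargetObject.resources | Where-Object {
        $_.type -eq 'Microsoft.Network/virtualNetworks/subnets'
    })

    # If the export did not capture a subnet there is nothing to measure; the cluster is
    # not failed for data the exporter could not retrieve (the case raised above).
    if ($subnets.Length -eq 0) {
        return $Assert.Pass()
    }

    foreach ($subnet in $subnets) {
        $length = Get-SubnetPrefixLength -AddressPrefix $subnet.properties.addressPrefix
        if ($null -eq $length) {
            $Assert.Create($false, "Subnet '$($subnet.name)' has an unparseable addressPrefix '$($subnet.properties.addressPrefix)'.")
            continue
        }
        # A smaller prefix length is a larger subnet: /22 and /23 pass, /24 fails.
        $Assert.Create(
            $length -le 23,
            "Subnet '$($subnet.name)' is a /$length; Azure CNI node pools are expected to use a /23 or larger."
        )
    }
}
```

Because the pre-condition is `IsExport`, the rule is skipped for ARM templates, where the subnet range is not knowable before deployment, and only evaluates data produced by `Export-AzRuleData`. The parse failure branch matters in practice: a subnet exported with an unexpected `addressPrefix` should surface as a failure with a reason rather than silently passing.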