v1.30.0.0

Implementation updates

• Updated Kubernetes (1.29 -> 1.30) - #417
• Updated Traefik (2.11 -> 3.0) - #417
• Update API versions in Bicep files - #411 and #418
• Enable zone redundancy on Azure Container Registry - #412

Walkthrough updates

• Moved docs to new folder - #413
• Added note about Docker Hub rate limiting when using the az acr import command, with a suggested workaround - #414
• Other minor wording updates - #414

v1.29.0.0

Implementation updates

• Fixes "Warning simplify-json-null: Simplify json('null') to null" war… by @pcgeek86 in #381
• Fix pattern link by @ckittel in #384
• OSS updates by @v-fearam in #387
• container-insights-agent-config by @v-fearam in #388
• AAD -> Microsoft Entra ID by @ckittel in #389
• Extensions refreshed by @ferantivero in #402
• Aligned resources to resource group location by @ckittel in #404
• Implemented Node OS security patches, Deprecated Kured by @ferantivero in #403
• Added secure decorator to x509 private keys by @ferantivero in #407
• Updated AKS to v1.29 by @skabou in #409
• Updated Traefik to v2.11 by @skabou in #409
• Moved from Ubuntu to AzureLinux by @skabou in #409
• Small content adjustments by @skabou in #410

New Contributors

• @pcgeek86 made their first contribution in #381
• @daveRendon made their first contribution in #399
• @skabou made their first contribution in #409

Full Changelog: v1.26.0.0...v1.29.0.0

v1.26.0.0

Implementation updates

• Updated to container insights Log Schema v2 - #365
• Updated AKS (1.25.5 -> 1.26.0) - #374
• Moved WAF bot policy from 0.1 to 1.0 - #374
• Added an alert in case cluster log sink hits a daily data cap - #374
• Migrated two alerts to actually alert off of the pushed metric alert as configured by the azmon agent. - #374

Walkthrough updates

• Typo fix - #366 (HT: @oliverlabs)
• Added a very detailed architecture diagram contributed by @ulkeba - #370 & #371
• Added a mention of private link DNS zone placement and non-stamp resources - #374

v1.25.2.1

Implementation updates

• Updated kured (1.11.0 -> 1.12.0) - #362
• Updated traefik (2.8.1 -> 2.9.6) - #362
• Updated Azure Monitor's configuration with latest upstream - #362
• Enabled the "Notifications controller" on the Flux extension deployment to reduce the logging noise around its absence. - #362

Walkthrough updates

• Fixed a broken link - #361
• Fixed a bug with the source for one of the images (was pulling from dockerhub but should have been ghcr) - #362

v1.25.2.0

Implementation Updates

• Updated to AKS 1.25.2 - #357
• Friends don't let friends blindly use defaults (add more defaults/intents to the AKS bicep template) - #357
• Update Kured to 1.11.0 - #357 (including updates to address no longer coming from GitHub and separation from weaveworks)
• Enabled ImageCleaner (Eraser) - #357
• Changed tenantId -> tenantID in SecretProviderClass to address the deprecation of that field - #357
• Disable Azure storage drivers, no workloads in this deployment use them (don't bring extra baggage into the cluster) - #357
• Fixed an issue with Flux configuration that was presenting a challenge for the Azure Portal view - #355

Walkthrough updates

• Some typo fixes - #356 (HT: @sdahlbac)

v1.24.6.0

Implementation Updates

• Updated to AKS 1.24.6 - #326
• Migrated from Azure AD Pod Identity to Azure AD Workload Identity, with managed identity support - #326
• Fixed a couple of bicep linter warnings - #326
• Updated the AzureBastionSubnet size to the recommended size of /26 instead of /27 (which was the old recommendation) - #353

Walkthrough updates

• Updated the Azure Policy for Kubernetes output to match recent naming changes by the platform. - #326
• Removed now unnecessary preview feature registration steps. (Event Grid, OIDC, Cluster Extensions) - #326
• Add a link to the product documentation for the AKS Azure Defender preview feature - #352

v1.24.0.1

Implementation Updates

• Introduced a custom Azure Policy for Kubernetes policy as an example. This example enforces an Ingress choice for domain. - #345 (HT: @ulkeba)
• Removed the GitHub Actions starter workflow in favor of the collaboration with the https://github.com/Azure/aks-baseline-automation repo. - #348

Walkthrough updates

• Updated docs.microsoft.com URLs to learn.microsoft.com to follow the rebranding. - #347

v1.24.0.0

Implementation Updates

• OSS Updates
  • Kured - #337
  • Traefik -#338
  • AAD Pod Identity - #340
• Updated OMS agent config file with new configuration values from upstream. - #339
• Added new OMS alertable metric for job completion threshold - #339
• Enabled Azure Subnet IP usage metric collection in OMS - #339
• Move to AKS 1.24.0 (from 1.23.5) - #337

Walkthrough updates

• Fixed az ad commands to work with AZ CLI 2.37+ (objectId -> id) - #328 (HT: @ulkeba)
• Made mention of kubelogin requirement for kubectl 1.24+ - #329
• Removed preview feature registration that is no longer needed. - #339

v1.23.5.1

Implementation Updates

• Better support for long region names, such as germanywestcentral - #315 (HT: @ulkeba)
• Migrate to WAF Policy to hold WAF configuration - #316 (HT: @ulkeba)
• Updated workload PDB to be an absolute value to better reflect the intent. - #318 (HT: @ulkeba)
• Add Bot Mitigation policy to WAF - #320
• Use latest API version in the SecretProviderClass for the in-cluster cert - #323
• Migrated away from the legacy Log Analytics Workspace-owned queries to a dedicated query pack - #324
• A slew of Azure Policy and Azure Policy for Kubernetes updates - #317
  • Populated description on all of the policy assignments
  • Azure Policy for Kubernetes
    • Tightened up K8sAzureContainerAllowedImages (removed no longer needed entry, added better RegEx escaping)
    • Tightened up K8sAzureContainerLimits (removed cluster-baseline-settings exclusion and adjusted limits)
    • Tightened up K8sAzureReadOnlyRootFilesystem by moving it to a Deny policy
    • Added K8sAzureHostFilesystem and K8sAzureExternalIPs and as a Deny policy
    • Added K8sAzureBlockEndpointEditDefaultRole and K8sAzureBlockDefault as an Audit policy
  • Newly assigned the following Azure Policies
    • Authorized IP ranges should be defined on Kubernetes Services
    • Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version
    • Role-Based Access Control (RBAC) should be used on Kubernetes Services
    • Azure Kubernetes Service Clusters should use managed identities
    • Container registries should have anonymous authentication disabled
    • Container registries should have local admin account disabled
• Fixed all bicep warnings - #317 (HT: @akulich)

Walkthrough updates

• Updated (Preview) notes section - #322
• Typo fixes

Misc updates

• Added Gatekeeper Constraint Names to the bicep file for easy cross referencing - #317

v1.23.5.0

Implementation Updates

• Updated OSS components - #313
• Moved to AKS 1.23 - #313
• Added OIDC issuer profile URL to outputs to support easier workload identity adoption - #313
• Made the namespace reader auth configuration more clearly optional. - #311 (HT: @ulkeba)

Walkthrough updates

• Added some additional echo statements to help anchor folks on what values are being stored in variables - #311
• Added clearer instructions for those users that already have existing Azure AD objects they plan on using for cluster RBAC - #311
• Adjustments to the "try it out" parts of the walkthrough based on Azure portal updates. - #311