Varatchi

Journey on self-mastery & tech transformation

Deploying a secure application with Azure Kubernetes Service and Azure Container Registry


In this blog, I have demonstrated how to containerize an application using Docker, push the container image to Azure Container Registry, run the application using Azure Container Instance, and orchestrate containers using Azure Kubernetes Service.

Docker installation guide (for Ubuntu):

https://docs.docker.com/engine/install/ubuntu

Docker repository:

https://hub.docker.com

Steps

  1. Create a Linux-based VM and install the docker tool-set
  2. Create an Azure Container Registry service from the Azure marketplace
  3. Containerize an application into a docker image using the docker tool-set
  4. Publish the application image to the Azure Container Registry service
  5. Run the application via the Azure Container Instance service
  6. Explore the built-in roles defined for Azure Container Registry

Create a Linux VM and install docker tool-set

Ubuntu based Linux machine

Connect the VM using SSH

Install docker tool-set and verify it

Official Docker installation guide 

To verify the docker tool-set installation, run the hello-world container. If the image is not already present locally, it will be downloaded from Docker Hub and run.

Commands for reference

# Set up Docker's apt repository
# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
# Install docker package
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# verify the installation
sudo docker run hello-world

Create an Azure Container Registry service from Azure marketplace

Create an Azure Container Registry from the marketplace and set a unique name for the registry.

Created Container Registry resource

Build docker image

Upload the application folder to the Linux machine using the FileZilla application.

As we enabled SSH access to the VM during creation, select the SFTP protocol in FileZilla.

Inside our user's (linuxadmin) home directory, created a new directory ‘application’

and transferred the application files from the local machine to the Linux machine.

Executed the below commands to containerize the application

# Navigate to the application folder (created under the linuxadmin home directory)
cd ~/application
# Build the image from the Dockerfile in this folder and tag it phpapp
sudo docker build -t phpapp .
# List the local images; phpapp will be listed
sudo docker images

Navigate to the application folder on the Linux machine to build the docker image

Execute : sudo docker build -t phpapp .

Verify the container images

Publish the application into Azure Container Registry service

Navigate to Container Registry → Settings → Access keys

Enabling the Admin user generates an identity for accessing the container registry with a username and password keys.

Execute the below commands to publish the container to Azure Container Registry

# log in to the azure container registry
# (pipe the password on stdin instead of passing it with -p, which leaves it
# in the shell history and in the process list; ACR_PASSWORD holds the
# password generated under Access keys)
echo "$ACR_PASSWORD" | sudo docker login appregistry101010.azurecr.io -u appregistry1010101 --password-stdin

# tag the local docker image that contains the php application
sudo docker tag phpapp appregistry101010.azurecr.io/phpapp

# push the image to the container registry
sudo docker push appregistry101010.azurecr.io/phpapp

Note: since the PowerShell colour scheme for Linux is blue, I switched to the CMD prompt for clearer screen prints.

Log in to the registry using the login server name and the password generated when enabling the ‘admin’ user.

Tag the built application image with a name and push the image into the registry.

Once it is pushed, it appears under Services → Repositories.

Now, anyone with access to the registry can pull and run the container.
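As an added example (this is not a script from the original post), the following shell script does the same login, tag and push, but reads the admin password from an environment variable, uses an explicit version tag instead of the default latest, and records the digest of the pushed image so a later deployment can pin exactly what was pushed. The registry name appregistry101010, repository phpapp and version 1.0.0 are placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands: log in to ACR without passing
# the password on the command line, push with an explicit version tag, and
# record the registry digest so deployments can pin the exact image.
# Assumptions: registry "appregistry101010", repository "phpapp" and version
# "1.0.0" are placeholders; ACR_PASSWORD holds the admin user's password.
set -eu

# Build a fully qualified reference: <registry>.azurecr.io/<repo>:<tag>
image_ref() {
  printf '%s.azurecr.io/%s:%s\n' "$1" "$2" "$3"
}

# True only for references pinned to a digest (<name>@sha256:<64 hex chars>);
# a tag such as :latest is mutable and can change under a running deployment.
is_pinned_ref() {
  printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# publish REGISTRY REPO VERSION: the network steps, run only when invoked.
publish() {
  registry=$1 repo=$2 version=$3
  ref=$(image_ref "$registry" "$repo" "$version")

  # The ACR admin user name is the registry name. The password is piped on
  # stdin so it never shows up in `ps` output or in the shell history.
  : "${ACR_PASSWORD:?set ACR_PASSWORD to the admin user password}"
  printf '%s' "$ACR_PASSWORD" | sudo docker login "$registry.azurecr.io" \
    --username "$registry" --password-stdin

  sudo docker tag phpapp "$ref"
  sudo docker push "$ref"

  # After a push, Docker records the registry digest on the local image.
  digest_ref=$(sudo docker inspect --format '{{index .RepoDigests 0}}' "$ref")
  is_pinned_ref "$digest_ref" || {
    echo "no digest recorded for $ref" >&2
    return 1
  }
  printf 'pinned reference for deployment: %s\n' "$digest_ref"
}

# Usage: ACR_PASSWORD=... sh publish.sh push appregistry101010 phpapp 1.0.0
if [ "${1:-}" = "push" ]; then
  publish "$2" "$3" "$4"
fi
```

The printed digest reference (registry/phpapp@sha256:...) is what a Kubernetes workload should reference: a tag can be re-pushed by anyone with AcrPush, a digest cannot.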


Run the application via Azure Container Instance service

Azure Container Instance is a managed service that allows us to run containers without managing any servers.

Create Azure Container Instance service from marketplace

The Container Instance resource got created as below.

The instance status is Running and we can view the application using its public IP address.

Built-in roles defined for Azure Container Registry (IAM)

The roles below can be assigned for managing images.

  1. AcrPush (push and pull images)
  2. AcrPull (pull images)
  3. AcrDelete (delete images)
  4. AcrImageSigner (sign images)

Other important features in Azure for containers

Content Trust

Content Trust allows users to sign their images using cryptographic keys before uploading them to the registry, which supports integrity validation, and consumers can choose to pull and run only signed container images.

Navigate to app-registry → policies → Content trust to enable or disable ‘content trust’.


Azure Kubernetes Service

Create an Azure Kubernetes Service from the Marketplace and create an application cluster

Kubernetes is a container orchestration service that automates software deployment, scaling and management.

In this demonstration, I deployed our container into a Kubernetes cluster using Azure Kubernetes Service and ran the container.

Updated the agent pool to reduce the node size and scaling options.

Reduced the node size from D4s to D2s and reduced the node count to 1, which is enough for this demonstration.

Selected the Azure Container Registry for easy deployment.

Created Kubernetes Cluster

Deploy the application in the cluster from the Container Registry using a YAML configuration that references the containerized docker application

  1. Workload setup to deploy the latest version of our container from the registry

     Security Tip: Use Port 443 (https) for added security. In this demonstration, I have used Port 80 (http) for the workload and service ingress configuration.

  2. Enable the service so that the application gets up and running

     Security Tip: Use Port 443 (https) for added security. In this demonstration, I have used Port 80 (http).

Now the phpapp-service is enabled and in Running status.

Verify the application instance using its public IP address.
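The workload and service YAML used above is not shown in the post, so here is an added example (my own, not the author's manifest) of a small script that renders a Deployment and a LoadBalancer Service for the phpapp image and pipes them to kubectl. It goes a little further than the post's "latest" workload: it refuses an image reference that is not pinned by digest, does not mount a service-account token into the pod, and blocks privilege escalation. The image reference, ports and object names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own YAML: render a Deployment and a Service for
# the phpapp image and apply them with kubectl. The image reference, ports and
# names are placeholders chosen for this example.
set -eu

# Refuse mutable references such as :latest; require <name>@sha256:<64 hex>.
require_pinned() {
  printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$' || {
    echo "image must be pinned by digest, got: $1" >&2
    return 1
  }
}

# render_manifest IMAGE CONTAINER_PORT SERVICE_PORT
render_manifest() {
  image=$1 container_port=$2 service_port=$3
  require_pinned "$image" || return 1
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: phpapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: phpapp
  template:
    metadata:
      labels:
        app: phpapp
    spec:
      # The web app never talks to the Kubernetes API, so no token is mounted.
      automountServiceAccountToken: false
      containers:
      - name: phpapp
        image: ${image}
        ports:
        - containerPort: ${container_port}
        securityContext:
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
        resources:
          limits:
            cpu: 500m
            memory: 256Mi
---
apiVersion: v1
kind: Service
metadata:
  name: phpapp-service
spec:
  type: LoadBalancer
  selector:
    app: phpapp
  ports:
  - port: ${service_port}
    targetPort: ${container_port}
EOF
}

# Usage: sh deploy.sh render <registry>.azurecr.io/phpapp@sha256:<digest> 80 80 | kubectl apply -f -
if [ "${1:-}" = "render" ]; then
  render_manifest "$2" "${3:-80}" "${4:-80}"
fi
```

On the port 443 tip: exposing the Service on 443 only gives HTTPS if something terminates TLS with a certificate, either the container itself or an ingress controller in front of it; changing the port number alone does not encrypt the traffic.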


Microsoft Defender for Cloud

By default, Microsoft Defender for Cloud evaluates the security posture of Container Registries and Kubernetes clusters and provides recommendations.


Security on Container Registry and Azure Kubernetes Service

  1. Implement a strong IAM solution using Role Based Access Control with specific privilege roles such as AcrPull, AcrPush, AcrDelete and AcrImageSigner, and apply least-privilege principles at every stage
  2. Enable Content Trust for signing the images
  3. Scan images using the Microsoft Defender for Cloud solution to find vulnerabilities and ensure secure deployments
  4. Use Azure Key Vault to securely store all secrets and keys
  5. Enable Microsoft Defender for Azure Kubernetes Service for threat detection and to find vulnerabilities
  6. Set up Service endpoints to restrict access to a specific Virtual network for the Container Registry. Service endpoints ensure that the traffic flows through Microsoft’s backbone network.
  7. If more security is needed than what Service Endpoints provide, then Private Endpoints are the better solution
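As an added example (not commands from the original post), the script below applies items 1, 2 and 6 of this checklist with the Azure CLI, and wraps the role assignment for the built-in registry roles listed earlier (AcrPull, AcrPush, AcrDelete, AcrImageSigner) so that nothing broader than those can be granted at registry scope. The subscription ID, resource group, cluster, network and registry names are placeholders; setting DRY_RUN=1 prints the az commands instead of executing them.

```shell
#!/bin/sh
# Added example, not the post's own commands: apply checklist items 1, 2 and 6
# with the Azure CLI. All resource names and IDs below are placeholders.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Resource ID of a registry; role assignments are scoped here, never wider.
acr_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ContainerRegistry/registries/%s\n' "$1" "$2" "$3"
}

# grant_role SUBSCRIPTION RESOURCE_GROUP REGISTRY PRINCIPAL_OBJECT_ID ROLE
# Only the registry-specific built-in roles are accepted (item 1: least privilege).
grant_role() {
  sub=$1 rg=$2 registry=$3 principal=$4 role=$5
  case "$role" in
    AcrPull|AcrPush|AcrDelete|AcrImageSigner) ;;
    *) echo "refusing broad role '$role'; use AcrPull/AcrPush/AcrDelete/AcrImageSigner" >&2; return 1 ;;
  esac
  run az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal --role "$role" \
    --scope "$(acr_scope "$sub" "$rg" "$registry")"
}

# harden_registry RESOURCE_GROUP REGISTRY AKS_CLUSTER VNET SUBNET
harden_registry() {
  rg=$1 registry=$2 aks=$3 vnet=$4 subnet=$5

  # Item 1: the cluster's kubelet identity gets AcrPull only; then the shared
  # admin user (used for the manual docker push) is switched off.
  run az aks update --name "$aks" --resource-group "$rg" --attach-acr "$registry"
  run az acr update --name "$registry" --admin-enabled false

  # Item 2: require signed images (content trust).
  run az acr config content-trust update --registry "$registry" --status enabled

  # Item 6: service endpoint; allow the given subnet and deny everything else
  # (network rules need the Premium SKU).
  run az acr network-rule add --name "$registry" --vnet-name "$vnet" --subnet "$subnet"
  run az acr update --name "$registry" --default-action Deny
}

# Usage: DRY_RUN=1 sh harden.sh rg-demo appregistry101010 aks-demo vnet-demo subnet-demo
if [ $# -eq 5 ]; then
  harden_registry "$@"
fi
```

Run it first with DRY_RUN=1 to review the commands, then without it once the subnet rule is right: with the default action set to Deny, a wrong subnet locks the cluster out of the registry until the rule is corrected.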

Please leave your comments for any suggestions.

Thanks for reading!
