Create AKS cluster using Terraform

Introduction #

This Terraform module creates an AKS (Azure Kubernetes Service) cluster using the Kosmos Provider that conforms to the Samsung Security Checklist. The module follows Azure Security checklist v3.0.1 requirements and provides a secure, simple production-ready Kubernetes cluster.

Requirements #

Artifacts #

Download the Terraform module from the Terraform Artifacts page:

Getting started #

Prerequisites #

1. Install Kosmos provider: Follow the getting started with terraform provider guide . Ensure you install the required version stated in provider.tf

1. Install Azure CLI: Install the az CLI following the official instructions

2. Azure authentication: Ensure you have valid Azure credentials accessible by Terraform. Run the following command to authenticate:

   az login
   

3. Azure permissions: Ensure your Azure credentials have at least the minimum permissions listed below

4. Resource group: Ensure you have an existing Azure resource group that you can add resources to. You will need this for the resource_group_name variable

5. Kosmos access key: Generate a valid Kosmos access key:

   • Open Kosmos console
   • Click your username in the top-right corner and select “Access Key”
   • Click “Create access key” and generate the access key

6. Kosmos Fleet: Ensure you have a fleet on Kosmos. If you don’t have one, please contact Kosmos Operator

How to run #

1. Download the module: Download this reference script to your working directory

2. Create configuration: Create a terraform.tfvars file in the working directory. You can refer to terraform.tfvars.example for the minimum variables that need to be provided

   Important: If you are using Kosmos dev or stg, you need to specify kosmos_tier variable to dev or stg inside terraform.tfvars

3. Initialize Terraform: Initialize the working directory and download Terraform providers and modules

   terraform init
   

4. Apply the configuration: Apply the script by running this command and read thoroughly on resources to be created, then type yes when prompted

   terraform apply --var-file=terraform.tfvars
   

   Note: terraform apply is also possible as Terraform by default will use terraform.tfvars file’s content as variable inputs

   After the cluster’s state turns to connecting, you can connect the cluster towards Kosmos by following the steps below

5. Destroy resources (Optional): To destroy all the resources, run the following command

   terraform destroy --var-file=terraform.tfvars
   

   Note: terraform destroy is also possible as Terraform by default will use terraform.tfvars file’s content as variable inputs

Usage examples #

Basic usage #

Create a simple AKS cluster with essential parameters:

module "aks" {
  source = "./kosmos/aks-cluster-module"

  # Required variables
  resource_group_name = "my-resource-group"
  kosmos_access_key   = "your-kosmos-access-key"
  kosmos_user         = "kosmosuser"
  fleet_name          = "fleet1"
  jumphost_allowed_cidr_ranges = ["0.0.0.0/0"]
  k8s_api_allowed_cidr_ranges  = ["0.0.0.0/0"]

  # Optional variables
  location     = "Koreacentral"
  name_prefix  = "kosmos"
  name_suffix  = "test"
  environment  = "dev"
  cluster_name = "kosmos-aks-cluster"

  # Node pools configuration
  node_pools = [
    {
      name            = "systemnode"
      count           = 1
      max_pods        = 30
      os_disk_size_gb = 30
      vm_size         = "Standard_DS2_v2"
      mode            = "System"
      os_type         = "Linux"
      os_disk_type    = "Managed"
    }
  ]
}

Advanced usage with custom VPC #

Create an AKS cluster using an existing VPC configuration:

module "aks" {
  source = "./kosmos/aks-cluster-module"

  # Required variables
  resource_group_name = "my-resource-group"
  kosmos_access_key   = "your-kosmos-access-key"
  kosmos_user         = "kosmosuser"
  fleet_name          = "fleet1"
  k8s_api_allowed_cidr_ranges = ["10.0.0.0/8", "172.16.0.0/12"]

  # VPC configuration
  create_vnet = false
  vnet_name   = "existing-vnet"
  aks_subnet_name = "aks-subnet"

  # Advanced configuration
  location     = "Koreacentral"
  name_prefix  = "kosmos"
  name_suffix  = "prod"
  environment  = "production"
  cluster_name = "kosmos-aks-prod"

  # Custom node pools
  node_pools = [
    {
      name            = "systemnode"
      count           = 3
      max_pods        = 50
      os_disk_size_gb = 50
      vm_size         = "Standard_DS3_v2"
      mode            = "System"
      os_type         = "Linux"
      os_disk_type    = "Managed"
    },
    {
      name            = "usernode"
      count           = 5
      max_pods        = 100
      os_disk_size_gb = 100
      vm_size         = "Standard_DS4_v2"
      mode            = "User"
      os_type         = "Linux"
      os_disk_type    = "Managed"
    }
  ]

  # Extra node rules
  additional_nsg_rules = {
    "all-inbound" = {
      name                       = "Allow-Every-Port-between-Services-Inbound"
      priority                   = 1000
      direction                  = "Inbound"
      access                     = "Allow"
      protocol                   = "*"
      source_port_range          = "*"
      destination_port_range     = "*"
      source_address_prefixes    = ["10.0.2.0/24"]
      destination_address_prefix = "*"
      description                = "Allow All Inbound between services"
    },
    "all-outbound" = {
      name                         = "Allow-Every-Port-between-Services-Outbound"
      priority                     = 1000
      direction                    = "Outbound"
      access                       = "Allow"
      protocol                     = "*"
      source_port_range            = "*"
      destination_port_range       = "*"
      source_address_prefix        = "*"
      destination_address_prefixes = ["10.0.2.0/24"]
      description                  = "Allow All Outbound between services"
    }
  }

  # Network configuration
  address_space = ["10.0.0.0/16"]
  service_cidr  = "10.0.10.0/24"
  dns_service_ip = "10.0.10.10"
}

Connecting the cluster to Kosmos #

Prerequisites #

1. Install Kosmos CLI: Follow the installation instructions

2. Install Helm CLI: Follow the installation instructions . This is required by kosmos CLI to connect the cluster to Kosmos.

How to connect cluster to Kosmos #

1. Verify network access: Ensure you have network access towards the cluster’s control plane

   • The k8s_api_allowed_cidrs variable should at least contain your outbound IP address

2. Authenticate with Azure CLI:

   az login
   

3. Authenticate with Kosmos CLI:

   kosmos login --access-key $KOSMOS_ACCESS_KEY $KOSMOS_URL
   

   Note:

   • $KOSMOS_ACCESS_KEY should be the same Kosmos access key generated in the Prerequisites
   • $KOSMOS_URL should be the console target where you want to connect the cluster (e.g., https://console.kosmos.spcplatform.com)

4. Generate Kubeconfig: Generate kubeconfig access towards the created AKS cluster:

   az aks get-credentials --resource-group $CLUSTER_RESOURCE_GROUP --name $CLUSTER_NAME
   

   Note:

   • $CLUSTER_NAME should be the name of the created AKS cluster in cluster_name variable
   • $CLUSTER_RESOURCE_GROUP should be the name of the resource group where the cluster is created in resource_group_name variable

   If you created a private cluster (with private_cluster: true), you have to setup proxy through the jumphost before being able to connect Kosmos. Here’s a way you may do it.

   i. Get Jumphost public IP: If you decided to create new public IP for jumphost by leaving jumphost_public_ip_name to null, you may get it by using this command.

   terraform output -raw jumphost_public_ip
   

   ii. Ensure that connection to jumphost is open: Ensure that connection to jumphost at port ssh_port is open. To check it, you can use netcat. You may have to install it first, though.

   nc -zv $JUMPHOST_PUBLIC_IP $SSH_PORT
   

   iii. Get Jumphost Private Key: To get private key to SSH to the jumphost, you can take it and put it in an appropriate file by using this command

   terraform output -raw jumphost_private_key > $PRIVATE_KEY_FILEPATH
   chmod 600 $PRIVATE_KEY_FILEPATH
   

   iv. Create Proxy to Jumphost: Now, you’re ready to ssh to jumphost and setup proxy. To do that, you can use this command.

   ssh -i $PRIVATE_KEY_FILEPATH adminuser@$JUMPHOST_PUBLIC_IP -p $SSH_PORT -q -D $PROXY_PORT -N -o StrictHostKeyChecking=accept-new &
   

   v. Add the proxy link to kubeconfig:

   kubectl config set clusters.$CLUSTER_NAME.proxy-url socks5://localhost:$PROXY_PORT
   

   Note:

   • $JUMPHOST_PUBLIC_IP should be the public IP of the jumphost that you got from the first step or provided in jumphost_public_ip_name variable
   • $SSH_PORT should be the SSH port of the jumphost in ssh_port variable
   • $PRIVATE_KEY_FILEPATH should be the path to the private key file that you created in the third step
   • $PROXY_PORT should be the port number that you want to use for the proxy (e.g., 8080)
   • $CLUSTER_NAME should be the name of the created AKS cluster in cluster_name variable

   Congratulations, now you should be able to proceed to the next step.

5. Connect to Kosmos: Connect the cluster towards Kosmos:

   kosmos join cluster --fleet $FLEET_NAME $CLUSTER_NAME
   

   Note:

   • $FLEET_NAME should be the name of the fleet where the cluster is registered in fleet_name variable
   • $CLUSTER_NAME should be the name of the created AKS cluster in cluster_name variable

6. Verify connection: After a while, the state of the cluster in Kosmos will turn into ready

Variables #

Sample VPC configuration for existing VPC #

If you want to use an existing VPC for the AKS cluster:

create_vnet = false
vnet_name = "kosmos-vnet-test"
aks_subnet_name = "kosmos-vnet-subnet-1"

Important: Ensure that your subnet has NSG that follows Azure requirements

Node pool example #

node_pools = [
  {
    name            = "systemnode"
    count           = 1
    max_pods        = 30
    os_disk_size_gb = 30
    vm_size         = "Standard_DS2_v2"
    mode            = "System"
    os_type         = "Linux"
    os_disk_type    = "Managed"
  }
]

NSG rules example #

additional_nsg_rules = {
  "all-inbound" = {
    name                       = "Allow-Every-Port-between-Services-Inbound"
    priority                   = 1000
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefixes    = ["10.0.4.0/24", "10.0.10.0/24"]
    destination_address_prefix = "*"
    description                = "Allow All Inbound between services"
  },
  "all-outbound" = {
    name                         = "Allow-Every-Port-between-Services-Outbound"
    priority                     = 1000
    direction                    = "Outbound"
    access                       = "Allow"
    protocol                     = "*"
    source_port_range            = "*"
    destination_port_range       = "*"
    source_address_prefix        = "*"
    destination_address_prefixes = ["10.0.4.0/24", "10.0.10.0/24"]
    description                  = "Allow All Outbound between services"
  }
}

Created resources #

The module creates the following resources:

• Storage account
• Jump host
• Virtual network
• Subnets: AKS, Jumphost
• Network security group: AKS, Jumphost
• Virtual network flow logs
• Kosmos cluster
• Azure Kubernetes service cluster associated with Kosmos cluster
• Kubernetes cluster flow logs

Security checklist #

Non-compliant security checklist #

This script has not implemented the following security checklist:

• 3.1.1.2 - Managed Identity should not be granted Privileged administrator roles

  Managed Identity is used for AKS cluster, which automatically is granted Contributor role to Cluster Node’s resource group.

• 15.1.1.1 - Register All Deny Rule in In/Outbound Rule of Network Security Group

  You can’t setup all-deny-inbound or all-deny-outbound rule in auto-generated NSG for AKS nodes.

Compliant security checklist #

3. Managed identities

• 3.1.1.1 - Ensure that managed identity is used for usage purposes. Managed identities with federation credential information should not be granted resource RBAC permissions

  No RBAC permissions is needed for Kosmos Managed Identity

• 3.1.1.3 - Managed Identity should not be granted Subscription type roles

  Managed Identity does not have any Subscription type roles

• 3.1.1.4 -_ Managed Identity created in another subscription is prohibited from being assigned to internal resources_

  Managed Identity is created in the same subscription as the resources.

• 3.1.1.5 - External managed identities should have mandatory tags set up

  Kosmos Federated Credential have been set up to have tag "${local.federation_name}" = "Kosmos_${var.fleet_name}"

5. Containers

• 5.2.1.1 - Configure access to the ‘Kubernet service API’ as private

  Public access is required for Kosmos Operator

• 5.2.1.2 - If public network access to the ‘Kubernet service API’ is required, set the access list to a minimum

  Added authorized_ip_ranges variable to control which IP can access the cluster

• 5.2.1.3 - Configure CIS Driver of using Key vault in Kubernet service

  CIS Driver is enabled through azapi provider

• 5.2.1.4 - Store logs generated form Kubernet service

  Setup azurerm_monitor_diagnostic_setting to store logs in storage account

• 12.1.1.1 - Configure access to the ‘Disk’ as private

  Currently azapi provider is enough to configure disk access to private

14. Storage accounts

• 14.1.1.1 - Ensure that users with ‘Storage key admin’ role and storage related users should have least privilege

  only request bare minimum permissions needed to perform a task

• 14.1.1.2 - Storage Account that does not require external disclosure is set to Private

  Set public_network_access_enabled to false, setup private endpoint connection with the virtual network

• 14.1.1.3 - Configure the copy operations allowable range of storage account to Private setting

  set allowed_copy_scope = "PrivateLink"

• 14.1.1.4 - Ensure that the secure encryption policy and options are selected

  Do nothing. Minimun TLS version has been set to 1.2 by default

• 14.1.1.5 - Ensure that encrypted communication (HTTPS) is applied to access a storage account.

  Do nothing. Enabled by default

• 14.1.1.6 - Do not use access key when accessing private storage account

  set shared_access_key_enabled to false

• 14.1.1.7 - Ensure that storage account keys are managed properly for storage accounts that require external access and use access keys

  Do nothing. The storage account should not require external access

• 14.1.1.8 - Ensure that diagnostic settings on storage account is enabled.Ensure that logging on Blobs, tables and queues are “enabled”

  setup azurerm_monitor_diagnostic_setting

• 14.1.1.9 - Ensure that logging range of the storage account is configured properly.

  Set up azurerm_monitor_diagnostic_setting and enable log for each “blob”, “queue”,“table”, “file”.

• 14.1.1.10 - Ensure that the storage accounts' log retention period is configured properly.

  create a log retention policy using azurerm_storage_management_policy and set delete_after_days_since_modification_greater_than to exactly 365

• 14.1.1.11 - Ensure that there are approval process for Storage Account Firewall Policy and the approval documents are retained properly.

  Outside the scope of this script

• 14.1.2.1 - Ensure that the mandatory tags are set for all storage accounts

  Setup tags with SEC_ASSETS_PII and SEC_ASSETS_PUBLIC

• 14.1.3.1 - Ensure that Container access policy within Blob service is configured properly when it need to be accessed from public network.

  Do nothing. No public access. Public access level is set to Private

• 14.1.3.2 - Ensure that private containers of Blob service limit public access when it is not essential.

  Set allow_nested_items_to_be_public = false

15. Network security group

• 15.1.1.2 - Ensure that inbound / outbound rules are properly managed.

  azapi provider is set up to enable Network Isolated Cluster for Kosmos AKS that makes managing NSG properly possible.

• 15.1.2.1 - Ensure that the NSG Flow log is enabled and maintained properly.

  NSG flow log will soon be discontinued by Azure. Instead, setup azurerm_network_watcher_flow_log using vnet id as its target_resource_id

• 15.1.2.2 - Store generated form NSG Flow logs

  When setting up azurerm_network_watcher_flow_log, set storage_account_id and retention_policy . Set up retention policy value at exactly 365

18. Virtual network

• 18.1.1.1 - Ensure that a virtual network is separated into subnets properly

  Create two NSG: aks, jumphost. Any subnets created will be assigned one of these NSG.

• 18.1.1.2 - Ensure that a public IP or EIP is not attached to resources in a private subnet.

  This implementation must be done in individual resource.

• 18.1.1.3 - Private subnets do not use service endpoints

  Do not create service endpoint in subnets

• 18.1.1.4 - Ensure that Virtual networks Peering ranges are minimized on both side of the Virtual networks

  Our reference script does not utilize peering.

• 18.1.2.1 - Ensure that resources don’t have multiple NIC(Network Interface Card) to connected to 2 or more subnets.

  This implementation must be done in individual resource.

• 18.1.3.1 - Private Endpoint can be created only on resources to which a subnet management policy has been applied.

  Each subnets are created with corresponding NSG.

• 18.1.3.2 - Private endpoints can only be used within the same subscription

  This setup already done by default.

• 18.1.3.3 - Private Endpoint sets up Application Security Groups (ASG)

  Our reference script does not utilize ASG

• 18.1.3.4 - Configuring NSG for Private Endpoint Access Control

  Our reference script does not utilize peering.

• 18.1.4.1 - Ensure that process when external access is allowed using Private link service

  Currently, our reference script does not utilize private link.

• 18.1.5.1 - Ensure that the Virtual network flow logs are enabled for storage

  setup azurerm_monitor_diagnostic_setting

Required permissions #

The following Azure permissions are required to create and manage the AKS cluster:

• Microsoft.Resources/subscriptions/resourcegroups/*
• Microsoft.Storage/storageAccounts/*
• Microsoft.Network/virtualNetworks/*
• Microsoft.Network/networkSecurityGroups/*
• Microsoft.Network/privateEndpoints/*
• Microsoft.Network/privateDnsZones/*
• Microsoft.Network/publicIPAddresses/*
• Microsoft.Network/loadBalancers/*
• Microsoft.Network/natGateways/*
• Microsoft.Network/networkInterfaces/*
• Microsoft.Network/routeTables/*
• Microsoft.Network/networkWatchers/*
• Microsoft.Compute/virtualMachines/*
• Microsoft.Compute/disks/*
• Microsoft.ContainerService/managedClusters/*
• Microsoft.ContainerRegistry/registries/*
• Microsoft.Insights/diagnosticSettings/*
• Microsoft.OperationalInsights/workspaces/*
• Microsoft.ManagedIdentity/userAssignedIdentities/*
• Microsoft.Authorization/roleDefinitions/*
• Microsoft.Authorization/roleAssignments/*

Schema #

Required #

• spec (Attributes) AKSClusterSpec defines the specification of AKSCluster (see below for nested schema )

Optional #

• name (String) name of the AKSCluster
• namespace (String) object name and auth scope, such as for teams and projects

Nested schema for spec #

Required:

• aks_config (Attributes) Required. Configuration for aks operator. (see below for nested schema )
• authorization (Attributes) Optional. Configuration related to the cluster RBAC settings. (see below for nested schema )
• name (String) Cluster name

Optional:

• binary_authorization (Attributes) Optional. Binary Authorization configuration for this cluster. (see below for nested schema )
• description (String) Optional. A human readable description of this cluster. Cannot be longer than 255 UTF-8 encoded bytes.
• display_name (String) If specified this name is displayed in the UI instead of the metadata name
• logging_config (Attributes) Optional. Logging configuration for this cluster. (see below for nested schema )
• monitoring_config (Attributes) Optional. Monitoring configuration for this cluster. (see below for nested schema )
• oidc_config (Attributes) Required. OpenID Connect (OIDC) configuration for the cluster. (see below for nested schema )
• owner (String)

Nested schema for spec.aks_config #

Required:

• client_id (String)
• cluster_name (String) AKS ClusterName allows you to specify the name of the AKS cluster in Azure.
• resource_group (String) ResourceGroup is the name of the Azure resource group for this AKS Cluster. Immutable.
• resource_location (String) Location specifies the region to create the private endpoint.
• subscription_id (String)
• tenant_id (String)

Optional:

• auth_base_url (String) AuthBaseURL is the Azure Active Directory endpoint.
• authorized_ip_ranges (List of String) AuthorizedIPRanges - Authorized IP Ranges to kubernetes API server.
• base_url (String) BaseURL is the Azure Resource Manager endpoint.
• delete_on_detachment (Boolean)
• dns_prefix (String) DNSPrefix is the DNS prefix to use with hosted Kubernetes API server FQDN.
• dns_service_ip (String) NeworkDNSServiceIP is an IP address assigned to the Kubernetes DNS service. It must be within the Kubernetes service address range specified in serviceCidr. Immutable.
• http_application_routing (Boolean) HTTPApplicationRouting is enabling add-on for the cluster. Immutable.
• imported (Boolean) Importer indicates that the cluster was imported.
• kubernetes_version (String) Version defines the desired Kubernetes version.
• linux_admin_username (String) LinuxAdminUsername is a string literal containing a linux admin username.
• load_balancer_sku (String) LoadBalancerSKU is the SKU of the loadBalancer to be provisioned. Immutable.
• log_analytics_workspace_group (String) LogAnalyticsWorkspaceResourceGroup is the name of the resource group for the Log Analytics Workspace.
• log_analytics_workspace_name (String) LogAnalyticsWorkspaceName is the name of the Log Analytics Workspace.
• managed_identity (Boolean) ManagedIdentity - Should a managed identity be enabled or not?
• monitoring (Boolean) Monitoring is enabling add-on for the AKS cluster.
• network_plugin (String) NetworkPlugin used for building Kubernetes network. Allowed values are “azure”, “kubenet”. Immutable.
• network_policy (String) NetworkPolicy used for building Kubernetes network. Allowed values are “azure”, “calico”. Immutable.
• node_pools (Attributes List) NodePools is a list of node pools associated with the AKS cluster. (see below for nested schema )
• node_resource_group (String) NodeResourceGroupName is the name of the resource group containing cluster IaaS resources.
• outbound_type (String) Outbound configuration used by Nodes. Immutable.
• pod_cidr (String) NetworkPodCIDR is the network pod cidr.
• private_cluster (Boolean) PrivateCluster - Whether to create the cluster as a private cluster or not.
• private_dns_zone (String) PrivateDNSZone - Private dns zone mode for private cluster.
• service_cidr (String) NetworkService CIDR is the network service cidr.
• ssh_public_key (String) LinuxSSHPublicKey is a string literal containing a ssh public key.
• subnet (String) Subnet describes a subnet for an AKS cluster.
• tags (Map of String) Tags is an optional set of tags to add to Azure resources managed by the Azure provider, in addition to the ones added by default.
• user_assigned_identity (String) UserAssignedIdentity - User assigned identity to be used for the cluster.
• virtual_network (String) VirtualNetwork describes the vnet for the AKS cluster. Will be created if it does not exist.
• virtual_network_resource_group (String) VirualNetworkResourceGroup is the name of the Azure resource group for the VNet and Subnet.

Nested schema for spec.aks_config.node_pools #

Optional:

• availability_zones (List of String) AvailabilityZones is the list of availability zones. Immutable.
• count (Number) NodeCount is the number of nodes in the node pool.
• enable_auto_scaling (Boolean) EnableAutoScaling is whether to enable auto scaling or not.
• max_count (Number) MaxCount is the maximum number of nodes in the node pool.
• max_pods (Number) MaxPods is the maximum number of pods that can run on each node. Immutable.
• max_surge (String) MaxSurge is the maximum number of nodes that can be added to the node pool during an upgrade.
• min_count (Number) MinCount is the minimum number of nodes in the node pool.
• mode (String) Mode is the mode of the node pool. Immutable.
• name (String) Name is the name of the node pool. Immutable.
• node_labels (Map of String) NodeLabels is the list of node labels.
• node_taints (List of String) NodeTaints is the list of node taints.
• orchestrator_version (String) OrchestratorVersion is the version of the Kubernetes.
• os_disk_size_gb (Number) OsDiskSizeGB is the disk size of the OS disk in GB. Immutable.
• os_disk_type (String) Immutable. OSDiskType is the type of the OS disk.
• os_type (String) OsType is the type of the OS.
• vm_size (String) VMSize is the size of the Virtual Machine. Immutable.
• vnet_subnet_id (String) VnetSubnetID is the ID of the subnet.

Nested schema for spec.authorization #

Optional:

• admin_teams (List of String) Optional. Groups of users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the cluster-admin ClusterRole to the groups. Up to ten admin groups can be provided. For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
• admin_users (List of String) Optional. Users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the cluster-admin ClusterRole to the users. Up to ten admin users can be provided. For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

Nested schema for spec.binary_authorization #

Optional:

• evaluation_mode (String) Define binary authorization properties here

Nested schema for spec.logging_config #

Optional:

• component_config (Attributes) Parameters that describe the Logging configuration in a cluster. (see below for nested schema )

Nested schema for spec.logging_config.component_config #

Optional:

• enable_components (List of String)

Nested schema for spec.monitoring_config #

Optional:

• managed_prometheus_config (Attributes) Enable SPC Kosmos Managed Service for Prometheus in the cluster. (see below for nested schema )
• managed_thanos_config (Attributes) Enable SPC Kosmos Managed Service for Thanos in the cluster. (see below for nested schema )

Nested schema for spec.monitoring_config.managed_prometheus_config #

Optional:

• enabled (Boolean)

Nested schema for spec.monitoring_config.managed_thanos_config #

Optional:

• enabled (Boolean)

Nested schema for spec.oidc_config #

Optional:

• issuer_uri (String) A JSON Web Token (JWT) issuer URI. issuer must start with https://.
• jwks (String) Optional. OIDC verification keys in JWKS format (RFC 7517). It contains a list of OIDC verification keys that can be used to verify OIDC JWTs. This field is required for cluster that doesn’t have a publicly available discovery endpoint. When provided, it will be directly used to verify the OIDC JWT asserted by the IDP. A base64-encoded string.

Edit this page on GitHub