This repository has been archived by the owner on Oct 24, 2023. It is now read-only.

Support post-provisioning configuration hooks #1966

Closed
craiglpeters opened this issue Sep 17, 2019 · 6 comments
Labels
backlog enhancement New feature or request

Comments

@craiglpeters
Contributor

Describe the request
Provide a way to do post-provisioning configuration on a node via a separate service prior to a node being marked ready.

Explain why AKS Engine needs it
Customers using aks-engine need a way to apply configurations on nodes via tools like Terraform, Ansible or DSC to do work like join the node to an asset management system, apply additional security settings, or configure virus scanners, prior to the node being available to the Kubernetes scheduler.

Describe the solution you'd like
A webhook mechanism that allows the external system to notify aks-engine that it is done doing its work.

Describe alternatives you've considered

Additional context

@craiglpeters craiglpeters added the enhancement New feature or request label Sep 17, 2019
@PatrickLang
Contributor

One alternative we have today is: aks-engine extensions

They are run within the CSE, so some operations like multiple reboots may cause a CSE failure, causing a deployment failure. They're also not re-entrant - you can't update a config setting in an extension and run it again on the same machine.

@PatrickLang
Contributor

I would also say an ideal solution should pull its configuration from a trusted location on Azure, instead of an unauthenticated source as aks-engine extensions do.

@idanlevin

idanlevin commented Sep 30, 2019

As a customer whose entire infrastructure is built around K8s, you don't necessarily want to deal with another platform (e.g. chef, puppet, ansible) to provision your cluster. It'll be great to have the ability to run a bash script on the host, before it's ready.

This bash script can be used to:

  1. Install security monitoring tools (Antivirus, Vulnerability scanners, EDR, configure RSyslog, etc.)
  2. Change OS configuration (e.g. num of allowed TCP connections, automatic updates, etc.)

Worth mentioning that this bash script should run on new nodes as well, for example if cluster-autoscaler is enabled.
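The kind of host script described in the comment above, written here as an added example rather than anything from aks-engine or the commenter. It addresses the re-entrancy concern raised earlier in the thread: every step only writes a file when its content differs, so re-running the hook on the same node (or on a node the cluster-autoscaler added) changes nothing and reloads nothing. The hook mechanism that invokes it, the `ROOT_DIR` scratch-directory override, the collector hostname, and the sysctl values are all assumptions made for the example.

```shell
#!/bin/sh
# Added example of an idempotent post-provisioning hook body (not aks-engine code).
# Assumes the hook runner invokes it as root on the node with ROOT_DIR unset.
# Setting ROOT_DIR to a scratch directory lets it be exercised without root.
set -eu

ROOT_DIR="${ROOT_DIR:-}"

# write_if_changed PATH CONTENT
# Writes CONTENT to ROOT_DIR/PATH only when the file is missing or differs.
# Prints "changed" or "unchanged" so the caller can decide whether a reload is due.
write_if_changed() {
    target="${ROOT_DIR}$1"
    content="$2"
    mkdir -p "$(dirname "$target")"
    if [ -f "$target" ] && [ "$(cat "$target")" = "$content" ]; then
        echo unchanged
        return 0
    fi
    umask 022
    printf '%s\n' "$content" > "$target"
    echo changed
}

# OS configuration step (constructed values): larger accept/SYN backlogs for a
# node that will carry many TCP connections, plus one kernel exposure knob.
apply_sysctl() {
    write_if_changed /etc/sysctl.d/90-node-hardening.conf \
"net.core.somaxconn = 4096
net.ipv4.tcp_max_syn_backlog = 4096
kernel.kptr_restrict = 2"
}

# Security monitoring step: forward syslog to a central collector over TCP.
# The hostname is a placeholder; a real hook would take it from a trusted source.
apply_rsyslog() {
    write_if_changed /etc/rsyslog.d/90-forward.conf \
'*.* action(type="omfwd" target="collector.example.invalid" port="6514" protocol="tcp")'
}

# Completion marker for whatever gates node readiness; written only after
# every step has succeeded (set -e aborts the script otherwise).
mark_done() {
    write_if_changed /var/lib/post-provision/done \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >/dev/null
}

# Runs every step, reloads services only if a step actually changed a file,
# and prints 1 (something changed) or 0 (nothing changed) on stdout.
run_hook() {
    changed=0
    for step in apply_sysctl apply_rsyslog; do
        if [ "$($step)" = changed ]; then changed=1; fi
    done
    if [ "$changed" -eq 1 ] && [ -z "$ROOT_DIR" ]; then
        sysctl --system >/dev/null 2>&1 || true
        systemctl restart rsyslog 2>/dev/null || true
    fi
    mark_done
    echo "$changed"
}

# Only act when explicitly asked, so sourcing the file just defines the functions.
case "${1:-}" in
    run) run_hook ;;
esac
```

Invoked as `post-provision.sh run`, the first run on a fresh node prints `1` and reloads sysctl and rsyslog; every later run prints `0` and touches only the completion marker, which is the property that makes it safe to re-run after a config change or a reboot.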

@stale

stale bot commented Nov 29, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Nov 29, 2019
@stale stale bot closed this as completed Dec 6, 2019
@craiglpeters craiglpeters reopened this Feb 12, 2020
@stale stale bot removed the stale label Feb 12, 2020
@stale

stale bot commented Apr 12, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Apr 12, 2020
@stale stale bot closed this as completed Apr 19, 2020
@craiglpeters craiglpeters reopened this Apr 29, 2020
@stale stale bot removed the stale label Apr 29, 2020
@jackfrancis
Member

I think this net new functionality is out of scope for AKS Engine. The current boundary of AKS Engine permits other additional tooling (e.g., terraform, ansible) to perform configuration options.

Building custom images is probably the best practical current solution to customizing the OS layer in particular.
