devopsabcs-engineering
diff --git a/‎.github/workflows/cleanup-safety-net.yml‎
Lines changed: 61 additions & 0 deletions b/‎.github/workflows/cleanup-safety-net.yml‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎.github/workflows/deploy-private-aks.yml‎
Lines changed: 165 additions & 0 deletions b/‎.github/workflows/deploy-private-aks.yml‎
Lines changed: 165 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 142 additions & 2 deletions b/‎README.md‎
Lines changed: 142 additions & 2 deletions
@@ -0,0 +1,61 @@
+name: Cleanup Safety Net
+
+on:
+  schedule:
+    - cron: '0 * * * *'
+  workflow_dispatch:
+
+jobs:
+  cleanup:
+    runs-on: self-hosted
+
+    steps:
+      # ── 1. Azure Login ─────────────────────────────────────────
+      - name: Azure Login (Managed Identity)
+        uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      # ── 2. Find and delete stale PoC resource groups ───────────
+      - name: Delete stale PoC resource groups
+        run: |
+          echo "Checking for stale aks-poc resource groups..."
+          STALE_COUNT=0
+
+          az group list --tag purpose=aks-poc --query "[].{name:name, created:tags.created}" -o tsv | while IFS=$'\t' read -r name created; do
+            if [ -z "$name" ]; then
+              continue
+            fi
+
+            if [ -z "$created" ]; then
+              echo "WARNING: Resource group '$name' has no 'created' tag timestamp — skipping"
+              continue
+            fi
+
+            created_epoch=$(date -d "$created" +%s 2>/dev/null || echo 0)
+            if [ "$created_epoch" -eq 0 ]; then
+              echo "WARNING: Could not parse timestamp '$created' for resource group '$name' — skipping"
+              continue
+            fi
+
+            now_epoch=$(date +%s)
+            age_minutes=$(( (now_epoch - created_epoch) / 60 ))
+
+            if [ "$age_minutes" -gt 45 ]; then
+              echo "Deleting stale resource group: $name (age: ${age_minutes} minutes)"
+              az group delete --name "$name" --yes --no-wait || true
+              STALE_COUNT=$((STALE_COUNT + 1))
+            else
+              echo "Keeping resource group: $name (age: ${age_minutes} minutes — under 45 min threshold)"
+            fi
+          done
+
+          echo "Cleanup complete."
+
+      # ── 3. Azure Logout ────────────────────────────────────────
+      - name: Azure Logout
+        if: always()
+        run: az logout
@@ -0,0 +1,165 @@
+name: Private AKS PoC - Deploy, Log, Teardown
+
+on:
+  workflow_dispatch:
+    inputs:
+      location:
+        description: 'Azure region (canadacentral or canadaeast)'
+        default: 'canadacentral'
+        type: string
+      wait_minutes:
+        description: 'Minutes to wait before teardown (cost control)'
+        default: '30'
+        type: string
+
+env:
+  RESOURCE_GROUP: rg-aks-poc-${{ github.run_id }}
+  CLUSTER_NAME: aks-poc-${{ github.run_id }}
+  VNET_NAME: vnet-aks-poc
+  SUBNET_NAME: subnet-aks
+  LOCATION: ${{ github.event.inputs.location || 'canadacentral' }}
+
+jobs:
+  deploy-log-teardown:
+    runs-on: self-hosted
+    timeout-minutes: 60
+
+    steps:
+      # ── 1. Checkout ────────────────────────────────────────────
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # ── 2. Azure Login ─────────────────────────────────────────
+      - name: Azure Login (Managed Identity)
+        uses: azure/login@v2
+        with:
+          auth-type: IDENTITY
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      # ── 3. Record Runner IP ────────────────────────────────────
+      - name: Record runner IP
+        run: |
+          RUNNER_IP=$(curl -s ifconfig.me)
+          echo "RUNNER_IP=$RUNNER_IP" >> $GITHUB_ENV
+          echo "Runner public IP: $RUNNER_IP"
+
+      # ── 4. Create Resource Group ───────────────────────────────
+      - name: Create Resource Group
+        run: |
+          az group create \
+            --name "$RESOURCE_GROUP" \
+            --location "$LOCATION" \
+            --tags purpose=aks-poc created=$(date -u +%Y-%m-%dT%H:%M:%SZ) run=${{ github.run_id }}
+
+      # ── 5. Create VNet + Subnet ────────────────────────────────
+      - name: Create VNet and Subnet
+        run: |
+          az network vnet create \
+            --resource-group "$RESOURCE_GROUP" \
+            --name "$VNET_NAME" \
+            --address-prefixes 10.224.0.0/16 \
+            --subnet-name "$SUBNET_NAME" \
+            --subnet-prefixes 10.224.0.0/24
+
+          SUBNET_ID=$(az network vnet subnet show \
+            --resource-group "$RESOURCE_GROUP" \
+            --vnet-name "$VNET_NAME" \
+            --name "$SUBNET_NAME" \
+            --query id -o tsv)
+          echo "SUBNET_ID=$SUBNET_ID" >> $GITHUB_ENV
+
+      # ── 6. Record Start Time ───────────────────────────────────
+      - name: Record start time
+        run: |
+          echo "DEPLOY_START_TIME=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
+
+      # ── 7. Deploy Private AKS ──────────────────────────────────
+      - name: Deploy Private AKS Cluster
+        run: |
+          az aks create \
+            --resource-group "$RESOURCE_GROUP" \
+            --name "$CLUSTER_NAME" \
+            --node-count 1 \
+            --node-vm-size Standard_B2s \
+            --network-plugin azure \
+            --vnet-subnet-id "$SUBNET_ID" \
+            --enable-private-cluster \
+            --enable-managed-identity \
+            --generate-ssh-keys \
+            --tier free \
+            --no-wait || echo "DEPLOY_FAILED=true" >> $GITHUB_ENV
+
+      # ── 8. Wait for Provisioning ───────────────────────────────
+      - name: Wait for AKS provisioning
+        if: env.DEPLOY_FAILED != 'true'
+        run: |
+          az aks wait \
+            --resource-group "$RESOURCE_GROUP" \
+            --name "$CLUSTER_NAME" \
+            --created \
+            --timeout 1200
+
+      # ── 9. Log IPs (Activity Log) ─────────────────────────────
+      - name: Log IPs (Activity Log)
+        if: always()
+        run: |
+          echo "=== Runner VM Outbound IP ==="
+          echo "Runner IP: $RUNNER_IP"
+          echo ""
+
+          echo "Waiting 60s for Activity Log propagation..."
+          sleep 60
+
+          echo "=== ARM Operation Caller IPs (ContainerService) ==="
+          az monitor activity-log list \
+            --resource-group "$RESOURCE_GROUP" \
+            --start-time "$DEPLOY_START_TIME" \
+            --query "[?contains(operationName.value, 'Microsoft.ContainerService')].{op:operationName.value, caller:caller, clientIp:httpRequest.clientIpAddress, status:status.value, time:eventTimestamp}" \
+            -o table || echo "Activity log query failed for ContainerService"
+
+          echo ""
+          echo "=== ARM Operation Caller IPs (Network) ==="
+          az monitor activity-log list \
+            --resource-group "$RESOURCE_GROUP" \
+            --start-time "$DEPLOY_START_TIME" \
+            --query "[?contains(operationName.value, 'Microsoft.Network')].{op:operationName.value, caller:caller, clientIp:httpRequest.clientIpAddress, status:status.value, time:eventTimestamp}" \
+            -o table || echo "Activity log query failed for Network"
+
+          echo ""
+          echo "=== IP Comparison ==="
+          echo "Runner IP: $RUNNER_IP"
+          echo "Compare the clientIp values above against the runner IP to verify traffic routes."
+
+      # ── 10. Log IPs (Entra Sign-In) ────────────────────────────
+      - name: Log IPs (Entra Sign-In Logs)
+        if: always()
+        continue-on-error: true
+        run: |
+          echo "=== Entra ID Sign-In IPs (requires P1/P2) ==="
+          az rest --method get \
+            --url "https://graph.microsoft.com/v1.0/auditLogs/signIns?\$filter=createdDateTime ge $DEPLOY_START_TIME and appId eq '${{ secrets.AZURE_CLIENT_ID }}'" \
+            --query "value[].{ip:ipAddress, app:appDisplayName, time:createdDateTime, status:status.errorCode}" \
+            -o table || echo "Sign-in log query failed (may require Entra P1/P2)"
+
+      # ── 11. Wait Before Teardown ───────────────────────────────
+      - name: Wait before teardown
+        if: env.DEPLOY_FAILED != 'true'
+        run: |
+          WAIT=${{ github.event.inputs.wait_minutes || '30' }}
+          echo "Waiting ${WAIT} minutes before teardown..."
+          sleep $((WAIT * 60))
+
+      # ── 12. Teardown ───────────────────────────────────────────
+      - name: Teardown all resources
+        if: always()
+        run: |
+          echo "Deleting resource group $RESOURCE_GROUP..."
+          az group delete --name "$RESOURCE_GROUP" --yes --no-wait
+          echo "Resource group deletion initiated."
+
+      # ── 13. Azure Logout ───────────────────────────────────────
+      - name: Azure Logout
+        if: always()
+        run: az logout
@@ -1,3 +1,143 @@
-# aks-private-deployment
+---
+title: Private AKS Deployment PoC with Managed Identity
+description: Proof-of-concept demonstrating that managed identity bypasses Entra ID conditional access policies during private AKS cluster creation
+author: devopsabcs-engineering
+ms.date: 2026-04-01
+ms.topic: concept
+keywords:
+  - azure kubernetes service
+  - private clusters
+  - managed identity
+  - conditional access
+  - proof of concept
+---
 
-https://learn.microsoft.com/en-us/azure/aks/private-clusters
+## Overview
+
+This proof of concept validates that Azure Managed Identity bypasses Entra ID conditional access (CA) policies when deploying private AKS clusters. Organizations with strict CA location policies can use managed identity to avoid authentication failures that occur with service principals.
+
+## Problem Statement
+
+When AKS Resource Provider authenticates using a service principal's credentials during `az aks create`, the sign-in originates from Azure datacenter IPs, not from the customer's network. If the organization enforces conditional access policies that restrict authentication to known perimeter IPs, these policies block the service principal sign-in because the Azure datacenter IP falls outside the allowed range.
+
+This is the confirmed root cause of deployment failures in environments with location-based conditional access for workload identities.
+
+## Solution
+
+Managed identity bypasses conditional access entirely. MI tokens are acquired internally via IMDS (`169.254.169.254`), not through `login.microsoftonline.com`. The CA engine does not evaluate managed identity token requests at all. Per Microsoft documentation: "Managed identities aren't covered by policy."
+
+By running `az aks create --enable-managed-identity` from a self-hosted runner VM that itself authenticates via `az login --identity`, all authentication stays within the Azure fabric. No external sign-in occurs, so no CA policy evaluation is triggered.
+
+## Architecture
+
+```mermaid
+graph TD
+    A[GitHub workflow_dispatch] --> B[Self-Hosted Runner VM]
+    B --> C[az login --identity]
+    C --> D[Create Resource Group + VNet]
+    D --> E[az aks create --enable-private-cluster --enable-managed-identity]
+    E --> F{Deploy OK?}
+    F -->|Yes| G[Log IPs from Activity Log + Sign-in Logs]
+    G --> H[Wait 30 minutes]
+    H --> I[az group delete — teardown]
+    F -->|No| J[Log IPs + Error Info]
+    J --> I
+
+    subgraph "Identity Flow — No CA"
+        C -.->|IMDS 169.254.169.254| K[Azure Fabric Token]
+        E -.->|Cluster MI via IMDS| K
+    end
+```
+
+## Authentication Flow Comparison
+
+```text
+SERVICE PRINCIPAL FLOW (PROBLEMATIC):
+Runner VM → az login --service-principal → login.microsoftonline.com (from Runner IP ✓)
+Runner VM → az aks create → ARM → AKS RP → login.microsoftonline.com (from Azure datacenter IP ✗)
+                                                                      ↑ BLOCKED by CA
+
+MANAGED IDENTITY FLOW (RECOMMENDED):
+Runner VM → az login --identity → IMDS 169.254.169.254 (internal, no CA ✓)
+Runner VM → az aks create → ARM → AKS RP → Azure fabric token (internal, no CA ✓)
+                                                                ↑ NOT evaluated by CA
+```
+
+The distinction is architectural: managed identities do not trigger conditional access because their credentials are managed by Azure and token issuance happens within the Azure fabric. There is no "source IP" for CA to evaluate.
+
+## Prerequisites
+
+* Azure subscription with permissions to create AKS clusters and managed identities
+* Azure CLI v2.28.0 or later
+* GitHub repository with Actions enabled
+* Self-hosted runner VM in Azure with a user-assigned managed identity (`Contributor` + `User Access Administrator` on the subscription)
+
+## Quick Start
+
+1. Run `scripts/setup-runner-vm.sh` to provision the runner VM and managed identity in `rg-aks-poc-runner`.
+
+2. SSH into the VM and configure the GitHub Actions self-hosted runner. Follow
+   [Adding self-hosted runners](https://docs.github.com/en/actions/hosting-your-own-runners/managing-self-hosted-runners/adding-self-hosted-runners).
+
+3. Add these GitHub Actions secrets to the repository:
+   * `AZURE_CLIENT_ID`: The client ID of the managed identity `mi-aks-poc-deployer`
+   * `AZURE_TENANT_ID`: Your Entra ID tenant ID
+   * `AZURE_SUBSCRIPTION_ID`: Target Azure subscription ID
+
+4. Trigger the **deploy-private-aks** workflow from the GitHub Actions UI (workflow_dispatch).
+
+5. Alternatively, run `scripts/deploy-private-aks.sh` directly on any VM that has a managed identity with the required permissions.
+
+## File Structure
+
+```text
+.
+├── .github/
+│   └── workflows/
+│       ├── deploy-private-aks.yml      # Main deploy + log + teardown workflow
+│       └── cleanup-safety-net.yml      # Hourly safety net for orphaned resources
+├── scripts/
+│   ├── setup-runner-vm.sh              # One-time: provision runner VM + MI
+│   ├── teardown-runner-vm.sh           # One-time: delete runner VM
+│   ├── deploy-private-aks.sh           # Standalone AKS deployment (reusable)
+│   └── log-ips.sh                      # IP logging utility
+└── README.md
+```
+
+## GitHub Actions Workflows
+
+### deploy-private-aks.yml
+
+A 13-step workflow triggered by `workflow_dispatch`. It authenticates via managed identity, creates a resource group (`rg-aks-poc-<run_id>`), deploys a private AKS cluster, logs IP addresses from Azure Activity Log and Entra ID sign-in logs, waits 30 minutes for log propagation, and tears down all resources. A Dead Man's Switch pattern ensures cleanup runs even if intermediate steps fail.
+
+### cleanup-safety-net.yml
+
+An hourly cron-triggered workflow that scans for resource groups matching the `rg-aks-poc-*` pattern older than 45 minutes. This acts as a safety net to delete orphaned resources left behind by failed or interrupted deployment runs.
+
+## IP Logging
+
+The PoC captures IP addresses from multiple sources to confirm that managed identity authentication does not route through external endpoints:
+
+* **Runner outbound IP**: Captured via `curl -s ifconfig.me`. This establishes the baseline public IP of the runner VM.
+* **Azure Activity Log**: Queried via `az monitor activity-log list`. The `httpRequest.clientIpAddress` field shows which IP initiated each ARM operation. If these IPs match the runner IP, traffic is routing as expected.
+* **Entra ID sign-in logs** (optional, requires P1/P2): Queried via Microsoft Graph API. Shows managed identity sign-in events and their source IPs under the "Managed identity sign-ins" category.
+
+To verify correct behavior, compare the Activity Log IPs against the runner outbound IP. Matching IPs confirm that ARM calls originate from the runner VM rather than from unexpected Azure datacenter addresses.
+
+## Cost Estimate
+
+Each 30-minute PoC run costs approximately $0.05 to $0.08 with a single Standard_B2s node on the Free tier AKS control plane. The runner VM is the primary ongoing cost at approximately $0.042/hr when running.
+
+## Cleanup
+
+1. Run `scripts/teardown-runner-vm.sh` to delete the runner VM, managed identity, and the `rg-aks-poc-runner` resource group.
+2. Deregister the self-hosted runner from your GitHub repository under **Settings > Actions > Runners**.
+
+> [!IMPORTANT]
+> The cleanup-safety-net workflow handles PoC resource groups automatically, but the runner VM infrastructure requires manual teardown.
+
+## Key References
+
+* [Azure Private AKS Clusters](https://learn.microsoft.com/en-us/azure/aks/private-clusters)
+* [Use Managed Identity with AKS](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity)
+* [Conditional Access for Workload Identities](https://learn.microsoft.com/en-us/entra/identity/conditional-access/workload-identity)