| Control Plane | Status | Notes |
|---|---|---|
| Separate controllers from etcd | ✅ | controller and etcd running on different VMs |
| TLS between etcd and controllers | ✅ | |
| TLS between nodes and controllers | ✅ | |
| kube-controller-manager | ✅ | |
| kube-scheduler | ✅ | |
| kube-apiserver | ✅ | |
| kube-proxy | ✅ | |
| kubelet with NoSchedule | ✅ | |
| Admission Controllers | ✅ | Initializers, NodeRestriction, NamespaceLifecycle, LimitRanger, ServiceAccount, DefaultStorageClass, DefaultTolerationSeconds, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, ResourceQuota |
| Anonymous Auth disabled | ✅ | |
| Node and RBAC auth mode enabled | ✅ | |
| Node Bootstrap token enabled | ✅ | |
| Distinct TLS certs for apiserver and etcd | TBD | apiserver and etcd currently sharing the same certs |
| etcd3 backend enabled | ✅ | |

| Nodes | Status | Notes |
|---|---|---|
| TLS bootstrapping using tokens | ✅ | |
| kubelet certificates | ✅ | |
| kube-proxy | ✅ | |
| "kube exec" and "kube logs" | ✅ | |

| Network | Status | Notes |
|---|---|---|
| Pod-to-pod communication | ✅ | |
| CNI enabled (azure-CNI) | ✅ | |
| Pod outbound internet | ✅ | |
| Pod to cluster service net | ✅ | |
| All VMs on private network | ✅ | |
| Bastion host | ✅ | |

| Cloud Provider / Azure | Status | Notes |
|---|---|---|
| PVCs working | ✅ | |
| Service of type LoadBalancer working | ✅ | |
| Azure DNS for VM hostnames | ✅ | |
| Azure NSGs for apiserver | TBD | |
| Azure NSGs for etcd | TBD | |
| Azure NSGs for nodes | TBD | |
| Explicit MSI definition | TBD | |