During the investigation into securing the AAW environment, additional non-security related recommendations have been identified. These are not included as official recommendations as they are out of scope, but they are included below for informational purposes:
Today, the AAW environment performs a series of configuration upon the creation of new user profiles. In continuing with these efforts, and with the addition of tooling provided by this proposal, that the AAW team:
Recommendation APNDXA-PROF-01: Split the custom StatCan profile-configurator into multiple, small controllers. Each controller would be responsible for one configuration item.
Recommendation APNDXA-PROF-02: The custom controllers additionally apply configuration that:
Create a local docker repository in Artifactory
Generate image pull credentials for Artifactory, applicable only to the namespace
Configure the GitLab instance by pre-creating a GitLab group.
(additional): If desired to manage the GitLab group membership, the controller will update on a regular basis as contributors are added and removed from the namespace.
APNDXA-AKS-01: Longer term, as more heavy analytical-based workloads are run in the AAW environment, it is recommended that the DAaaS team investigate the use of spot node pools.
If determined to be a viable option, then the following node pools would be added to the AAW AKS cluster:
Pool VM Type Subnet Purpose spot-unclassifiedStandard_D16s_v3user-unclassifiedUnclassified user spot workloads spot-protected-bStandard_D16s_v3user-protected-bProtected B user spot workloads