rules/Azure.AKS.Rule.ps1
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.

#
# Validation rules for Azure Kubernetes Service (AKS)
#

# Synopsis: AKS control plane and nodes pools should use a current stable release.
Rule 'Azure.AKS.Version' -Ref 'AZR-000015' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.ASB.v3/control' = 'PV-7' } {
    # Minimum version: the 'Azure_AKSMinimumVersion' option when it is set, otherwise
    # AZURE_AKS_CLUSTER_MINIMUM_VERSION. Neither has a default declared in this file,
    # so the effective floor comes from configuration defined elsewhere.
    $minVersion = $Configuration.GetValueOrDefault('Azure_AKSMinimumVersion', $Configuration.AZURE_AKS_CLUSTER_MINIMUM_VERSION);
    if ($PSRule.TargetType -eq 'Microsoft.ContainerService/managedClusters') {
        # Cluster target: the control plane version must satisfy '>=<minimum>'.
        $Assert.Version($TargetObject, 'Properties.kubernetesVersion', ">=$minVersion");
    }
    elseif ($PSRule.TargetType -eq 'Microsoft.ContainerService/managedClusters/agentPools') {
        # Agent pool target: a pool that does not set orchestratorVersion passes without
        # any version comparison.
        # NOTE(review): presumably such a pool inherits the cluster version - confirm,
        # because this branch never compares it against the minimum.
        if (!$Assert.HasField($TargetObject, 'Properties.orchestratorVersion').Result) {
            $Assert.Pass();
        }
        else {
            $Assert.Version($TargetObject, 'Properties.orchestratorVersion', ">=$minVersion");
        }
    }
}

# Synopsis: AKS agent pools should run the same Kubernetes version as the cluster
Rule 'Azure.AKS.PoolVersion' -Ref 'AZR-000016' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
    $clusterVersion = $TargetObject.Properties.kubernetesVersion;

    # GetAgentPoolProfiles is the helper defined in the 'Helper functions' region of this file.
    $agentPools = @(GetAgentPoolProfiles);
    if ($agentPools.Length -eq 0) {
        # Nothing to evaluate, so the rule passes.
        return $Assert.Pass();
    }
    foreach ($agentPool in $agentPools) {
        # One assertion per pool, comparing orchestratorVersion with the cluster version.
        # HasDefaultValue is expected to also pass when the field is absent (PSRule
        # assertion semantics - confirm against the PSRule version in use).
        $Assert.HasDefaultValue($agentPool, 'orchestratorVersion', $clusterVersion).
            Reason($LocalizedData.AKSNodePoolVersion, $agentPool.name, $agentPool.orchestratorVersion);
    }
}

# Synopsis: AKS node pools should use scale sets
Rule 'Azure.AKS.PoolScaleSet' -Ref 'AZR-000017' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
    $agentPools = @(GetAgentPoolProfiles);
    if ($agentPools.Length -eq 0) {
        return $Assert.Pass();
    }
    foreach ($agentPool in $agentPools) {
        # Each pool must report type 'VirtualMachineScaleSets'; the failure reason names the pool.
        $Assert.HasFieldValue($agentPool, 'type', 'VirtualMachineScaleSets').
            Reason($LocalizedData.AKSNodePoolType, $agentPool.name);
    }
}

# Synopsis: AKS nodes should use a minimum number of pods
Rule 'Azure.AKS.NodeMinPods' -Ref 'AZR-000018' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2020_06' } {
    $agentPools = @(GetAgentPoolProfiles);
    if ($agentPools.Length -eq 0) {
        return $Assert.Pass();
    }
    foreach ($agentPool in $agentPools) {
        # maxPods must be at least Azure_AKSNodeMinimumMaxPods (default 50, set by -Configure below).
        $Assert.GreaterOrEqual($agentPool, 'maxPods', $Configuration.Azure_AKSNodeMinimumMaxPods);
    }
} -Configure @{ Azure_AKSNodeMinimumMaxPods = 50 }

# Synopsis: Use Autoscaling to ensure AKS cluster is running efficiently with the right number of nodes for the workloads present.
Rule 'Azure.AKS.AutoScaling' -Ref 'AZR-000019' -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
    # GetAgentPoolProfiles is the helper defined in the 'Helper functions' region of this file.
    $agentPools = @(GetAgentPoolProfiles);
    if ($agentPools.Length -eq 0) {
        # Nothing to evaluate, so the rule passes.
        return $Assert.Pass();
    }
    foreach ($agentPool in $agentPools) {

        # Autoscaling only available on virtual machine scale sets
        if ($Assert.HasFieldValue($agentPool, 'type', 'VirtualMachineScaleSets').Result) {
            # Scale-set pools must have enableAutoScaling set to $True; the failure reason names the pool.
            $Assert.HasFieldValue($agentPool, 'enableAutoScaling', $True).Reason($LocalizedData.AKSAutoScaling, $agentPool.name);
        }
        else {
            # Pools of any other type are passed without checking autoscaling.
            $Assert.Pass()
        }
    }
}

# Synopsis: AKS clusters using Azure CNI should use large subnets to reduce IP exhaustion issues.
Rule 'Azure.AKS.CNISubnetSize' -Ref 'AZR-000020' -If { IsExport } -With 'Azure.AKS.AzureCNI' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
    # IsExport and the 'Azure.AKS.AzureCNI' selector are defined outside this file;
    # they decide whether this rule runs for a given target.
    $clusterSubnets = @(GetSubResources -ResourceType 'Microsoft.Network/virtualNetworks/subnets');

    if ($clusterSubnets.Length -eq 0) {
        # No subnet sub-resources are attached to the target, so there is nothing to size-check.
        return $Assert.Pass();
    }

    $configurationMinimumSubnetSize = $Configuration.AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE;

    foreach ($subnet in $clusterSubnets) {
        # Prefix length is the text after the last '/' of addressPrefix, cast to int.
        # NOTE(review): .Split() is called without a null check; a subnet object that
        # lacks Properties.addressPrefix would throw here - confirm exported subnets
        # always carry that property.
        $subnetAddressPrefixSize = [int]$subnet.Properties.addressPrefix.Split('/')[-1];

        # A smaller prefix length means a larger subnet, so the prefix length must be
        # less than or equal to the configured value (default 23, set by -Configure below).
        $Assert.LessOrEqual($subnetAddressPrefixSize, '.', $configurationMinimumSubnetSize).
            Reason(
                $LocalizedData.AKSAzureCNI,
                $subnet.Name,
                $configurationMinimumSubnetSize
            );
    }
} -Configure @{ AZURE_AKS_CNI_MINIMUM_CLUSTER_SUBNET_SIZE = 23 }

# Synopsis: AKS clusters deployed with virtual machine scale sets should use availability zones in supported regions for high availability.
Rule 'Azure.AKS.AvailabilityZone' -Ref 'AZR-000021' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; } {
    # GetAgentPoolProfiles is the helper defined in the 'Helper functions' region of this file.
    $agentPools = @(GetAgentPoolProfiles);

    if ($agentPools.Length -eq 0) {
        # Nothing to evaluate, so the rule passes.
        return $Assert.Pass();
    }

    # Zone data comes from two places: the provider metadata for
    # Microsoft.Compute/virtualMachineScaleSets and the optional list in
    # AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST (empty by default, see -Configure below).
    $virtualMachineScaleSetProvider = [PSRule.Rules.Azure.Runtime.Helper]::GetResourceType('Microsoft.Compute', 'virtualMachineScaleSets');

    $configurationZoneMappings = $Configuration.AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST;
    $providerZoneMappings = $virtualMachineScaleSetProvider.ZoneMappings;

    # PrependConfigurationZoneWithProviderZone and GetAvailabilityZone are defined outside this file.
    # NOTE(review): the name suggests configured entries take precedence over provider entries - confirm in the helper.
    $mergedAvailabilityZones = PrependConfigurationZoneWithProviderZone -ConfigurationZone $configurationZoneMappings -ProviderZone $providerZoneMappings;

    $availabilityZones = GetAvailabilityZone -Location $TargetObject.Location -Zone $mergedAvailabilityZones;

    if (-not $availabilityZones) {
        # No zones were resolved for the cluster's location, so the rule passes.
        return $Assert.Pass();
    }

    # Used only in the failure reason text.
    $joinedZoneString = $availabilityZones -join ', ';

    foreach ($agentPool in $agentPools) {

        # Availability zones only available on virtual machine scale sets
        if ($Assert.HasFieldValue($agentPool, 'type', 'VirtualMachineScaleSets').Result) {
            # Only the presence of a value in availabilityZones is asserted; the zones
            # listed on the pool are not compared with the zones resolved above.
            $Assert.HasFieldValue($agentPool, 'availabilityZones').
                Reason($LocalizedData.AKSAvailabilityZone, $agentPool.name, $TargetObject.Location, $joinedZoneString);
        }
        else {
            # Pools of any other type are passed without checking zones.
            $Assert.Pass();
        }
    }
} -Configure @{ AZURE_AKS_ADDITIONAL_REGION_AVAILABILITY_ZONE_LIST = @() }

# Synopsis: AKS clusters should collect security-based audit logs to assess and monitor the compliance status of workloads.
Rule 'Azure.AKS.AuditLogs' -Ref 'AZR-000022' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.ASB.v3/control' = 'LT-4' } {
    # Diagnostic settings attached to the cluster as sub-resources; both resource type
    # spellings are queried.
    $diagnosticLogs = @(GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings', 'Microsoft.ContainerService/managedClusters/providers/diagnosticSettings');

    # Fails when the cluster has no diagnostic settings at all. This assertion is
    # emitted to the pipeline, so it counts toward the rule outcome on its own.
    $Assert.Greater($diagnosticLogs, '.', 0).Reason($LocalizedData.DiagnosticSettingsNotConfigured, $TargetObject.name);

    foreach ($setting in $diagnosticLogs) {
        # Enabled audit categories: either 'kube-audit' or 'kube-audit-admin' satisfies this half.
        $kubeAuditEnabledLog = @($setting.Properties.logs | Where-Object {
                $_.category -in 'kube-audit', 'kube-audit-admin' -and $_.enabled
            });

        # Enabled 'guard' category.
        $guardEnabledLog = @($setting.Properties.logs | Where-Object {
                $_.category -eq 'guard' -and $_.enabled
            });

        # Only .Result is read from these two assertions, so they are not emitted;
        # the combined outcome is reported once by Create() below.
        $auditLogsEnabled = $Assert.Greater($kubeAuditEnabledLog, '.', 0).Result -and
        $Assert.Greater($guardEnabledLog, '.', 0).Result;

        # NOTE(review): the check is made per diagnostic setting, so every setting must
        # itself enable both an audit category and 'guard'; a cluster that splits the
        # categories across settings would presumably fail - confirm this is intended.
        # NOTE(review): only 'category' and 'enabled' are inspected; the log destination
        # and retention are not evaluated by this rule.
        $Assert.Create($auditLogsEnabled, $LocalizedData.AKSAuditLogs, $setting.name);
    }
}

# Synopsis: AKS clusters should collect platform diagnostic logs to monitor the state of workloads.
Rule 'Azure.AKS.PlatformLogs' -Ref 'AZR-000023' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2021_09'; 'Azure.WAF/pillar' = 'Security'; } -Labels @{ 'Azure.ASB.v3/control' = 'LT-4' } {
    # Categories the operator wants enabled (defaults are set by -Configure below).
    $configurationLogCategoriesList = $Configuration.GetStringValues('AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST');

    if ($configurationLogCategoriesList.Length -eq 0) {
        # An empty list turns the check off: the rule passes without looking at any diagnostic setting.
        return $Assert.Pass();
    }

    $diagnosticLogs = @(GetSubResources -ResourceType 'Microsoft.Insights/diagnosticSettings', 'Microsoft.ContainerService/managedClusters/providers/diagnosticSettings');

    # Fails when the cluster has no diagnostic settings at all; emitted to the pipeline.
    $Assert.Greater($diagnosticLogs, '.', 0).Reason($LocalizedData.DiagnosticSettingsNotConfigured, $TargetObject.name);

    # Category names this rule recognises, split into log and metric categories.
    $availableLogCategories = @{
        Logs = @(
            'cluster-autoscaler',
            'kube-apiserver',
            'kube-controller-manager',
            'kube-scheduler'
        )
        Metrics = @(
            'AllMetrics'
        )
    }

    # Keep only the configured names that appear in the recognised lists.
    # NOTE(review): unrecognised names are dropped silently, which lowers the required
    # counts computed below; a list made up only of unrecognised names would seem to
    # require zero categories - confirm this is intended.
    $configurationLogCategories = @($configurationLogCategoriesList | Where-Object {
            $_ -in $availableLogCategories.Logs
        });

    $configurationMetricCategories = @($configurationLogCategoriesList | Where-Object {
            $_ -in $availableLogCategories.Metrics
        });

    # Number of log / metric categories each diagnostic setting must have enabled.
    $logCategoriesNeeded = [System.Math]::Min(
        $configurationLogCategories.Length,
        $availableLogCategories.Logs.Length
    );

    $metricCategoriesNeeded = [System.Math]::Min(
        $configurationMetricCategories.Length,
        $availableLogCategories.Metrics.Length
    );

    # Used only in the failure reason text.
    $logCategoriesJoinedString = $configurationLogCategoriesList -join ', ';

    foreach ($setting in $diagnosticLogs) {
        # Enabled log entries whose category is both configured and recognised.
        $platformLogs = @($setting.Properties.logs | Where-Object {
                $_.enabled -and
                $_.category -in $configurationLogCategories -and
                $_.category -in $availableLogCategories.Logs
            });

        # Enabled metric entries whose category is both configured and recognised.
        $metricLogs = @($setting.Properties.metrics | Where-Object {
                $_.enabled -and
                $_.category -in $configurationMetricCategories -and
                $_.category -in $availableLogCategories.Metrics
            });

        # The counts must match the needed counts exactly. Only .Result is read, so
        # these intermediate assertions are not emitted; Create() below reports once per setting.
        $platformLogsEnabled = $Assert.HasFieldValue($platformLogs, 'Length', $logCategoriesNeeded).Result -and
        $Assert.HasFieldValue($metricLogs, 'Length', $metricCategoriesNeeded).Result

        $Assert.Create(
            $platformLogsEnabled,
            $LocalizedData.AKSPlatformLogs,
            $setting.name,
            $logCategoriesJoinedString
        );
    }
} -Configure @{
    AZURE_AKS_ENABLED_PLATFORM_LOG_CATEGORIES_LIST = @(
        'cluster-autoscaler',
        'kube-apiserver',
        'kube-controller-manager',
        'kube-scheduler',
        'AllMetrics'
    )
}

# Synopsis: AKS clusters should have Uptime SLA enabled to ensure availability of control plane components for production workloads.
Rule 'Azure.AKS.UptimeSLA' -Ref 'AZR-000285' -Type 'Microsoft.ContainerService/managedClusters' -Tag @{ release = 'GA'; ruleSet = '2022_09'; } {
    # NOTE(review): the expected tier name 'Paid' is hard-coded - confirm it still
    # matches the tier names returned for the clusters being assessed.
    $Assert.Contains($TargetObject, 'sku.tier', 'Paid');
}

# Synopsis: AKS clusters should use ephemeral OS disks which can provide lower read/write latency, along with faster node scaling and cluster upgrades.
Rule 'Azure.AKS.EphemeralOSDisk' -Ref 'AZR-000287' -Level Warning -Type 'Microsoft.ContainerService/managedClusters', 'Microsoft.ContainerService/managedClusters/agentPools' -Tag @{ release = 'GA'; ruleSet = '2022_09' } {
    $agentPools = @(GetAgentPoolProfiles);

    if ($agentPools.Length -eq 0) {
        # Nothing to evaluate, so the rule passes.
        return $Assert.Pass();
    }

    foreach ($agentPool in $agentPools) {
        # osDiskType is compared with 'Ephemeral'. The custom reason is attached only
        # when osDiskType has a value (ReasonIf is conditional on its first argument).
        $Assert.HasDefaultValue($agentPool, 'osDiskType', 'Ephemeral').
            ReasonIf($agentPool.osDiskType, $LocalizedData.AKSEphemeralOSDiskNotConfigured);
    }
}

#region Helper functions

function global:GetAgentPoolProfiles {
    # Emits the agent pools of the current target in one flat shape
    # (name, type, maxPods, orchestratorVersion, enableAutoScaling, availabilityZones, osDiskType).
    # Declared in the global scope, so the name is visible outside this file.
    # Emits nothing when the target is neither a managed cluster nor an agent pool.
    [CmdletBinding()]
    [OutputType([PSObject])]
    param ()
    process {
        if ($PSRule.TargetType -eq 'Microsoft.ContainerService/managedClusters') {
            # Pools declared inline on the cluster are emitted as they are.
            $TargetObject.Properties.agentPoolProfiles;
            # Pools attached as agentPools sub-resources keep their settings under
            # .properties, so they are projected onto the same flat shape.
            @(GetSubResources -ResourceType 'Microsoft.ContainerService/managedClusters/agentPools' | ForEach-Object {
                    [PSCustomObject]@{
                        name                = $_.name
                        type                = $_.properties.type
                        maxPods             = $_.properties.maxPods
                        orchestratorVersion = $_.properties.orchestratorVersion
                        enableAutoScaling   = $_.properties.enableAutoScaling
                        availabilityZones   = $_.properties.availabilityZones
                        osDiskType          = $_.properties.osDiskType
                    }
                });
        }
        elseif ($PSRule.TargetType -eq 'Microsoft.ContainerService/managedClusters/agentPools') {
            # A standalone agent pool target yields a single flattened object.
            [PSCustomObject]@{
                name                = $TargetObject.name
                type                = $TargetObject.properties.type
                maxPods             = $TargetObject.properties.maxPods
                orchestratorVersion = $TargetObject.properties.orchestratorVersion
                enableAutoScaling   = $TargetObject.properties.enableAutoScaling
                availabilityZones   = $TargetObject.properties.availabilityZones
                osDiskType          = $TargetObject.properties.osDiskType
            }
        }
    }
}

#endregion Helper functions

# NOTE(review): the Authenticode signature block below covers the script text, so any
# change to this file (comments and whitespace included) invalidates it until the file
# is re-signed; verify the signature against the original published file, not an edited copy.
# SIG # Begin signature block # MIInogYJKoZIhvcNAQcCoIInkzCCJ48CAQExDzANBglghkgBZQMEAgEFADB5Bgor # BgEEAYI3AgEEoGswaTA0BgorBgEEAYI3AgEeMCYCAwEAAAQQH8w7YFlLCE63JNLG # KX7zUQIBAAIBAAIBAAIBAAIBADAxMA0GCWCGSAFlAwQCAQUABCB4Wij4gzQ+CNu+ # lqUGMZyFRNtntjY7TKDys69d+ZaEtqCCDYUwggYDMIID66ADAgECAhMzAAACzfNk # v/jUTF1RAAAAAALNMA0GCSqGSIb3DQEBCwUAMH4xCzAJBgNVBAYTAlVTMRMwEQYD # VQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01pY3Jvc29mdCBDb2RlIFNpZ25p # bmcgUENBIDIwMTEwHhcNMjIwNTEyMjA0NjAyWhcNMjMwNTExMjA0NjAyWjB0MQsw # CQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9u # ZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMR4wHAYDVQQDExVNaWNy # b3NvZnQgQ29ycG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB # 
AQDrIzsY62MmKrzergm7Ucnu+DuSHdgzRZVCIGi9CalFrhwtiK+3FIDzlOYbs/zz # HwuLC3hir55wVgHoaC4liQwQ60wVyR17EZPa4BQ28C5ARlxqftdp3H8RrXWbVyvQ # aUnBQVZM73XDyGV1oUPZGHGWtgdqtBUd60VjnFPICSf8pnFiit6hvSxH5IVWI0iO # nfqdXYoPWUtVUMmVqW1yBX0NtbQlSHIU6hlPvo9/uqKvkjFUFA2LbC9AWQbJmH+1 # uM0l4nDSKfCqccvdI5l3zjEk9yUSUmh1IQhDFn+5SL2JmnCF0jZEZ4f5HE7ykDP+ # oiA3Q+fhKCseg+0aEHi+DRPZAgMBAAGjggGCMIIBfjAfBgNVHSUEGDAWBgorBgEE # AYI3TAgBBggrBgEFBQcDAzAdBgNVHQ4EFgQU0WymH4CP7s1+yQktEwbcLQuR9Zww # VAYDVR0RBE0wS6RJMEcxLTArBgNVBAsTJE1pY3Jvc29mdCBJcmVsYW5kIE9wZXJh # dGlvbnMgTGltaXRlZDEWMBQGA1UEBRMNMjMwMDEyKzQ3MDUzMDAfBgNVHSMEGDAW # gBRIbmTlUAXTgqoXNzcitW2oynUClTBUBgNVHR8ETTBLMEmgR6BFhkNodHRwOi8v # d3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNDb2RTaWdQQ0EyMDExXzIw # MTEtMDctMDguY3JsMGEGCCsGAQUFBwEBBFUwUzBRBggrBgEFBQcwAoZFaHR0cDov # L3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9jZXJ0cy9NaWNDb2RTaWdQQ0EyMDEx # XzIwMTEtMDctMDguY3J0MAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIB # AE7LSuuNObCBWYuttxJAgilXJ92GpyV/fTiyXHZ/9LbzXs/MfKnPwRydlmA2ak0r # GWLDFh89zAWHFI8t9JLwpd/VRoVE3+WyzTIskdbBnHbf1yjo/+0tpHlnroFJdcDS # MIsH+T7z3ClY+6WnjSTetpg1Y/pLOLXZpZjYeXQiFwo9G5lzUcSd8YVQNPQAGICl # 2JRSaCNlzAdIFCF5PNKoXbJtEqDcPZ8oDrM9KdO7TqUE5VqeBe6DggY1sZYnQD+/ # LWlz5D0wCriNgGQ/TWWexMwwnEqlIwfkIcNFxo0QND/6Ya9DTAUykk2SKGSPt0kL # tHxNEn2GJvcNtfohVY/b0tuyF05eXE3cdtYZbeGoU1xQixPZAlTdtLmeFNly82uB # VbybAZ4Ut18F//UrugVQ9UUdK1uYmc+2SdRQQCccKwXGOuYgZ1ULW2u5PyfWxzo4 # BR++53OB/tZXQpz4OkgBZeqs9YaYLFfKRlQHVtmQghFHzB5v/WFonxDVlvPxy2go # a0u9Z+ZlIpvooZRvm6OtXxdAjMBcWBAsnBRr/Oj5s356EDdf2l/sLwLFYE61t+ME # iNYdy0pXL6gN3DxTVf2qjJxXFkFfjjTisndudHsguEMk8mEtnvwo9fOSKT6oRHhM # 9sZ4HTg/TTMjUljmN3mBYWAWI5ExdC1inuog0xrKmOWVMIIHejCCBWKgAwIBAgIK # YQ6Q0gAAAAAAAzANBgkqhkiG9w0BAQsFADCBiDELMAkGA1UEBhMCVVMxEzARBgNV # BAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jv # c29mdCBDb3Jwb3JhdGlvbjEyMDAGA1UEAxMpTWljcm9zb2Z0IFJvb3QgQ2VydGlm # aWNhdGUgQXV0aG9yaXR5IDIwMTEwHhcNMTEwNzA4MjA1OTA5WhcNMjYwNzA4MjEw # 
OTA5WjB+MQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UE # BxMHUmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSgwJgYD # VQQDEx9NaWNyb3NvZnQgQ29kZSBTaWduaW5nIFBDQSAyMDExMIICIjANBgkqhkiG # 9w0BAQEFAAOCAg8AMIICCgKCAgEAq/D6chAcLq3YbqqCEE00uvK2WCGfQhsqa+la # UKq4BjgaBEm6f8MMHt03a8YS2AvwOMKZBrDIOdUBFDFC04kNeWSHfpRgJGyvnkmc # 6Whe0t+bU7IKLMOv2akrrnoJr9eWWcpgGgXpZnboMlImEi/nqwhQz7NEt13YxC4D # dato88tt8zpcoRb0RrrgOGSsbmQ1eKagYw8t00CT+OPeBw3VXHmlSSnnDb6gE3e+ # lD3v++MrWhAfTVYoonpy4BI6t0le2O3tQ5GD2Xuye4Yb2T6xjF3oiU+EGvKhL1nk # kDstrjNYxbc+/jLTswM9sbKvkjh+0p2ALPVOVpEhNSXDOW5kf1O6nA+tGSOEy/S6 # A4aN91/w0FK/jJSHvMAhdCVfGCi2zCcoOCWYOUo2z3yxkq4cI6epZuxhH2rhKEmd # X4jiJV3TIUs+UsS1Vz8kA/DRelsv1SPjcF0PUUZ3s/gA4bysAoJf28AVs70b1FVL # 5zmhD+kjSbwYuER8ReTBw3J64HLnJN+/RpnF78IcV9uDjexNSTCnq47f7Fufr/zd # sGbiwZeBe+3W7UvnSSmnEyimp31ngOaKYnhfsi+E11ecXL93KCjx7W3DKI8sj0A3 # T8HhhUSJxAlMxdSlQy90lfdu+HggWCwTXWCVmj5PM4TasIgX3p5O9JawvEagbJjS # 4NaIjAsCAwEAAaOCAe0wggHpMBAGCSsGAQQBgjcVAQQDAgEAMB0GA1UdDgQWBBRI # bmTlUAXTgqoXNzcitW2oynUClTAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTAL # BgNVHQ8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBRyLToCMZBD # uRQFTuHqp8cx0SOJNDBaBgNVHR8EUzBRME+gTaBLhklodHRwOi8vY3JsLm1pY3Jv # c29mdC5jb20vcGtpL2NybC9wcm9kdWN0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3JsMF4GCCsGAQUFBwEBBFIwUDBOBggrBgEFBQcwAoZCaHR0cDovL3d3 # dy5taWNyb3NvZnQuY29tL3BraS9jZXJ0cy9NaWNSb29DZXJBdXQyMDExXzIwMTFf # MDNfMjIuY3J0MIGfBgNVHSAEgZcwgZQwgZEGCSsGAQQBgjcuAzCBgzA/BggrBgEF # BQcCARYzaHR0cDovL3d3dy5taWNyb3NvZnQuY29tL3BraW9wcy9kb2NzL3ByaW1h # cnljcHMuaHRtMEAGCCsGAQUFBwICMDQeMiAdAEwAZQBnAGEAbABfAHAAbwBsAGkA # YwB5AF8AcwB0AGEAdABlAG0AZQBuAHQALiAdMA0GCSqGSIb3DQEBCwUAA4ICAQBn # 8oalmOBUeRou09h0ZyKbC5YR4WOSmUKWfdJ5DJDBZV8uLD74w3LRbYP+vj/oCso7 # v0epo/Np22O/IjWll11lhJB9i0ZQVdgMknzSGksc8zxCi1LQsP1r4z4HLimb5j0b # pdS1HXeUOeLpZMlEPXh6I/MTfaaQdION9MsmAkYqwooQu6SpBQyb7Wj6aC6VoCo/ # KmtYSWMfCWluWpiW5IP0wI/zRive/DvQvTXvbiWu5a8n7dDd8w6vmSiXmE0OPQvy # 
CInWH8MyGOLwxS3OW560STkKxgrCxq2u5bLZ2xWIUUVYODJxJxp/sfQn+N4sOiBp # mLJZiWhub6e3dMNABQamASooPoI/E01mC8CzTfXhj38cbxV9Rad25UAqZaPDXVJi # hsMdYzaXht/a8/jyFqGaJ+HNpZfQ7l1jQeNbB5yHPgZ3BtEGsXUfFL5hYbXw3MYb # BL7fQccOKO7eZS/sl/ahXJbYANahRr1Z85elCUtIEJmAH9AAKcWxm6U/RXceNcbS # oqKfenoi+kiVH6v7RyOA9Z74v2u3S5fi63V4GuzqN5l5GEv/1rMjaHXmr/r8i+sL # gOppO6/8MO0ETI7f33VtY5E90Z1WTk+/gFcioXgRMiF670EKsT/7qMykXcGhiJtX # cVZOSEXAQsmbdlsKgEhr/Xmfwb1tbWrJUnMTDXpQzTGCGXMwghlvAgEBMIGVMH4x # CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRt # b25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xKDAmBgNVBAMTH01p # Y3Jvc29mdCBDb2RlIFNpZ25pbmcgUENBIDIwMTECEzMAAALN82S/+NRMXVEAAAAA # As0wDQYJYIZIAWUDBAIBBQCgga4wGQYJKoZIhvcNAQkDMQwGCisGAQQBgjcCAQQw # HAYKKwYBBAGCNwIBCzEOMAwGCisGAQQBgjcCARUwLwYJKoZIhvcNAQkEMSIEICY7 # bu8lXMLn6WzCXn95DUcdhKkQ+wsKcC1+5YbNDW2cMEIGCisGAQQBgjcCAQwxNDAy # oBSAEgBNAGkAYwByAG8AcwBvAGYAdKEagBhodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20wDQYJKoZIhvcNAQEBBQAEggEAoQBdDko0qdxrc/9+KSjydfEYRFPjihwas+/4 # 6Bd+reuF38pu8NmMrf7Ix4GK0zGi4Gjgogs7ysyMRkRAtVRMC9Lw+qUZ7WNVLgkr # FGXJEDSRNZEmhIM57ojHT78DgAvgJphDtI1HvBJ0PLW2iNe/xtha/zfhiQW0dDHT # F2jCw2iEZEFoMWOBEaiKUNyTBv1YAQtpu/xueF5P08UJiXu1uzzXQumgBZfamEaR # l9GsKiJqqmdxkL3rutxqs7DPUzimdFNQQfYdgVBW9IYlscSZ28HnhlrjGBBh4RHB # PTJYjbupVsw3pnlIA0g2Fe+1g+4twTgw67t1ApUtRXbvWCHlvaGCFv0wghb5Bgor # BgEEAYI3AwMBMYIW6TCCFuUGCSqGSIb3DQEHAqCCFtYwghbSAgEDMQ8wDQYJYIZI # AWUDBAIBBQAwggFRBgsqhkiG9w0BCRABBKCCAUAEggE8MIIBOAIBAQYKKwYBBAGE # WQoDATAxMA0GCWCGSAFlAwQCAQUABCCNZZChCxknHh6adYolq6ChlN+VyqWDZQYS # QvDUpZo0zAIGY0hAHo0AGBMyMDIyMTAzMTE2MTgxMi43ODNaMASAAgH0oIHQpIHN # MIHKMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMH # UmVkbW9uZDEeMBwGA1UEChMVTWljcm9zb2Z0IENvcnBvcmF0aW9uMSUwIwYDVQQL # ExxNaWNyb3NvZnQgQW1lcmljYSBPcGVyYXRpb25zMSYwJAYDVQQLEx1UaGFsZXMg # VFNTIEVTTjpBRTJDLUUzMkItMUFGQzElMCMGA1UEAxMcTWljcm9zb2Z0IFRpbWUt # U3RhbXAgU2VydmljZaCCEVQwggcMMIIE9KADAgECAhMzAAABlklbYuEv3fdPAAEA # 
AAGWMA0GCSqGSIb3DQEBCwUAMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNo # aW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29y # cG9yYXRpb24xJjAkBgNVBAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEw # MB4XDTIxMTIwMjE5MDUxM1oXDTIzMDIyODE5MDUxM1owgcoxCzAJBgNVBAYTAlVT # MRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdSZWRtb25kMR4wHAYDVQQK # ExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJTAjBgNVBAsTHE1pY3Jvc29mdCBBbWVy # aWNhIE9wZXJhdGlvbnMxJjAkBgNVBAsTHVRoYWxlcyBUU1MgRVNOOkFFMkMtRTMy # Qi0xQUZDMSUwIwYDVQQDExxNaWNyb3NvZnQgVGltZS1TdGFtcCBTZXJ2aWNlMIIC # IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0h9sEAtvrf48wOoy+i2TIQzS # RtJ79XFKnvh+DBishIEWVMKdWLB5dSExsovCva5D0SiigItJU/ING9RiIqZFnPKg # rRN8Im8aDUeJgsq74BLF7rZ28SNaG8fHDH2tl4HIRv1wRmXBbRndFEL15MVGL6JH # xtU8gTKpyGb0Ni7XJho/OpWj0TbkaHZBDO1VVDtqDEhyW2kzY9W9pAAvLKpcrR9c # 5n60KUwN62TshJssE+Nw0X7DZV5pDSjIluwWnzZx2SxhxmnKYphOHaAzLq98oh/6 # ggsdjzuKSKpAOlixkjfMoWGr3EGURVbbJf8fyIri9H8TxqUJkXPOJuNcmrp3L3jY # f+f9eDKrGe7oGNYsfH5DmICQZS7LPJsj4WjAOqnBAf0VlqnAn4cgETYwnJgTRjV3 # jICsmf/nt2wjpV5lng7VSQy5jrcxAwS5pINv3rad0/YTl/i6HWMHQZGNp6AgxMz1 # lWvN+AJpCb0espxHgRo+qLlon6V8WqGwXWrG9Pq//XmK/k9NMqyxZ9eq601C51c5 # Fu5S8l1hKLrL82J7pdxzwkKKEEuC2NRwSk8k0n7Rl+emYDs+0ZPnrL23K/jYy7wQ # cu13qJoJLsNRf1K7u5WfQEfhEG6YNqbwh0mqzEEB239Rlz4ZQ0x8JHrJEYs+Yz40 # 69Vs/3/vQmceaL7UxdECAwEAAaOCATYwggEyMB0GA1UdDgQWBBTS3wjZLC5lrSBh # LImLhCqa0c10sjAfBgNVHSMEGDAWgBSfpxVdAF5iXYP05dJlpxtTNRnpcjBfBgNV # HR8EWDBWMFSgUqBQhk5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2Ny # bC9NaWNyb3NvZnQlMjBUaW1lLVN0YW1wJTIwUENBJTIwMjAxMCgxKS5jcmwwbAYI # KwYBBQUHAQEEYDBeMFwGCCsGAQUFBzAChlBodHRwOi8vd3d3Lm1pY3Jvc29mdC5j # b20vcGtpb3BzL2NlcnRzL01pY3Jvc29mdCUyMFRpbWUtU3RhbXAlMjBQQ0ElMjAy # MDEwKDEpLmNydDAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMIMA0G # CSqGSIb3DQEBCwUAA4ICAQCvYAsQuCFW2ClUARz+c7SXP5H4Erm3C+YU0XlRNbsE # lSqfdkn3fyCLxYBkHMFZQGXPA7mzoU7IZUdn0hXyuvrFM6DDrn/SLShe5t+PPkqW # eOeYiEw8k4BI6l4U5k07wX8hBwOoMRxs1aOe/JNkLHO6krl5j6/GZHrkTRzTsRUU # 
Jp1FpnUzixiZWyavc0x/imG5yWdrSuccE9ndoq7Qbu1Pxa7swsUm5zNNMunaWGXD # FAnS7s8RxJ1/P3qTtZ0Ja6VE6SeoHpdj7/hPuKJLXV/M89GNFn8HUDmVW5+YK/8D # y7yKHHiiSd+ugAN+pW3PA6OYek0ryW1QKzbrW4P9SXAk+U5faXjBJoitW98+ZERW # X387VHvaTWJ4Yo5BmkJ0U27Aal2ggi5j1PYuDxB3DsofM+7ebc4zgJ0GF4u6DQW0 # V4rc/F2zytl2rDQfUGlPtNUymUZVbWJbFqw64je8QsAnMeG1J8ohxjYlea3iLAzG # wime4dbMSyEHoObVvzIN0d9BJ84xVeXKvET176GhY/PS6RTJZiW5PPihZh88F3Je # cEvhlct/FbpQPt+mhDOBQAyqjI1tdBQlBFVX85xWd1JRnUkuxqshXqFwcxKr8GiF # sb9AV7y7TT30fmMTs3gmnojFQt3MdD5Q3M/gBf1TdlhyiPNXTgJhP6iyZHfxKZi2 # czCCB3EwggVZoAMCAQICEzMAAAAVxedrngKbSZkAAAAAABUwDQYJKoZIhvcNAQEL # BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xMjAwBgNV # BAMTKU1pY3Jvc29mdCBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDEwMB4X # DTIxMDkzMDE4MjIyNVoXDTMwMDkzMDE4MzIyNVowfDELMAkGA1UEBhMCVVMxEzAR # BgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1p # Y3Jvc29mdCBDb3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3Rh # bXAgUENBIDIwMTAwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDk4aZM # 57RyIQt5osvXJHm9DtWC0/3unAcH0qlsTnXIyjVX9gF/bErg4r25PhdgM/9cT8dm # 95VTcVrifkpa/rg2Z4VGIwy1jRPPdzLAEBjoYH1qUoNEt6aORmsHFPPFdvWGUNzB # RMhxXFExN6AKOG6N7dcP2CZTfDlhAnrEqv1yaa8dq6z2Nr41JmTamDu6GnszrYBb # fowQHJ1S/rboYiXcag/PXfT+jlPP1uyFVk3v3byNpOORj7I5LFGc6XBpDco2LXCO # Mcg1KL3jtIckw+DJj361VI/c+gVVmG1oO5pGve2krnopN6zL64NF50ZuyjLVwIYw # XE8s4mKyzbnijYjklqwBSru+cakXW2dg3viSkR4dPf0gz3N9QZpGdc3EXzTdEonW # /aUgfX782Z5F37ZyL9t9X4C626p+Nuw2TPYrbqgSUei/BQOj0XOmTTd0lBw0gg/w # EPK3Rxjtp+iZfD9M269ewvPV2HM9Q07BMzlMjgK8QmguEOqEUUbi0b1qGFphAXPK # Z6Je1yh2AuIzGHLXpyDwwvoSCtdjbwzJNmSLW6CmgyFdXzB0kZSU2LlQ+QuJYfM2 # BjUYhEfb3BvR/bLUHMVr9lxSUV0S2yW6r1AFemzFER1y7435UsSFF5PAPBXbGjfH # CBUYP3irRbb1Hode2o+eFnJpxq57t7c+auIurQIDAQABo4IB3TCCAdkwEgYJKwYB # BAGCNxUBBAUCAwEAATAjBgkrBgEEAYI3FQIEFgQUKqdS/mTEmr6CkTxGNSnPEP8v # BO4wHQYDVR0OBBYEFJ+nFV0AXmJdg/Tl0mWnG1M1GelyMFwGA1UdIARVMFMwUQYM # 
KwYBBAGCN0yDfQEBMEEwPwYIKwYBBQUHAgEWM2h0dHA6Ly93d3cubWljcm9zb2Z0 # LmNvbS9wa2lvcHMvRG9jcy9SZXBvc2l0b3J5Lmh0bTATBgNVHSUEDDAKBggrBgEF # BQcDCDAZBgkrBgEEAYI3FAIEDB4KAFMAdQBiAEMAQTALBgNVHQ8EBAMCAYYwDwYD # VR0TAQH/BAUwAwEB/zAfBgNVHSMEGDAWgBTV9lbLj+iiXGJo0T2UkFvXzpoYxDBW # BgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20vcGtpL2Ny # bC9wcm9kdWN0cy9NaWNSb29DZXJBdXRfMjAxMC0wNi0yMy5jcmwwWgYIKwYBBQUH # AQEETjBMMEoGCCsGAQUFBzAChj5odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtp # L2NlcnRzL01pY1Jvb0NlckF1dF8yMDEwLTA2LTIzLmNydDANBgkqhkiG9w0BAQsF # AAOCAgEAnVV9/Cqt4SwfZwExJFvhnnJL/Klv6lwUtj5OR2R4sQaTlz0xM7U518Jx # Nj/aZGx80HU5bbsPMeTCj/ts0aGUGCLu6WZnOlNN3Zi6th542DYunKmCVgADsAW+ # iehp4LoJ7nvfam++Kctu2D9IdQHZGN5tggz1bSNU5HhTdSRXud2f8449xvNo32X2 # pFaq95W2KFUn0CS9QKC/GbYSEhFdPSfgQJY4rPf5KYnDvBewVIVCs/wMnosZiefw # C2qBwoEZQhlSdYo2wh3DYXMuLGt7bj8sCXgU6ZGyqVvfSaN0DLzskYDSPeZKPmY7 # T7uG+jIa2Zb0j/aRAfbOxnT99kxybxCrdTDFNLB62FD+CljdQDzHVG2dY3RILLFO # Ry3BFARxv2T5JL5zbcqOCb2zAVdJVGTZc9d/HltEAY5aGZFrDZ+kKNxnGSgkujhL # mm77IVRrakURR6nxt67I6IleT53S0Ex2tVdUCbFpAUR+fKFhbHP+CrvsQWY9af3L # wUFJfn6Tvsv4O+S3Fb+0zj6lMVGEvL8CwYKiexcdFYmNcP7ntdAoGokLjzbaukz5 # m/8K6TT4JDVnK+ANuOaMmdbhIurwJ0I9JZTmdHRbatGePu1+oDEzfbzL6Xu/OHBE # 0ZDxyKs6ijoIYn/ZcGNTTY3ugm2lBRDBcQZqELQdVTNYs6FwZvKhggLLMIICNAIB # ATCB+KGB0KSBzTCByjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24x # EDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlv # bjElMCMGA1UECxMcTWljcm9zb2Z0IEFtZXJpY2EgT3BlcmF0aW9uczEmMCQGA1UE # CxMdVGhhbGVzIFRTUyBFU046QUUyQy1FMzJCLTFBRkMxJTAjBgNVBAMTHE1pY3Jv # c29mdCBUaW1lLVN0YW1wIFNlcnZpY2WiIwoBATAHBgUrDgMCGgMVAND6JppVWWnb # irQx4Ic7QWQ35lb+oIGDMIGApH4wfDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldh # c2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBD # b3Jwb3JhdGlvbjEmMCQGA1UEAxMdTWljcm9zb2Z0IFRpbWUtU3RhbXAgUENBIDIw # MTAwDQYJKoZIhvcNAQEFBQACBQDnCdCmMCIYDzIwMjIxMDMxMTI0MjE0WhgPMjAy # MjExMDExMjQyMTRaMHQwOgYKKwYBBAGEWQoEATEsMCowCgIFAOcJ0KYCAQAwBwIB # 
AAICFIswBwIBAAICEV4wCgIFAOcLIiYCAQAwNgYKKwYBBAGEWQoEAjEoMCYwDAYK # KwYBBAGEWQoDAqAKMAgCAQACAwehIKEKMAgCAQACAwGGoDANBgkqhkiG9w0BAQUF # AAOBgQB0oXDzPo/tAnTTxGfkkKAvTI2XJSMhm69MrtPH8bcHlDH5ovLj0D7dPmYk # uzAqdWnaGvyWnoAICyIRW0t6REPf98e7UeXdJNH5GbkbN5WuZ+GX2xVzxPHrtFBi # jjqJSug3+gD7/xzMqFKeTXII1IUa4j0+QESj6ohI1SZyXriuqjGCBA0wggQJAgEB # MIGTMHwxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH # EwdSZWRtb25kMR4wHAYDVQQKExVNaWNyb3NvZnQgQ29ycG9yYXRpb24xJjAkBgNV # BAMTHU1pY3Jvc29mdCBUaW1lLVN0YW1wIFBDQSAyMDEwAhMzAAABlklbYuEv3fdP # AAEAAAGWMA0GCWCGSAFlAwQCAQUAoIIBSjAaBgkqhkiG9w0BCQMxDQYLKoZIhvcN # AQkQAQQwLwYJKoZIhvcNAQkEMSIEIDQ50fcsWsj2P19jS0v9b/qyAKfHt8vrOYf+ # /6PcjVb7MIH6BgsqhkiG9w0BCRACLzGB6jCB5zCB5DCBvQQgdgTWAvgdNdOSdkcu # gn52dCQPCX5WUEOrC6RyNy2yvZAwgZgwgYCkfjB8MQswCQYDVQQGEwJVUzETMBEG # A1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEeMBwGA1UEChMVTWlj # cm9zb2Z0IENvcnBvcmF0aW9uMSYwJAYDVQQDEx1NaWNyb3NvZnQgVGltZS1TdGFt # cCBQQ0EgMjAxMAITMwAAAZZJW2LhL933TwABAAABljAiBCBwkQ4mY8zG5iu+1hF9 # kcwM6FzSTyAmou9XIn7qMc9HfjANBgkqhkiG9w0BAQsFAASCAgACRka0eijBWCC6 # zjgwUEZS6KV6CoBnvLQ0GonKT6hezcpBqXAEilSO9KtFbnYP8cYsZ5P7BGKJP3bh # y9ONq5gPU1Woz58og6E4h5d0noB8nPUx4yxpbUPG/LZZ4l26OkJpv05pvEIXFWDD # AsJfH1LBsD7fjOeFHezY1q/GbQz82W3hsNjdkOEcMAsMTuDNhuOX+YdLlWp0qgfh # +ZvMDtvRrOQdVZULFYMj89qN1AeFhynKHz7qIiS3vIuT0LANGEE+VZbC0Lf0ZjVl # C/UxreWd/h/424080Bu81JpCXuaLP5vYZrtb3vuptOZKZEcUjTu4XIggrRKdG/g5 # bFQcDcJ3MMp7UdF3TWom5AofjTB/EIv9mqtFuJDGG7YdTNCrSO31noN0FnKF8fee # 204kEbb5noBxmyyC5HnL/3J6bhsXgw7Cuw4JKUW2Puup3SpBQfaaRbCQe7JXGRei # QNv+xbklvS3OW4l4uF/l2eq6UZ8ZboniR2t82YkS9iLoY4gECrN0Bp12Yga3XBSU # faL/zhV+SG/dQTZPfDmz6LhCJuRvQlUTuy5clNuQzlCN8HYNw2Zal1CkljVrnvec # szOe4nu1ay3GEeLXfToE5xB/w0aH6l4fR8PaLUlaQJ9GufQbGEWdK57alI1V8q3g # XHojboptlctss5yhVA8et7aL4zufjQ== # SIG # End signature block |