Remove security rules from NSG.

[marrobi]

What this PR does / why we need it:
Please look at #3693 first, as this is a priority, although this PR could replace #3693 .

As per #3693 the allow_kube_tls rule may not be required. In addition there is no need to allow SSH or RDP through the NSG if there are no masters - they are annotated "Allow SSH traffic to master"/"Allow RDP traffic to master".

The case with masters is dealt with in k8s/kubernetesmasterresources.t as per:

 {{if not IsHostedMaster}}
      ,{{template "k8s/kubernetesmasterresources.t" .}}
    {{else}}

If a user needs to RDP or SSH onto nodes, then they should be aware they are opening the ports, and removing a layer of security.

In addition the SSH rule is flagged as a risk by Azure Security Centre.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:
Again I do not believe any adverse affect, although users may be relying on these rules to administer agent pool nodes.

If applicable:

• documentation
• unit tests
• tested backward compatibility (ie. deploy with previous version, upgrade with this branch)

[acs-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: marrobi
To fully approve this pull request, please assign additional approvers.
We suggest the following additional approver: mboersma

If they are not already assigned, you can assign the PR to them by writing /assign @mboersma in a comment when ready.

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jackfrancis]

@marrobi Would changing the priority of these built-in rules allow additional rules that collide with 443/22 to work?

[marrobi]

I don't believe so as all the rules in question (existing and additional) are allow rules. Priority will only work if need to overide a deny or vice vera? I guess they could possibly be restricted to the node IP, rather than Any (hence wouldn't affect the load balancer). Actually, as the nodes don't have public IPs (is there an instance where they do, unless added manually? ) these rules are redundant anyway...? In my opinion all traffic inbound into the VNet from outside should be denied by default anyway if not needed for normal operation.

[CecileRobertMichon]

Closing since this was covered by #4164