To create and manage AKS clusters, the following data will be required to configure credentials for Azure:
- Subscription ID (The subscription ID for the Azure account)
- Tenant ID (The application's Directory ID)
- Client ID (The application's ID)
- Client Secret (The secret value for the newly registered application)
- Log in to the Azure Portal
- Click on Subscriptions under the Azure Services
- Note the value of the Subscription ID
Application and Tenant ID
- Log in to the Azure Portal
- Navigate to Azure Active Directory -> App registrations under the "Azure Services"
- Click New registration to create a new Application (client) ID
- Provide a name for the application (Rafay) and click Register
The Application (client) ID and Directory (tenant) ID are now available.
Generate Secret Value
Once the registration is successful, perform the steps below to generate the client secret value:
- Click Add a certificate or secret link
- Click + New client secret
- Provide a Description (AKS Lifecycle Management)
- Set Expires to 6 months or more (24 months) and click Add
Copy the generated Secret Value.
Note: If the client secret value was not copied at this point, delete the secret and create a new secret value. The "Secret ID" is not required.
Add a Contributor Role to the Subscription
Assign the Contributor Role to the newly created application ID in the subscription selected above. To do so, follow the steps below:
- Click Subscriptions under the "Azure Services" and get into the subscription
- Click Access control (IAM) in the navigation menu
- Click Add -> Add role assignment
- Select Contributor from the Role drop-down. The Contributor role is a basic role that can manage all resources but is not authorized to assign roles in Azure RBAC
- Select User, group, or service principal from the "Assign access to" drop-down
- Select the newly created Application Name (example: demo-docs) under the "Select" drop-down
- Click Save
Note: Along with the Contributor role, users can create custom roles using Role assignment and assign these roles to applications in the Azure Portal. This helps to perform operations on Azure services/modules such as Vnet, ACR (Azure Container Registry), etc.
Users can create their own Azure custom roles if the Azure built-in roles do not meet the specific needs of the organization. As with built-in roles, custom roles can be assigned to users, groups, and service principals at subscription and resource group scopes. Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
The cluster identity used by the AKS cluster must have Network Contributor permissions on the subnet within the virtual network. To define a custom role instead of using the built-in Network Contributor role, the following permissions are required:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/read
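The following check is an added example, not part of the original page or of any vendor tooling: it reviews a custom role definition against the two subnet permissions listed above, treating effective permissions as `Actions` minus `NotActions` and honoring `*` wildcards. It assumes the `Name`/`Actions`/`NotActions`/`AssignableScopes` JSON shape used for custom role definitions; the role names, the helper `review_role` and the all-zero subscription ID are constructed placeholders.

```python
import fnmatch

# The two permissions the page lists for a custom role used in place of
# the built-in Network Contributor role.
REQUIRED = (
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/subnets/read",
)

def _covered(patterns, action):
    # Azure action strings are case-insensitive and may use '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def review_role(role):
    """Return required actions the role does not effectively grant, and
    Actions entries that go beyond the two required permissions."""
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])
    # Effective permissions are Actions minus NotActions.
    missing = [a for a in REQUIRED
               if not _covered(actions, a) or _covered(not_actions, a)]
    required_lower = {a.lower() for a in REQUIRED}
    beyond = [p for p in actions if p.lower() not in required_lower]
    return {"missing": missing, "beyond_required": beyond}

# Constructed sample definitions; names and the all-zero subscription ID
# are placeholders.
SCOPE = ["/subscriptions/00000000-0000-0000-0000-000000000000"]
TIGHT = {"Name": "aks-subnet-join (sample)", "IsCustom": True,
         "Actions": list(REQUIRED), "NotActions": [], "AssignableScopes": SCOPE}
WILDCARD = {"Name": "aks-subnet-wildcard (sample)", "IsCustom": True,
            "Actions": ["Microsoft.Network/virtualNetworks/subnets/*"],
            "NotActions": ["Microsoft.Network/virtualNetworks/subnets/join/action"],
            "AssignableScopes": SCOPE}
READ_ONLY = {"Name": "aks-read-only (sample)", "IsCustom": True,
             "Actions": ["*/read"], "NotActions": [], "AssignableScopes": SCOPE}

if __name__ == "__main__":
    for role in (TIGHT, WILDCARD, READ_ONLY):
        print(role["Name"], review_role(role))
```

A non-empty `missing` list means the cluster identity cannot join the subnet with that role; a non-empty `beyond_required` list marks entries to justify or trim before assigning the role.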
The subnet assigned to the AKS node pool cannot be a delegated subnet. If users provide their own subnet, they have to manage the Network Security Groups (NSG) associated with that subnet. AKS will not modify any of the NSGs associated with that subnet. Also, ensure the security rules in the NSGs allow traffic between the node and pod CIDR ranges.
For more information on Create/Update Custom roles using the Azure portal, visit Azure Custom Roles
If an Azure Container Networking Interface (Azure CNI) is used, then an additional role must be created with the Write: Create role assignment permission enabled.
Create a Resource Group
Ensure a Resource Group is available for provisioning AKS clusters into. Either use an existing resource group or create a new resource group.
- Click Resource Groups under the "Azure Services"
- Click Create and provide a resource group name
- Select a region and click Review + create to create the Resource Group
Users can now provision and manage AKS clusters
Disk & Snapshot Management
Once the Resource Group is created, set the permissions on the Resource Group where the disks/snapshots will be located:
- Select your Resource Group and click Access Control (IAM)
- Click Add under Create a custom role
- Select Permissions tab to add the permission(s)
- Enter or search for the required permission(s), select the checkbox, and click Add. You can view the added permission(s) under Permissions
Create Storage Account
An Azure storage account contains all of your Azure Storage data objects, including blobs, file shares, queues, tables, and disks.
To create a Storage Account in the Resource Group, perform the below steps:
- Click Storage Account under the Azure Services and click Create
- Select the mandatory details and provide a Storage account name
- Click Review + create
- Once the validation is a success, click Create
Once the deployment is complete, you will see a completion message as shown below
On successful Storage Account creation, users can create Containers
- Select the required Storage Account and click Container. The Containers page appears
- Click + Container and the New Container appears in the right pane
- Provide a Container Name, select the other required details and click Create
- On successful creation, the containers are listed in the table as shown below
You can use all the above credentials when creating an AKS cluster in the controller, wherever applicable