To create and manage AKS clusters, the following values are required to configure Azure credentials:
- Subscription ID (the ID of the Azure subscription the clusters will be provisioned into)
- Tenant ID (the Directory (tenant) ID of the Azure AD tenant that holds the registered application)
- Client ID (the Application (client) ID of the registered application)
- Client Secret (the secret value generated for the newly registered application)
Subscription ID¶
- Log in to the Azure Portal
- Click Subscriptions under "Azure Services"
- Note the value of the Subscription ID
Application and Tenant ID¶
- Log in to the Azure Portal
- Navigate to Azure Active Directory (now named Microsoft Entra ID in the portal) -> App registrations under "Azure Services"
- Click New registration to create a new application
- Provide a name for the application (example: Rafay) and click Register
The Application (client) ID and Directory (tenant) ID are now shown on the application's Overview page.
Generate Secret Value¶
Once the registration is successful, perform the steps below to generate the client secret value:
- Click the Add a certificate or secret link
- Click + New client secret
- Provide a Description (example: AKS Lifecycle Management)
- Set Expires. The portal offers 6 months or more (up to 24 months, or a custom date); prefer the shortest lifetime your rotation process supports, and record the expiry date, because once the secret expires every cluster provisioning and management call fails until a new secret is generated and configured
- Click Add
Copy the generated Secret Value immediately: the portal shows it only once, directly after creation.
Note: If the client secret value was not copied at that moment, delete the secret and create a new one. The "Secret ID" shown next to it is not required.
Add a Contributor Role¶
Assign the Contributor role to the newly created application. To do so, follow the steps below:
- Click Subscriptions under "Azure Services" and open the subscription
- Click Access control (IAM) in the navigation menu
- Click Add -> Add role assignment
- Select Contributor from the Role drop-down. Contributor is a built-in role that can manage all resources in its scope but cannot assign roles in Azure RBAC
- Select User, group, or service principal from the "Assign access to" drop-down
- Select the newly created application by name (example: Rafay) under the "Select" drop-down
- Click Save
Contributor at subscription scope lets the application manage every resource in the subscription. If the resource group that will hold the AKS clusters already exists, the same assignment can be made on that resource group's Access control (IAM) page instead, which limits the application to the resources it actually needs.
Note: In addition to the Contributor role, users can create custom roles and assign them to the application in the Azure Portal. This is how the application is granted operations on other Azure services, such as VNets and ACR (Azure Container Registry), that the AKS lifecycle depends on.
Users can create their own Azure custom roles when the Azure built-in roles do not match the specific needs of the organization. Like built-in roles, custom roles can be assigned to users, groups, and service principals at subscription and resource group scopes. Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions; each directory can have up to 5000 custom roles. Custom roles can be created using the Azure portal, Azure PowerShell, Azure CLI, or the REST API.
The cluster identity used by the AKS cluster must have Network Contributor permissions on the subnet within the virtual network. To define a custom role instead of using the built-in Network Contributor role, the following permissions are required:
- Microsoft.Network/virtualNetworks/subnets/join/action
- Microsoft.Network/virtualNetworks/subnets/read
The subnet assigned to the AKS node pool cannot be a delegated subnet. Users who provide their own subnet must manage the Network Security Groups (NSGs) associated with it: AKS does not modify any of the NSGs attached to that subnet. Also ensure that the NSG security rules allow traffic between the node and pod CIDR ranges.
For more information on Create/Update Custom roles using the Azure portal, visit Azure Custom Roles
Create a Resource Group¶
Ensure a Resource Group is available to provision AKS clusters into. Either use an existing resource group or create a new one:
- Click Resource Groups under "Azure Services"
- Click Create and provide a resource group name
- Select a region and click Review + create to create the Resource Group
Users can now provision and manage AKS clusters.
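The portal steps on this page (app registration, client secret, Contributor assignment, the custom subnet role and the resource group) can also be performed with the Azure CLI. The script below is an added example written for this page; it is not Rafay's tooling or documentation. The subscription ID, resource group, location, VNet and subnet names, the application name "Rafay" and the custom role name "Rafay AKS Subnet Join" are placeholders. It only talks to Azure when RUN_AZ=1 is set; otherwise it just assembles the role definition and the subnet scope, which is also what the offline check exercises.

```shell
#!/bin/sh
# Added example, not Rafay documentation: Azure CLI equivalent of the portal steps.
# Every ID and name below is a placeholder; override them in the environment.
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
RESOURCE_GROUP="${RESOURCE_GROUP:-rafay-aks-rg}"
LOCATION="${LOCATION:-eastus}"
VNET_NAME="${VNET_NAME:-rafay-vnet}"
SUBNET_NAME="${SUBNET_NAME:-aks-nodes}"
APP_NAME="${APP_NAME:-Rafay}"
ROLE_NAME="Rafay AKS Subnet Join"   # hypothetical custom role name

# Azure resource ID of a subnet: the scope on which the custom role is assigned.
subnet_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
    "$1" "$2" "$3" "$4"
}

# Custom role carrying only the two subnet permissions the text lists
# (join/action and read), assignable anywhere inside the given subscription.
custom_role_json() {
  cat <<EOF
{
  "Name": "$1",
  "IsCustom": true,
  "Description": "Lets the cluster identity join AKS nodes to an existing subnet",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/subnets/read"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$2" ]
}
EOF
}

# Nothing below contacts Azure unless RUN_AZ=1, so the helpers can be run offline.
if [ "${RUN_AZ:-0}" = "1" ]; then
  az account set --subscription "$SUBSCRIPTION_ID"

  # Resource group the AKS clusters will be provisioned into (idempotent).
  az group create --name "$RESOURCE_GROUP" --location "$LOCATION" -o none

  # App registration, service principal and client secret in one call, with
  # Contributor granted on the resource group rather than the whole subscription.
  # The JSON output holds appId (Client ID), tenant (Tenant ID) and password
  # (Client Secret). The password is shown only here, so the file is created
  # with owner-only permissions; delete it once the credential is configured.
  umask 077
  az ad sp create-for-rbac --name "$APP_NAME" --role Contributor \
    --scopes "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP" \
    --years 1 -o json > "$APP_NAME.credentials.json"
  APP_ID="$(az ad sp list --display-name "$APP_NAME" --query '[0].appId' -o tsv)"

  # Custom role with only the subnet permissions, assigned on the subnet itself to
  # the identity that will create the cluster (here the Rafay service principal; if
  # the cluster runs under its own managed identity, assign it to that identity).
  custom_role_json "$ROLE_NAME" "$SUBSCRIPTION_ID" > role.json
  az role definition create --role-definition @role.json -o none
  az role assignment create --assignee "$APP_ID" --role "$ROLE_NAME" \
    --scope "$(subnet_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VNET_NAME" "$SUBNET_NAME")" \
    -o none
fi
```

Run it as `RUN_AZ=1 SUBSCRIPTION_ID=<id> sh create-rafay-credentials.sh` after `az login`. Newly created role definitions and assignments can take a few minutes to propagate, so a cluster creation attempted immediately afterwards may fail with an authorization error and succeed on retry.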