Portworx

Deploy Portworx using Azure managed identity on new AKS cluster

Perform the following steps to enable Azure managed identity on new AKS cluster:

  1. Login to the Azure and set the subscription:

    az login
az account set –subscription <Your-Azure-Subscription-UUID>

  2. Check locations to create AKS cluster:

    az account list-locations

  3. Create an Azure Resource Group:

    az group create –name <resource-group-name> –location <location>

  4. Create an AKS cluster with managed identities:

    az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity

  5. Identify object and client IDs:

    az aks show -g myResourceGroup -n myManagedCluster --query identityProfile

    Example:

    az aks show -g cass-rg -n msi-test --query identityProfile
{
  "kubeletidentity": {
    "clientId": "68c2bc67-f3a5-459d-9b57-14597efcbc70",
    "objectId": "c099f8ac-ba91-4c13-9456-3e5614296a35",
    "resourceId": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourcegroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-test-agentpool"
  }
}

  6. Assign contributor role to managed identity:

     az aks show -g cass-rg -n msi-test --query nodeResourceGroup
 az role assignment create --assignee-object-id ObjectId --role "Contributor" --resource-group nodeResourceGroup

    Example:

    az aks show -g myResourceGroup -n myManagedCluster --query nodeResourceGroup
"MC_cass-rg_msi-test_eastus"
az role assignment create --assignee-object-id "c099f8ac-ba91-4c13-9456-3e5614296a35" --role "Contributor" --resource-group "MC_cass-rg_msi-test_eastus"
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourceGroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.Authorization/roleAssignments/d0060dc6-4e9f-452c-8e43-1a661ecf0111",
  "name": "d0060dc6-4e9f-452c-8e43-1a661ecf0111",
  "principalId": "c099f8ac-ba91-4c13-9456-3e5614296a35",
  "principalType": "ServicePrincipal",
  "resourceGroup": "MC_cass-rg_msi-test_eastus",
  "roleDefinitionId": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "scope": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourceGroups/MC_cass-rg_msi-test_eastus",
  "type": "Microsoft.Authorization/roleAssignments"
}

  7. Create Kubernetes secret based on Client ID shown above:

    kubectl create secret generic -n kube-system px-azure --from-literal=AZURE_CLIENT_ID=clientId

    Example:

    kubectl create secret generic -n kube-system px-azure --from-literal=AZURE_CLIENT_ID="68c2bc67-f3a5-459d-9b57-14597efcbc70”

  8. Follow the steps to generate the Operator and StorageCluster spec in Install Portworx on AKS using the Operator. Save the spec for the next step.

  9. Modify the StorageCluster spec that is automatically generated. In the env section, remove the AZURE_CLIENT_SECRET and AZURE_TENANT_ID sections. The finished section should match the following:

    env:
name: AZURE_CLIENT_ID
  valueFrom:
    secretKeyRef:
      name: px-azure
      key: AZURE_CLIENT_ID
Last edited: Tuesday, Jun 7, 2022
Questions? Visit the Portworx forum.