Deploy Portworx using Azure managed identity on new AKS cluster
Perform the following steps to enable Azure managed identity on a new AKS cluster:
Log in to Azure and set the subscription:
az login
az account set --subscription <Your-Azure-Subscription-UUID>
List the locations available for creating the AKS cluster:
az account list-locations
Create an Azure Resource Group:
az group create --name <resource-group-name> --location <location>
Create an AKS cluster with managed identities:
az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity
Identify the object and client IDs of the cluster's kubelet identity:
az aks show -g myResourceGroup -n myManagedCluster --query identityProfile
Example:
az aks show -g cass-rg -n msi-test --query identityProfile
{
  "kubeletidentity": {
    "clientId": "68c2bc67-f3a5-459d-9b57-14597efcbc70",
    "objectId": "c099f8ac-ba91-4c13-9456-3e5614296a35",
    "resourceId": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourcegroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-test-agentpool"
  }
}
Assign the Contributor role to the managed identity, scoped to the cluster's node resource group:
az aks show -g cass-rg -n msi-test --query nodeResourceGroup
az role assignment create --assignee-object-id <objectId> --role "Contributor" --resource-group <nodeResourceGroup>
Example:
az aks show -g myResourceGroup -n myManagedCluster --query nodeResourceGroup
"MC_cass-rg_msi-test_eastus"
az role assignment create --assignee-object-id "c099f8ac-ba91-4c13-9456-3e5614296a35" --role "Contributor" --resource-group "MC_cass-rg_msi-test_eastus"
{
  "canDelegate": null,
  "condition": null,
  "conditionVersion": null,
  "description": null,
  "id": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourceGroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.Authorization/roleAssignments/d0060dc6-4e9f-452c-8e43-1a661ecf0111",
  "name": "d0060dc6-4e9f-452c-8e43-1a661ecf0111",
  "principalId": "c099f8ac-ba91-4c13-9456-3e5614296a35",
  "principalType": "ServicePrincipal",
  "resourceGroup": "MC_cass-rg_msi-test_eastus",
  "roleDefinitionId": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
  "scope": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourceGroups/MC_cass-rg_msi-test_eastus",
  "type": "Microsoft.Authorization/roleAssignments"
}
Create a Kubernetes secret holding the client ID shown above (only the client ID is stored; no client secret is needed with managed identity):
kubectl create secret generic -n kube-system px-azure --from-literal=AZURE_CLIENT_ID=<clientId>
Example:
kubectl create secret generic -n kube-system px-azure --from-literal=AZURE_CLIENT_ID="68c2bc67-f3a5-459d-9b57-14597efcbc70"
Follow the steps to generate the Operator and StorageCluster spec in Install Portworx on AKS using the Operator. Save the spec for the next step.
Modify the automatically generated StorageCluster spec. In the env section, remove the AZURE_CLIENT_SECRET and AZURE_TENANT_ID entries. The finished section should match the following:
env:
- name: AZURE_CLIENT_ID
  valueFrom:
    secretKeyRef:
      name: px-azure
      key: AZURE_CLIENT_ID
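The whole procedure above, wrapped as an added shell example that is not part of the Portworx documentation: the az and kubectl steps are collected in provision_portworx_identity, and small helpers check the things worth verifying before deploying, namely that the IDs pasted into the px-azure secret are GUIDs (is_guid), that the Contributor assignment is scoped to the node resource group rather than the subscription or another group (scope_is_node_rg), and that the generated StorageCluster spec no longer references AZURE_CLIENT_SECRET or AZURE_TENANT_ID (spec_is_identity_only). All function names are assumptions; the SAMPLE_* values are copied from the page's example output so the checks can be exercised without an Azure login.

```shell
#!/bin/sh
# Added example, not part of the Portworx docs. Function names are assumptions;
# the SAMPLE_* values are copied from the page's example output (not live data).
set -eu

SAMPLE_SUBSCRIPTION="72c299a4-a431-4b8e-80ef-6855109979d9"
SAMPLE_NODE_RG="MC_cass-rg_msi-test_eastus"
SAMPLE_CLIENT_ID="68c2bc67-f3a5-459d-9b57-14597efcbc70"
SAMPLE_OBJECT_ID="c099f8ac-ba91-4c13-9456-3e5614296a35"
SAMPLE_SCOPE="/subscriptions/${SAMPLE_SUBSCRIPTION}/resourceGroups/${SAMPLE_NODE_RG}"

# Client and object IDs of a managed identity are GUIDs; anything else is a
# copy/paste slip that would otherwise end up inside the px-azure secret.
is_guid() {
  printf '%s' "$1" | grep -Eqi '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# The Contributor assignment must be scoped to the node resource group alone.
# Succeeds only when the scope string is exactly that RG (compared
# case-insensitively, as Azure treats resource IDs), never the subscription
# root or some other resource group.
scope_is_node_rg() {
  want="/subscriptions/$2/resourceGroups/$3"
  got=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  want=$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')
  [ "$got" = "$want" ]
}

# The only Azure credential reference that should remain in the StorageCluster
# env section once AZURE_CLIENT_SECRET and AZURE_TENANT_ID are removed.
render_env_section() {
  cat <<'EOF'
env:
- name: AZURE_CLIENT_ID
  valueFrom:
    secretKeyRef:
      name: px-azure
      key: AZURE_CLIENT_ID
EOF
}

# Succeeds when the spec file no longer carries secret-based credentials.
spec_is_identity_only() {
  ! grep -Eq 'AZURE_CLIENT_SECRET|AZURE_TENANT_ID' "$1"
}

# The page's steps end to end. Needs az and kubectl logged in to the right
# subscription; call it as: provision_portworx_identity <rg> <cluster> <location>
provision_portworx_identity() {
  rg="$1"; cluster="$2"; location="$3"
  az group create --name "$rg" --location "$location"
  az aks create -g "$rg" -n "$cluster" --enable-managed-identity
  client_id=$(az aks show -g "$rg" -n "$cluster" \
                --query identityProfile.kubeletidentity.clientId -o tsv)
  object_id=$(az aks show -g "$rg" -n "$cluster" \
                --query identityProfile.kubeletidentity.objectId -o tsv)
  node_rg=$(az aks show -g "$rg" -n "$cluster" --query nodeResourceGroup -o tsv)
  subscription=$(az account show --query id -o tsv)
  is_guid "$client_id" || { echo "unexpected clientId: $client_id" >&2; return 1; }
  is_guid "$object_id" || { echo "unexpected objectId: $object_id" >&2; return 1; }
  scope=$(az role assignment create --assignee-object-id "$object_id" \
            --role "Contributor" --resource-group "$node_rg" --query scope -o tsv)
  scope_is_node_rg "$scope" "$subscription" "$node_rg" \
    || { echo "role assignment landed outside $node_rg: $scope" >&2; return 1; }
  kubectl create secret generic -n kube-system px-azure \
    --from-literal=AZURE_CLIENT_ID="$client_id"
  echo "Paste this env section into the generated StorageCluster spec:"
  render_env_section
}
```

Source the file and call provision_portworx_identity with your resource group, cluster name and location; the helpers can also be run on their own against the JSON returned by az aks show and az role assignment create (for example after saving the generated spec to a file, spec_is_identity_only <spec-file> confirms the secret-based entries are gone).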
Last edited: Tuesday, Jun 7, 2022