AKS cluster prerequisite
- Before adding your Azure AKS cluster to Portworx Backup, make sure that:
-
Installation prerequisites are met
-
Stork is installed on all application clusters
- Create the following:
-
Storage account in Azure
-
Azure cloud account in Portworx Backup
-
Azure backup location in Portworx Backup
-
Ensure that the permissions listed in the JSON content of Step 1 in Client ID, Client secret and Tenant ID are enabled
-
Before adding an Azure cloud account in Portworx Backup, fetch the following parameters:
- Cloud account name
- Storage account name
- Storage account key
- Subscription ID
- Client ID
- Client Secret
- Tenant ID
- Refer to the steps below for guidance on obtaining these parameters:
Cloud account name
- Choose a cloud account name of your preference.
Storage account name
- Check the Azure portal
Storage account key
-
Run the following command:
az storage account list |grep <storage_account_name>
az storage account keys list --resource-group <resource_group_name> --account-name <storage_account_name>Output:
az storage account keys list --resource-group "resource_group_name"--account-name "storage_account_name"
[
{
"creationTime": null,
"keyName": "key1",
"permissions": "FULL",
"value": "azure-storage-account-key1"
},
{
"creationTime": null,
"keyName": "key2",
"permissions": "FULL",
"value":"azure-storage-account-key2"
}
]
You can pick any one of the key values as the storage account key from this output. Alternatively, you can also get the account key details from the Azure cloud portal.
Subscription ID
-
To obtain your subscription ID, run the following command:
az account subscription list
Client ID, Client secret and Tenant ID
To fetch these three values, you must first create a custom role, fetch AKS infrastructure resource group name, and then create a service principal.
- To create a custom role for Portworx Backup, copy the following content to a JSON file and save it to your root directory. Specify your own name for
<custom_role_name>
and enter your subscription ID.
{
"Name": "<custom_role_name>",
"Description": "",
"AssignableScopes": [
"/subscriptions/<subscription_ID>"
],
"Permissions": [
{
"Actions": [
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/beginGetAccess/action",
"Microsoft.Compute/snapshots/endGetAccess/action",
"Microsoft.Compute/diskAccesses/read",
"Microsoft.Compute/diskAccesses/write",
"Microsoft.Compute/diskAccesses/delete",
"Microsoft.Compute/diskAccesses/privateEndpointConnectionsApproval/action",
"Microsoft.Compute/locations/diskOperations/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/beginGetAccess/action",
"Microsoft.Compute/disks/endGetAccess/action",
"Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/read",
"Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/beginGetAccess/action",
"Microsoft.Compute/restorePointCollections/restorePoints/diskRestorePoints/endGetAccess/action",
"Microsoft.StoragePool/locations/diskPoolZones/read",
"Microsoft.StoragePool/diskPools/read",
"Microsoft.StoragePool/diskPools/write",
"Microsoft.StoragePool/diskPools/delete",
"Microsoft.StoragePool/diskPools/start/action",
"Microsoft.StoragePool/diskPools/deallocate/action",
"Microsoft.StoragePool/diskPools/upgrade/action",
"Microsoft.StoragePool/diskPools/iscsiTargets/read",
"Microsoft.StoragePool/diskPools/iscsiTargets/write",
"Microsoft.StoragePool/diskPools/iscsiTargets/delete",
"Microsoft.Compute/diskAccesses/privateEndpointConnectionProxies/read",
"Microsoft.Compute/diskAccesses/privateEndpointConnectionProxies/write",
"Microsoft.Compute/diskAccesses/privateEndpointConnectionProxies/delete",
"Microsoft.Compute/diskAccesses/privateEndpointConnectionProxies/validate/action",
"Microsoft.Compute/diskAccesses/privateEndpointConnections/delete",
"Microsoft.Compute/diskAccesses/privateEndpointConnections/read",
"Microsoft.Compute/diskAccesses/privateEndpointConnections/write",
"Microsoft.Compute/virtualMachineScaleSets/reimageAll/action",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/reimageAll/action",
"Microsoft.Compute/virtualMachines/capture/action",
"Microsoft.Compute/virtualMachines/convertToManagedDisks/action",
"Microsoft.Compute/virtualMachines/reimage/action",
"Microsoft.Storage/storageAccounts/updateInternalProperties/action",
"Microsoft.Storage/storageAccounts/hnsonmigration/action",
"Microsoft.Storage/storageAccounts/restoreBlobRanges/action",
"Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
"Microsoft.Storage/storageAccounts/failover/action",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/regeneratekey/action",
"Microsoft.Storage/storageAccounts/rotateKey/action",
"Microsoft.Storage/storageAccounts/revokeUserDelegationKeys/action",
"Microsoft.Storage/storageAccounts/delete",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/listAccountSas/action",
"Microsoft.Storage/storageAccounts/listServiceSas/action",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/storageAccounts/accountMigrations/read",
"Microsoft.Storage/storageAccounts/accountMigrations/write",
"Microsoft.Storage/storageAccounts/inventoryPolicies/delete",
"Microsoft.Storage/storageAccounts/inventoryPolicies/read",
"Microsoft.Storage/storageAccounts/inventoryPolicies/write",
"Microsoft.Storage/storageAccounts/restorePoints/delete",
"Microsoft.Storage/storageAccounts/restorePoints/read",
"Microsoft.Storage/storageAccounts/fileServices/shares/action",
"Microsoft.Storage/storageAccounts/fileServices/read",
"Microsoft.Storage/storageAccounts/fileServices/write",
"Microsoft.Storage/storageAccounts/fileServices/shares/delete",
"Microsoft.Storage/storageAccounts/fileServices/shares/read",
"Microsoft.Storage/storageAccounts/fileServices/shares/lease/action",
"Microsoft.Storage/storageAccounts/fileServices/shares/write",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/read",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/write",
"Microsoft.Storage/storageAccounts/objectReplicationPolicies/restorePointMarkers/write",
"Microsoft.Storage/storageAccounts/managementPolicies/delete",
"Microsoft.Storage/storageAccounts/managementPolicies/read",
"Microsoft.Storage/storageAccounts/managementPolicies/write"
],
"NotActions": [],
"DataActions": [],
"NotDataActions": []
}
]
}
- Create the role by invoking the JSON file:
az role definition create --role-definition px-backup-roles.json
Output:
{
"assignableScopes": [
"/subscriptions/<subscription-id>"
],
"description": "",
"id": "/subscriptions/<subscription-id>/providers/Microsoft.Authorization/roleDefinitions/<role_definition>",
"name": "<role_definition>",
"permissions": [
{
"actions": [],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "<custom_role_name>",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
- Fetch your AKS Infrastructure Resource Group name:
az aks show -n <aks_cluster_name> -g <resource_group_name> | jq -r '.nodeResourceGroup'
- Create a service principal for your Portworx Backup custom role:
az ad sp create-for-rbac --role=<custom_role_name> --scopes="/subscriptions/<subscription_ID>/resourceGroups/<aks_infrastructure_resource_group_name>"
Output:
{
"appId": "client_ID",
"displayName": "px-backup-rbac",
"password": "client_secret",
"tenant": "tenant_ID"
}
App ID is the Client ID, password is the Client Secret and tenant is the Tenant ID values.
Alternatively you can use the below command to generate Tenant ID alone:
az account tenant list
Subscription ID can be obtained from the 4th row of this table.
You can now add an Azure cloud account in Portworx Backup with the inputs obtained from the above steps.
Related topic: