AKS cluster prerequisites
This topic lists the permissions and actions required to manage Azure clusters with Portworx Backup. Granting exactly the permissions listed here keeps the cluster environment both functional and secure. The following sections cover:
- Portworx Backup prerequisites
- Permissions required to install Portworx Backup on an AKS cluster
- Permissions required to add an AKS cluster as an application cluster in Portworx Backup
Note: Regardless of the security principal (user, group, service principal, or managed identity) you have created in the Azure portal, the permissions in the role definitions specified in the sections below remain the same.
Portworx Backup prerequisites
Before adding your AKS cluster to Portworx Backup, make sure that:
- Installation prerequisites are met
- Stork is installed on all application clusters
- An Azure Storage account exists. From Azure Cloud Shell, list the storage accounts in your resource group and fetch a key for the one you intend to use:
  az storage account list --resource-group <ResourceGroupName> --query "[].{Name:name}" --output table
  az storage account keys list --resource-group <ResourceGroupName> --account-name <StorageAccountName> --query "[0].value"
  Sample output of the keys command without the --query filter:
  az storage account keys list --resource-group "resource_group_name" --account-name "storage_account_name"
  [
    {
      "creationTime": null,
      "keyName": "key1",
      "permissions": "FULL",
      "value": "azure-storage-account-key1"
    },
    {
      "creationTime": null,
      "keyName": "key2",
      "permissions": "FULL",
      "value": "azure-storage-account-key2"
    }
  ]
  Note: You can pick either key value as the storage account key. Alternatively, you can get the account key from the Azure portal.
Before adding an Azure cloud account in Portworx Backup, fetch the following mandatory parameters (and the optional ones, if your environment requires them):
Mandatory parameters
- Cloud account name
- Storage account name
- Storage account key
Optional parameters
- Subscription ID
- Client ID
- Client Secret
- Tenant ID
You can add the optional parameters later in the Portworx Backup user interface, so you do not need to fetch them now.
Note: These optional parameters are mandatory to:
- Add an Azure immutable container as a backup location.
- Restore or delete cloud-native backups taken prior to Portworx Backup 2.7.0.
Permissions to install Portworx Backup
You need the following permissions (Azure actions) to bring up Portworx Backup on any cluster:
Permissions | Purpose |
---|---|
Microsoft.Compute/disks/delete | Allows the deletion of managed disks. This is essential for managing storage and cleaning up unused resources. |
Microsoft.Compute/disks/write | Grants permission to create or update managed disks. This is crucial for provisioning storage for virtual machines. |
Microsoft.Compute/disks/read | Enables reading the properties and metadata of managed disks. Necessary for monitoring and managing disk resources. |
Microsoft.Compute/virtualMachines/write | Permits creating or updating virtual machines. This is essential for provisioning and configuring VMs. |
Microsoft.Compute/virtualMachines/read | Allows reading the properties and metadata of virtual machines. This is necessary for monitoring and managing VMs. |
Microsoft.Network/loadBalancers/read | Enables reading the properties and metadata of load balancers. This is important for managing and monitoring network traffic distribution. |
Microsoft.Network/loadBalancers/write | Permits creating or updating load balancers. This is essential for configuring and managing network traffic distribution. |
Microsoft.Network/loadBalancers/delete | Allows for the deletion of load balancers. This is crucial for cleaning up and managing network resources. |
Microsoft.Network/publicIPAddresses/read | Enables reading the properties and metadata of public IP addresses. This is necessary for managing public-facing network resources. |
Microsoft.Network/publicIPAddresses/write | Permits creating or updating public IP addresses. This is essential for provisioning public-facing network resources. |
Microsoft.Network/publicIPAddresses/delete | Allows for the deletion of public IP addresses. This is important for managing and cleaning up network resources. |
Microsoft.Network/publicIPAddresses/join/action | Grants permission to join public IP addresses to resources. This is crucial for associating public IP addresses with network resources. |
Microsoft.Network/loadBalancers/loadBalancingRules/read | Allows reading the properties and metadata of load balancing rules. This is necessary for monitoring and managing load balancer rules. |
Microsoft.Network/loadBalancers/probes/read | Enables reading the properties and metadata of load balancer probes. This is important for managing and monitoring load balancer health checks. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read | Grants permission to read the properties and metadata of network interfaces attached to VM scale set instances. This is necessary for monitoring and managing network configurations of scale set VMs. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read | Allows reading the properties and metadata of public IP addresses attached to network interfaces of VM scale set instances. This is crucial for managing and monitoring public-facing network configurations. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Grants permission to create or update virtual machines within a scale set, important for scaling and managing VM instances. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Allows reading the properties and metadata of virtual machines within a scale set, necessary for monitoring and managing VM instances. |
Microsoft.Compute/virtualMachineScaleSets/read | Enables reading the properties and metadata of VM scale sets, important for monitoring and managing scale sets. |
Microsoft.Network/networkSecurityGroups/read | Enables reading the properties and metadata of network security groups. This is necessary for monitoring and managing network security configurations. |
Microsoft.Network/networkSecurityGroups/write | Grants permission to create or update network security groups. This is essential for configuring and managing network security settings. |
After you create an Azure custom role, it can take at least 20 minutes for the role (with the specified permissions) to take effect in your Azure cluster environment.
Permissions to add application cluster
You need the following permissions (Azure actions) to add a cluster as an application cluster:
Permissions | Purpose |
---|---|
Microsoft.Compute/disks/beginGetAccess/action | Grants temporary access to a disk, typically used for scenarios where a disk snapshot needs to be accessed or copied. |
Microsoft.Compute/snapshots/delete | Allows for the deletion of snapshots, crucial for managing storage and ensuring outdated snapshots are removed. |
Microsoft.Compute/snapshots/write | Permits creating or updating snapshots of virtual machine disks, essential for backup and restore operations. |
Microsoft.Compute/snapshots/read | Enables reading snapshot properties and metadata, necessary for monitoring and managing snapshots. |
Microsoft.Compute/disks/write | Grants permission to create or update managed disks. This is crucial for provisioning storage for virtual machines. |
Microsoft.Compute/disks/read | Enables reading the properties and metadata of managed disks. Necessary for monitoring and managing disk resources. |
Microsoft.Compute/disks/delete | Allows the deletion of managed disks. This is essential for managing storage and cleaning up unused resources. |
Microsoft.Storage/storageAccounts/read | Enables reading the properties and metadata of storage accounts, necessary for accessing and managing storage resources. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Grants permission to create or update virtual machines within a scale set, important for scaling and managing VM instances. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Allows reading the properties and metadata of virtual machines within a scale set, necessary for monitoring and managing VM instances. |
Microsoft.Compute/virtualMachineScaleSets/read | Enables reading the properties and metadata of VM scale sets, important for monitoring and managing scale sets. |
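
As an added example (not Portworx code or documentation), the following Python script assembles the actions from both tables above into a single custom role definition in the JSON shape that `az role definition create` accepts, and checks an existing role definition against the required list, honouring the `*` wildcards Azure allows in `Actions` and `NotActions`. The action lists are copied from the tables; the role name, the subscription placeholder and the hand-granted sample role are constructed.

```python
"""Assemble the Azure actions from the two tables above into one custom role
definition and check an existing role definition against them.

Added example, not Portworx code or documentation: the action lists are copied
from this page; the role name, the subscription placeholder and the sample
hand-granted role are constructed.
"""
import json
from fnmatch import fnmatchcase

# Actions the page lists for installing Portworx Backup.
INSTALL_ACTIONS = [
    "Microsoft.Compute/disks/delete",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Network/loadBalancers/delete",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/loadBalancers/loadBalancingRules/read",
    "Microsoft.Network/loadBalancers/probes/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
]

# Actions the page lists for adding a cluster as an application cluster.
APP_CLUSTER_ACTIONS = [
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Compute/virtualMachineScaleSets/read",
]


def build_role_definition(name, subscription_id, actions):
    """Return a role definition in the shape `az role definition create` reads
    (same layout as the JSON in the restore section of this page), with
    duplicate actions removed and first-seen order kept."""
    return {
        "Name": name,
        "Description": "Portworx Backup custom role (constructed example)",
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
        "Permissions": [{
            "Actions": list(dict.fromkeys(actions)),
            "NotActions": [],
            "DataActions": [],
            "NotDataActions": [],
        }],
    }


def _matches(action, patterns):
    """Azure action strings are case-insensitive and may contain '*' wildcards."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_role(role_definition, required):
    """Compare a role definition with a required action list.

    Returns (missing, wildcards): the required actions the role does not grant
    (Actions minus NotActions, as Azure evaluates them), and any wildcard
    entries in Actions, which grant more than the tables require and should be
    reviewed before the role is assigned."""
    perms = role_definition["Permissions"][0]
    missing = [a for a in required
               if not _matches(a, perms.get("Actions", []))
               or _matches(a, perms.get("NotActions", []))]
    wildcards = [p for p in perms.get("Actions", []) if "*" in p]
    return missing, wildcards


# Constructed example of a role granted by hand: a wildcard on disks (with the
# delete action carved out) and on scale sets, but no snapshot actions at all.
SAMPLE_GRANTED_ROLE = {
    "Name": "hand-made-role",
    "Permissions": [{
        "Actions": [
            "Microsoft.Compute/disks/*",
            "Microsoft.Compute/virtualMachineScaleSets/*",
            "Microsoft.Storage/storageAccounts/read",
        ],
        "NotActions": ["Microsoft.Compute/disks/delete"],
    }],
}

if __name__ == "__main__":
    role = build_role_definition("pxb-custom-role", "<subscription_ID>",
                                 INSTALL_ACTIONS + APP_CLUSTER_ACTIONS)
    # Save this as roles.json for `az role definition create --role-definition roles.json`.
    print(json.dumps(role, indent=2))
    missing, wildcards = check_role(SAMPLE_GRANTED_ROLE, APP_CLUSTER_ACTIONS)
    print("missing:", missing)
    print("wildcard grants to review:", wildcards)
```

Running the script prints the merged role definition (26 distinct actions, since the two tables overlap on the disk and scale-set actions) and then reports that the hand-made sample role lacks all three snapshot actions plus `disks/delete`, which its `NotActions` entry removes even though the `disks/*` wildcard would otherwise grant it. The wildcard list is the part to review when the goal is least privilege: `Microsoft.Compute/virtualMachineScaleSets/*` covers far more than the three scale-set actions the tables ask for.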
You can now add an Azure cloud account in Portworx Backup with the inputs obtained from the above steps.
Restore prerequisites
Follow the steps below if you need to restore a backup of Azure volumes created in an Azure cluster, or restore a backup to a cluster in a different resource group.
These steps are not required if you restore applications to a cluster in the same resource group, if both clusters were created with the same managed identity or service principal, or if you restore Portworx volumes.
1. Create a custom role with the following JSON content and command:
   a. JSON content (saved as roles.json):
   {
     "Name": "<custom_role_name>",
     "Description": "",
     "AssignableScopes": [
       "/subscriptions/<subscription_ID>"
     ],
     "Permissions": [
       {
         "Actions": [
           "Microsoft.Compute/disks/beginGetAccess/action"
         ],
         "NotActions": [],
         "DataActions": [],
         "NotDataActions": []
       }
     ]
   }
   b. Command:
   az role definition create --role-definition roles.json
2. Fetch your AKS infrastructure resource group name with the following command:
   az aks show -n <aks_cluster_name> -g <source_backup_resource_group_name> | jq -r '.nodeResourceGroup'
3. Get the principal ID associated with your Kubernetes source cluster:
   az aks show --resource-group <destination_cluster_resource_group_name> --name <kubernetes_cluster_name> --query identity
4. Assign the role to that principal with the following command:
   az role assignment create --assignee "<Principal_Id>" --role "<Role_name>" --scope "/subscriptions/<Subscription_Id>/resourceGroups/<AKS_Infrastructure_Resource_Name>"
Network prerequisites
Make sure that the following ports are open or enabled in the Portworx Backup cluster:
Port | Purpose |
---|---|
10001 | For REST API communication |
10002 | For gRPC server communication |
Proxy prerequisites
PXB introduces two new configuration parameters for managing proxy exclusions and inclusions for specific services when configuring Portworx Backup with Azure. These parameters let administrators fine-tune which services receive the Azure proxy annotations and which receive the no_proxy/NO_PROXY settings, depending on deployment requirements.
Here is the list of PXB micro-services you can exclude/include for Azure proxy with the new parameters:
- px-backup-alertmanager
- px-backup
- pxc-backup-mongodb
- prometheus-operator
- px-backup-dashboard-prometheus
- pre-upgrade-check
- pxcentral-apiserver
- pxcentral-post-install-hook
- pxcentral-keycloak-postgresql
- pxcentral-keycloak
- pxcentral-lh-middleware
- pxcentral-backend
- pxcentral-frontend
- pxcentral-mysql
Parameter: proxy.excludeAzureProxyList
This parameter lets selected services bypass the Azure proxy annotations. When azureProxyEnabled is set to true, use this parameter to exclude the required services from the Azure proxy configuration annotations.
How to use this parameter:
a. Using the set command:
The following set command excludes the px-backup micro-service from Azure proxy annotations:
--set "proxy.excludeAzureProxyList[0]=px-backup",proxy.azureProxyEnabled=true
The following set command excludes the px-backup, pxcentral-mysql, pxcentral-apiserver and pxcentral-backend micro-services from Azure proxy annotations:
--set "proxy.excludeAzureProxyList[0]=px-backup","proxy.excludeAzureProxyList[1]=pxcentral-mysql","proxy.excludeAzureProxyList[2]=pxcentral-apiserver","proxy.excludeAzureProxyList[3]=pxcentral-backend",proxy.azureProxyEnabled=true
b. Using values.yaml (you can append these values to your existing values.yaml):
The following YAML snippet excludes the px-backup micro-service from Azure proxy annotations:
proxy:
  azureProxyEnabled: true
  excludeAzureProxyList:
    - px-backup
To exclude more services, append their names to the list in the same format.
Parameters: proxy.includeNoProxyList and proxy.httpProxy.noProxy
a. proxy.includeNoProxyList: This parameter specifies the micro-services whose no_proxy or NO_PROXY environment variable is set to the value defined in the httpProxy.noProxy parameter. It accepts a single micro-service or a set of micro-services.
- If proxy.includeNoProxyList is populated: Only the micro-services listed in includeNoProxyList receive the no_proxy settings from httpProxy.noProxy. This allows selective control, so only the specified services bypass the proxy.
- If proxy.includeNoProxyList is empty: The no_proxy settings specified in httpProxy.noProxy apply to all micro-services, so every service bypasses the proxy for any destination that matches the criteria in httpProxy.noProxy.
This setup is useful in environments with many micro-services, especially when only specific services should bypass the proxy while the others continue to route through it.
b. proxy.httpProxy.noProxy: This parameter specifies which hosts bypass the HTTP proxy. It defines a list of addresses, domains, or IP ranges that are reached directly instead of through the proxy server.
Prerequisites
To bypass the HTTP proxy for the PXB-related services, perform the following steps:
1. Provide the following list of services in the proxy.httpProxy.noProxy helm parameter during helm install or upgrade:
   pxcentral-keycloak-http,.px-backup,.svc,.cluster.local,pxcentral-keycloak-http,px-backup,px-backup-ui,px-central-ui,pxc-backup-mongodb-headless,pxcentral-apiserver,pxcentral-backend,pxcentral-frontend,pxcentral-keycloak-headless,pxcentral-keycloak-postgresql,pxcentral-keycloak-postgresql-headless,pxcentral-lh-middleware,pxcentral-mysql,.portworx,stork-service,portworx-api,portworx-kvdb-service,portworx-operator-metrics,portworx-service,prometheus-operated,px-csi-service,px-prometheus
   Note: Use a backslash (\) as the escape character before each comma (,) when you pass the proxy.httpProxy.noProxy parameter with the set command.
2. Along with the above, provide the default IPs and hosts that Azure auto-generates. To get the default no_proxy list from Azure, execute the following command:
   az aks show --resource-group <resource_group_name> --name <cluster_name> --query "join(',', httpProxyConfig.noProxy)" --output tsv
   Sample output:
   <service-cidr-ip>,portworx-api,portworx-kvdb-service,px-prometheus,localhost,.central,.cluster.local,portworx-service,prometheus-operated,px-csi-service,konnectivity,<host-name>,.svc,.portworx,<localhost-IP>,stork-service,portworx-operator-metrics
   Alternatively, use the following command to get the same comma-separated values with each comma already escaped (\,):
   az aks show --resource-group pxb-proxy --name pxb-proxy-cluster1 --query "join(',', httpProxyConfig.noProxy)" --output tsv | sed 's/,/\\,/g'
   Sample output:
   <service-cidr-ip>\,portworx-api\,portworx-kvdb-service\,px-prometheus\,localhost\,.central\,.cluster.local\,portworx-service\,prometheus-operated\,px-csi-service\,konnectivity\,<host-name>\,.svc\,.portworx\,<localhost-IP>\,stork-service\,portworx-operator-metrics
3. Append the output of step 2 to the list from step 1, then append .azmk8s.io to the proxy.httpProxy.noProxy parameter.
   Note: .azmk8s.io matches all Azure managed cluster FQDNs. Append it so that the Azure managed application cluster's FQDN also bypasses the proxy.
How to use these parameters
- Using the set command
  Sample input chunk for the set command:
  --set "proxy.includeNoProxyList[0]=px-backup",proxy.httpProxy.noProxy="pxcentral-keycloak-http\,.px-backup\,.svc\,.cluster.local\,pxcentral-keycloak-http\,px-backup\,px-backup-ui\,px-central-ui\,pxc-backup-mongodb-headless\,pxcentral-apiserver\,pxcentral-backend\,pxcentral-frontend\,pxcentral-keycloak-headless\,pxcentral-keycloak-postgresql\,pxcentral-keycloak-postgresql-headless\,pxcentral-lh-middleware\,pxcentral-mysql\,.portworx\,stork-service\,portworx-api\,portworx-kvdb-service\,portworx-operator-metrics\,portworx-service\,prometheus-operated\,px-csi-service\,px-prometheus\,<service-cidr-ip>\,portworx-api\,portworx-kvdb-service\,px-prometheus\,localhost\,.central\,.cluster.local\,portworx-service\,prometheus-operated\,px-csi-service\,konnectivity\,<host-name>\,.svc\,.portworx\,<localhost-IP>\,stork-service\,portworx-operator-metrics\,.azmk8s.io"
  This command includes the px-backup micro-service, so that the httpProxy.noProxy settings (the value of proxy.httpProxy.noProxy) are applied under its no_proxy/NO_PROXY environment variables.
  Use a backslash (\) as the escape character before each comma (,) when you pass the proxy.httpProxy.noProxy parameter with the set command.
  To add another IP, for example <new-IP>, to httpProxy.noProxy, use the following syntax:
  --set "proxy.includeNoProxyList[0]=px-backup",proxy.httpProxy.noProxy="pxcentral-keycloak-http\,.px-backup\,.svc\,.cluster.local\,pxcentral-keycloak-http\,px-backup\,px-backup-ui\,px-central-ui\,pxc-backup-mongodb-headless\,pxcentral-apiserver\,pxcentral-backend\,pxcentral-frontend\,pxcentral-keycloak-headless\,pxcentral-keycloak-postgresql\,pxcentral-keycloak-postgresql-headless\,pxcentral-lh-middleware\,pxcentral-mysql\,.portworx\,stork-service\,portworx-api\,portworx-kvdb-service\,portworx-operator-metrics\,portworx-service\,prometheus-operated\,px-csi-service\,px-prometheus\,<service-cidr-ip>\,portworx-api\,portworx-kvdb-service\,px-prometheus\,localhost\,.central\,.cluster.local\,portworx-service\,prometheus-operated\,px-csi-service\,konnectivity\,<host-name>\,.svc\,.portworx\,<localhost-IP>\,stork-service\,portworx-operator-metrics\,.azmk8s.io\,<new-IP>"
- Using values.yaml (you can append these values to your existing values.yaml)
  The following example includes the px-backup micro-service, so that the httpProxy.noProxy settings (the value of proxy.httpProxy.noProxy) are applied under its no_proxy/NO_PROXY environment variables:
  Example 1:
  proxy:
    httpProxy:
      noProxy: "pxcentral-keycloak-http,.px-backup,.svc,.cluster.local,pxcentral-keycloak-http,px-backup,px-backup-ui,px-central-ui,pxc-backup-mongodb-headless,pxcentral-apiserver,pxcentral-backend,pxcentral-frontend,pxcentral-keycloak-headless,pxcentral-keycloak-postgresql,pxcentral-keycloak-postgresql-headless,pxcentral-lh-middleware,pxcentral-mysql,.portworx,stork-service,portworx-api,portworx-kvdb-service,portworx-operator-metrics,portworx-service,prometheus-operated,px-csi-service,px-prometheus,<service-cidr-ip>,portworx-api,portworx-kvdb-service,px-prometheus,localhost,.central,.cluster.local,portworx-service,prometheus-operated,px-csi-service,konnectivity,<host-name>,.svc,.portworx,<localhost-IP>,stork-service,portworx-operator-metrics,.azmk8s.io"
    includeNoProxyList:
      - px-backup
  Example 2:
  To add another IP <new-IP> to proxy.httpProxy.noProxy:
  proxy:
    httpProxy:
      noProxy: "pxcentral-keycloak-http,.px-backup,.svc,.cluster.local,pxcentral-keycloak-http,px-backup,px-backup-ui,px-central-ui,pxc-backup-mongodb-headless,pxcentral-apiserver,pxcentral-backend,pxcentral-frontend,pxcentral-keycloak-headless,pxcentral-keycloak-postgresql,pxcentral-keycloak-postgresql-headless,pxcentral-lh-middleware,pxcentral-mysql,.portworx,stork-service,portworx-api,portworx-kvdb-service,portworx-operator-metrics,portworx-service,prometheus-operated,px-csi-service,px-prometheus,<service-cidr-ip>,portworx-api,portworx-kvdb-service,px-prometheus,localhost,.central,.cluster.local,portworx-service,prometheus-operated,px-csi-service,konnectivity,<host-name>,.svc,.portworx,<localhost-IP>,stork-service,portworx-operator-metrics,.azmk8s.io,<new-IP>"
    includeNoProxyList:
      - px-backup
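As an added example (not Portworx code or documentation), this Python helper carries out the three-step procedure from the Prerequisites section above and produces both forms shown under "How to use these parameters": it merges the PXB service list, the Azure-generated list and `.azmk8s.io` into one deduplicated `proxy.httpProxy.noProxy` value, renders it in the comma-escaped `--set` form and as a values.yaml fragment, and then checks which host names that value exempts from the proxy using the matching rules most HTTP clients apply to no_proxy (exact name, leading-dot domain suffix, CIDR containment). The Azure-generated list and the host names it checks are constructed stand-ins; the real values come from your own `az aks show` output.

```python
"""Assemble proxy.httpProxy.noProxy from the three sources described above and
check which hosts the resulting value exempts from the proxy.

Added example, not Portworx code or documentation. PXB_NO_PROXY is the service
list given on this page; AZURE_NO_PROXY_SAMPLE is a constructed stand-in for
the `az aks show ... httpProxyConfig.noProxy` output, and the host names
checked in main are placeholders.
"""
import ipaddress

# PXB-related entries this page says to pass in proxy.httpProxy.noProxy.
PXB_NO_PROXY = (
    "pxcentral-keycloak-http,.px-backup,.svc,.cluster.local,pxcentral-keycloak-http,"
    "px-backup,px-backup-ui,px-central-ui,pxc-backup-mongodb-headless,"
    "pxcentral-apiserver,pxcentral-backend,pxcentral-frontend,"
    "pxcentral-keycloak-headless,pxcentral-keycloak-postgresql,"
    "pxcentral-keycloak-postgresql-headless,pxcentral-lh-middleware,pxcentral-mysql,"
    ".portworx,stork-service,portworx-api,portworx-kvdb-service,"
    "portworx-operator-metrics,portworx-service,prometheus-operated,"
    "px-csi-service,px-prometheus"
)

# Constructed stand-in for the Azure-generated list; a real cluster returns its
# own service CIDR, host names and local addresses.
AZURE_NO_PROXY_SAMPLE = "10.0.0.0/16,localhost,127.0.0.1,.central,.cluster.local,konnectivity,.svc"

# Suffix the page says to append so managed cluster FQDNs bypass the proxy.
AZURE_FQDN_SUFFIX = ".azmk8s.io"


def build_no_proxy(pxb_entries, azure_entries, extra=()):
    """Join the sources in the order the page gives (PXB list, Azure list,
    .azmk8s.io, then any extra hosts such as <new-IP>), dropping blanks and
    duplicates while keeping first-seen order."""
    raw = pxb_entries.split(",") + azure_entries.split(",") + [AZURE_FQDN_SUFFIX] + list(extra)
    return ",".join(dict.fromkeys(e.strip() for e in raw if e.strip()))


def helm_set_value(no_proxy):
    """Escape every comma so helm's --set parser does not split the value."""
    return no_proxy.replace(",", "\\,")


def values_yaml(no_proxy, include=("px-backup",)):
    """Render the equivalent values.yaml fragment."""
    lines = ["proxy:", "  httpProxy:", f'    noProxy: "{no_proxy}"', "  includeNoProxyList:"]
    lines += [f"    - {svc}" for svc in include]
    return "\n".join(lines) + "\n"


def bypasses_proxy(host, no_proxy):
    """Approximate the no_proxy matching most HTTP clients use: exact host name,
    domain suffix for entries starting with '.', and CIDR containment for IP
    literals. Client libraries differ in the details, so treat this as a check
    of the list's shape, not a guarantee for every runtime."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in filter(None, no_proxy.lower().split(",")):
        if ip is not None:
            try:
                if ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # not an IP or CIDR entry; irrelevant for an IP host
        elif entry.startswith("."):
            if host.endswith(entry) or host == entry[1:]:
                return True
        elif host == entry:
            return True
    return False


if __name__ == "__main__":
    no_proxy = build_no_proxy(PXB_NO_PROXY, AZURE_NO_PROXY_SAMPLE, extra=["<new-IP>"])
    print('--set "proxy.includeNoProxyList[0]=px-backup",proxy.httpProxy.noProxy="%s"'
          % helm_set_value(no_proxy))
    print(values_yaml(no_proxy))
    for host in ("mycluster-abc123.hcp.eastus.azmk8s.io",
                 "px-backup.px-backup.svc.cluster.local",
                 "10.0.5.7", "login.microsoftonline.com"):
        print(f"{host}: {'direct' if bypasses_proxy(host, no_proxy) else 'via proxy'}")
```

The duplicate `pxcentral-keycloak-http` in the page's list and the entries the Azure output repeats (`.svc`, `.cluster.local`) collapse to one occurrence each, which keeps the value short without changing what it matches. The final check is the part worth keeping around: a cluster FQDN under `.azmk8s.io` and an in-cluster service under `.cluster.local` resolve to direct access, while an address outside the service CIDR such as `login.microsoftonline.com` still goes through the proxy, which is the intended split between in-cluster or Azure-managed endpoints and everything else.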
Related topics: