Skip to main content
Version: 2.8

AKS cluster prerequisites

This topic provides the list of permissions and actions required for managing Azure clusters. These permissions and actions are essential for managing Azure clusters effectively. Ensuring that the necessary permissions are granted helps to maintain a secure and well-functioning cluster environment. The following section outlines the:

  • Portworx Backup prerequisites

  • Permissions required to install Portworx Backup on an AKS cluster

  • Permissions required to add an AKS cluster as application cluster in Portworx Backup

    note

    Regardless of the security principal (user, group, service principal or managed identity) you have created in Azure Portal, the permissions to create role definition specified in the below sections remain the same.

Portworx Backup prerequisites

  1. Before adding your AKS cluster to Portworx Backup, make sure that:

  2. From Azure Cloud Shell create the following:

    • Azure Storage account in Azure

      az storage account list --resource-group <ResourceGroupName> --query "[].{Name:name}" --output table
    • Azure storage account key

      az storage account keys list --resource-group <ResourceGroupName> --account-name <StorageAccountName> --query "[0].value"

      Output:

      az storage account keys list --resource-group "resource_group_name"--account-name "storage_account_name"
      [
      {
      "creationTime": null,
      "keyName": "key1",
      "permissions": "FULL",
      "value": "azure-storage-account-key1"
      },
      {
      "creationTime": null,
      "keyName": "key2",
      "permissions": "FULL",
      "value":"azure-storage-account-key2"
      }
      ]
      note

      You can pick any one of the key values as the storage account key from this output. Alternatively, you can also get the account key details from the Azure cloud portal.

  3. Before adding an Azure cloud account in Portworx Backup, fetch the following mandatory (optional as well, if your environment requires) parameters:

    • Mandatory parameters

      • Cloud account name
      • Storage account name
      • Storage account key
    • Optional parameters

      • Subscription ID
      • Client ID
      • Client Secret
      • Tenant ID

    You can add the above optional parameters at a later point in time in the Portworx Backup user interface. Hence, you can fetch them later.

    note

    These optional parameters are mandatory to:

    • Add an Azure immutable container as backup location.
    • To restore/delete cloud-native backups taken prior to Portworx Backup 2.7.0.

Permissions to install Portworx Backup

You need the following permissions/actions to bring up Portworx Backup on any cluster:

PermissionsPurpose
Microsoft.Compute/disks/deleteAllows the deletion of managed disks. This is essential for managing storage and cleaning up unused resources.
Microsoft.Compute/disks/writeGrants permission to create or update managed disks. This is crucial for provisioning storage for virtual machines.
Microsoft.Compute/disks/readEnables reading the properties and metadata of managed disks. Necessary for monitoring and managing disk resources.
Microsoft.Compute/virtualMachines/writePermits creating or updating virtual machines. This is essential for provisioning and configuring VMs.
Microsoft.Compute/virtualMachines/readAllows reading the properties and metadata of virtual machines. This is necessary for monitoring and managing VMs.
Microsoft.Network/loadBalancers/readEnables reading the properties and metadata of load balancers. This is important for managing and monitoring network traffic distribution.
Microsoft.Network/loadBalancers/writePermits creating or updating load balancers. This is essential for configuring and managing network traffic distribution.
Microsoft.Network/loadBalancers/deleteAllows for the deletion of load balancers. This is crucial for cleaning up and managing network resources.
Microsoft.Network/publicIPAddresses/readEnables reading the properties and metadata of public IP addresses. This is necessary for managing public-facing network resources.
Microsoft.Network/publicIPAddresses/writePermits creating or updating public IP addresses. This is essential for provisioning public-facing network resources.
Microsoft.Network/publicIPAddresses/deleteAllows for the deletion of public IP addresses. This is important for managing and cleaning up network resources.
Microsoft.Network/publicIPAddresses/join/actionGrants permission to join public IP addresses to resources. This is crucial for associating public IP addresses with network resources.
Microsoft.Network/loadBalancers/loadBalancingRules/readAllows reading the properties and metadata of load balancing rules. This is necessary for monitoring and managing load balancer rules.
Microsoft.Network/loadBalancers/probes/readEnables reading the properties and metadata of load balancer probes. This is important for managing and monitoring load balancer health checks.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/
networkInterfaces/read
Grants permission to read the properties and metadata of network interfaces attached to VM scale set instances. This is necessary for monitoring and managing network configurations of scale set VMs.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/
networkInterfaces/ipconfigurations/publicipaddresses/read
Allows reading the properties and metadata of public IP addresses attached to network interfaces of VM scale set instances. This is crucial for managing and monitoring public-facing network configurations.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/writeGrants permission to create or update virtual machines within a scale set, important for scaling and managing VM instances.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/readAllows reading the properties and metadata of virtual machines within a scale set, necessary for monitoring and managing VM instances.
Microsoft.Compute/virtualMachineScaleSets/readEnables reading the properties and metadata of VM scale sets, important for monitoring and managing scale sets.
Microsoft.Network/networkSecurityGroups/readEnables reading the properties and metadata of network security groups. This is necessary for monitoring and managing network security configurations.
Microsoft.Network/networkSecurityGroups/writeGrants permission to create or update network security groups. This is essential for configuring and managing network security settings.
note

Sometimes creation of an Azure custom role takes at least 20 minutes for the role (with the specified permissions) to reflect in your Azure cluster environment.

Permissions to add application cluster

You need the following list of permissions/actions required to add a cluster as an application cluster:

PermissionsPurpose
Microsoft.Compute/disks/beginGetAccess/actionGrants temporary access to a disk, typically used for scenarios where a disk snapshot needs to be accessed or copied.
Microsoft.Compute/snapshots/deleteAllows for the deletion of snapshots, crucial for managing storage and ensuring outdated snapshots are removed.
Microsoft.Compute/snapshots/writePermits creating or updating snapshots of virtual machine disks, essential for backup and restore operations.
Microsoft.Compute/snapshots/readEnables reading snapshot properties and metadata, necessary for monitoring and managing snapshots.
Microsoft.Compute/disks/writeGrants permission to create or update managed disks. This is crucial for provisioning storage for virtual machines.
Microsoft.Compute/disks/readEnables reading the properties and metadata of managed disks. Necessary for monitoring and managing disk resources.
Microsoft.Compute/disks/deleteAllows the deletion of managed disks. This is essential for managing storage and cleaning up unused resources.
Microsoft.Storage/storageAccounts/readEnables reading the properties and metadata of storage accounts, necessary for accessing and managing storage resources.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/writeGrants permission to create or update virtual machines within a scale set, important for scaling and managing VM instances.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/readAllows reading the properties and metadata of virtual machines within a scale set, necessary for monitoring and managing VM instances.
Microsoft.Compute/virtualMachineScaleSets/readEnables reading the properties and metadata of VM scale sets, important for monitoring and managing scale sets.

You can now add an Azure cloud account in Portworx Backup with the inputs obtained from the above steps.

Restore prerequisites

If you have to restore a backup of Azure volumes created in an Azure cluster or you have to restore a backup to a cluster in a different resource group, follow the below steps.

note

Following steps are not required if you have backed up some applications and want to restore to a cluster in the same resource group or if both the clusters are created with the same managed identity/service principal, or if you want to restore Portworx volumes then these steps are not required.

  1. Create a custom role with the following JSON content and command:

    a. JSON content

    {

    "Name": "<custom_role_name>",
    "Description": "",
    "AssignableScopes": [
    "/subscriptions/<subscription_ID>"
    ],
    "Permissions": [
    {
    "Actions": [
    "Microsoft.Compute/disks/beginGetAccess/action"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": []
    }
    ]
    }

    b. Command:

    az role definition create --role-definition roles.json
  2. Fetch your AKS Infrastructure Resource Group Name with the following command:

    az aks show -n <aks_cluster_name> -g <source_backup_resource_group_name> | jq -r '.nodeResourceGroup'
  3. Get the Principal ID associated with your Kubernetes source cluster

    az aks show --resource-group <destination_cluster_resource_group_name> --name <kubernetes_cluster_name> --query identity
  4. Add Assignee with the following command:

    az role assignment create --assignee <"Principal_Id"> --role <"Role_name"> --scope "/subscriptions/<Subscription_Id>/resourceGroups/<AKS_Infrastructure_Resource_Name>"

Network prerequisites

Make sure that the following ports are open or enabled in Portworx Backup cluster:

PortPurpose
10001For REST API communication
10002For gRPC server communication

Proxy prerequisites

PXB introduces two new configuration parameters for managing proxy exclusions and inclusions for specific services when configuring Portworx Backup with Azure. These configurations allow administrators to fine-tune which services to use the Azure proxy annotations and no_proxy/NO_PROXY settings, depending on deployment requirements.

Here is the list of PXB micro-services you can exclude/include for Azure proxy with the new parameters:

  px-backup-alertmanager
px-backup
pxc-backup-mongodb
prometheus-operator
px-backup-dashboard-prometheus
pre-upgrade-check
pxcentral-apiserver
pxcentral-post-install-hook
pxcentral-keycloak-postgresql
pxcentral-keycloak
pxcentral-lh-middleware
pxcentral-backend
pxcentral-frontend
pxcentral-mysql
  1. Parameter: proxy.excludeAzureProxyList

    This parameter provides flexibility to allow certain services to bypass the Azure proxy annotations. When azureProxyEnabled is set to true, you can utilize this parameter to exclude the required services from the Azure proxy configuration annotations.

    How to use this parameter:

    a. Using the set command:

    The following set command excludes px-backup micro-services from Azure proxy annotations:

    --set   
    "proxy.excludeAzureProxyList[0]=px-backup",proxy.azureProxyEnabled=true

    The following set command excludes px-backup, pxcentral-mysql, pxcentral-apiserver and pxcentral-backend micro-services from Azure Proxy annotations:

    --set   
    "proxy.excludeAzureProxyList[0]=px-backup","proxy.excludeAzureProxyList[1]=pxcentral-mysql","proxy.excludeAzureProxyList[2]=pxcentral-apiserver”,"proxy.excludeAzureProxyList[3]=pxcentral-backend”,proxy.azureProxyEnabled=true

    b. Using the values.yaml (You can append these values to your existing values.yaml):

    The following yaml snippet excludes px-backup micro-services from Azure proxy annotations:

    proxy:
    azureProxyEnabled: true
    excludeAzureProxyList:
    - px-backup

    To exclude more services, simply append the service names in the same format to the above list.

  2. Parameters: proxy.includeNoProxyList and proxy.httpProxy.noProxy

    a. proxy.includeNoProxyList: This parameter is used to specify the micro-services that should be included in the no_proxy or NO_PROXY environment configuration, with the values defined in the httpProxy.noProxy parameter. It can take either a single or set of micro-services.

    • If proxy.includeNoProxyList is populated: Only the micro-services listed in includeNoProxyList will apply the no_proxy settings from httpProxy.noProxy. This allows selective control, so only the specified services will bypass the proxy.

    • If proxy.includeNoProxyList is empty: The no_proxy settings specified in httpProxy.noProxy will apply to all micro-services, essentially bypassing the proxy for any services that match the criteria set in httpProxy.noProxy.

      This setup is beneficial for managing proxy configurations in environments with a variety of micro-services, especially if only specific services should bypass the proxy while others continue to route through it.

    b. proxy.httpProxy.noProxy: This parameter is used to specify which hosts should bypass the HTTP proxy. It defines a list of addresses, domains, or IP ranges that do not need to go through a proxy server, allowing direct access instead.

    Prerequisites

    To bypass the HTTP proxy, perform the following steps:

    Below is the list of services to be provided in proxy.httpProxy.noProxy (helm parameter) during helm install or upgrade for bypassing the PXB-related services:

    pxcentral-keycloak-http,.px-backup,.svc,.cluster.local,pxcentral-keycloak-http,px-backup,px-backup-ui,px-central-ui,pxc-backup-mongodb-headless,pxcentral-apiserver,pxcentral-backend,pxcentral-frontend,pxcentral-keycloak-headless,pxcentral-keycloak-postgresql,pxcentral-keycloak-postgresql-headless,pxcentral-lh-middleware,pxcentral-mysql,.portworx,stork-service,portworx-api,portworx-kvdb-service,portworx-operator-metrics,portworx-service,prometheus-operated,px-csi-service,px-prometheus
    note

    Make sure to use backslash () as escape character before comma (,) while using set command for proxy.httpProxy.noProxy parameter.

    Along with the above, provide the default IPs/Hosts that are auto-generated by Azure. To get the default no_proxy list from Azure, execute the following command:

    az aks show --resource-group <resource_group_name> --name <cluster_name> --query "join(',', httpProxyConfig.noProxy)" --output tsv

    Sample output:

    <service-cidr-ip>,portworx-api,portworx-kvdb-service,px-prometheus,localhost,.central,.cluster.local,portworx-service,prometheus-operated,px-csi-service,konnectivity,<host-name>,.svc,.portworx,<localhost-IP>,stork-service,portworx-operator-metrics

    OR

    You can use the below command to get content in comma separated values with escaped comma(,)

    az aks show --resource-group pxb-proxy --name pxb-proxy-cluster1 --query "join(',', httpProxyConfig.noProxy)" --output tsv | sed 's/,/\\,/g'

    Sample output:

    <service-cidr-ip>\,portworx-api\,portworx-kvdb-service\,px-prometheus\,localhost\,.central\,.cluster.local\,portworx-service\,prometheus-operated\,px-csi-service\,konnectivity\,<host-name>\,.svc\,.portworx\,<localhost-IP>\,stork-service\,portworx-operator-metrics

    Append the output obtained from step 1 and step 2 and then append.azmk8s.io to the proxy.httpProxy.noProxy parameter.

    note

    .azmk8s.io will match all the Azure managed cluster FQDN. We need this parameter to be appended to bypass Azure managed application cluster’s FQDN.

How to use these parameters

  1. Using the set command

Sample input chunk for the set command:

--set "proxy.includeNoProxyList[0]=px-backup", proxy.httpProxy.noProxy="pxcentral-keycloak-http\,.px-backup\,.svc\,.cluster.local\,pxcentral-keycloak-http\,px-backup\,px-backup-ui\,px-central-ui\,pxc-backup-mongodb-headless\,pxcentral-apiserver\,pxcentral-backend\,pxcentral-frontend\,pxcentral-keycloak-headless\,pxcentral-keycloak-postgresql\,pxcentral-keycloak-postgresql-headless\,pxcentral-lh-middleware\,pxcentral-mysql\,.portworx\,stork-service\,portworx-api\,portworx-kvdb-service\,portworx-operator-metrics\,portworx-service\,prometheus-operated\,px-csi-service\,px-prometheus\,<service-cidr-ip>\,portworx-api\,portworx-kvdb-service\,px-prometheus\,localhost\,.central\,.cluster.local\,portworx-service\,prometheus-operated\,px-csi-service\,konnectivity\,<host-name>\,.svc\,.portworx\,<localhost-IP>\,stork-service\,portworx-operator-metrics\,.azmk8s.io"

This command includes the px-backup micro-service to have httpProxy.noProxy settings (value of proxy.httpProxy.noProxy) under no_proxy/NO_PROXY env.

note

Make sure to use backslash () as escape character before comma (,) while using set command for proxy.httpProxy.noProxy parameter.

If you want to add another IP for example, <new-IP> for httpProxy.noProxy, follow the below syntax:

--set "proxy.includeNoProxyList[0]=px-backup", proxy.httpProxy.noProxy="pxcentral-keycloak-http\,.px-backup\,.svc\,.cluster.local\,pxcentral-keycloak-http\,px-backup\,px-backup-ui\,px-central-ui\,pxc-backup-mongodb-headless\,pxcentral-apiserver\,pxcentral-backend\,pxcentral-frontend\,pxcentral-keycloak-headless\,pxcentral-keycloak-postgresql\,pxcentral-keycloak-postgresql-headless\,pxcentral-lh-middleware\,pxcentral-mysql\,.portworx\,stork-service\,portworx-api\,portworx-kvdb-service\,portworx-operator-metrics\,portworx-service\,prometheus-operated\,px-csi-service\,px-prometheus\,<service-cidr-ip>\,portworx-api\,portworx-kvdb-service\,px-prometheus\,localhost\,.central\,.cluster.local\,portworx-service\,prometheus-operated\,px-csi-service\,konnectivity\,<host-name>\,.svc\,.portworx\,<localhost-IP>\,stork-service\,portworx-operator-metrics\,.azmk8s.io\,<new-IP>"
  1. Using the values.yaml (You can append these values to your existing values.yaml).

The following example includes the px-backup micro-service to have httpProxy.noProxy settings (value of proxy.httpProxy.noProxy) under no_proxy/NO_PROXY env:

Example 1:

proxy:
httpProxy:
noProxy: "pxcentral-keycloak-http,.px-backup,.svc,.cluster.local,pxcentral-keycloak-http,px-backup,px-backup-ui,px-central-ui,pxc-backup-mongodb-headless,pxcentral-apiserver,pxcentral-backend,pxcentral-frontend,pxcentral-keycloak-headless,pxcentral-keycloak-postgresql,pxcentral-keycloak-postgresql-headless,pxcentral-lh-middleware,pxcentral-mysql,.portworx,stork-service,portworx-api,portworx-kvdb-service,portworx-operator-metrics,portworx-service,prometheus-operated,px-csi-service,px-prometheus,<service-cidr-ip>,portworx-api,portworx-kvdb-service,px-prometheus,localhost,.central,.cluster.local,portworx-service,prometheus-operated,px-csi-service,konnectivity,<host-name>,.svc,.portworx,<localhost-IP>,stork-service,portworx-operator-metrics,.azmk8s.io"
includeNoProxyList:
- px-backup

Example 2:

In case you want to add another IP <new-IP> to proxy.httpProxy.noProxy

proxy:
httpProxy:
noProxy: "pxcentral-keycloak-http,.px-backup,.svc,.cluster.local,pxcentral-keycloak-http,px-backup,px-backup-ui,px-central-ui,pxc-backup-mongodb-headless,pxcentral-apiserver,pxcentral-backend,pxcentral-frontend,pxcentral-keycloak-headless,pxcentral-keycloak-postgresql,pxcentral-keycloak-postgresql-headless,pxcentral-lh-middleware,pxcentral-mysql,.portworx,stork-service,portworx-api,portworx-kvdb-service,portworx-operator-metrics,portworx-service,prometheus-operated,px-csi-service,px-prometheus,<service-cidr-ip>,portworx-api,portworx-kvdb-service,px-prometheus,localhost,.central,.cluster.local,portworx-service,prometheus-operated,px-csi-service,konnectivity,<host-name>,.svc,.portworx,<localhost-IP>,stork-service,portworx-operator-metrics,.azmk8s.io,<new-IP>"
includeNoProxyList:
- px-backup

Related topics:

Was this page helpful?