AKS cluster prerequisites
This topic lists the permissions and actions required to manage Azure clusters with Portworx Backup. Granting exactly the permissions that are needed keeps the cluster environment secure and functional. The following sections outline the:
- Portworx Backup prerequisites
- Permissions required to install Portworx Backup on an AKS cluster
- Permissions required to add an AKS cluster as an application cluster in Portworx Backup
Note: Regardless of the security principal (user, group, service principal or managed identity) you have created in the Azure Portal, the permissions for the role definition specified in the sections below remain the same.
Portworx Backup prerequisites
Before adding your AKS cluster to Portworx Backup, make sure that:
- Installation prerequisites are met
- Stork is installed on all application clusters
- From Azure Cloud Shell, create an Azure Storage account in Azure. The following commands list the storage accounts in a resource group and fetch the keys of one account:
  az storage account list --resource-group <ResourceGroupName> --query "[].{Name:name}" --output table
  az storage account keys list --resource-group <ResourceGroupName> --account-name <StorageAccountName> --query "[0].value"
  Output:
  az storage account keys list --resource-group "resource_group_name" --account-name "storage_account_name"
  [
    {
      "creationTime": null,
      "keyName": "key1",
      "permissions": "FULL",
      "value": "azure-storage-account-key1"
    },
    {
      "creationTime": null,
      "keyName": "key2",
      "permissions": "FULL",
      "value": "azure-storage-account-key2"
    }
  ]
  Note: You can pick any one of the key values as the storage account key from this output. Alternatively, you can also get the account key details from the Azure cloud portal.
- Before adding an Azure cloud account in Portworx Backup, fetch the following mandatory parameters (and the optional ones as well, if your environment requires them):
  Mandatory parameters
  - Cloud account name
  - Storage account name
  - Storage account key
  Optional parameters
  - Subscription ID
  - Client ID
  - Client Secret
  - Tenant ID
  You can add the optional parameters at a later point in time in the Portworx Backup user interface, so you can also fetch them later.
  Note: These optional parameters are mandatory to:
  - Add an Azure immutable container as a backup location.
  - Restore or delete cloud-native backups taken prior to Portworx Backup 2.7.0.
Permissions to install Portworx Backup
You need the following permissions/actions to bring up Portworx Backup on any cluster:
Permissions | Purpose |
---|---|
Microsoft.Compute/disks/delete | Allows the deletion of managed disks. This is essential for managing storage and cleaning up unused resources. |
Microsoft.Compute/disks/write | Grants permission to create or update managed disks. This is crucial for provisioning storage for virtual machines. |
Microsoft.Compute/disks/read | Enables reading the properties and metadata of managed disks. Necessary for monitoring and managing disk resources. |
Microsoft.Compute/virtualMachines/write | Permits creating or updating virtual machines. This is essential for provisioning and configuring VMs. |
Microsoft.Compute/virtualMachines/read | Allows reading the properties and metadata of virtual machines. This is necessary for monitoring and managing VMs. |
Microsoft.Network/loadBalancers/read | Enables reading the properties and metadata of load balancers. This is important for managing and monitoring network traffic distribution. |
Microsoft.Network/loadBalancers/write | Permits creating or updating load balancers. This is essential for configuring and managing network traffic distribution. |
Microsoft.Network/loadBalancers/delete | Allows for the deletion of load balancers. This is crucial for cleaning up and managing network resources. |
Microsoft.Network/publicIPAddresses/read | Enables reading the properties and metadata of public IP addresses. This is necessary for managing public-facing network resources. |
Microsoft.Network/publicIPAddresses/write | Permits creating or updating public IP addresses. This is essential for provisioning public-facing network resources. |
Microsoft.Network/publicIPAddresses/delete | Allows for the deletion of public IP addresses. This is important for managing and cleaning up network resources. |
Microsoft.Network/publicIPAddresses/join/action | Grants permission to join public IP addresses to resources. This is crucial for associating public IP addresses with network resources. |
Microsoft.Network/loadBalancers/loadBalancingRules/read | Allows reading the properties and metadata of load balancing rules. This is necessary for monitoring and managing load balancer rules. |
Microsoft.Network/loadBalancers/probes/read | Enables reading the properties and metadata of load balancer probes. This is important for managing and monitoring load balancer health checks. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read | Grants permission to read the properties and metadata of network interfaces attached to VM scale set instances. This is necessary for monitoring and managing network configurations of scale set VMs. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read | Allows reading the properties and metadata of public IP addresses attached to network interfaces of VM scale set instances. This is crucial for managing and monitoring public-facing network configurations. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Grants permission to create or update virtual machines within a scale set, important for scaling and managing VM instances. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Allows reading the properties and metadata of virtual machines within a scale set, necessary for monitoring and managing VM instances. |
Microsoft.Compute/virtualMachineScaleSets/read | Enables reading the properties and metadata of VM scale sets, important for monitoring and managing scale sets. |
Microsoft.Network/networkSecurityGroups/read | Enables reading the properties and metadata of network security groups. This is necessary for monitoring and managing network security configurations. |
Microsoft.Network/networkSecurityGroups/write | Grants permission to create or update network security groups. This is essential for configuring and managing network security settings. |
After you create an Azure custom role, it can take at least 20 minutes for the role (with the specified permissions) to be reflected in your Azure cluster environment.
Permissions to add application cluster
You need the following permissions/actions to add a cluster as an application cluster:
Permissions | Purpose |
---|---|
Microsoft.Compute/disks/beginGetAccess/action | Grants temporary access to a disk, typically used for scenarios where a disk snapshot needs to be accessed or copied. |
Microsoft.Compute/snapshots/delete | Allows for the deletion of snapshots, crucial for managing storage and ensuring outdated snapshots are removed. |
Microsoft.Compute/snapshots/write | Permits creating or updating snapshots of virtual machine disks, essential for backup and restore operations. |
Microsoft.Compute/snapshots/read | Enables reading snapshot properties and metadata, necessary for monitoring and managing snapshots. |
Microsoft.Compute/disks/write | Grants permission to create or update managed disks. This is crucial for provisioning storage for virtual machines. |
Microsoft.Compute/disks/read | Enables reading the properties and metadata of managed disks. Necessary for monitoring and managing disk resources. |
Microsoft.Compute/disks/delete | Allows the deletion of managed disks. This is essential for managing storage and cleaning up unused resources. |
Microsoft.Storage/storageAccounts/read | Enables reading the properties and metadata of storage accounts, necessary for accessing and managing storage resources. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write | Grants permission to create or update virtual machines within a scale set, important for scaling and managing VM instances. |
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read | Allows reading the properties and metadata of virtual machines within a scale set, necessary for monitoring and managing VM instances. |
Microsoft.Compute/virtualMachineScaleSets/read | Enables reading the properties and metadata of VM scale sets, important for monitoring and managing scale sets. |
You can now add an Azure cloud account in Portworx Backup with the inputs obtained from the above steps.
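The two permission tables above are what you put into Azure custom role definitions. The following is an added example in Python (not Portworx code): it turns both tables into role-definition JSON of the shape accepted by `az role definition create --role-definition <file>`, and audits an existing role definition for required actions it does not grant, honouring Azure's case-insensitive `*` wildcards and `NotActions`. The subscription ID is a placeholder, and the camelCase `permissions`/`actions` key names accepted by the audit are an assumption about the output of `az role definition list`.

```python
"""Build and audit Azure custom role definitions for Portworx Backup.

Added example, not Portworx code. Action lists come from the two tables on
this page; the camelCase key names accepted below are an assumption about
the shape of `az role definition list` output.
"""
import fnmatch
import json

# Actions from the "Permissions to install Portworx Backup" table.
PXB_INSTALL_ACTIONS = [
    "Microsoft.Compute/disks/delete",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Network/loadBalancers/delete",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/publicIPAddresses/write",
    "Microsoft.Network/publicIPAddresses/delete",
    "Microsoft.Network/publicIPAddresses/join/action",
    "Microsoft.Network/loadBalancers/loadBalancingRules/read",
    "Microsoft.Network/loadBalancers/probes/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/write",
]

# Actions from the "Permissions to add application cluster" table.
PXB_APP_CLUSTER_ACTIONS = [
    "Microsoft.Compute/disks/beginGetAccess/action",
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Compute/snapshots/read",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
    "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
    "Microsoft.Compute/virtualMachineScaleSets/read",
]


def build_role_definition(name, actions, subscription_id, description=""):
    """Role definition dict for `az role definition create`, scoped to a
    single subscription (same layout as the JSON in the restore section)."""
    return {
        "Name": name,
        "Description": description,
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
        "Permissions": [{
            "Actions": sorted(set(actions)),
            "NotActions": [],
            "DataActions": [],
            "NotDataActions": [],
        }],
    }


def granted_actions(role_definition):
    """Collect Actions and NotActions from either the create-time shape
    (Permissions/Actions) or the assumed list-output shape (permissions/actions)."""
    actions, not_actions = [], []
    perms = role_definition.get("Permissions") or role_definition.get("permissions") or []
    for perm in perms:
        actions += perm.get("Actions") or perm.get("actions") or []
        not_actions += perm.get("NotActions") or perm.get("notActions") or []
    return actions, not_actions


def action_granted(action, actions, not_actions):
    """Azure-style match: case-insensitive, '*' also spans '/', and a match
    in NotActions removes the grant."""
    needle = action.lower()
    allowed = any(fnmatch.fnmatchcase(needle, p.lower()) for p in actions)
    denied = any(fnmatch.fnmatchcase(needle, p.lower()) for p in not_actions)
    return allowed and not denied


def missing_actions(role_definition, required):
    """Required actions the role does not grant, in the order given."""
    actions, not_actions = granted_actions(role_definition)
    return [a for a in required if not action_granted(a, actions, not_actions)]


def mutating_actions(actions):
    """Actions that create, change or delete resources (write/delete/action
    suffix): the ones worth a second look before the role is assigned."""
    return [a for a in actions if a.rsplit("/", 1)[-1] in ("write", "delete", "action")]


if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
    for name, acts in (("pxb-install", PXB_INSTALL_ACTIONS),
                       ("pxb-app-cluster", PXB_APP_CLUSTER_ACTIONS)):
        print(json.dumps(build_role_definition(name, acts, sub), indent=2))
        print(f"# {name}: {len(mutating_actions(acts))} mutating actions\n")
```

Redirect the printed JSON for one role into a file and pass that file to `az role definition create --role-definition`; to audit a role that already exists, feed the JSON that `az role definition list` returns for it to `missing_actions` together with the relevant action list.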
Restore prerequisites
Follow the steps below if you have to restore a backup of Azure volumes created in an Azure cluster, or if you have to restore a backup to a cluster in a different resource group.
These steps are not required if you have backed up applications and want to restore them to a cluster in the same resource group, if both clusters were created with the same managed identity/service principal, or if you want to restore Portworx volumes.
- Create a custom role with the following JSON content and command:
  a. JSON content (saved as roles.json, the file the command below refers to):
  {
    "Name": "<custom_role_name>",
    "Description": "",
    "AssignableScopes": [
      "/subscriptions/<subscription_ID>"
    ],
    "Permissions": [
      {
        "Actions": [
          "Microsoft.Compute/disks/beginGetAccess/action"
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": []
      }
    ]
  }
  b. Command:
  az role definition create --role-definition roles.json
- Fetch your AKS Infrastructure Resource Group Name with the following command:
  az aks show -n <aks_cluster_name> -g <source_backup_resource_group_name> | jq -r '.nodeResourceGroup'
- Get the Principal ID associated with your Kubernetes source cluster:
  az aks show --resource-group <destination_cluster_resource_group_name> --name <kubernetes_cluster_name> --query identity
- Add the assignee with the following command:
  az role assignment create --assignee "<Principal_Id>" --role "<Role_name>" --scope "/subscriptions/<Subscription_Id>/resourceGroups/<AKS_Infrastructure_Resource_Name>"
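The last three steps chain the output of one command into the next, and the `--query identity` output does not always carry the principal ID at the top level. The following is an added example in Python (not Portworx code) that extracts the principal ID(s) from that output, builds the scope from the infrastructure resource group returned by `.nodeResourceGroup`, and emits the `az role assignment create` command of the last step. The sample identity JSON is constructed; its shape, in particular a user-assigned identity reporting `principalId` as `null` at the top level with the real ID under `userAssignedIdentities`, is an assumption about `az aks show` output, and the subscription and resource group values are placeholders.

```python
"""Derive the role-assignment inputs for the restore steps above.

Added example, not Portworx code. Parses the output of
`az aks show ... --query identity`, builds the scope from the infrastructure
resource group of step 2, and emits the command of step 4. The sample JSON is
constructed; its shape is an assumption about az output.
"""
import json

# Constructed sample: cluster with a system-assigned managed identity.
SYSTEM_ASSIGNED = """{
  "principalId": "11111111-1111-1111-1111-111111111111",
  "tenantId": "22222222-2222-2222-2222-222222222222",
  "type": "SystemAssigned"
}"""

# Constructed sample: cluster with a user-assigned identity, where (assumed)
# the top-level principalId is null and the real one sits under
# userAssignedIdentities, keyed by the identity's resource ID.
USER_ASSIGNED = """{
  "principalId": null,
  "tenantId": null,
  "type": "UserAssigned",
  "userAssignedIdentities": {
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/example-identity": {
      "clientId": "44444444-4444-4444-4444-444444444444",
      "principalId": "33333333-3333-3333-3333-333333333333"
    }
  }
}"""


def principal_ids(identity_json):
    """Principal IDs to pass as --assignee. Fails loudly instead of producing
    a command with an empty assignee when the output carries no principal ID
    (for example when `az` prints `null`)."""
    ident = json.loads(identity_json) or {}
    if ident.get("principalId"):
        return [ident["principalId"]]
    user_assigned = ident.get("userAssignedIdentities") or {}
    ids = [v["principalId"] for v in user_assigned.values() if v.get("principalId")]
    if not ids:
        raise ValueError(f"no principalId in identity output of type {ident.get('type')!r}")
    return ids


def infrastructure_scope(subscription_id, node_resource_group):
    """Scope of the role assignment: the AKS infrastructure (node) resource
    group returned by step 2, under the given subscription."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{node_resource_group}"


def role_assignment_commands(identity_json, role_name, subscription_id, node_resource_group):
    """One `az role assignment create` command per principal ID, with every
    value double-quoted so it reaches az unchanged."""
    scope = infrastructure_scope(subscription_id, node_resource_group)
    return [
        f'az role assignment create --assignee "{pid}" --role "{role_name}" --scope "{scope}"'
        for pid in principal_ids(identity_json)
    ]


if __name__ == "__main__":
    # Placeholder values stand in for the real subscription ID and for the
    # resource group name printed by `jq -r '.nodeResourceGroup'` in step 2.
    for cmd in role_assignment_commands(USER_ASSIGNED, "<custom_role_name>",
                                        "<subscription_ID>", "MC_example-rg_example-aks_eastus"):
        print(cmd)
```

Review the printed command before running it: the scope should name the source cluster's infrastructure resource group only, so the role grants `beginGetAccess` on nothing beyond the disks that the restore actually needs.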
Network prerequisites
Make sure that the following ports are open or enabled in the Portworx Backup cluster:
Port | Purpose |
---|---|
10001 | For REST API communication |
10002 | For gRPC server communication |
Related topics: