Version: 3.2

Deploy Portworx using Azure managed identity on new AKS cluster

This topic explains how to install Portworx using managed identity on Azure Kubernetes Service (AKS).

Prepare your AKS platform

Perform the following steps to enable Azure managed identity on a new AKS cluster:

  1. Log in to Azure and set the subscription:

    az login
    az account set --subscription <Your-Azure-Subscription-UUID>
  2. Check locations to create AKS cluster:

    az account list-locations
  3. Create an Azure Resource Group:

    az group create --name <resource-group-name> --location <location>
  4. Create an AKS cluster with managed identities:

    az aks create -g <resource-group-name> -n <cluster-name> --enable-managed-identity
  5. Identify object and client IDs:

    az aks show -g <resource-group-name> -n <cluster-name> --query identityProfile

    For example:

    az aks show -g cass-rg -n msi-test --query identityProfile
    {
    "kubeletidentity": {
    "clientId": "68XXXXXX-f3a5-459d-9b57-XXXXXXXXXX70",
    "objectId": "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35",
    "resourceId": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-test-agentpool"
    }
    }
  6. Assign the Contributor role to the managed identity:

    az role assignment create --assignee <objectId> --role "Contributor" --scope <resourceId>
    Note: The objectId and the resourceId both come from step 5. Truncate the resourceId after the resource group name, just before /providers, so that the scope is /subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus.

    For example:

    az role assignment create --assignee "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35" --role "Contributor" --scope "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus"
    {
    "canDelegate": null,
    "condition": null,
    "conditionVersion": null,
    "description": null,
    "id": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourceGroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.Authorization/roleAssignments/d0XXXXXX-4e9f-452c-8e43-1a661eXXXXXX",
    "name": "d0XXXXXX-4e9f-452c-8e43-1a661eXXXXXX",
    "principalId": "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35",
    "principalType": "ServicePrincipal",
    "resourceGroup": "MC_cass-rg_msi-test_eastus",
    "roleDefinitionId": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/providers/Microsoft.Authorization/roleDefinitions/b2XXXXXX-6180-42a0-ab88-20f738XXXXXX",
    "scope": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourceGroups/MC_cass-rg_msi-test_eastus",
    "type": "Microsoft.Authorization/roleAssignments"
    }
  7. Create a Kubernetes secret based on the clientId that you retrieved in step 5:

    kubectl create secret generic -n <px-namespace> px-azure --from-literal=AZURE_CLIENT_ID="<clientId>"

    For example:

    kubectl create secret generic -n portworx px-azure --from-literal=AZURE_CLIENT_ID="68XXXXXX-f3a5-459d-9b57-XXXXXXXXXX70"
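
The resourceId trimming in step 6 is easy to get wrong by hand, and a scope cut too short would grant Contributor on the whole subscription. The following is an added example, not part of the Portworx documentation: it derives the scope, refuses anything that is not a single resource group, and prints the step 6 and step 7 commands for review. The function names and all IDs and resource names in the sample are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. In real use the inputs come from step 5, for instance:
#   az aks show -g <resource-group-name> -n <cluster-name> \
#     --query identityProfile.kubeletidentity.resourceId -o tsv

# Trim a resourceId to /subscriptions/<id>/resourcegroups/<name>.
# Fails if the result is anything else, so a malformed input cannot
# widen the Contributor grant to subscription level.
rg_scope_from_resource_id() {
  local scope="${1%%/providers/*}"   # drop everything from the first /providers/
  # -i: Azure returns both "resourcegroups" and "resourceGroups"
  if printf '%s\n' "$scope" | grep -Eiq '^/subscriptions/[^/]+/resourcegroups/[^/]+$'; then
    printf '%s\n' "$scope"
  else
    echo "refusing scope that is not a single resource group: '$scope'" >&2
    return 1
  fi
}

# Guard against pasting the wrong field (for example resourceId) as an ID.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Print (do not run) the step 6 and step 7 commands.
render_commands() {
  local object_id="$1" client_id="$2" resource_id="$3" namespace="$4" scope
  is_guid "$object_id" || { echo "objectId is not a GUID" >&2; return 1; }
  is_guid "$client_id" || { echo "clientId is not a GUID" >&2; return 1; }
  scope="$(rg_scope_from_resource_id "$resource_id")" || return 1
  printf 'az role assignment create --assignee "%s" --role "Contributor" --scope "%s"\n' \
    "$object_id" "$scope"
  printf 'kubectl create secret generic -n %s px-azure --from-literal=AZURE_CLIENT_ID="%s"\n' \
    "$namespace" "$client_id"
}

# Constructed sample input shaped like the step 5 output.
SAMPLE_ID="/subscriptions/00000000-0000-0000-0000-0000000000aa/resourcegroups/MC_demo-rg_demo-aks_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/demo-aks-agentpool"
render_commands "00000000-0000-0000-0000-0000000000bb" \
  "00000000-0000-0000-0000-0000000000cc" "$SAMPLE_ID" portworx
```
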

Install Portworx

To install Portworx on your Kubernetes cluster, follow these steps to generate the necessary Kubernetes manifests using Portworx Central and deploy them in your cluster:

  1. Navigate to Portworx Central and log in or create an account.
  2. Select Portworx Enterprise from the product catalog and click Continue.
  3. On the Product Line page, choose the appropriate option based on the license you intend to use, then click Continue.
  4. For Platform, select Azure. For Distribution Name, select Azure Kubernetes Service (AKS), then click Customize at the bottom of the Summary section.
  5. On the Storage page, select the Managed Identity option, and click Next.
  6. (Optional) If you are deploying Portworx on an Azure Sovereign cloud, specify the value of the AZURE_ENVIRONMENT variable under Environment Variable in the Customize page.
  7. Click Finish to generate the specs.
  8. Follow the on-screen instructions to install Portworx on your AKS cluster.
  9. Once the installation is complete, verify your Portworx installation by following the steps to completion.