Kubernetes on AKS (Azure) Setup

Overview

Heeler can automatically harvest AKS resources and model them as services linked to your existing code base. To do so, four pieces must be in place:

  • Azure connection

  • AKS access granted to Heeler IPs (the same IPs noted under Getting Started)

  • Each AKS cluster grants the Service Principal used for the Azure connection the Access control (IAM) role assignment Azure Kubernetes Service RBAC Cluster Admin

  • Each AKS cluster has Security Configuration > Authentication and Authorization set to Microsoft Entra ID authentication with Azure RBAC

Azure Connection

Heeler must be able to connect to your Azure subscriptions that host your AKS resources. By following the steps outlined in the Azure Cloud Setup, you will have met this condition for AKS connectivity.

AKS Access Granted to Heeler IPs

Heeler must have connectivity to reach your AKS clusters. Their networking configurations must include Heeler's two IPs in the Authorized IP ranges. To set those values in the Azure console for each cluster:

  1. Navigate to Settings > Networking > Overview > Resource Settings

  2. Click on Manage and populate the Authorized IP ranges setting with a comma-separated list that includes 44.221.229.40/32,52.73.231.96/32

  3. Click Save

If using terraform to manage your AKS cluster, the api_server_access_profile definition should include these values for authorized_ip_ranges:

resource "azurerm_kubernetes_cluster" "this" {
  resource_group_name = var.resource_group_name
  location            = var.location
  tags                = var.tags

  name               = var.aks_name
  dns_prefix         = var.dns_prefix
  kubernetes_version = var.kubernetes_version

  default_node_pool {
    name                 = "system"
    vm_size              = var.system_vm_size
    node_count           = var.system_node_count
    vnet_subnet_id       = var.aks_subnet_id
    type                 = "VirtualMachineScaleSets"
    orchestrator_version = var.kubernetes_version
    upgrade_settings { max_surge = "33%" }
  }

  # authorized_ip_ranges must include Heeler's two IPs
  api_server_access_profile {
    authorized_ip_ranges = [
      "44.221.229.40/32",
      "52.73.231.96/32",
      "<your other IPs>"
    ]
  }

  # Microsoft Entra ID authentication with Azure RBAC (see AKS Authentication and Authorization below)
  azure_active_directory_role_based_access_control {
    admin_group_object_ids = []
    azure_rbac_enabled     = true
    tenant_id              = var.tenant_id
  }

  identity { type = "SystemAssigned" }

  # Disable the local cluster-admin credential so all access goes through Entra ID
  local_account_disabled = true

  network_profile {
    network_plugin    = "azure"
    network_policy    = "azure"
    outbound_type     = "loadBalancer"
    load_balancer_sku = "standard"
  }
}

AKS Service Principal assigned Role

The Service Principal used for Azure connection must have the Role Assignment Azure Kubernetes Service RBAC Cluster Admin. To check and possibly update the Role Assignment in the Azure console for each cluster:

  1. Navigate to Access control (IAM)

  2. Select Add and Add role assignment

  3. Search for Azure Kubernetes Service RBAC Cluster Admin, select it, and click Next

  4. Under Add role assignment > Members:

    1. Confirm Assign access to is set to User, group, or service principal

    2. Click on + Select members

    3. Search for the name of your Service Principal, select, and then click Select

    4. Click on Review + assign until returning to the Access control (IAM) view and confirm the role assignment has been added

If using terraform to manage your AKS cluster, there should be an azurerm_role_assignment resource that adds the role Azure Kubernetes Service RBAC Cluster Admin to the service principal, looked up by its app/client ID, and scoped to the AKS cluster:

# Look up the Service Principal used for the Azure connection by its app/client ID
data "azuread_service_principal" "aks_service_principal" {
  client_id = var.client_id
}

resource "azurerm_role_assignment" "aks_cluster_service_principal_role_assignment" {
  # Scoped to the cluster resource defined above (azurerm_kubernetes_cluster.this)
  scope                = azurerm_kubernetes_cluster.this.id
  role_definition_name = "Azure Kubernetes Service RBAC Cluster Admin"
  principal_id         = data.azuread_service_principal.aks_service_principal.object_id
}

AKS Authentication and Authorization

Each AKS cluster must have Security Configuration > Authentication and Authorization set to Microsoft Entra ID authentication with Azure RBAC. To check and possibly update this setting in the Azure console for each cluster:

  1. Navigate to Settings > Security Configuration > Authentication and Authorization

  2. Click on the Authentication and Authorization drop down and select Microsoft Entra ID authentication with Azure RBAC

  3. Click on Apply

If using terraform to manage your AKS cluster, the key settings that apply, taken from the cluster definition shown above, are:

resource "azurerm_kubernetes_cluster" "this" {
  ...
  azure_active_directory_role_based_access_control {
    azure_rbac_enabled     = true
  }
  local_account_disabled = true
  ...
}
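The three cluster-side prerequisites above (Authorized IP ranges, the Cluster Admin role assignment, and Entra ID authentication with Azure RBAC) can be verified offline from the JSON that the Azure CLI returns. The following script is an added example, not part of this page or of Heeler's tooling; the two embedded documents are constructed samples shaped like the output of `az aks show -o json` and `az role assignment list --scope <cluster id> -o json` (camelCase keys as the CLI prints them), and every GUID in them is a placeholder. Replace the samples with real CLI output to check your own cluster.

```python
"""Offline readiness check for the AKS prerequisites described on this page."""
import ipaddress
import json

# The two Heeler IPs that the cluster's Authorized IP ranges must include.
HEELER_IPS = ("44.221.229.40", "52.73.231.96")
REQUIRED_ROLE = "Azure Kubernetes Service RBAC Cluster Admin"

# Constructed sample mirroring the shape of `az aks show -o json`, trimmed to
# the fields this check reads. Subscription and tenant GUIDs are placeholders.
SAMPLE_CLUSTER = json.loads("""
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example/providers/Microsoft.ContainerService/managedClusters/aks-example",
  "apiServerAccessProfile": {
    "authorizedIpRanges": ["44.221.229.40/32", "52.73.231.96/32", "203.0.113.0/24"]
  },
  "aadProfile": {
    "managed": true,
    "enableAzureRbac": true,
    "tenantId": "00000000-0000-0000-0000-000000000000"
  },
  "disableLocalAccounts": true
}
""")

# Constructed sample mirroring `az role assignment list --scope <cluster id>`;
# here the role is assigned at resource-group scope, which AKS inherits.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {
    "principalId": "11111111-1111-1111-1111-111111111111",
    "roleDefinitionName": "Azure Kubernetes Service RBAC Cluster Admin",
    "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
  }
]
""")
# Placeholder object ID of the Service Principal used for the Azure connection.
SAMPLE_SP_OBJECT_ID = "11111111-1111-1111-1111-111111111111"


def ip_allowed(ip, cidr_ranges):
    """True if `ip` lies inside at least one CIDR in `cidr_ranges`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in cidr_ranges)


def role_covers_cluster(assignment, cluster_id, sp_object_id):
    """True if this assignment grants REQUIRED_ROLE to the SP at the cluster
    scope or at a parent scope (resource group / subscription), since Azure
    RBAC assignments inherit downward. Scopes are compared segment by segment
    so that rg-example does not accidentally match rg-example2."""
    scope_parts = assignment.get("scope", "").lower().rstrip("/").split("/")
    cluster_parts = cluster_id.lower().split("/")
    return (
        assignment.get("principalId") == sp_object_id
        and assignment.get("roleDefinitionName") == REQUIRED_ROLE
        and len(scope_parts) > 1
        and cluster_parts[: len(scope_parts)] == scope_parts
    )


def check_cluster(cluster, assignments, sp_object_id):
    """Evaluate one cluster against the page's prerequisites.

    Returns a dict of check name -> bool; every value must be True before
    Heeler can harvest the cluster."""
    ranges = (cluster.get("apiServerAccessProfile") or {}).get("authorizedIpRanges") or []
    aad = cluster.get("aadProfile") or {}
    return {
        # AKS Access Granted to Heeler IPs. An empty list means no allowlist is
        # applied at all; this check deliberately reports that as not meeting
        # the explicit-entry configuration described above.
        "heeler_ips_authorized": all(ip_allowed(ip, ranges) for ip in HEELER_IPS),
        # AKS Service Principal assigned Role.
        "sp_has_cluster_admin_role": any(
            role_covers_cluster(a, cluster["id"], sp_object_id) for a in assignments
        ),
        # AKS Authentication and Authorization: managed Entra ID integration
        # with Azure RBAC (azure_rbac_enabled = true in the Terraform above).
        "entra_id_with_azure_rbac": aad.get("managed") is True and aad.get("enableAzureRbac") is True,
        # Mirrors local_account_disabled = true from the Terraform above.
        "local_accounts_disabled": cluster.get("disableLocalAccounts") is True,
    }


def failing_checks(results):
    """Names of the checks that did not pass, in the order they were evaluated."""
    return [name for name, ok in results.items() if not ok]


if __name__ == "__main__":
    results = check_cluster(SAMPLE_CLUSTER, SAMPLE_ASSIGNMENTS, SAMPLE_SP_OBJECT_ID)
    for name, ok in results.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    missing = failing_checks(results)
    print("ready for Heeler" if not missing else "not ready: " + ", ".join(missing))
```

To run it against a real cluster, load the output of `az aks show -g <resource group> -n <cluster> -o json` into the cluster argument and `az role assignment list --scope <cluster id> --include-inherited -o json` into the assignments argument, and pass the object ID (not the app/client ID) of the Service Principal, which is what the role assignment records as principalId.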

After completing these steps and allowing time for the settings to propagate, Heeler should be able to harvest your AKS resources and relate them to other harvested Azure resources in your cloud environment.
