Kubernetes on AKS (Azure) Setup

Overview

Heeler can automatically harvest AKS resources and model them as services linked to your existing code base. To do so, four pieces must be in place:

Azure connection
AKS access granted to Heeler IPs (the same IPs noted under Getting Started)
The AKS clusters grant the Service Principal used for Azure connection the Access control (IAM) > Role Assignment Azure Kubernetes Service RBAC Cluster Admin
The AKS clusters have Security Configuration > Authentication and Authorization set to Microsoft Entra ID authentication with Azure RBAC

Azure Connection

Heeler must be able to connect to your Azure subscriptions that host your AKS resources. By following the steps outlined in the Azure Cloud Setup, you will have met this condition for AKS connectivity.

AKS Access Granted to Heeler IPs

Heeler must have connectivity to reach your AKS clusters. Their networking configurations must include Heeler's two IPs in the Authorized IP ranges. To set those values in the Azure console for each cluster:

Navigate to the Settings > Networking > Overview > Resource Settings
Click on Manage and populate the Authorized IP ranges setting with a comma-separated list 44.221.229.40/32,52.73.231.96/32
Click Save

If using terraform to manage your AKS cluster, the api_server_access_profile definition should include these values for authorized_ip_ranges:

resource "azurerm_kubernetes_cluster" "this" {
  resource_group_name = var.resource_group_name
  location            = var.location
  tags                = var.tags

  name               = var.aks_name
  dns_prefix         = var.dns_prefix
  kubernetes_version = var.kubernetes_version

  default_node_pool {
    name                 = "system"
    vm_size              = var.system_vm_size
    node_count           = var.system_node_count
    vnet_subnet_id       = var.aks_subnet_id
    type                 = "VirtualMachineScaleSets"
    orchestrator_version = var.kubernetes_version
    upgrade_settings { max_surge = "33%" }
  }

  # authorized_ip_ranges must include Heeler's two IPs
  api_server_access_profile {
    authorized_ip_ranges = [
      "44.221.229.40/32",
      "52.73.231.96/32",
      "<your other IPs>"
    ]
  }

  azure_active_directory_role_based_access_control {
    admin_group_object_ids = []
    azure_rbac_enabled     = true
    tenant_id              = var.tenant_id
  }

  identity { type = "SystemAssigned" }

  local_account_disabled = true

  network_profile {
    network_plugin    = "azure"
    network_policy    = "azure"
    outbound_type     = "loadBalancer"
    load_balancer_sku = "standard"
  }
}

AKS Service Principal assigned Roles

The Service Principal used for Azure connection must have two Role Assignments

Azure Kubernetes Service Cluster User Role
Azure Kubernetes Service RBAC Cluster Admin

To add/update the Role Assignments in the Azure console for each cluster:

Navigate to the Access control (IAM)
Select Add and Add role assignment

For each role, search for the role, select it, and click Next

Azure Kubernetes Service Cluster User Role
Azure Kubernetes Service RBAC Cluster Admin

Under Add role assignment > Members:
1. Confirm Assign access to is set to User, group, or service principal
2. Click on + Select members
3. Search for the name of your Service Principal, select, and then click Select
4. Click on Review + assign until returning to the Access control (IAM) view and confirm the role assignment has been added

Repeat for the second role

If using terraform to manage your AKS cluster, there should be two azurerm_role_assignment resources that add the two roles to the service principal defined by its app/client ID and scoped to the AKS cluster:

data "azuread_service_principal" "aks_service_principal" {
  client_id = var.client_id
}

resource "azurerm_role_assignment" "aks_cluster_user_role" {
  scope                = azurerm_kubernetes_cluster.aks.id
  role_definition_name = "Azure Kubernetes Service Cluster User Role"
  principal_id         = data.azuread_service_principal.aks_service_principal.object_id
}

resource "azurerm_role_assignment" "aks_rbac_cluster_admin" {
  scope                = azurerm_kubernetes_cluster.aks.id
  role_definition_name = "Azure Kubernetes Service RBAC Cluster Admin"
  principal_id         = data.azuread_service_principal.aks_service_principal.object_id
}

AKS Authentication and Authorization

The Security configuration must include an Authentication and Authorization setting of Microsoft Entra ID authentication with Azure RBAC:

Navigate to the Settings > Security Configuration > Authentication and Authorization
Click on the Authentication and Authorization drop down and select Microsoft Entra ID authentication with Azure RBAC
Click on Apply

If using terraform to manage your AKS cluster, the key settings used above that apply are

resource "azurerm_kubernetes_cluster" "this" {
  ...
  azure_active_directory_role_based_access_control {
    azure_rbac_enabled     = true
  }
  local_account_disabled = true
  ...
}

After completing these steps and allowing time for the settings to propagate, Heeler should be able to harvest your AKS resources and relate them to other harvested Azure resources in your cloud environment.

PreviousMicrosoft Azure Supported Services NextKubernetes (Native) Setup

Last updated 1 month ago

Was this helpful?

hashtagOverview

hashtagAzure Connection

hashtagAKS Access Granted to Heeler IPs

hashtagAKS Service Principal assigned Roles

hashtagAKS Authentication and Authorization

Overview

Azure Connection

AKS Access Granted to Heeler IPs

AKS Service Principal assigned Roles

AKS Authentication and Authorization