This article explains how to grant Cloudaware access to an AKS cluster that has Azure Active Directory (AD) integration enabled, so that Cloudaware can discover AKS resources automatically. If your AKS cluster is not AD-integrated, grant Cloudaware the Microsoft.ContainerService/managedClusters/listClusterUserCredential/action permission instead, as described here.
When AD integration is enabled, the Kubernetes API server of the AKS cluster authenticates callers against Azure AD, but authorization inside the cluster (access to pods, nodes and other objects) is still decided by Kubernetes RBAC.
Cloudaware therefore needs a ClusterRoleBinding in the AKS cluster for the service principal of the Azure Application that has been added to Cloudaware. The steps below create it.
Access Setup
1. Locate the service principal Object ID of the Azure App added to Cloudaware. Log in to Azure Portal → Azure Active Directory → Enterprise applications → select the Application. Copy and save the Object ID; it is the unique ID of the service principal object associated with this application. Note that this is not the Application (client) ID, nor the Object ID shown under App registrations: only the Enterprise application's Object ID identifies the service principal to Kubernetes.
2. Create a file named cloudaware-rbac.yaml with the following content:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-reader-application-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudaware-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: <SERVICE-PRINCIPAL-OBJECT-ID>
WHERE
ClusterRole cloudaware-reader grants read-only access (the get, list and watch verbs) to every resource type in every API group, cluster-wide. Because Secrets are included, get and list on them return the secret data, so bind this role only to the Cloudaware service principal.
ClusterRoleBinding cloudaware-reader-application-binding binds the cloudaware-reader ClusterRole to the service principal of the Azure Application added to Cloudaware, which is what actually grants Cloudaware the read access.
<SERVICE-PRINCIPAL-OBJECT-ID> in subjects is a placeholder that must be replaced with the service principal Object ID saved in step 1. The subject is of kind User because AKS presents a service principal to Kubernetes under its object ID.
3. Using a kubeconfig that has cluster-admin rights on the cluster, run the following command:
kubectl create -f cloudaware-rbac.yaml
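The three steps above, scripted end to end as an added example (this is not Cloudaware's own tooling): the service principal Object ID is looked up with the Azure CLI instead of the portal, the manifest is rendered with the placeholder filled in, and after applying it the resulting permissions are verified by impersonating the service principal with kubectl. It assumes the Azure CLI (az) and kubectl are installed, logged in and pointed at the AKS cluster; the application display name passed on the command line is whatever you named the Azure App in Cloudaware.

```shell
#!/usr/bin/env bash
# Added example, not Cloudaware's own code. Assumes 'az' and 'kubectl' are
# installed and already authenticated against the target AKS cluster.
set -eu

# Step 1 via CLI: the Enterprise application's Object ID is the service
# principal's object ID ('id' in current Azure CLI output; older releases
# called the field 'objectId').
lookup_sp_oid() {
  az ad sp list --display-name "$1" --query '[0].id' -o tsv
}

# Step 2: render cloudaware-rbac.yaml with the placeholder replaced.
# A service principal object ID is a GUID; anything else (a display name,
# an Application (client) ID pasted by mistake) is rejected, because a
# binding to a subject that never authenticates would silently do nothing.
render_cloudaware_rbac() {
  sp_oid="$1"
  if ! printf '%s' "$sp_oid" | grep -Eq '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'; then
    echo "refusing to render: '$sp_oid' is not a GUID" >&2
    return 1
  fi
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-reader-application-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudaware-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: $sp_oid
EOF
}

# Step 3 plus verification: apply idempotently, then ask the API server what
# the service principal can and cannot do by impersonating its user name.
apply_and_verify() {
  sp_oid="$1"
  render_cloudaware_rbac "$sp_oid" | kubectl apply -f -
  # Expected answer: yes (read access in every namespace) ...
  kubectl auth can-i list pods --all-namespaces --as="$sp_oid"
  # ... and no (the role carries no write verbs); kubectl exits 1 on "no",
  # so do not let that abort the script.
  kubectl auth can-i delete pods --all-namespaces --as="$sp_oid" || true
}

# Usage: ./cloudaware-aks-rbac.sh --apply "<display name of the Azure App>"
if [ "${1:-}" = "--apply" ]; then
  apply_and_verify "$(lookup_sp_oid "$2")"
fi
```

The can-i checks are the quickest way to confirm that the subject name in the binding really matches what AKS presents to Kubernetes: if the first check answers "no", the Object ID in the binding is not the service principal's (typically the Application ID was used instead).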
Further Configuration
If your AKS cluster is running in a private network, check this guide to install the Cloudaware Breeze agent for a secure connection.
Please allow up to 24 hours for the AKS resources to be collected and displayed in Cloudaware CMDB.
List of AKS Cluster Objects
Cloudaware supports the following AKS cluster objects:
Azure AKS Cluster