Node Optimisation Setup for AKS

Learn how to add credentials for node optimization to Sedai.

Sedai independently connects to each Azure Kubernetes Service (AKS) cluster within an Azure account. AKS uses Azure Active Directory (AD) for authentication and custom role with permissions listed below for authorization.

If you have already set up an agentless account go to Step 3 & 4.

Step 1: Create Azure Active Directory Group

1. Log in to you Azure CLI and create a new Azure AD group (you can name this whatever you'd like):

az ad group create --display-name AKSGroup --mail-nickname AKSGroup

2. Get the AD Group ID — this is needed to create/update your AKS cluster:

az ad group show --group AKSGroup --query id -o tsv

3. Create an Azure resource group (you can skip this step if you have an existing cluster):

Enter the region of your choice, just ensure your desired node size for the cluster is available in your selected region.

az group create --name AKS --location southindia

Step 2: Enable access for AD Group Users

Create or update an AKS cluster to enable access for the AD Group:

az aks create --resource-group AKS \
--name AKSCluster \
--enable-aad \
--aad-admin-group-object-ids <object-id> \
--node-vm-size Standard_D2--node-count 1

Replace the <object-id> with the one copied in the previous step.

This includes a few options, but can you can add more — reference az aks create for more options.

Step 3: Create a Custom role

You need a cluster-role-definition.json with the following content:

{
  "Name": "cluster-custom-role",
  "IsCustom": true,
  "Description": "Custom role with specific permissions at resource group scope for the cluster",
  "Actions": [
    "Microsoft.ContainerService/managedClusters/agentPools/write",
    "Microsoft.ContainerService/managedClusters/agentPools/delete",
    "Microsoft.ContainerService/managedClusters/agentPools/read",
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.Authorization/locks/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>/resourceGroups/AKS"
  ]
}

You need a vnet-role-definition.json with the following content:

{
  "Name": "vnet-custom-role",
  "IsCustom": true,
  "Description": "Custom role with specific permissions at resource group scope for the virtual network",
  "Actions": [
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read"
  ],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>/resourceGroups/<vnet-resource-group>"
  ]
}

Replace the <subscription-id> and <vnet-resource-group> with the Resource Group in which the Virtual Network is created.

Run the following command to create the custome role for the AD Group in the Cluster scope:

az role definition create --role-definition cluster-role-definition.json
az role definition create --role-definition vnet-role-definition.json

Step 4: Provide the required access to AD Group

Run the following commands to assign the Custom Roles to the AD Group:

AKS_CLUSTER=$(az aks show --resource-group AKS --name AKSCluster --query id -o tsv)
ACCOUNT_ID=$(az ad group show --group AKSGroup --query id -o tsv)
V_NET=$(az network vnet show --resource-group AKS --name <vnet-name> --query id -o tsv)

az role assignment create \
  --assignee $ACCOUNT_ID \
  --assignee-principal-type Group \
  --scope $AKS_CLUSTER \
  --role cluster-custom-role

az role assignment create \
  --assignee $ACCOUNT_ID \
  --assignee-principal-type Group \
  --scope $V_NET \
  --role vnet-custom-role

Replace the <vnet-name> with your Virtual Network's name.

Step 5: Create app registration and client secret

For Sedai to interact with your Azure account as well as the AKS cluster, create an app registration in Azure AD. When you create an app registration, Azure also creates a Service Principal, which also needs to be linked to the AD Group.

Copy the Client ID and Tenant ID (this will be used to connect Sedai to your cluster within the platform).
Add a client secret for the app registration with a validity of your choice (you can update the client secret in Sedai if your current one expires).
Copy the secret (this will be used as the client secret).

Step 6: Link app with AD Group

Navigate to the Azure AD page and select the AD Group. Select Add members and search for the app registration name.

Last updated 2 months ago

Was this helpful?