Skip to main content
Skip table of contents

AKS Cluster Access for Cloudaware

This article explains how to provide access to AKS Cluster with enabled Active Directory(AD) integration for Cloudaware to discover AKS resources automatically.

If your AKS cluster is not AD-managed, grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read.

If Active Directory(AD) integration is enabled for AKS cluster, Azure allows access to AKS cluster resources (pods, nodes, etc) automatically using authorization via AD.

Set up the cluster role binding in AKS cluster for the Azure Application that has been added into Cloudaware.

Access Setup

1. Locate the service principal ID of the Azure Application added to Cloudaware:

Log in to the Azure portal → Microsoft Entra ID. Select the tab 'Enterprise applications'.

Select the application (in this example, cloudaware-api-access) → Overview. Copy and save the Object ID which is the unique ID of the service principal object associated with this application.

AKS cluster access - enterprise applications - overview - copy object id .png

2. In your AKS cluster create cloudaware-rbac.yaml using the section below:

CODE
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudaware-reader
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudaware-reader-application-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudaware-reader
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: <SERVICE-PRINCIPAL-OBJECT-ID>

WHERE

in ClusterRole:

ClusterRole cloudaware-reader grants Cloudaware the read access to all resources within the cluster.

in ClusterRoleBinding:

ClusterRoleBinding cloudaware-reader-application-binding grants Cloudaware Cluster Role the read access to Azure Application.

<SERVICE-PRINCIPAL-OBJECT-ID> in subjects is a placeholder that needs to be replaced by your Azure Application Object ID.

3. Run the command:

CODE
kubectl create -f cloudaware-rbac.yaml

Further Configuration

If your Amazon EKS Cluster is running in a private network, check this guide to install Cloudaware Breeze agent for secure connection.

Please allow up to 24 hours for the AKS resources to be collected and displayed in Cloudaware CMDB. 

List of AKS Cluster objects

Cloudaware supports the following AKS cluster objects:

Azure AKS Cluster
Azure AKS Cluster Agent Pool Profile
Azure AKS Cluster Config Map
Azure AKS Cluster Daemon Set
Azure AKS Cluster Deployment
Azure AKS Cluster Endpoint
Azure AKS Cluster HPA
Azure AKS Cluster Ingress
Azure AKS Cluster Limit Range
Azure AKS Cluster Namespace
Azure AKS Cluster Network Policy
Azure AKS Cluster Network Policy Rule
Azure AKS Cluster Node
Azure AKS Cluster Node Address
Azure AKS Cluster Node Condition
Azure AKS Cluster Public IP Address Link
Azure AKS Cluster Public IP Prefix Link
Azure AKS Cluster Pod
Azure AKS Cluster Pod Container
Azure AKS Cluster Pod Disruption Budget
Azure AKS Cluster Replica Set
Azure AKS Cluster Role
Azure AKS Cluster Role Bindings
Azure AKS Cluster Resource Quota
Azure AKS Cluster Secret
Azure AKS Cluster Service
Azure AKS Cluster Stateful Set

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.