AKS Cluster Access for Cloudaware
The article explains how to provide access to AKS Cluster with enabled Active Directory(AD) integration for Cloudaware to discover AKS resources automatically. If your AKS cluster is not AD managed, grant Cloudaware the permission Microsoft.ContainerService/managedClusters/listClusterUserCredential/read as described here.
If AD integration is enabled for AKS cluster, Azure allows access to AKS cluster resources (pods, nodes, etc) automatically using authorization via AD.
Set up the cluster role binding in AKS cluster for the Azure Application that has been added into Cloudaware.
Access Setup
1. Locate the service principal ID of the Azure Application added to Cloudaware:
Log in to Azure Portal → Microsoft Entra ID. Select the tab ‘Enterprise applications’.
Select the application (in this example, cloudaware-api-access) → Overview. Copy and save the Object ID which is the unique ID of the service principal object associated with this application.
3. In your AKS cluster create cloudaware-rbac.yaml using the section below:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cloudaware-reader
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cloudaware-reader-application-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cloudaware-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
name: <SERVICE-PRINCIPAL-OBJECT-ID>
WHERE
in ClusterRole:
ClusterRole
cloudaware-reader grants Cloudaware the read access to all resources within the cluster.
in ClusterRoleBinding:
ClusterRoleBinding
cloudaware-reader-application-binding grants Cloudaware Cluster Role the read access to Azure Application.
<SERVICE-PRINCIPAL-OBJECT-ID> in subjects
is a placeholder that needs to be replaced by your Azure Application Object ID.
4. Run the following command:
kubectl create -f cloudaware-rbac.yaml
Further Configuration
If your Amazon EKS Cluster is running in a private network, check this guide to install Cloudaware Breeze agent for secure connection.
Please allow up to 24 hours for the AKS resources to be collected and displayed in Cloudaware CMDB.
List of AKS Cluster Objects
Cloudaware supports the following AKS cluster objects:
Azure AKS Cluster
Azure AKS Cluster Agent Pool Profile
Azure AKS Cluster Config Map
Azure AKS Cluster Daemon Set
Azure AKS Cluster Deployment
Azure AKS Cluster Endpoint
Azure AKS Cluster HPA
Azure AKS Cluster Ingress
Azure AKS Cluster Limit Range
Azure AKS Cluster Namespace
Azure AKS Cluster Network Policy
Azure AKS Cluster Network Policy Rule
Azure AKS Cluster Node
Azure AKS Cluster Node Address
Azure AKS Cluster Node Condition
Azure AKS Cluster Public IP Address Link
Azure AKS Cluster Public IP Prefix Link
Azure AKS Cluster Pod
Azure AKS Cluster Pod Container
Azure AKS Cluster Pod Disruption Budget
Azure AKS Cluster Replica Set
Azure AKS Cluster Role
Azure AKS Cluster Role Bindings
Azure AKS Cluster Resource Quota
Azure AKS Cluster Secret
Azure AKS Cluster Service
Azure AKS Cluster Stateful Set