Overview
Azure Kubernetes Service (AKS) simplifies deploying a managed Kubernetes cluster in Azure by offloading the operational overhead to Azure. As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. Since Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes. Thus, AKS is free; you only pay for the agent nodes within your clusters, not for the masters.
Prerequisites
AKS Deployment requires a few things to be in-place before you deploy the cluster through Nirmata:
-
Virtual Network: Azure Virtual Network (VNet) is the fundamental building block for your private network in Azure. VNet enables many types of Azure resources, such as Azure Virtual Machines (VM), to securely communicate with each other, the internet, and on-premises networks. VNet is similar to a traditional network that you’d operate in your own data center, but brings with it additional benefits of Azure’s infrastructure such as scale, availability, and isolation. Azure Virutal Network
-
Subnet: Subnets enable you to segment the virtual network into one or more sub-networks and allocate a portion of the virtual network’s address space to each subnet. You can then deploy Azure resources in a specific subnet. Just like in a traditional network, subnets allow you to segment your VNet address space into segments that are appropriate for the organization’s internal network. This also improves address allocation efficiency.
-
Network Security Group: You can use an Azure network security group to filter network traffic to and from Azure resources in an Azure virtual network. A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, several types of Azure resources. For each rule, you can specify source and destination, port, and protocol. Azure Network Security Group
-
NAT Gateway: Virtual Network NAT is a fully managed and highly resilient Network Address Translation (NAT) service. Virtual Network NAT simplifies outbound Internet connectivity for virtual networks. When configured on a subnet, all outbound connectivity uses the Virtual Network NAT’s static public IP addresses. Azure Virtual NAT Gateway
-
Route Table: Azure Route Tables, allow you to create network routes so that your CloudGen Firewall VM can handle the traffic both between your subnets and to the Internet.
-
Resource Group: A resource group is a container that holds related resources for an Azure solution. The resource group can include all the resources for the solution, or only those resources that you want to manage as a group. You decide how you want to allocate resources to resource groups based on what makes the most sense for your organization. Generally, add resources that share the same lifecycle to the same resource group so you can easily deploy, update, and delete them as a group.
-
App Registration: The Microsoft identity platform performs identity and access management (IAM) only for registered applications. Whether it’s a client application like a web or mobile app, or it’s a web API that backs a client app, registering it establishes a trust relationship between your application and the identity provider, the Microsoft identity platform. App Registration
-
Cloud Credentials: In Nirmata UI, configure the Cloud Credentials for azure.
To access the Add Cloud Credentials options, select Cloud Credentials from the sidebar menu. Then click on the Add Cloud Credentials icon. Click Here to Create Cloud Credentials
Create a Resource Group for the Cluster
You must confirm that a Resource Group for the cluster is created and accessible.
To verify Resource Group:
- Login to the Azure portal and select Resource Groups from the sidebar menu.
- Click +Add.
- Enter a name and Location for the resource group and click Create.
- Click Refresh to view the new Resource Group.
- Note the Subscription ID from Resource Group.
- Also Assign Below List of Roles to App Registration for Resource Group,Easy way of configuring the permissions.
Contributor Role
OR
If you wants to provide more specific permissions you can follow below steps: 6. In the Azure portal, open a subscription or resource group where you want the custom role (Azure Custom Role ) to be assignable and then open Access control (IAM). 7. Click Add and then click Add custom role. 8. Click on JSON, and Edit the JSON. 9. Copy and Past Below JSON into Azure.
{
"id": "/subscriptions/baf89069-e8f3-46f8-b74e-c146931ce7a4/providers/Microsoft.Authorization/roleDefinitions/86ec5edf-2a93-4951-986d-0f3538f47abf",
"properties": {
"roleName": "Nirmata-AKS-Access",
"description": "This role will enable Nirmata to Create manage and operate the AKS Cluster at Subscription Level",
"assignableScopes": [
"/subscriptions/baf89069-e8f3-46f8-b74e-c146931ce7a4"
],
"permissions": [
{
"actions": [
"Microsoft.Compute/diskEncryptionSets/read",
"Microsoft.Compute/proximityPlacementGroups/write",
"Microsoft.Network/applicationGateways/read",
"Microsoft.Network/applicationGateways/write",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/publicIPPrefixes/join/action",
"Microsoft.OperationalInsights/workspaces/sharedkeys/read",
"Microsoft.OperationalInsights/workspaces/read",
"Microsoft.OperationsManagement/solutions/write",
"Microsoft.OperationsManagement/solutions/read",
"Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
"Microsoft.ContainerService/managedClusters/*",
"Microsoft.Network/loadBalancers/delete",
"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/write",
"Microsoft.Network/publicIPAddresses/delete",
"Microsoft.Network/publicIPAddresses/read",
"Microsoft.Network/publicIPAddresses/write",
"Microsoft.Network/publicIPAddresses/join/action",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Compute/locations/DiskOperations/read",
"Microsoft.Storage/storageAccounts/delete",
"Microsoft.Storage/storageAccounts/listKeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/write",
"Microsoft.Storage/operations/read",
"Microsoft.Network/routeTables/read",
"Microsoft.Network/routeTables/routes/delete",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/routeTables/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachineScaleSets/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Compute/virtualMachineScaleSets/write",
"Microsoft.Compute/virtualMachineScaleSets/delete",
"Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write",
"Microsoft.Network/networkInterfaces/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
"Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/locations/operations/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",
"Microsoft.Network/routeTables/routes/read",
"Microsoft.Network/routeTables/routes/write",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/privatednszones/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
]
}
}
Note: Make sure you update the
Subscription ID
in above mentioned JSON.
- Click Save and Review + Create review the custom role and Click on Create.
- You can assign previously created Custom Role to App Registration for Providing Access to Resource Group.
AKS Cluster Type Configuration Steps
To create an AKS cluster type, select Clusters from the sidebar menu and then click +Cluster Types and Add Cluster Type button. Choose AKS from the Add Cluster Type panel.
Cluster
- Cloud Credentials- Select the Cloud Credentials you would like to use for this cluster type.
- Region - Select the region where your cluster will be deployed.
- Kubernetes Version - Select the Kubernetes version.
- Enable Auto-sync Namespaces - Select Option if you would like to enable automatic syncronization for namespaces for your cluster.
- Resource Group - Select Resource Group in which you would like to create cluster.
- Enable Container Monitoring - Select Option if you would like to enable logging using Azure Log Analytics Workspace for your AKS Cluster.
Note: The Kubernetes version associated with a cluster cannot be downgraded.
Networking
- Network Configuration - Select what type of network configuration you would like for your AKS cluster.
- Pod CIDR - Provide CIDR for Pod, IP address range will be used dedicatally for Pods.
- Kubernetes Service Address Range - Provide Address Range for Kubernetes Service.
- Kubernetes DNS Service IP - Provide Address Range for Kubernetes DNS Service.
- Docker Bridge Address - Provide Address Range for Docker Birdge address.
- Network Policy - Select the Network Policy you would like to use for this cluster type.
- Enable HTTPS Application Routing - Select Option if you would like to Secure your Application Routing with HTTPS.
- Enable Private Cluster - Select Option if you would like to make your Cluster Private.
Node Pools
- Name - Provide name you would like for your node pool.
- VM Size - Select VM Size as per your requirment.
- Disk Size (GB) - Provide Disk Size for your nodes.
- OS Type - Select OS Type for your Nodepool.
- Mode - Select Mode for your Node pool.
- Virtual Network - Select Virtual Network in which you would like to run you nodepool.
- Cluster Subnet - Select Subnet Network in which you would like to run you nodepool.
- Max Pods - Provide maximum number of pods can be run on each Node in Nodepool.
- Enable Virtual Machine Scale Sets - Virtual machine scale sets are required for scenarios including autoscaling, multiple node pools, and Windows support.
Note: AKS cluster Should have atleast 1 nodepool with System Mode.
Additional Configurations
- Overrides - Select fields that you would like to allow to be modified when a new cluster is created. This lets you hide complex configuration in the cluster type while allowing the user to modify configuration such as machine type, networks etc. when the cluster is created.
- System Metadata - Specify any metadata that you would like to add to the cluster. The metadata will be added to the ‘system-metadata-map’ ConfigMap in the ‘nirmata’ namespace in your cluster.
- Add-Ons - Select the add-ons that you would like to deploy to the cluster. The selected add-ons will automatically be deployed once the cluster is created and ‘Ready’.
After completing the configuration steps, click Create. Your EKS cluster type will be created. Now, you can use this cluster type to create an AKS
Create AKS Cluster
- To create an EKS cluster, select Clusters > Clusters > Add Cluster.
- Select AKS from Cloud Provider Managed Clusters.
- Provide Cluster Name and Select Cluster type that you previously Created.
- Provide the Node count and alternately Enable Auto Scaling for your node pool.
- Once you click on Create cluster button, the cluster will be created in 10-15 minutes.