Creating an AKS Cluster

You can use Rancher to create a cluster hosted in Microsoft Azure Kubernetes Service (AKS).

Prerequisites in Microsoft Azure

Caution

Deploying to AKS will incur charges.

To interact with Azure APIs, an AKS cluster requires an Azure Active Directory (AD) service principal. The service principal is needed to dynamically create and manage other Azure resources, and it provides credentials for your cluster to communicate with AKS. For more information about the service principal, refer to the AKS documentation.

Before creating the service principal, you need to obtain the following information from the Microsoft Azure Portal:

  • Subscription ID
  • Client ID
  • Client secret

The sections below describe how to set up these prerequisites using either the Azure command line tool or the Azure portal.

Setting Up the Service Principal with the Azure Command Line Tool

You can create the service principal by running this command:

  az ad sp create-for-rbac --skip-assignment

The result should show information about the new service principal:

  {
    "appId": "xxxx--xxx",
    "displayName": "<SERVICE-PRINCIPAL-NAME>",
    "name": "http://<SERVICE-PRINCIPAL-NAME>",
    "password": "<SECRET>",
    "tenant": "<TENANT NAME>"
  }

You also need to add roles to the service principal so that it has privileges for communication with the AKS API. It also needs access to create and list virtual networks.

Below is an example command for assigning the Contributor role to a service principal. Contributors can manage anything on AKS but cannot give access to others:

  az role assignment create \
    --assignee $appId \
    --scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<GROUP> \
    --role Contributor

You can also create the service principal and give it Contributor privileges by combining the two commands into one. In this command, the scope needs to provide a full path to an Azure resource:

  az ad sp create-for-rbac \
    --scope /subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<GROUP> \
    --role Contributor

Create the Resource Group by running this command:

  az group create --location AZURE_LOCATION_NAME --resource-group AZURE_RESOURCE_GROUP_NAME

Setting Up the Service Principal from the Azure Portal

You can also follow these instructions to set up a service principal and give it role-based access from the Azure Portal.

  1. Go to the Microsoft Azure Portal home page.

  2. Click Azure Active Directory.

  3. Click App registrations.

  4. Click New registration.

  5. Enter a name. This will be the name of your service principal.

  6. Optional: Choose which accounts can use the service principal.

  7. Click Register.

  8. You should now see the name of your service principal under Azure Active Directory > App registrations.

  9. Click the name of your service principal. Take note of the application ID (also called app ID or client ID) so that you can use it when provisioning your AKS cluster. Then click Certificates & secrets.

  10. Click New client secret.

  11. Enter a short description, pick an expiration time, and click Add. Take note of the client secret so that you can use it when provisioning the AKS cluster.

Result: You have created a service principal and you should be able to see it listed in the Azure Active Directory section under App registrations. You still need to give the service principal access to AKS.

To give role-based access to your service principal:

  1. Click All Services in the left navigation bar. Then click Subscriptions.
  2. Click the name of the subscription that you want to associate with your Kubernetes cluster. Take note of the subscription ID so that you can use it when provisioning your AKS cluster.
  3. Click Access Control (IAM).
  4. In the Add role assignment section, click Add.
  5. In the Role field, select a role that will have access to AKS. For example, you can use the Contributor role, which has permission to manage everything except for giving access to other users.
  6. In the Assign access to field, select Azure AD user, group, or service principal.
  7. In the Select field, select the name of your service principal and click Save.

Result: Your service principal now has access to AKS.

1. Create the AKS Cloud Credentials

  1. In the Rancher UI, click ☰ > Cluster Management.
  2. Click Cloud Credentials.
  3. Click Create.
  4. Click Azure.
  5. Fill out the form. For help with filling out the form, see the configuration reference.
  6. Click Create.

2. Create the AKS Cluster

Use Rancher to set up and configure your Kubernetes cluster.

  1. Click ☰ > Cluster Management.
  2. In the Clusters section, click Create.
  3. Click Azure AKS.
  4. Fill out the form. For help with filling out the form, see the configuration reference.
  5. Click Create.

Result: Your cluster is created and assigned a state of Provisioning. Rancher is standing up your cluster.

You can access your cluster after its state is updated to Active.

Role-based Access Control

When provisioning an AKS cluster in the Rancher UI, RBAC is not a configurable option because it is always enabled.

RBAC is required for AKS clusters that are registered or imported into Rancher.

Setting Up the Role Assignment to Service Principal with the Azure Command Line Tool

Assign the Rancher AKSv2 role to the service principal with the Azure Command Line Tool:

  az role assignment create \
    --assignee CLIENT_ID \
    --scope "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME" \
    --role "Rancher AKSv2"

AKS Cluster Configuration Reference

For more information about how to configure AKS clusters from the Rancher UI, see the configuration reference.

Private Clusters

Typically, AKS worker nodes do not get public IPs, regardless of whether the cluster is private. In a private cluster, the control plane does not have a public endpoint.

Rancher can connect to a private AKS cluster in one of two ways.

The first way is to ensure that Rancher is running on the same NAT as the AKS nodes.

The second way is to run a command to register the cluster with Rancher. Once the cluster is provisioned, you can run the displayed command anywhere you can connect to the cluster’s Kubernetes API. This command is displayed in a pop-up when you provision an AKS cluster with a private API endpoint enabled.

Note

Please be aware that when registering an existing AKS cluster, the cluster might take some time, possibly hours, to appear in the Cluster to register dropdown list. The length of the delay depends on the region.

For more information about connecting to an AKS private cluster, see the AKS documentation.

Setting Up the Minimum Permission Role with the Azure Command Line Tool

  1. Create the Minimum Rancher AKSv2 Permission Role by running this command (it writes the role definition to rancher-azure.json, overwriting any previous copy):

    cat > rancher-azure.json << EOF
    {
      "Name": "Rancher AKSv2",
      "IsCustom": true,
      "Description": "Everything needed by Rancher AKSv2 operator",
      "Actions": [
        "Microsoft.Compute/disks/delete",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/diskEncryptionSets/read",
        "Microsoft.Compute/locations/DiskOperations/read",
        "Microsoft.Compute/locations/vmSizes/read",
        "Microsoft.Compute/locations/operations/read",
        "Microsoft.Compute/proximityPlacementGroups/write",
        "Microsoft.Compute/snapshots/delete",
        "Microsoft.Compute/snapshots/read",
        "Microsoft.Compute/snapshots/write",
        "Microsoft.Compute/virtualMachineScaleSets/manualUpgrade/action",
        "Microsoft.Compute/virtualMachineScaleSets/delete",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read",
        "Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.ContainerService/managedClusters/read",
        "Microsoft.ContainerService/managedClusters/write",
        "Microsoft.ContainerService/managedClusters/delete",
        "Microsoft.ContainerService/managedClusters/accessProfiles/listCredential/action",
        "Microsoft.ContainerService/managedClusters/agentPools/read",
        "Microsoft.ContainerService/managedClusters/agentPools/write",
        "Microsoft.ContainerService/managedClusters/agentPools/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.Network/applicationGateways/read",
        "Microsoft.Network/applicationGateways/write",
        "Microsoft.Network/loadBalancers/write",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/publicIPAddresses/delete",
        "Microsoft.Network/publicIPAddresses/join/action",
        "Microsoft.Network/publicIPAddresses/read",
        "Microsoft.Network/publicIPAddresses/write",
        "Microsoft.Network/publicIPPrefixes/join/action",
        "Microsoft.Network/privatednszones/*",
        "Microsoft.Network/routeTables/read",
        "Microsoft.Network/routeTables/routes/delete",
        "Microsoft.Network/routeTables/routes/read",
        "Microsoft.Network/routeTables/routes/write",
        "Microsoft.Network/routeTables/write",
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/joinLoadBalancer/action",
        "Microsoft.OperationalInsights/workspaces/sharedkeys/read",
        "Microsoft.OperationalInsights/workspaces/read",
        "Microsoft.OperationsManagement/solutions/write",
        "Microsoft.OperationsManagement/solutions/read",
        "Microsoft.Resources/subscriptions/resourcegroups/read",
        "Microsoft.Resources/subscriptions/resourcegroups/write",
        "Microsoft.Storage/operations/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/write"
      ],
      "NotActions": [],
      "DataActions": [],
      "NotDataActions": [],
      "AssignableScopes": [
        "/subscriptions/SUBSCRIPTION_ID"
      ]
    }
    EOF

  2. Apply the Rancher AKSv2 role:

    az role definition create --role-definition rancher-azure.json

  3. Verify that the Rancher AKSv2 role was created:

    az role definition list | grep "Rancher AKSv2"
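As an added pre-apply check (example code, not part of the Rancher documentation), the script below audits a custom role definition file such as rancher-azure.json before `az role definition create` is run: it confirms the required fields are present, flags wildcard actions and any assignable scope broader than a subscription, and lists the actions that hand out keys or credentials so the reviewer knows what the role grants. The embedded role JSON is a constructed, shortened copy of the page's definition; the function names are this example's own.

```python
import json

# Constructed sample: a trimmed copy of the Rancher AKSv2 role definition from the
# page. Only a handful of Actions are kept so the example stays short; the real
# rancher-azure.json carries the full list and is audited the same way.
ROLE_JSON = """{
  "Name": "Rancher AKSv2",
  "IsCustom": true,
  "Description": "Everything needed by Rancher AKSv2 operator",
  "Actions": [
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.Network/privatednszones/*",
    "Microsoft.Storage/storageAccounts/listKeys/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/SUBSCRIPTION_ID"]
}"""

REQUIRED_KEYS = {"Name", "IsCustom", "Actions", "AssignableScopes"}
# Action suffixes that return keys or credentials rather than plain resource state.
CREDENTIAL_SUFFIXES = ("listKeys/action", "listCredential/action", "sharedkeys/read")


def audit_role_definition(text):
    """Parse a custom role definition and return a list of findings (empty = clean).

    Checks: required keys present, IsCustom is true, each action looks like
    Microsoft.<Provider>/<path>, wildcard actions are called out for review, and
    every assignable scope is a subscription or narrower (never "/" which would
    let the role be assigned at the tenant root).
    """
    role = json.loads(text)
    findings = []
    missing = REQUIRED_KEYS - set(role)
    if missing:
        findings.append(f"missing keys: {sorted(missing)}")
    if not role.get("IsCustom"):
        findings.append("IsCustom must be true for a custom role")
    for action in role.get("Actions", []):
        parts = action.split("/")
        if len(parts) < 2 or not parts[0].startswith("Microsoft."):
            findings.append(f"malformed action: {action}")
        elif "*" in action:
            findings.append(f"wildcard action (review scope): {action}")
    for scope in role.get("AssignableScopes", []):
        if not scope.startswith("/subscriptions/"):
            findings.append(f"scope broader than a subscription: {scope}")
    return findings


def credential_actions(text):
    """Return the actions in the definition that expose keys or credentials."""
    role = json.loads(text)
    return [a for a in role["Actions"] if a.endswith(CREDENTIAL_SUFFIXES)]
```

Run it against the real file with `audit_role_definition(open("rancher-azure.json").read())`; the single wildcard finding on the page's definition is expected (privatednszones/*), anything else means the file was edited.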

Syncing

The AKS provisioner can synchronize the state of an AKS cluster between Rancher and the provider. For an in-depth technical explanation of how this works, see Syncing.

For information on configuring the refresh interval, see this section.

Programmatically Creating AKS Clusters

The most common way to programmatically deploy AKS clusters through Rancher is by using the Rancher2 Terraform provider. The documentation for creating clusters with Terraform is here.