Azure support is currently in Private Preview and is not yet Generally Available (GA). It should not be used in production environments, as features and functionality may change before the final GA release.
Prerequisites
Microsoft Azure Resource Providers
The following Microsoft Azure resource providers must be registered on the subscription:
- Microsoft.ContainerService
- Microsoft.Network
- Microsoft.Compute
- Microsoft.Storage
- Microsoft.KeyVault
- Microsoft.ManagedIdentity
AKS Permissions
Contact the Infrastructure Team to obtain the permissions needed to create an AKS cluster. Typically, the managed identity must be granted the Disk Snapshot Contributor, Managed Identity Operator and Virtual Machine Contributor roles on the target subscription or resource group.
Permissions to deploy AKS
Update the custom role with the permissions listed below.
Before you begin
- Identify the resource group where the AKS cluster will be created.
- Ensure that a custom role is already created in the subscription or resource group.
- Complete this configuration before starting the AKS installation process.
To update the permission for the custom role, perform the following steps:
- Navigate to the required resource group in the Azure portal.
- Open Access control (IAM) for the selected resource group.
- Locate the existing custom role.
- Select the custom role and click Edit.
- Select JSON and click Edit.
- Update the role by adding the following permissions:
{
    "id": "/subscriptions/1e9ef7b6-cdc4-4a6b-98f7-a408ac1e19e0/providers/Microsoft.Authorization/roleDefinitions/66b9c89b-6df5-4c00-8c82-241326841bc2",
    "properties": {
        "roleName": "permissiontestaks",
        "description": "",
        "assignableScopes": [
            "/subscriptions/1e9ef7b6-cdc4-4a6b-98f7-a408ac1e19e0/resourceGroups/<RG-Name>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/roleAssignments/delete",
                    "Microsoft.Authorization/roleAssignments/read",
                    "Microsoft.Authorization/roleAssignments/write",
                    "Microsoft.Authorization/roleDefinitions/read",
                    "Microsoft.Authorization/roleDefinitions/write",
                    "Microsoft.ContainerService/managedClusters/read",
                    "Microsoft.ContainerService/managedClusters/write",
                    "Microsoft.KeyVault/vaults/delete",
                    "Microsoft.KeyVault/vaults/read",
                    "Microsoft.KeyVault/vaults/write",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
                    "Microsoft.Network/virtualNetworks/read",
                    "Microsoft.Network/virtualNetworks/subnets/join/action",
                    "Microsoft.Network/virtualNetworks/subnets/read",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Storage/locations/checknameavailability/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
                    "Microsoft.Storage/storageAccounts/blobServices/read",
                    "Microsoft.Storage/storageAccounts/blobServices/write",
                    "Microsoft.Storage/storageAccounts/delete",
                    "Microsoft.Storage/storageAccounts/fileServices/read",
                    "Microsoft.Storage/storageAccounts/fileServices/write",
                    "Microsoft.Storage/storageAccounts/listKeys/action",
                    "Microsoft.Storage/storageAccounts/read",
                    "Microsoft.Storage/storageAccounts/write",
                    "Microsoft.Network/privateDnsZones/read",
                    "Microsoft.Network/privateDnsZones/write",
                    "Microsoft.Network/privateDnsZones/join/action",
                    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",
                    "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
                    "Microsoft.ContainerService/managedClusters/delete",
                    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
                    "Microsoft.ContainerService/managedClusters/agentPools/read",
                    "Microsoft.ContainerService/managedClusters/agentPools/write",
                    "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write",
                    "Microsoft.ContainerService/managedClusters/agentPools/delete"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
- Click Save after updating the permissions.
- Click Review + update to finalise the changes.
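A quick way to confirm that a custom role actually grants the actions listed above is to evaluate the role definition the way Azure RBAC does: an action is allowed when some "actions" pattern matches it (the "*" wildcard spans path segments) and no "notActions" pattern excludes it. The script below is an added example, not part of this page's procedure; the role JSON it embeds is constructed (it uses a wildcard and a notActions entry to show both cases), and REQUIRED holds a handful of the actions from the role above.

```python
import fnmatch
import json

# Constructed sample role definition (not the role JSON from the page): one
# wildcard grant, two explicit grants, and one notActions entry that carves
# the storage-account key-listing action back out.
SAMPLE_ROLE_JSON = json.dumps({
    "properties": {
        "roleName": "sample-aks-role",
        "permissions": [{
            "actions": [
                "Microsoft.Storage/*",
                "Microsoft.ContainerService/managedClusters/read",
                "Microsoft.Network/virtualNetworks/subnets/join/action",
            ],
            "notActions": ["Microsoft.Storage/storageAccounts/listKeys/action"],
        }],
    }
})

# A few of the actions the custom role on this page requires.
REQUIRED = [
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
]


def _matches(action: str, patterns) -> bool:
    """Azure action names are case-insensitive; '*' matches across '/' segments."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def effective_allow(role_json: str, action: str) -> bool:
    """True when some actions pattern grants the action and no notActions pattern excludes it."""
    role = json.loads(role_json)
    blocks = role["properties"]["permissions"]
    allowed = [p for b in blocks for p in b.get("actions", [])]
    denied = [p for b in blocks for p in b.get("notActions", [])]
    return _matches(action, allowed) and not _matches(action, denied)


def missing_actions(role_json: str, required) -> list:
    """Required actions the role does not effectively grant, sorted for stable output."""
    return sorted(a for a in required if not effective_allow(role_json, a))


if __name__ == "__main__":
    for action in missing_actions(SAMPLE_ROLE_JSON, REQUIRED):
        print("missing:", action)
```

Run it against the JSON exported from the portal (replace SAMPLE_ROLE_JSON with the file contents and REQUIRED with the full list above) before starting the installer, so a missing or carved-out action surfaces as a named gap rather than as a failed deployment.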
Jump Box or Local Machine
Use a dedicated Debian jump box created in Microsoft Azure. Do not use a jump box hosted on any other cloud.
Microsoft Azure Resource IDs from Infrastructure Team
Obtain the following resource IDs from the Infrastructure Team. These resource IDs are prompted during installation.
UAMI Resource ID: User-assigned managed identity for the AKS cluster.
For example:
/subscriptions/<subscription-id>/resourceGroups/<it-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-aks-applianceframework
AKS Subnet Resource ID: Required subnet for deploying the AKS nodes.
For example:
/subscriptions/<subscription-id>/resourceGroups/<it-resource-group>/providers/Microsoft.Network/virtualNetworks/<vnet-name>/subnets/snet-aks-applianceframework
Private DNS Zone Resource ID: Private DNS zone used by the AKS private cluster. The zone must match the cluster region, for example privatelink.<region>.azmk8s.io.
For example:
/subscriptions/<subscription-id>/resourceGroups/<dns-resource-group>/providers/Microsoft.Network/privateDnsZones/privatelink.eastus.azmk8s.io
Velero UAMI Resource ID: User-assigned managed identity used by Velero for backups to the storage account.
For example:
/subscriptions/<subscription-id>/resourceGroups/<velero-resource-group>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-aks-velero
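The installer prompts for the four resource IDs above, and a wrong resource type or a private DNS zone from the wrong region only shows up once the deployment fails. The checker below is an added example (not installer code): it parses each ID into subscription, resource group, type path and name, verifies the type the prompt expects, and checks that the private DNS zone name is privatelink.<region>.azmk8s.io for the intended cluster region. The subscription and resource names in SAMPLE_IDS are constructed placeholders.

```python
import re

# Constructed sample IDs with the same shapes as the examples above; the DNS
# zone is deliberately in westus2 so the region check has something to flag.
_SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_IDS = {
    "uami": _SUB + "/resourceGroups/rg-it/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-aks-applianceframework",
    "subnet": _SUB + "/resourceGroups/rg-it/providers/Microsoft.Network/virtualNetworks/vnet-hub/subnets/snet-aks-applianceframework",
    "dns_zone": _SUB + "/resourceGroups/rg-dns/providers/Microsoft.Network/privateDnsZones/privatelink.westus2.azmk8s.io",
    "velero_uami": _SUB + "/resourceGroups/rg-velero/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-aks-velero",
}

# Resource type each prompt expects.
EXPECTED_TYPES = {
    "uami": "Microsoft.ManagedIdentity/userAssignedIdentities",
    "subnet": "Microsoft.Network/virtualNetworks/subnets",
    "dns_zone": "Microsoft.Network/privateDnsZones",
    "velero_uami": "Microsoft.ManagedIdentity/userAssignedIdentities",
}

_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[0-9a-f-]{36})/resourceGroups/(?P<rg>[^/]+)/providers/(?P<rest>.+)$", re.I)


def parse_resource_id(rid: str) -> dict:
    """Split an ARM resource ID; the provider part is a namespace followed by (type, name) pairs."""
    m = _ID_RE.match(rid)
    if not m:
        raise ValueError(f"not an ARM resource ID: {rid}")
    parts = m.group("rest").split("/")
    if len(parts) < 3 or len(parts) % 2 == 0:
        raise ValueError(f"malformed provider path: {rid}")
    type_path = "/".join([parts[0]] + parts[1::2])  # namespace + every type segment
    return {"sub": m.group("sub"), "rg": m.group("rg"), "type": type_path, "name": parts[-1]}


def validate_ids(ids: dict, cluster_region: str) -> list:
    """Return a list of problems; an empty list means every ID matches its prompt."""
    problems = []
    for key, expected in EXPECTED_TYPES.items():
        try:
            parsed = parse_resource_id(ids[key])
        except (KeyError, ValueError) as exc:
            problems.append(f"{key}: {exc}")
            continue
        if parsed["type"].lower() != expected.lower():
            problems.append(f"{key}: expected type {expected}, got {parsed['type']}")
        want_zone = f"privatelink.{cluster_region}.azmk8s.io".lower()
        if key == "dns_zone" and parsed["name"].lower() != want_zone:
            problems.append(f"dns_zone: {parsed['name']} does not match cluster region {cluster_region}")
    return problems
```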