Prerequisites
- ✅ ACR deployed
- ✅ AKS deployed
- ✅ Hands on lab Variables loaded
- ✅ Resources groups deployed
- ✅ Virtual network deployed
- ✅ User Managed Identities deployed
Update AKS Cluster to Use User Managed Identities
If the cluster was created with Ansible (which does not support user-assigned managed identities), it must be updated afterwards to use the user-assigned managed identities deployed in the prerequisites.
Grant the AKS control plane identity access to the cluster nodes resource group
Hands-on lab
- Get Control plane and Kubelet identities

```powershell
# Get Control Plane identity
$aksControlPlaneIdentityPrincipalId = $(az identity show --name $aksControlPlaneIdentity --resource-group $managedIdentitiesResourceGroup --query "principalId" -o tsv)
write-host "Aks Control Plane identity Principal Id : $aksControlPlaneIdentityPrincipalId"

# Get kubelet identity
$aksKubeletIdentityPrincipalId = $(az identity show --name $aksKubeletIdentity --resource-group $managedIdentitiesResourceGroup --query "principalId" -o tsv)
write-host "Aks Kubelet identity Principal Id : $aksKubeletIdentityPrincipalId"
```
- Grant Control Plane Identity on nodes resource group

```powershell
# Get aks nodes resource group Id
$aksNodesResourceGroupId = $(az group show -n $aksNodesResourceGroup --query "id" -o tsv)
if ($null -eq $aksNodesResourceGroupId) { throw "Unable to retrieve aks nodes resource group $aksNodesResourceGroup Id" }
write-host "Aks nodes Resource group Id : $aksNodesResourceGroupId"

# Assign Contributor to the AKS control plane identity on the nodes resource group
az role assignment list --scope $aksNodesResourceGroupId
az role assignment create --assignee $aksControlPlaneIdentityPrincipalId --scope $aksNodesResourceGroupId --role "Contributor"
```
- Grant Control Plane Identity Managed Identity Operator on the Kubelet identity

```powershell
# Get the resource Id of the user-assigned kubelet identity created in the prerequisites.
# (Querying identityProfile.kubeletidentity on the cluster at this point would return the
# identity the cluster currently uses, not the one we are about to assign.)
$aksKubeletIdentityId = $(az identity show --name $aksKubeletIdentity --resource-group $managedIdentitiesResourceGroup --query "id" -o tsv)
if ($null -eq $aksKubeletIdentityId) { throw "Unable to retrieve kubelet identity $aksKubeletIdentity Id" }
write-host "Aks Kubelet Identity Id : $aksKubeletIdentityId"

# The control plane identity must hold "Managed Identity Operator" on the kubelet identity,
# otherwise `az aks update --assign-kubelet-identity` is rejected
az role assignment list --scope $aksKubeletIdentityId
az role assignment create --assignee $aksControlPlaneIdentityPrincipalId --scope $aksKubeletIdentityId --role "Managed Identity Operator"
```
Update cluster with Identities
- Get Identities Id

```powershell
# Get Control plane Identity Id
$aksControlPlaneIdentityId = $(az identity show --name $aksControlPlaneIdentity --resource-group $managedIdentitiesResourceGroup --query "id" -o tsv)
write-host "Aks Control Plane identity Id : $aksControlPlaneIdentityId"

# Get kubelet identity Id
$aksKubeletIdentityId = $(az identity show --name $aksKubeletIdentity --resource-group $managedIdentitiesResourceGroup --query "id" -o tsv)
write-host "Aks Kubelet identity Id : $aksKubeletIdentityId"
```
- Update AKS Cluster

Update duration
The update operation takes a long time.

```powershell
az aks update `
    --resource-group $aksresourceGroup `
    --name $aksName `
    --enable-managed-identity `
    --assign-identity $aksControlPlaneIdentityId `
    --assign-kubelet-identity $aksKubeletIdentityId `
    --yes
```
- Upgrade node pool to use the new Kubelet Identity

```powershell
# Upgrade default node pool (node image only, so the nodes are re-imaged with the new kubelet identity)
az aks nodepool upgrade --cluster-name $aksName --resource-group $aksresourceGroup --name default --node-image-only
```
- Restart the cluster

```powershell
# Stop the cluster
az aks stop --name $aksName --resource-group $aksresourceGroup

# Wait one minute
Start-Sleep -Seconds 60

# Start the cluster
az aks start --name $aksName --resource-group $aksresourceGroup
```
- Attach to ACR

```powershell
# Attach to ACR
az aks update --name $aksName --resource-group $aksresourceGroup `
    --attach-acr $acrName
```
Attach ACR and enable managed identity
Deployment location
ACR and AKS should be deployed in the same region.

```powershell
# Attach using acr-name (attach and enable managed identity in a single update)
az aks update -n $aksName -g $aksresourceGroup --attach-acr $acrName --enable-managed-identity

# Check that ACR access is correctly configured
az aks check-acr --resource-group $aksresourceGroup --name $aksName --acr $acrName
```
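Once the update, node pool upgrade and ACR attach have completed, the following PowerShell script verifies the end state of the whole procedure. It is an added example, not part of the original lab: it confirms the cluster identity is of type UserAssigned and references the control plane identity, that the kubelet identity reported by the cluster is the user-assigned one rather than an AKS auto-created identity, and that the role assignments the cluster depends on (Contributor on the nodes resource group, Managed Identity Operator on the kubelet identity, AcrPull on the registry) exist. It assumes the lab variables ($aksName, $aksresourceGroup, $acrName, $aksNodesResourceGroup, $aksControlPlaneIdentityId, $aksKubeletIdentityId, $aksControlPlaneIdentityPrincipalId, $aksKubeletIdentityPrincipalId) are loaded in the current session and that `az` is logged in.

```powershell
# Added verification script (not part of the original lab). Assumes the lab variables
# $aksName, $aksresourceGroup, $acrName, $aksNodesResourceGroup, $aksControlPlaneIdentityId,
# $aksKubeletIdentityId, $aksControlPlaneIdentityPrincipalId and $aksKubeletIdentityPrincipalId
# are already loaded in the current PowerShell session.

$failures = @()

function Test-RoleAssignment {
    # Returns $true when $PrincipalId holds $Role directly at $Scope
    param([string]$PrincipalId, [string]$Scope, [string]$Role)
    $count = $(az role assignment list --assignee $PrincipalId --scope $Scope --role $Role --query "length(@)" -o tsv)
    return ([int]$count -gt 0)
}

# 1. Cluster identity: type must be UserAssigned and must reference the control plane identity
$cluster = az aks show --resource-group $aksresourceGroup --name $aksName -o json | ConvertFrom-Json
if ($cluster.identity.type -ne "UserAssigned") {
    $failures += "Cluster identity type is '$($cluster.identity.type)', expected 'UserAssigned'"
}
# userAssignedIdentities is a dictionary keyed by identity resource Id; PowerShell string
# comparisons are case-insensitive, which is what we want for Azure resource Ids
$assigned = @($cluster.identity.userAssignedIdentities.PSObject.Properties.Name)
if ($assigned -notcontains $aksControlPlaneIdentityId) {
    $failures += "Control plane identity $aksControlPlaneIdentityId is not assigned to the cluster (found: $($assigned -join ', '))"
}

# 2. Kubelet identity must be the user-assigned one, not an auto-created identity in the MC_ group
$kubeletResourceId = $cluster.identityProfile.kubeletidentity.resourceId
if ($kubeletResourceId -ne $aksKubeletIdentityId) {
    $failures += "Kubelet identity is '$kubeletResourceId', expected '$aksKubeletIdentityId'"
}

# 3. Role assignments the cluster relies on
$aksNodesResourceGroupId = $(az group show --name $aksNodesResourceGroup --query "id" -o tsv)
$acrId = $(az acr show --name $acrName --query "id" -o tsv)
$expectedRoles = @(
    @{ Name = "Control plane -> Contributor on nodes resource group"; Principal = $aksControlPlaneIdentityPrincipalId; Scope = $aksNodesResourceGroupId; Role = "Contributor" },
    @{ Name = "Control plane -> Managed Identity Operator on kubelet identity"; Principal = $aksControlPlaneIdentityPrincipalId; Scope = $aksKubeletIdentityId; Role = "Managed Identity Operator" },
    @{ Name = "Kubelet -> AcrPull on ACR"; Principal = $aksKubeletIdentityPrincipalId; Scope = $acrId; Role = "AcrPull" }
)
foreach ($r in $expectedRoles) {
    if (-not (Test-RoleAssignment -PrincipalId $r.Principal -Scope $r.Scope -Role $r.Role)) {
        $failures += "Missing role assignment: $($r.Name)"
    }
}

# 4. Report: fail loudly so the script can gate the rest of the lab
if ($failures.Count -eq 0) {
    write-host "AKS identity configuration verified: control plane, kubelet and ACR pull permissions are in place"
} else {
    $failures | ForEach-Object { write-host "FAIL: $_" }
    throw "AKS identity verification failed ($($failures.Count) issue(s))"
}
```

Role assignments can take a minute or two to propagate after `az role assignment create`, so a transient "Missing role assignment" right after the update is worth re-checking before assuming the step failed. The script only looks at assignments made directly at each scope; a role inherited from the subscription or resource group would also satisfy AKS but is not what this lab configures.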