Creating an Azure Kubernetes Cluster (AKS) with Managed Identities

Kumar Allamraju
2 min read · Dec 19, 2020


By default, an AKS cluster is created with a service principal. Clusters using service principals eventually reach a state in which the service principal must be renewed to keep the cluster working. Managing service principals adds complexity, which is why it's easier to use managed identities instead. Managed identities are essentially a wrapper around service principals, and they make cluster management simpler. Credential rotation for managed identities (MI) happens automatically every 46 days (the Azure Active Directory default setting).

Prerequisites

  • Valid Azure Subscription.
  • The Azure CLI, version 2.15.1 or later

Let’s get started

# Create an Azure resource group
az group create --name myResourceGroup --location westus2
# Create an AKS cluster with MI
az aks create -g myResourceGroup -n myMIAKSCluster --enable-managed-identity

Use the following command to query the object ID of your control-plane managed identity:

az aks show -g myResourceGroup -n myMIAKSCluster --query "identity"

Once the cluster is created, you can then deploy your application workloads to the new cluster and interact with it just as you’ve been doing with service-principal-based AKS clusters.

Finally, get credentials to access the AKS cluster:

az aks get-credentials --resource-group myResourceGroup --name myMIAKSCluster

You can also update an existing AKS cluster to managed identities. This is still in preview, though.

# Migrate an existing cluster to a system-assigned managed identity
az feature register --namespace Microsoft.ContainerService -n MigrateToMSIClusterPreview
az aks update -g <RGName> -n <AKSName> --enable-managed-identity
# Or migrate to a user-assigned managed identity
az feature register --namespace Microsoft.ContainerService -n UserAssignedIdentityPreview
az aks update -g <RGName> -n <AKSName> --enable-managed-identity --assign-identity <UserAssignedIdentityResourceID>

Note: once the cluster has been updated to a system-assigned or user-assigned managed identity, run the following against your node pools so the nodes complete the update to managed identity.

az aks nodepool upgrade -g <RGName> --cluster-name <AKSName> -n <NodePoolName> --node-image-only
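To find which clusters in a subscription still run on a service principal (and so still need the migration above), and to pull the control-plane principal ID the post queries earlier, here is an added Python helper that is not part of the original post: it classifies the JSON that `az aks list -o json` returns. The sample inventory is constructed and its IDs are placeholders; the `__main__` branch assumes a logged-in Azure CLI.

```python
import json
import subprocess
from typing import Any, Dict, List

# Constructed sample shaped like `az aks list -o json` (not real clusters):
# one cluster created with --enable-managed-identity, one legacy SP-based.
SAMPLE_CLUSTERS = json.loads("""[
  {"name": "myMIAKSCluster", "resourceGroup": "myResourceGroup",
   "identity": {"type": "SystemAssigned",
                "principalId": "00000000-0000-0000-0000-000000000001",
                "tenantId": "00000000-0000-0000-0000-0000000000aa"},
   "servicePrincipalProfile": {"clientId": "msi"}},
  {"name": "legacySPCluster", "resourceGroup": "myResourceGroup",
   "identity": null,
   "servicePrincipalProfile": {"clientId": "11111111-1111-1111-1111-111111111111"}}
]""")


def classify_cluster(cluster: Dict[str, Any]) -> Dict[str, Any]:
    """Report how a cluster's control plane authenticates to Azure.

    MI clusters expose an `identity` block and report the placeholder client
    ID "msi" in servicePrincipalProfile; SP clusters have no identity block
    and carry the real service principal client ID instead.
    """
    identity = cluster.get("identity") or {}
    client_id = (cluster.get("servicePrincipalProfile") or {}).get("clientId")
    uses_mi = bool(identity) and client_id == "msi"
    principal_id = identity.get("principalId")
    if identity.get("type") == "UserAssigned":
        # User-assigned identities are keyed by resource ID; take the first one.
        first = next(iter((identity.get("userAssignedIdentities") or {}).values()), {})
        principal_id = first.get("principalId")
    return {
        "name": cluster["name"],
        "resourceGroup": cluster.get("resourceGroup"),
        "mode": "managed-identity" if uses_mi else "service-principal",
        "identityType": identity.get("type"),
        "principalId": principal_id,  # the control-plane object ID
        "needsMigration": not uses_mi,
    }


def clusters_needing_migration(clusters: List[Dict[str, Any]]) -> List[str]:
    """Names of clusters still carrying the service principal rotation burden."""
    return [c["name"] for c in map(classify_cluster, clusters) if c["needsMigration"]]


if __name__ == "__main__":
    # Live run against the real inventory instead of the constructed sample.
    live = json.loads(subprocess.check_output(["az", "aks", "list", "-o", "json"]))
    for report in map(classify_cluster, live):
        print(json.dumps(report))
```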

When I work with customers on AKS best practices, creating AKS clusters with MI is one thing that I always recommend. This best practice is often overlooked by most of our customers.

References

Please review the limitations: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#limitations

Managed identities in Azure: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
