forked from pivotal-cf/docs-pks
-
Notifications
You must be signed in to change notification settings - Fork 0
/
azure-managed-identities.html.md.erb
140 lines (110 loc) · 5.75 KB
/
azure-managed-identities.html.md.erb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
---
title: Creating Managed Identities in Azure for PKS
owner: Ops Manager
---
<strong><%= modified_date %></strong>
This topic describes how to create managed identities for Pivotal Container Service (PKS) on Azure.
In order for Kubernetes to create load balancers and attach persistent disks to pods, you must create managed identities with sufficient permissions.
You need separate managed identities for the Kubernetes cluster master and worker node VMs.
<%= vars.vm_credentials %>
## <a id='id-resource-group'></a>Retrieve Your Subscription ID and Resource Group
To perform the procedures in this topic, you must retrieve your subscription ID and the name of your PKS resource group.
You entered your subscription ID into the `terraform.tfvars` file in [Step 1: Download and Edit the Terraform Variables File](azure-om-deploy.html#download) of <em>Deploying Ops Manager on Azure</em>.
The name of your PKS resource group is exported from Terraform as the output `pcf_resource_group_name`.
To retrieve your subscription ID and the name of your PKS resource group, you must have access to the output from when you ran `terraform apply` to create resources for the PKS deployment in [Deploying Ops Manager on Azure](azure-om-deploy.html). You can view this output at any time by running `terraform output`.
## <a id='create-master'></a>Create the Master Node Managed Identity
Perform the following steps to create the managed identity for the master nodes:
1. Create a role definition using the following template, replacing `SUBSCRIPTION_ID` and `RESOURCE_GROUP` with your subscription ID and the name of your PKS resource group. For more information about custom roles in Azure, see [Custom Roles in Azure](https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles) in the Azure documentation.
```
{
"Name": "PKS master",
"IsCustom": true,
"Description": "Permissions for PKS master",
"Actions": [
"Microsoft.Network/*",
"Microsoft.Compute/disks/*",
"Microsoft.Compute/virtualMachines/write",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Storage/storageAccounts/*"
],
"NotActions": [
],
"DataActions": [
],
"NotDataActions": [
],
"AssignableScopes": [
"/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
]
}
```
1. Save your template as `pks_master_role.json`.
1. To log in, run the following command with the Azure CLI:
```
az login
```
To authenticate, navigate to the URL in the output, enter the provided code, and click your account.
1. Create the role in Azure by running the following command from the directory with `pks_master_role.json`:
```
az role definition create --role-definition pks_master_role.json
```
1. Create a managed identity by running the following command:
```
az identity create -g RESOURCE_GROUP -n pks-master
```
Where `RESOURCE_GROUP` is the name of your PKS resource group.
<br><br>
For more information about managed identities, see [Create a user-assigned managed identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli#create-a-user-assigned-managed-identity) in the Azure documentation.
1. Assign managed identity access to the PKS resource group by performing the following steps:
1. Navigate to the Azure Portal and log in.
1. Open the PKS resource group.
1. Click **Access control (IAM)** on the left panel.
1. Click **Add role assignment**.
1. On the **Add role assignment** page, enter the following configurations:
1. For **Assign access to**, select **User Assigned Managed Identity**.
1. For **Role**, select **PKS master**.
1. For **Select**, select the **pks-master** identity created above.
## <a id='create-worker'></a>Create the Worker Node Managed Identity
Perform the following steps to create the managed identity for the worker nodes:
1. Create a role definition using the following template, replacing `SUBSCRIPTION-ID` and
`RESOURCE-GROUP` with your subscription ID and the name of your PKS resource group:
```
{
"Name": "PKS worker",
"IsCustom": true,
"Description": "Permissions for PKS worker",
"Actions": [
"Microsoft.Storage/storageAccounts/*"
],
"NotActions": [
],
"DataActions": [
],
"NotDataActions": [
],
"AssignableScopes": [
"/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
]
}
```
1. Save your template as `pks_worker_role.json`.
1. Create the role in Azure by running the following command from the directory with `pks_worker_role.json`:
```
az role definition create --role-definition pks_worker_role.json
```
1. Create a managed identity by running the following command:
```
az identity create -g RESOURCE_GROUP -n pks-worker
```
Where `RESOURCE_GROUP` is the name of your PKS resource group.
1. Assign managed identity access to the PKS resource group by performing the following steps:
1. Navigate to the Azure Portal and log in.
1. Open the PKS resource group.
1. Click **Access control (IAM)** on the left panel.
1. Click **Add role assignment**.
1. On the **Add role assignment** page, enter the following configurations:
1. For **Assign access to**, select **User Assigned Managed Identity**.
1. For **Role**, select **PKS worker**.
1. For **Select**, select the **pks-worker** identity created above.
After you create managed identities for both the master and worker nodes, follow the procedures in
[Installing PKS on Azure](installing-pks-azure.html).