azure-managed-identities.html.md.erb
---
title: Creating Managed Identities in Azure for Tanzu Kubernetes Grid Integrated Edition
owner: Ops Manager
---
This topic describes how to create managed identities for VMware Tanzu Kubernetes Grid Integrated Edition (TKGI) on Microsoft Azure.
## <a id='overview'></a> Overview
In order for Kubernetes to create load balancers and attach persistent disks to pods, you must create managed identities with sufficient permissions.
You need separate managed identities for the Kubernetes cluster control plane and worker node VMs.
<%= vars.vm_credentials %>
## <a id='id-resource-group'></a>Retrieve Your Subscription ID and Resource Group
To perform the procedures in this topic, you must have your Azure Subscription ID and the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.
If you do not know your Subscription ID or Resource Group:
1. Navigate to the Azure portal.
1. Click **Resource groups**.
1. Determine the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.
1. Determine the Subscription ID for your Tanzu Kubernetes Grid Integrated Edition Resource Group.
<p class="note"><strong>Note:</strong> You specified the Subscription ID to use and your Tanzu Kubernetes Grid Integrated Edition Resource Group name
when completing the steps in <a href="https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/tanzu-operations-manager/3-0/tanzu-ops-manager/azure-deploy-manual.html#network">Step 1: Create Network Resources</a>
in <i>Deploying Ops Manager on Azure Manually</i>.
</p>
## <a id='create-master'></a>Create the Control Plane Node Managed Identity
Perform the following steps to create the managed identity for the control plane nodes:
1. Create a role definition using the following template:

    ```
    {
        "Name": "TKGI control plane",
        "IsCustom": true,
        "Description": "Permissions for TKGI control plane",
        "Actions": [
            "Microsoft.Network/*",
            "Microsoft.Compute/disks/*",
            "Microsoft.Compute/virtualMachines/write",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Storage/storageAccounts/*"
        ],
        "NotActions": [
        ],
        "DataActions": [
        ],
        "NotDataActions": [
        ],
        "AssignableScopes": [
            "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
        ]
    }
    ```

    Where:
    * `SUBSCRIPTION-ID` is your Subscription ID.
    * `RESOURCE-GROUP` is the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.

    For more information about custom roles in Azure, see
    [Custom Roles in Azure](https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles)
    in the Azure documentation.
1. Save your template as `tkgi_master_role.json`.
1. To log in, run the following command with the Azure CLI:

    ```
    az login
    ```

    To authenticate, navigate to the URL in the output, enter the provided code, and click your account.
1. Create the role in Azure by running the following command from the directory with `tkgi_master_role.json`:

    ```
    az role definition create --role-definition tkgi_master_role.json
    ```
1. Create a managed identity by running the following command:

    ```
    az identity create -g RESOURCE-GROUP -n tkgi-master
    ```

    Where `RESOURCE-GROUP` is the name of your Tanzu Kubernetes Grid Integrated Edition resource group.
    <br><br>
    For more information about managed identities, see [Create a user-assigned managed identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-manage-ua-identity-cli#create-a-user-assigned-managed-identity) in the Azure documentation.
1. Assign managed identity access to the Tanzu Kubernetes Grid Integrated Edition resource group by performing the following steps:
    1. Navigate to the Azure Portal and log in.
    1. Open the Tanzu Kubernetes Grid Integrated Edition resource group.
    1. Click **Access control (IAM)** on the left panel.
    1. Click **Add role assignment**.
    1. On the **Add role assignment** page, enter the following configurations:
        1. For **Assign access to**, select **User Assigned Managed Identity**.
        1. For **Role**, select **TKGI control plane**, the custom role created above.
        1. For **Select**, select the **tkgi-master** identity created above.

    <p class="note"><strong>Note:</strong> The <strong>TKGI control plane</strong> custom role created above is less permissive
    than the built-in roles provided by Azure. However, if you want to use the built-in roles
    instead of the recommended custom role, you can select the following three built-in roles in Azure: <strong>Storage Account Contributor</strong>, <strong>Network Contributor</strong>, and <strong>Virtual Machine Contributor</strong>.</p>
## <a id='create-worker'></a>Create the Worker Node Managed Identity
Perform the following steps to create the managed identity for the worker nodes:
1. Create a role definition using the following template:

    ```
    {
        "Name": "TKGI worker",
        "IsCustom": true,
        "Description": "Permissions for TKGI worker",
        "Actions": [
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Storage/storageAccounts/*"
        ],
        "NotActions": [
        ],
        "DataActions": [
        ],
        "NotDataActions": [
        ],
        "AssignableScopes": [
            "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
        ]
    }
    ```

    Where:
    * `SUBSCRIPTION-ID` is your Subscription ID.
    * `RESOURCE-GROUP` is the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.
1. Save your template as `tkgi_worker_role.json`.
1. Create the role in Azure by running the following command from the directory with `tkgi_worker_role.json`:

    ```
    az role definition create --role-definition tkgi_worker_role.json
    ```
1. Create a managed identity by running the following command:

    ```
    az identity create -g RESOURCE-GROUP -n tkgi-worker
    ```

    Where `RESOURCE-GROUP` is the name of your Tanzu Kubernetes Grid Integrated Edition resource group.
1. Assign managed identity access to the Tanzu Kubernetes Grid Integrated Edition resource group by performing the following steps:
    1. Navigate to the Azure Portal and log in.
    1. Open the Tanzu Kubernetes Grid Integrated Edition resource group.
    1. Click **Access control (IAM)** on the left panel.
    1. Click **Add role assignment**.
    1. On the **Add role assignment** page, enter the following configurations:
        1. For **Assign access to**, select **User Assigned Managed Identity**.
        1. For **Role**, select **TKGI worker**.
        1. For **Select**, select the **tkgi-worker** identity created above.

    <p class="note"><strong>Note:</strong> The <strong>TKGI worker</strong> custom role created above is less permissive
    than the built-in roles provided by Azure. However, if you want to use the built-in roles instead of the recommended custom role,
    you can select the <strong>Storage Account Contributor</strong> built-in role in Azure.</p>
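Both role templates above are least-privilege by design, and the main way they get weakened in practice is drift: someone widens an action to a provider-level wildcard, or moves `AssignableScopes` up to the subscription, and `az role definition create` accepts the file without complaint. The following linter, an added example that is not part of the TKGI documentation or tooling, checks a rendered role definition against the action sets and the single-resource-group scope given in this topic before the file is submitted. The subscription ID and resource group are constructed placeholders, the `DRIFTED_CONTROL_PLANE` definition is a constructed bad example, and the function names are this example's own.

```python
"""Lint a TKGI custom role definition before `az role definition create`.

Added example; not part of the TKGI docs. The sample subscription ID,
resource group and the drifted control plane definition are constructed.
"""
import json
import re

# Least-privilege action sets, copied from the two templates in this topic.
EXPECTED_ACTIONS = {
    "TKGI control plane": {
        "Microsoft.Network/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Storage/storageAccounts/*",
    },
    "TKGI worker": {
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Storage/storageAccounts/*",
    },
}

# A scope that names exactly one resource group inside one subscription.
RG_SCOPE = re.compile(r"^/subscriptions/([0-9a-fA-F-]{36})/resourceGroups/([^/]+)$")

# Constructed placeholders; substitute your own values.
SAMPLE_SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_RESOURCE_GROUP = "tkgi-rg"

# The worker template from this topic, placeholders still in place.
WORKER_TEMPLATE = """{
  "Name": "TKGI worker",
  "IsCustom": true,
  "Description": "Permissions for TKGI worker",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Storage/storageAccounts/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
  ]
}"""

# Constructed drifted copy of the control plane role: a provider-wide compute
# wildcard and a subscription-wide scope, the two mistakes the linter flags.
DRIFTED_CONTROL_PLANE = json.dumps({
    "Name": "TKGI control plane",
    "IsCustom": True,
    "Description": "Permissions for TKGI control plane",
    "Actions": ["Microsoft.Network/*", "Microsoft.Compute/*",
                "Microsoft.Storage/storageAccounts/*"],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/" + SAMPLE_SUBSCRIPTION_ID],
})


def render_template(template_text, subscription_id, resource_group):
    """Fill the SUBSCRIPTION-ID and RESOURCE-GROUP placeholders."""
    return (template_text.replace("SUBSCRIPTION-ID", subscription_id)
                         .replace("RESOURCE-GROUP", resource_group))


def lint_role(role_text, subscription_id, resource_group):
    """Return a list of findings; an empty list means the role matches this topic."""
    findings = []
    role = json.loads(role_text)
    name = role.get("Name")
    if name not in EXPECTED_ACTIONS:
        return [f"unknown role name {name!r}"]
    if role.get("IsCustom") is not True:
        findings.append(f"{name}: IsCustom must be true")
    actions = set(role.get("Actions", []))
    for action in sorted(actions - EXPECTED_ACTIONS[name]):
        findings.append(f"{name}: unexpected action {action!r}")
    for action in sorted(EXPECTED_ACTIONS[name] - actions):
        findings.append(f"{name}: missing action {action!r}")
    for key in ("NotActions", "DataActions", "NotDataActions"):
        if role.get(key):
            findings.append(f"{name}: {key} should be empty")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append(f"{name}: AssignableScopes is empty")
    for scope in scopes:
        match = RG_SCOPE.match(scope)
        if not match:
            findings.append(f"{name}: scope {scope!r} is not a single resource group")
            continue
        if match.group(1).lower() != subscription_id.lower():
            findings.append(f"{name}: scope {scope!r} is in another subscription")
        if match.group(2).lower() != resource_group.lower():
            findings.append(f"{name}: scope {scope!r} is not resource group {resource_group!r}")
    return findings


if __name__ == "__main__":
    rendered = render_template(WORKER_TEMPLATE, SAMPLE_SUBSCRIPTION_ID, SAMPLE_RESOURCE_GROUP)
    print("worker:", lint_role(rendered, SAMPLE_SUBSCRIPTION_ID, SAMPLE_RESOURCE_GROUP))
    print("drifted:", lint_role(DRIFTED_CONTROL_PLANE, SAMPLE_SUBSCRIPTION_ID, SAMPLE_RESOURCE_GROUP))
```

Run it against the rendered `tkgi_master_role.json` and `tkgi_worker_role.json` files (for example in the pipeline step just before `az role definition create`) and refuse to create the role when the list of findings is non-empty; the scope check is the one that matters most, since a definition assignable at subscription level can later be bound far outside the TKGI resource group.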
## <a id="next-steps"></a>Next Installation Step
To install and configure Tanzu Kubernetes Grid Integrated Edition, follow the instructions in
[Installing Tanzu Kubernetes Grid Integrated Edition on Azure](installing-azure.html).