In Into the Wild with AKS Automatic: A New Deployment Hope, we covered the prerequisites required to get started. In this post, we’ll move on to deploying a private AKS Automatic cluster within a customer-managed virtual network. Specifically, we’ll cover the following topics:

Throughout this post, I’ll use the Azure CLI (Bash), as it offers the clearest and most effective way to demonstrate and explain each step of the deployment process.

Navigational Data Points (Parameters)

To create the cluster using the Azure CLI, the az aks create command is used. Before proceeding with the deployment, there are several key parameters worth highlighting:

  • sku: Specifies the type of managed cluster to deploy. To deploy an AKS Automatic cluster, this parameter must be set to automatic.
  • apiserver-subnet-id: Defines the resource ID of the subnet to which the control plane API load balancer (kube-apiserver) will be assigned.
  • vnet-subnet-id: Specifies the resource ID of the subnet into which the cluster nodes will be deployed.
  • enable-private-cluster: Indicates that the cluster should be deployed as a private cluster. This parameter must be included to enable private cluster functionality.
  • outbound-type: Determines how outbound traffic is handled for the cluster. Supported values include loadBalancer, userDefinedRouting, managedNATGateway, userAssignedNATGateway, none, and block. As discussed in Into the Wild with AKS Automatic: A New Deployment Hope, the target environment uses a NAT Gateway. Accordingly, this parameter must be set to userAssignedNATGateway.

Engaging the Hyperdrive (Cluster Deployment)

In this section, we initiate the cluster deployment.

Entering the Navicomputer Data

In Into the Wild with AKS Automatic: A New Deployment Hope, several prerequisite resources were deployed for this walkthrough. Use the following commands to populate the variables for the resources that will be used when creating the cluster.

RG_NAME='rg-demo-01-aks'
RG_NETWORK_NAME='rg-demo-01-network'
LOCATION='AustraliaEast'
IDENTITY_NAME='uami-demo-01-aks'
VNET_NAME='demo-01-vnet'
CLUSTER_NAME='aks-demo-01'
API_SERVER_SUBNET_NAME='APIServerSubnet'
CLUSTER_NODE_SUBNET_NAME='ClusterNodeSubnet'


Locating the API Server Coordinates

The next step is to retrieve the API Server subnet resource ID and store it in a variable. This variable will be used later during the cluster deployment. Use the following command to obtain the value:

API_SERVER_SUBNET_ID=$(az network vnet subnet show \
  --resource-group $RG_NETWORK_NAME \
  --vnet-name $VNET_NAME \
  --name $API_SERVER_SUBNET_NAME \
  --query id \
  --output tsv)

Locating the Cluster Node Coordinates

The next step is to retrieve the Cluster Node subnet resource ID and store it in a variable. This variable will be used later during the cluster deployment. Use the following command to obtain the value:

CLUSTER_NODE_SUBNET_ID=$(az network vnet subnet show \
  --resource-group $RG_NETWORK_NAME \
  --vnet-name $VNET_NAME \
  --name $CLUSTER_NODE_SUBNET_NAME \
  --query id \
  --output tsv)

Locating the Assigned Identity Coordinates

The next step is to retrieve the User Assigned Managed Identity resource ID and store it in a variable. This variable will be used later during the cluster deployment. Use the following command to obtain the value:

# Resource ID of the identity (the value --assign-identity expects). The same
# variable is reassigned with the identity's principalId in the post-deployment steps.
IDENTITY_PRINCIPAL_ID=$(az identity show \
  --resource-group $RG_NAME \
  --name $IDENTITY_NAME \
  --query id \
  --output tsv)

Launching the AKS Automatic Cluster

I’ll now commence the cluster deployment using a minimal set of parameters, allowing us to review the default, out-of-the-box configuration in the next post. Use the following command to initiate the cluster build.

az aks create \
  --resource-group $RG_NAME \
  --name $CLUSTER_NAME \
  --location $LOCATION \
  --apiserver-subnet-id $API_SERVER_SUBNET_ID \
  --vnet-subnet-id $CLUSTER_NODE_SUBNET_ID \
  --assign-identity $IDENTITY_PRINCIPAL_ID \
  --sku automatic \
  --enable-private-cluster \
  --outbound-type userAssignedNATGateway \
  --no-ssh-key

If the deployment completes successfully, you should see output similar to the following.

We’re Not Out of the Asteroid Field Yet (Post Deployment Task)

After the cluster has deployed, you may notice it transition to a failed state with the following error message: “This cluster is in a failed state. If you didn’t do an operation, AKS may resolve the provisioning status automatically if your cluster applications continue to run.”

Two additional roles must be assigned to the User Assigned Managed Identity (UAMI) to complete the configuration. The following steps apply these role assignments.

Locating the Assigned Identity Coordinates

The next step is to retrieve the User Assigned Managed Identity’s principal ID (the object ID that Azure RBAC uses as the assignee) and store it in a variable. This variable will be used as the assignee in the role assignments below. Use the following command to obtain the value:

# principalId (object ID) of the identity; this is the value --assignee needs for RBAC.
IDENTITY_PRINCIPAL_ID=$(az identity show \
  --resource-group $RG_NAME \
  --name $IDENTITY_NAME \
  --query principalId \
  --output tsv)

Locating the Cluster Identity Coordinates

The next step is to retrieve the cluster’s resource ID and store it in a variable. This variable will be used as the scope of the role assignments. Use the following command to obtain the value:

CLUSTER_ID=$(az aks show \
  --resource-group $RG_NAME \
  --name $CLUSTER_NAME \
  --query id \
  --output tsv)

Granting Clearance

The next step is to assign the User Assigned Managed Identity the following RBAC roles:

  • Azure Kubernetes Service Cluster User Role
  • Azure Kubernetes Service RBAC Writer

Use the following command to apply the roles:

az role assignment create \
  --scope $CLUSTER_ID \
  --role "Azure Kubernetes Service Cluster User Role" \
  --assignee $IDENTITY_PRINCIPAL_ID
az role assignment create \
  --scope $CLUSTER_ID \
  --role "Azure Kubernetes Service RBAC Writer" \
  --assignee $IDENTITY_PRINCIPAL_ID

Restoring Balance to the Cluster

After assigning the required RBAC roles, you must reconcile the cluster to apply the changes. Use the following command to reconcile the cluster.

az aks update \
  --resource-group $RG_NAME \
  --name $CLUSTER_NAME

With balance restored, the cluster should return to a healthy state.
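As an added example that is not part of the original post, the following Python script checks a deployed cluster against the posture the commands above were meant to produce: a private, VNet-integrated API server, NAT Gateway egress, a user-assigned identity, and the two role assignments. The field names are what I expect `az aks show -o json` and `az role assignment list --scope $CLUSTER_ID -o json` to return, so verify them against your own output; the IDs and documents inside the script are constructed placeholders.

```python
# Added example (not from the original post): check that the cluster built above
# actually has the posture the az aks create parameters were meant to produce.
# Field names are what I expect from `az aks show -o json` and
# `az role assignment list --scope $CLUSTER_ID -o json`; verify against your output.
EXPECTED_OUTBOUND = "userAssignedNATGateway"   # the --outbound-type used above
REQUIRED_ROLES = {                              # the two roles assigned above
    "Azure Kubernetes Service Cluster User Role",
    "Azure Kubernetes Service RBAC Writer",
}

def check_cluster(cluster: dict) -> list:
    """Return findings for a parsed `az aks show` document; empty means it matches."""
    findings = []
    if cluster.get("provisioningState") != "Succeeded":
        findings.append("provisioningState is %r, not Succeeded" % cluster.get("provisioningState"))
    if str((cluster.get("sku") or {}).get("name")).lower() != "automatic":
        findings.append("sku.name is not Automatic")
    api = cluster.get("apiServerAccessProfile") or {}
    if not api.get("enablePrivateCluster"):
        findings.append("enablePrivateCluster is not true: API server is reachable from the internet")
    if not api.get("subnetId"):
        findings.append("apiServerAccessProfile.subnetId is unset: API server is not VNet-integrated")
    if (cluster.get("networkProfile") or {}).get("outboundType") != EXPECTED_OUTBOUND:
        findings.append("networkProfile.outboundType is not %s" % EXPECTED_OUTBOUND)
    if (cluster.get("identity") or {}).get("type") != "UserAssigned":
        findings.append("identity.type is not UserAssigned")
    return findings

def missing_roles(assignments: list, principal_id: str, cluster_id: str) -> set:
    """Return the required roles the identity still lacks at the cluster scope."""
    present = {a.get("roleDefinitionName") for a in assignments
               if a.get("principalId") == principal_id
               and (a.get("scope") or "").lower() == cluster_id.lower()}
    return REQUIRED_ROLES - present

# Constructed sample documents with placeholder IDs (not real Azure output).
CLUSTER_ID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo-01-aks/providers/Microsoft.ContainerService/managedClusters/aks-demo-01"
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_CLUSTER = {
    "provisioningState": "Succeeded", "sku": {"name": "Automatic", "tier": "Standard"},
    "apiServerAccessProfile": {"enablePrivateCluster": True, "subnetId": "/placeholder/subnets/APIServerSubnet"},
    "networkProfile": {"outboundType": "userAssignedNATGateway"},
    "identity": {"type": "UserAssigned"},
}
# Only the first role is present, so the RBAC Writer role is reported as missing.
SAMPLE_ASSIGNMENTS = [{"roleDefinitionName": "Azure Kubernetes Service Cluster User Role",
                       "principalId": PRINCIPAL_ID, "scope": CLUSTER_ID}]

if __name__ == "__main__":
    print(check_cluster(SAMPLE_CLUSTER), missing_roles(SAMPLE_ASSIGNMENTS, PRINCIPAL_ID, CLUSTER_ID))
```

For a real cluster, load the JSON from `az aks show -g $RG_NAME -n $CLUSTER_NAME -o json` and `az role assignment list --scope $CLUSTER_ID -o json` with `json.load` and pass the parsed documents to the two functions; any finding or missing role means the cluster does not match the intended private configuration.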
