Creating Managed Identities in Azure for PKS


This topic describes how to create managed identities for Pivotal Container Service (PKS) on Azure.

In order for Kubernetes to create load balancers and attach persistent disks to pods, you must create managed identities with sufficient permissions.

You need separate managed identities for the Kubernetes cluster master and worker node VMs. Pivotal recommends giving each managed identity its own credentials and only the least permissive role it needs, which is why the custom roles below grant the worker identity far fewer actions than the master identity.

Retrieve Your Subscription ID and Resource Group

To perform the procedures in this topic, you must retrieve your subscription ID and the name of your PKS resource group.

You entered your subscription ID into the terraform.tfvars file in Step 1: Download and Edit the Terraform Variables File of Deploying Ops Manager on Azure.

The name of your PKS resource group is exported from Terraform as the output pcf_resource_group_name.

To retrieve your subscription ID and the name of your PKS resource group, you must have access to the output from when you ran terraform apply to create resources for the PKS deployment in Deploying Ops Manager to Azure Using Terraform. You can view this output at any time by running terraform output.

Create the Master Node Managed Identity

Perform the following steps to create the managed identity for the master nodes:

  1. Create a role definition using the following template, replacing SUBSCRIPTION-ID and RESOURCE-GROUP with your subscription ID and the name of your PKS resource group. For more information about custom roles in Azure, see Custom Roles in Azure in the Azure documentation.

    {
        "Name":  "PKS master",
        "IsCustom":  true,
        "Description":  "Permissions for PKS master",
        "Actions":  [
            "Microsoft.Network/*",
            "Microsoft.Compute/disks/*",
            "Microsoft.Compute/virtualMachines/write",
            "Microsoft.Compute/virtualMachines/read",
            "Microsoft.Storage/storageAccounts/*"
        ],
        "NotActions":  [
    
        ],
        "DataActions":  [
    
        ],
        "NotDataActions":  [
    
        ],
        "AssignableScopes":  [
          "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
        ]
    }
    
  2. Save your template as pks_master_role.json.

  3. To log in, run the following command with the Azure CLI:

    az login
    

    To authenticate, navigate to the URL in the output, enter the provided code, and click your account.

  4. Create the role in Azure by running the following command from the directory with pks_master_role.json. Creating a custom role requires the Microsoft.Authorization/roleDefinitions/write permission on every scope listed in AssignableScopes, which the Owner and User Access Administrator built-in roles include:

    az role definition create --role-definition pks_master_role.json
    
  5. Create a managed identity by running the following command:

    az identity create -g RESOURCE_GROUP -n pks-master
    

    Where RESOURCE_GROUP is the name of your PKS resource group.

    For more information about managed identities, see Create a user-assigned managed identity in the Azure documentation.

  6. Assign managed identity access to the PKS resource group by performing the following steps:

    1. Navigate to the Azure Portal and log in.
    2. Open the PKS resource group.
    3. Click Access control (IAM) on the left panel.
    4. Click Add role assignment.
    5. On the Add role assignment page, enter the following configurations:
      1. For Assign access to, select User Assigned Managed Identity.
      2. For Role, select PKS master.
      3. For Select, select the pks-master identity created above.

Note: The PKS master custom role created above is less permissive than the built-in roles provided by Azure, although its Microsoft.Network/* and Microsoft.Storage/storageAccounts/* entries are still wildcards. AssignableScopes only restricts where the role may be assigned; the permissions take effect at the scope of the role assignment, which in step 6 above is the PKS resource group, so do not assign the role at subscription scope. If you want to use the built-in roles instead of the recommended custom role, you can select the following three built-in roles in Azure: Storage Account Contributor, Network Contributor, and Virtual Machine Contributor.

Create the Worker Node Managed Identity

Perform the following steps to create the managed identity for the worker nodes:

  1. Create a role definition using the following template, replacing SUBSCRIPTION-ID and RESOURCE-GROUP with your subscription ID and the name of your PKS resource group:

    {
        "Name":  "PKS worker",
        "IsCustom":  true,
        "Description":  "Permissions for PKS worker",
        "Actions":  [
            "Microsoft.Storage/storageAccounts/*"
        ],
        "NotActions":  [
    
        ],
        "DataActions":  [
    
        ],
        "NotDataActions":  [
    
        ],
        "AssignableScopes":  [
          "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
        ]
    }
    
  2. Save your template as pks_worker_role.json.

  3. Create the role in Azure by running the following command from the directory with pks_worker_role.json:

    az role definition create --role-definition pks_worker_role.json
    
  4. Create a managed identity by running the following command:

    az identity create -g RESOURCE_GROUP -n pks-worker
    

    Where RESOURCE_GROUP is the name of your PKS resource group.

  5. Assign managed identity access to the PKS resource group by performing the following steps:

    1. Navigate to the Azure Portal and log in.
    2. Open the PKS resource group.
    3. Click Access control (IAM) on the left panel.
    4. Click Add role assignment.
    5. On the Add role assignment page, enter the following configurations:
      1. For Assign access to, select User Assigned Managed Identity.
      2. For Role, select PKS worker.
      3. For Select, select the pks-worker identity created above.

Note: The PKS worker custom role created above is less permissive than the built-in roles provided by Azure. However, if you want to use the built-in roles instead of the recommended custom role, you can select the Storage Account Contributor built-in role in Azure.
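The master and worker procedures above as one Azure CLI script, added here as an example; it is not code from this page, from Pivotal or from PKS. It renders the same two role-definition files, creates the roles and identities, and replaces the portal role-assignment steps with az role assignment create at resource-group scope. By default it only prints the az commands so you can review them; setting PKS_APPLY=1 executes them. The PKS_APPLY variable, the dry-run convention and the script file name are this example's assumptions, and it assumes az is installed and az login has been done as a user who can write role definitions and assignments (for example an Owner of the subscription).

```shell
#!/bin/sh
# Added example (not from the Pivotal page): create the PKS master and worker
# custom roles, user-assigned managed identities and role assignments with az.
# Assumptions: az is installed and logged in; PKS_APPLY=1 is this script's own
# switch for executing rather than printing the az commands.
set -eu

# Scope string used both in AssignableScopes and as the role-assignment scope.
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Render a custom role definition: $1 role name, $2 scope, remaining args = Actions.
render_role_json() {
  name=$1; scope=$2; shift 2
  actions=""
  for action in "$@"; do
    if [ -n "$actions" ]; then actions="$actions,"; fi
    actions="$actions
        \"$action\""
  done
  cat <<EOF
{
    "Name": "$name",
    "IsCustom": true,
    "Description": "Permissions for $name",
    "Actions": [$actions
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        "$scope"
    ]
}
EOF
}

# Execute az only when PKS_APPLY=1; otherwise print the command for review.
run() {
  if [ "${PKS_APPLY:-0}" = "1" ]; then
    "$@"
  else
    printf 'dry-run: %s\n' "$*"
  fi
}

# Create the identity and bind it to its custom role at resource-group scope.
# Passing the object ID and principal type avoids the directory lookup that can
# fail while a freshly created identity has not replicated yet.
bind_identity() {
  rg=$1; identity=$2; role=$3; scope=$4
  run az identity create -g "$rg" -n "$identity" -o none
  if [ "${PKS_APPLY:-0}" = "1" ]; then
    principal_id=$(az identity show -g "$rg" -n "$identity" --query principalId -o tsv)
  else
    principal_id="<principalId of $identity>"
  fi
  run az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal --role "$role" --scope "$scope"
}

main() {
  sub=$1; rg=$2
  scope=$(rg_scope "$sub" "$rg")
  render_role_json "PKS master" "$scope" \
    "Microsoft.Network/*" \
    "Microsoft.Compute/disks/*" \
    "Microsoft.Compute/virtualMachines/write" \
    "Microsoft.Compute/virtualMachines/read" \
    "Microsoft.Storage/storageAccounts/*" > pks_master_role.json
  render_role_json "PKS worker" "$scope" \
    "Microsoft.Storage/storageAccounts/*" > pks_worker_role.json
  run az role definition create --role-definition pks_master_role.json
  run az role definition create --role-definition pks_worker_role.json
  bind_identity "$rg" pks-master "PKS master" "$scope"
  bind_identity "$rg" pks-worker "PKS worker" "$scope"
}

# Usage: sh pks_identities.sh SUBSCRIPTION_ID RESOURCE_GROUP     (prints commands)
#        PKS_APPLY=1 sh pks_identities.sh SUBSCRIPTION_ID RESOURCE_GROUP
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

Pass the subscription ID and the pcf_resource_group_name value from terraform output as the two arguments. Both assignments land at the resource-group scope, the same scope the portal steps use; after applying, az role assignment list --resource-group RESOURCE_GROUP -o table should show pks-master bound to PKS master and pks-worker bound to PKS worker and nothing broader.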

After you create managed identities for both the master and worker nodes, follow the procedures in Installing PKS on Azure.


Please send any feedback you have to pks-feedback@pivotal.io.