Create Service Principal for Cluster Autoscaler¶

This section will guide you through creating a Service Principal for the Cluster Autoscaler of your AKS cluster.

Fast Forward

If you already have a Service Principal for the Cluster Autoscaler, expand this box to fast-forward.

Retrieve the node resource group of your AKS cluster:

root@rok-tools:~/ops/deployments# export NODES_RESOURCE_GROUP=$(az \ > aks show --resource-group ${AZ_RESOURCE_GROUP?} \ > --name ${AKS_CLUSTER?} --query nodeResourceGroup -o tsv)
Specify the application ID of the Service Principal:

root@rok-tools:~# export SERVICE_PRINCIPAL_ID=<ID>

Replace <ID> with the Service Principal ID, for example:

root@rok-tools:~# export SERVICE_PRINCIPAL_ID=0
Specify the tenant ID of the Service Principal:

root@rok-tools:~# export SERVICE_PRINCIPAL_TENANT=<TENANT>

Replace <TENANT> with the Service Principal tenant ID, for example:

root@rok-tools:~# export SERVICE_PRINCIPAL_TENANT=0
Specify the password of the Service Principal:
1. Read a line from the standard input:
  
  root@rok-tools:~# read -s SERVICE_PRINCIPAL_PASSWORD
2. Paste the Service Principal password and hit enter.
3. Export the Service Principal password:
  
  root@rok-tools:~# export SERVICE_PRINCIPAL_PASSWORD
Proceed to the Verify section.

What You’ll Need ¶

Go to your GitOps repository, inside your rok-tools management environment:

root@rok-tools:~# cd ~/ops/deployments
Retrieve the node resource group of your AKS cluster:

root@rok-tools:~/ops/deployments# export NODES_RESOURCE_GROUP=$(az \ > aks show --resource-group ${AZ_RESOURCE_GROUP?} \ > --name ${AKS_CLUSTER?} --query nodeResourceGroup -o tsv)
Retrieve the resource ID of the node resource group:

root@rok-tools:~/ops/deployments# export NODES_RESOURCE_ID=$(az \ > group show --name ${NODES_RESOURCE_GROUP?} -o tsv --query "id")
Create a Service Principal with Contributor privileges on the node resource group:

root@rok-tools:~/ops/deployments# export SERVICE_PRINCIPAL=$(az ad sp \ > create-for-rbac --role="Contributor" --scopes="${NODES_RESOURCE_ID?}" \ > --display-name "Cluster Autoscaler" --output json)
Retrieve the application ID of the Service Principal:

root@rok-tools:~/ops/deployments# export SERVICE_PRINCIPAL_ID=$(echo \ > ${SERVICE_PRINCIPAL?} | jq -r .appId)
Retrieve the tenant ID of the Service Principal:

root@rok-tools:~/ops/deployments# export SERVICE_PRINCIPAL_TENANT=$(echo \ > ${SERVICE_PRINCIPAL?} | jq -r .tenant)
Retrieve the password of the Service Principal:

root@rok-tools:~/ops/deployments# export SERVICE_PRINCIPAL_PASSWORD=$(echo \ > ${SERVICE_PRINCIPAL?} | jq -r .password)

Retrieve the resource ID of the node resource group:

root@rok-tools:~/ops/deployments# export NODES_RESOURCE_ID=$(az \ > group show --name ${NODES_RESOURCE_GROUP?} -o tsv --query "id")
Ensure that the Service Principal has Contributor access to the nodes resource group of your AKS cluster. Verify that the output of the following command is not empty:

root@rok-tools:~/ops/deployments# az role assignment list \ > --assignee ${SERVICE_PRINCIPAL_ID?} \ > --scope ${NODES_RESOURCE_ID?} --role Contributor -o table Principal Role Scope ------------------------------------ ----------- ---------------------------------------------------------------------------------------------------- 596539f6-795f-4a25-a028-7667fddb1633 Contributor /subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/MC_arrikto_arrikto-cluster_eastus

You have successfully created a Service Principal for the Cluster Autoscaler on your AKS cluster.

The next step is to deploy the Cluster Autoscaler on your AKS cluster.