Create Service Principal for Cluster Autoscaler¶
This section will guide you through creating a Service Principal for the Cluster Autoscaler of your AKS cluster.
Fast Forward
If you already have a Service Principal for the Cluster Autoscaler, expand this box to fast-forward.
Retrieve the node resource group of your AKS cluster:

    root@rok-tools:~/ops/deployments# export NODES_RESOURCE_GROUP=$(az \
    > aks show --resource-group ${AZ_RESOURCE_GROUP?} \
    > --name ${AKS_CLUSTER?} --query nodeResourceGroup -o tsv)

Specify the application ID of the Service Principal:

    root@rok-tools:~# export SERVICE_PRINCIPAL_ID=<ID>

Replace <ID> with the Service Principal ID, for example:

    root@rok-tools:~# export SERVICE_PRINCIPAL_ID=0

Specify the tenant ID of the Service Principal:

    root@rok-tools:~# export SERVICE_PRINCIPAL_TENANT=<TENANT>

Replace <TENANT> with the Service Principal tenant ID, for example:

    root@rok-tools:~# export SERVICE_PRINCIPAL_TENANT=0

Specify the password of the Service Principal:

Read a line from the standard input:

    root@rok-tools:~# read -s SERVICE_PRINCIPAL_PASSWORD

Paste the Service Principal password and hit enter.

Export the Service Principal password:

    root@rok-tools:~# export SERVICE_PRINCIPAL_PASSWORD
Proceed to the Verify section.
See also
- Official Azure guide on Service Principals.
Overview
What You’ll Need¶
- A configured management environment.
- Your clone of the Arrikto GitOps repository.
- An existing AKS cluster.
Procedure¶
Go to your GitOps repository, inside your rok-tools management environment:

    root@rok-tools:~# cd ~/ops/deployments

Retrieve the node resource group of your AKS cluster:

    root@rok-tools:~/ops/deployments# export NODES_RESOURCE_GROUP=$(az \
    > aks show --resource-group ${AZ_RESOURCE_GROUP?} \
    > --name ${AKS_CLUSTER?} --query nodeResourceGroup -o tsv)

Retrieve the resource ID of the node resource group:

    root@rok-tools:~/ops/deployments# export NODES_RESOURCE_ID=$(az \
    > group show --name ${NODES_RESOURCE_GROUP?} -o tsv --query "id")

Create a Service Principal with Contributor privileges on the node resource group:

    root@rok-tools:~/ops/deployments# export SERVICE_PRINCIPAL=$(az ad sp \
    > create-for-rbac --role="Contributor" --scopes="${NODES_RESOURCE_ID?}" \
    > --display-name "Cluster Autoscaler" --output json)

Retrieve the application ID of the Service Principal:

    root@rok-tools:~/ops/deployments# export SERVICE_PRINCIPAL_ID=$(echo \
    > ${SERVICE_PRINCIPAL?} | jq -r .appId)

Retrieve the tenant ID of the Service Principal:

    root@rok-tools:~/ops/deployments# export SERVICE_PRINCIPAL_TENANT=$(echo \
    > ${SERVICE_PRINCIPAL?} | jq -r .tenant)

Retrieve the password of the Service Principal:

    root@rok-tools:~/ops/deployments# export SERVICE_PRINCIPAL_PASSWORD=$(echo \
    > ${SERVICE_PRINCIPAL?} | jq -r .password)
Verify¶
Retrieve the resource ID of the node resource group:

    root@rok-tools:~/ops/deployments# export NODES_RESOURCE_ID=$(az \
    > group show --name ${NODES_RESOURCE_GROUP?} -o tsv --query "id")

Ensure that the Service Principal has Contributor access to the node resource group of your AKS cluster. Verify that the output of the following command is not empty, i.e. that it lists a Contributor assignment for your Service Principal at the node resource group scope:

    root@rok-tools:~/ops/deployments# az role assignment list \
    > --assignee ${SERVICE_PRINCIPAL_ID?} \
    > --scope ${NODES_RESOURCE_ID?} --role Contributor -o table
    Principal                             Role         Scope
    ------------------------------------  -----------  ----------------------------------------------------------------------------------------------------
    596539f6-795f-4a25-a028-7667fddb1633  Contributor  /subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/MC_arrikto_arrikto-cluster_eastus
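The table above only proves that the expected grant exists at the node resource group scope; it cannot reveal roles the Service Principal holds elsewhere. As an added example, not part of the Arrikto guide, the script below takes the JSON form of the same listing widened to every scope (`az role assignment list --all --assignee ${SERVICE_PRINCIPAL_ID?} -o json`) and flags any assignment outside the node resource group or with a role other than Contributor. The scope, principal and sample assignments are constructed placeholders.

```python
"""Least-privilege check for the Cluster Autoscaler Service Principal.

Input: the JSON form of the guide's verification command, widened to all scopes:
    az role assignment list --all --assignee ${SERVICE_PRINCIPAL_ID?} -o json
Output: whether the Service Principal holds Contributor on the node resource
group and nothing broader. The samples below are constructed, not real output.
"""
import json

NODE_RG_SCOPE = "/subscriptions/<SUB>/resourceGroups/MC_example_example-cluster_eastus"

# Constructed sample: the expected Contributor grant plus an over-broad Owner
# grant at subscription scope, which the scoped check in the guide never shows.
OVERPRIVILEGED_SAMPLE = json.dumps([
    {"principalId": "<ID>", "roleDefinitionName": "Contributor", "scope": NODE_RG_SCOPE},
    {"principalId": "<ID>", "roleDefinitionName": "Owner", "scope": "/subscriptions/<SUB>"},
])

# Constructed sample: exactly what the guide's procedure should produce.
EXPECTED_SAMPLE = json.dumps([
    {"principalId": "<ID>", "roleDefinitionName": "Contributor", "scope": NODE_RG_SCOPE},
])


def check_autoscaler_sp(assignments_json, node_rg_scope=NODE_RG_SCOPE, role="Contributor"):
    """Return (ok, problems). ok is True only when `role` is assigned at exactly
    node_rg_scope and every other assignment is contained within that scope."""
    expected = node_rg_scope.lower()  # Azure scopes compare case-insensitively
    found_expected = False
    problems = []
    for a in json.loads(assignments_json):
        scope, name = a["scope"].lower(), a["roleDefinitionName"]
        if scope == expected and name == role:
            found_expected = True
        elif scope != expected and not scope.startswith(expected + "/"):
            # Scope is outside the node resource group: broader than the autoscaler needs.
            problems.append(f"{name} at {a['scope']} is outside the node resource group")
        elif name != role:
            problems.append(f"unexpected role {name} at {a['scope']}")
    if not found_expected:
        problems.append(f"{role} assignment at {node_rg_scope} is missing")
    return not problems, problems


if __name__ == "__main__":
    for label, sample in (("expected", EXPECTED_SAMPLE), ("overprivileged", OVERPRIVILEGED_SAMPLE)):
        ok, problems = check_autoscaler_sp(sample)
        print(label, "OK" if ok else "PROBLEMS:", *problems)
```

Feed it the real listing by replacing the constructed samples with the command's output; an empty list means the Contributor grant from the procedure above has not been created yet.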
Summary¶
You have successfully created a Service Principal for the Cluster Autoscaler on your AKS cluster.
What’s Next¶
The next step is to deploy the Cluster Autoscaler on your AKS cluster.