Create AKS Cluster

This section will guide you through creating an AKS cluster using the Azure portal or the Azure CLI. Once done, you will have an AKS cluster with:

  • One of the supported Kubernetes versions on AKS.
  • Azure CNI network configuration.
  • The control plane spread across all availability zones.
  • A system node pool with two nodes that will host critical system Pods.
  • Pod Identities enabled.

Procedure

  1. Switch to your management environment and specify the cluster name to use:

    root@rok-tools:~# export AKS_CLUSTER=arrikto-cluster
  2. Specify the Kubernetes cluster version. Choose one of the following options, among the supported Kubernetes versions (the variable name must match the one used by the az aks create command in step 6):

    root@rok-tools:~# export AKS_CLUSTER_VERSION=1.24.9
    root@rok-tools:~# export AKS_CLUSTER_VERSION=1.23.8
  3. Specify the number of nodes:

    root@rok-tools:~# export SNP_NODE_COUNT=2
  4. Specify the VM size:

    root@rok-tools:~# export SNP_VM_SIZE=Standard_DS2_v2
  5. Specify the zones in which to deploy the cluster:

    root@rok-tools:~# export SNP_ZONES="1 2 3"
  6. Create the AKS cluster:

    root@rok-tools:~# az aks create \
    > --subscription ${SUBSCRIPTION_ID?} \
    > --resource-group ${AZ_RESOURCE_GROUP?} \
    > --name ${AKS_CLUSTER?} \
    > --location ${AZURE_DEFAULTS_LOCATION?} \
    > --zones ${SNP_ZONES?} \
    > --kubernetes-version ${AKS_CLUSTER_VERSION?} \
    > --node-vm-size ${SNP_VM_SIZE?} \
    > --node-count ${SNP_NODE_COUNT?} \
    > --nodepool-name agentpool \
    > --no-ssh-key
    {
      ...
      "agentPoolProfiles": [
        {
          "availabilityZones": [
            "1",
            "2",
            "3"
          ],
          "count": 2,
          "enableAutoScaling": null,
          ...
          "mode": "System",
          "name": "agentpool",
          ...
          "orchestratorVersion": "1.24.9",
          ...
          "osSku": "Ubuntu",
          "osType": "Linux",
          ...
          "provisioningState": "Succeeded",
          ...
          "vmSize": "Standard_DS2_v2",
          ...
        }
      ],
      ...
      "kubernetesVersion": "1.24.9",
      ...
      "location": "eastus",
      ...
      "name": "arrikto-cluster",
      "networkProfile": {
        ...
        "networkMode": null,
        "networkPlugin": "azure",
        ...
      },
      ...
      "provisioningState": "Succeeded",
      "resourceGroup": "arrikto",
      "servicePrincipalProfile": {
        "clientId": "msi",
        "secret": null
      },
      ...
    }

    Troubleshooting

    The specified orchestrator version is not supported

    1. List the available Kubernetes versions:

      root@rok-tools:~# az aks get-versions --location ${AZURE_DEFAULTS_LOCATION} -o table
      KubernetesVersion    Upgrades
      -------------------  ------------------------
      1.24.6               None available
      1.24.3               1.24.6
      1.23.12              1.24.3, 1.24.6
      1.23.8               1.23.12, 1.24.3, 1.24.6
      1.22.15              1.23.8, 1.23.12
      1.22.11              1.22.15, 1.23.8, 1.23.12
    2. Go back to step 2 and select the latest supported patch version of your Kubernetes version.

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/write' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to create an AKS cluster.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to create the AKS cluster for you.

  7. Taint the system node pool so that application Pods are scheduled only on the user node pool that you will create afterwards:

    root@rok-tools:~# az aks nodepool update \
    > --resource-group ${AZ_RESOURCE_GROUP?} \
    > --cluster-name ${AKS_CLUSTER?} \
    > --name agentpool \
    > --node-taints CriticalAddonsOnly=true:NoSchedule
    ...
    "nodeTaints": [
      "CriticalAddonsOnly=true:NoSchedule"
    ],

Verify

  1. From inside your management environment, ensure that the AKS cluster exists and that ProvisioningState is Succeeded:

    root@rok-tools:~# az aks show -o table \
    > --resource-group ${AZ_RESOURCE_GROUP?} \
    > --name ${AKS_CLUSTER?}
    Name             Location    ResourceGroup    KubernetesVersion    ProvisioningState    Fqdn
    ---------------  ----------  ---------------  -------------------  -------------------  -------------------------------------------------
    arrikto-cluster  eastus      arrikto          1.24.9               Succeeded            arrikto-cluster-dns-e5ab9967.hcp.eastus.azmk8s.io

    Troubleshooting

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to retrieve an AKS cluster.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

  2. Ensure that managed identities are enabled in your AKS cluster by verifying that the Service Principal’s clientId is equal to msi:

    root@rok-tools:~# az aks show \
    > --resource-group ${AZ_RESOURCE_GROUP?} \
    > --name ${AKS_CLUSTER?} \
    > --query "servicePrincipalProfile"
    {
      "clientId": "msi"
    }

    Troubleshooting

    The client ID is a UUID

    If the output of the above command looks like the following:

    {
      "clientId": "baee89f9-59f1-4c37-8147-221a373fcf7a"
    }

    then managed identities are disabled in your AKS cluster. You can enable managed identities in your AKS cluster as follows:

    1. Update your AKS cluster (i.e., the control plane and addon Pods) to work with managed identities:

      root@rok-tools:~# az aks update \
      > --resource-group ${AZ_RESOURCE_GROUP?} \
      > --name ${AKS_CLUSTER?} \
      > --enable-managed-identity

      Troubleshooting

      The command failed with an authorization error

      If the above command fails with an error message similar to the following:

      (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/write' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

      it means that your identity does not have sufficient permissions to update an AKS cluster.

      To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to enable managed identities in your cluster for you.

    2. Upgrade your system node pool so that the kubelet component uses the managed identity:

      root@rok-tools:~# az aks nodepool upgrade \
      > --resource-group ${AZ_RESOURCE_GROUP?} \
      > --cluster-name ${AKS_CLUSTER?} \
      > --name agentpool \
      > --node-image-only

      Troubleshooting

      The command failed with an authorization error

      If the above command fails with an error message similar to the following:

      (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster/agentPools/agentpool' or the scope is invalid. If access was recently granted, please refresh your credentials.

      it means that your identity does not have sufficient permissions to upgrade a node pool.

      To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has Owner permissions. If you only have Reader permissions, contact your administrator to grant Owner permissions to your identity or to upgrade the node pool for you.

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to retrieve an AKS cluster.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.

  3. Ensure that the cluster uses the default Kubenet networking. Verify that the network plugin of the cluster is equal to kubenet:

    root@rok-tools:~# az aks show \
    > --name ${AKS_CLUSTER?} \
    > --resource-group ${AZ_RESOURCE_GROUP?} \
    > --query networkProfile.networkPlugin
    "kubenet"

    Troubleshooting

    The command failed with an authorization error

    If the above command fails with an error message similar to the following:

    (AuthorizationFailed) The client '0c799e27-a84f-41a2-a02b-236af002af99' with object id '0c799e27-a84f-41a2-a02b-236af002af99' does not have authorization to perform action 'Microsoft.ContainerService/managedClusters/read' over scope '/subscriptions/3b63afce-113a-4798-a303-f37dada04319/resourceGroups/arrikto/providers/Microsoft.ContainerService/managedClusters/arrikto-cluster' or the scope is invalid. If access was recently granted, please refresh your credentials.

    it means that your identity does not have sufficient permissions to retrieve an AKS cluster.

    To proceed, make sure you have followed the Configure Azure CLI section to configure your Azure CLI with an identity that has either Owner or Reader permissions. If you do not have the required permissions, contact your administrator to grant them to your identity.
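The three Verify steps above, plus the taint from step 7 of the procedure, can be checked in one pass over the JSON that `az aks show -o json` prints. The script below is an added example, not part of the original guide or the Arrikto tooling; the script name `verify_aks.py`, the constructed `SAMPLE_OK` document and the choice to pass the expected network plugin as a command-line argument are all assumptions.

```python
"""Check `az aks show -o json` output against the properties this guide expects.
Constructed example, not part of the original guide. Pass the expected network plugin:
    az aks show -g "$AZ_RESOURCE_GROUP" -n "$AKS_CLUSTER" -o json | python3 verify_aks.py azure
"""
import json
import sys

SYSTEM_TAINT = "CriticalAddonsOnly=true:NoSchedule"


def verify_aks(cluster, expected_plugin, zones=("1", "2", "3"), node_count=2):
    """Return a list of problems found; an empty list means every check passed."""
    problems = []
    if cluster.get("provisioningState") != "Succeeded":
        problems.append("provisioningState is %r, not Succeeded" % cluster.get("provisioningState"))
    # Managed identities are on only when clientId is the literal "msi"; a UUID here means
    # the cluster still authenticates with a service principal (Verify step 2 troubleshooting).
    client_id = (cluster.get("servicePrincipalProfile") or {}).get("clientId")
    if client_id != "msi":
        problems.append("managed identities disabled: clientId is %r" % client_id)
    plugin = (cluster.get("networkProfile") or {}).get("networkPlugin")
    if plugin != expected_plugin:
        problems.append("networkPlugin is %r, expected %r" % (plugin, expected_plugin))
    system_pools = [p for p in cluster.get("agentPoolProfiles", []) if p.get("mode") == "System"]
    if not system_pools:
        problems.append("no system node pool found")
    for pool in system_pools:
        name = pool.get("name")
        if sorted(pool.get("availabilityZones") or []) != sorted(zones):
            problems.append("pool %s zones %r, expected %r" % (name, pool.get("availabilityZones"), sorted(zones)))
        if pool.get("count") != node_count:
            problems.append("pool %s has %r nodes, expected %d" % (name, pool.get("count"), node_count))
        if SYSTEM_TAINT not in (pool.get("nodeTaints") or []):
            problems.append("pool %s lacks taint %s, application Pods may land on it" % (name, SYSTEM_TAINT))
    return problems


# Constructed sample mirroring the fields shown in this guide's create and update output.
SAMPLE_OK = {
    "name": "arrikto-cluster", "provisioningState": "Succeeded", "kubernetesVersion": "1.24.9",
    "networkProfile": {"networkPlugin": "azure"},
    "servicePrincipalProfile": {"clientId": "msi", "secret": None},
    "agentPoolProfiles": [{"name": "agentpool", "mode": "System", "count": 2,
                           "availabilityZones": ["1", "2", "3"], "nodeTaints": [SYSTEM_TAINT]}],
}

if __name__ == "__main__":
    data = SAMPLE_OK if sys.stdin.isatty() else json.load(sys.stdin)
    found = verify_aks(data, expected_plugin=sys.argv[1] if len(sys.argv) > 1 else "azure")
    print("\n".join(found) or "all checks passed")
    sys.exit(1 if found else 0)
```

Run without piped input to exercise the embedded sample; a non-zero exit status means at least one property differs from what the guide expects.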

Summary

You have successfully created your AKS cluster.

What’s Next

The next step is to get access to your AKS cluster.