Create AKS Cluster

This section will guide you through creating an AKS cluster using the Azure portal or the Azure CLI. Once done you will have an AKS cluster with:

  • Kubernetes 1.19.
  • Azure CNI network configuration.
  • The control plane spread on all availability zones.
  • A system node pool with two nodes that will host critical system pods.
  • Pod Identities enabled.

What You'll Need

Procedure

  1. Switch to your management environment and specify the cluster name to use:

    root@rok-tools:~# export AKS_CLUSTER=arrikto-cluster
    
  2. Create the AKS cluster. Choose one of the following options, based on how you are managing your Azure resources.

    Option 1: Azure portal

    1. Sign in to the Azure portal.

    2. Click Create a resource and search for Kubernetes service.

    3. Click Create.

    4. For Project details:

      • Set Subscription to your desired subscription.
      • Set Resource group to arrikto, the resource group you previously created.

      For Cluster details:

      • Set Kubernetes cluster name to arrikto-cluster.
      • Set Region to your desired region.
      • Set Availability zones to Zones 1,2,3. Select all zones to ensure your cluster operates reliably. Your control plane and the primary node pool will be spread across these zones.
      • Set Kubernetes version to the latest 1.19 available, 1.19.11.

      For Primary node pool:

      • Set Node size to Standard DS2 v2 (the default one).
      • Set Node count to 2.

      [Screenshot: cluster-details.png]

    5. Click Next: Node pools.

    6. Keep the default options.

    7. Click Next: Authentication.

    8. Keep the default options.

    9. Click Next: Networking.

    10. Set Network configuration to Azure CNI, since Kubenet does not support Pod identities. Keep the defaults for the remaining options.

      [Screenshot: cluster-networking.png]

    11. Click Review + create and Create.

    12. Wait for Azure to provision your cluster.

    Option 2: Azure CLI

    1. Specify the number of nodes:

      root@rok-tools:~# export SNP_NODE_COUNT=2
      
    2. Specify the VM size:

      root@rok-tools:~# export SNP_VM_SIZE=Standard_DS2_v2
      
    3. Specify the zones in which to deploy the cluster:

      root@rok-tools:~# export SNP_ZONES="1 2 3"
      
    4. Create the AKS cluster:

      root@rok-tools:~# az aks create \
      >    --subscription ${SUBSCRIPTION_ID?} \
      >    --resource-group ${AZ_RESOURCE_GROUP?} \
      >    --name ${AKS_CLUSTER?} \
      >    --location ${AZURE_DEFAULTS_LOCATION?} \
      >    --zones ${SNP_ZONES?} \
      >    --kubernetes-version 1.19.11 \
      >    --node-vm-size ${SNP_VM_SIZE?} \
      >    --node-count ${SNP_NODE_COUNT?} \
      >    --nodepool-name agentpool \
      >    --network-plugin azure \
      >    --generate-ssh-keys
      {
        ...
        "agentPoolProfiles": [
          {
            "availabilityZones": [
              "1",
              "2",
              "3"
            ],
            "count": 2,
            "enableAutoScaling": null,
            ...
            "mode": "System",
            "name": "agentpool",
            ...
            "orchestratorVersion": "1.19.11",
            ...
            "osSku": "Ubuntu",
            "osType": "Linux",
            ...
            "provisioningState": "Succeeded",
            ...
            "vmSize": "Standard_DS2_v2",
            ...
          }
        ],
        ...
        "kubernetesVersion": "1.19.11",
        ...
        "location": "eastus",
        ...
        "name": "arrikto-cluster",
        "networkProfile": {
          ...
          "networkMode": null,
          "networkPlugin": "azure",
          ...
        },
        ...
        "provisioningState": "Succeeded",
        "resourceGroup": "arrikto",
        "servicePrincipalProfile": {
          "clientId": "msi",
          "secret": null
        },
        ...
      }
      

Verify

  1. From inside your management environment, ensure that the AKS cluster exists and that ProvisioningState is Succeeded:

    root@rok-tools:~# az aks show -o table \
    >    --resource-group ${AZ_RESOURCE_GROUP?} \
    >    --name ${AKS_CLUSTER?}
    Name             Location    ResourceGroup    KubernetesVersion    ProvisioningState    Fqdn
    ---------------  ----------  ---------------  -------------------  -------------------  -------------------------------------------------
    arrikto-cluster  eastus      arrikto          1.19.11              Succeeded            arrikto-cluster-dns-e5ab9967.hcp.eastus.azmk8s.io
    
  2. Ensure that managed identities are enabled in your AKS cluster by verifying that the Service Principal's clientId is equal to msi:

    root@rok-tools:~# az aks show \
    >    --resource-group ${AZ_RESOURCE_GROUP?} \
    >    --name ${AKS_CLUSTER?} \
    >    --query "servicePrincipalProfile"
    {
      "clientId": "msi"
    }
    

    Troubleshooting

    The client ID is a UUID

    If the output of the above command looks like the following:

    {
      "clientId": "baee89f9-59f1-4c37-8147-221a373fcf7a"
    }
    

    then managed identities are disabled in your AKS cluster. You can enable managed identities in your AKS cluster as follows:

    1. Update your AKS cluster (i.e., the control plane and addon Pods) to work with managed identities:

      root@rok-tools:~# az aks update \
      >    --resource-group ${AZ_RESOURCE_GROUP?} \
      >    --name ${AKS_CLUSTER?} \
      >    --enable-managed-identity
      
    2. Upgrade your system node pool so that the kubelet component uses the managed identity:

      root@rok-tools:~# az aks nodepool upgrade \
      >    --resource-group ${AZ_RESOURCE_GROUP?} \
      >    --cluster-name ${AKS_CLUSTER?} \
      >    --name agentpool \
      >    --node-image-only
      
  3. Ensure that Azure CNI is enabled in the cluster by verifying that the network plugin name is equal to azure:

    root@rok-tools:~# az aks show \
    >    --name ${AKS_CLUSTER?} \
    >    --resource-group ${AZ_RESOURCE_GROUP?} \
    >    --query networkProfile.networkPlugin
    "azure"
    
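The three Verify steps above, together with the cluster properties the CLI procedure sets (zones, node count, Kubernetes version, Azure CNI, managed identity), can be checked in one pass over the JSON that `az aks show` prints. The script below is an added example, not part of this guide or of rok-tools; it reads the field names from the `az aks show` output quoted on this page, and the embedded sample cluster is constructed. Pipe real output to it with `az aks show --resource-group ... --name ... | python3 check_aks.py -`, or run it without arguments to check the sample.

```python
"""Validate an AKS cluster description against the configuration this
guide creates. Feed it the JSON printed by `az aks show` on stdin, or run
it with no arguments to check the constructed sample below.

Added example; not part of the original guide or of rok-tools. The field
names follow the `az aks show` output quoted on the page; the sample is
constructed and trimmed to the fields the checks read.
"""
import json
import sys

EXPECTED_ZONES = ["1", "2", "3"]      # control plane and system pool in all zones
EXPECTED_K8S_MINOR = "1.19"           # the guide pins the latest 1.19 release
EXPECTED_NODE_COUNT = 2               # system node pool size

# Constructed sample mirroring the shape of the page's `az aks create` output.
SAMPLE_CLUSTER = json.loads("""
{
  "agentPoolProfiles": [
    {
      "availabilityZones": ["1", "2", "3"],
      "count": 2,
      "mode": "System",
      "name": "agentpool",
      "orchestratorVersion": "1.19.11",
      "provisioningState": "Succeeded",
      "vmSize": "Standard_DS2_v2"
    }
  ],
  "kubernetesVersion": "1.19.11",
  "name": "arrikto-cluster",
  "networkProfile": {"networkPlugin": "azure"},
  "provisioningState": "Succeeded",
  "servicePrincipalProfile": {"clientId": "msi", "secret": null}
}
""")


def check_cluster(cluster):
    """Return a list of problems found; an empty list means the cluster
    matches every property the guide's Verify section checks."""
    problems = []

    state = cluster.get("provisioningState")
    if state != "Succeeded":
        problems.append("provisioningState is %r, expected 'Succeeded'" % state)

    version = cluster.get("kubernetesVersion") or ""
    if not version.startswith(EXPECTED_K8S_MINOR + "."):
        problems.append("kubernetesVersion %r is not a %s.x release"
                        % (version, EXPECTED_K8S_MINOR))

    # Pod Identities need Azure CNI; a kubenet cluster fails this check.
    plugin = (cluster.get("networkProfile") or {}).get("networkPlugin")
    if plugin != "azure":
        problems.append("networkPlugin is %r, expected 'azure' (Azure CNI)" % plugin)

    # 'msi' means the cluster uses a managed identity; a UUID here means a
    # service principal (with a stored secret) is still in use.
    client_id = (cluster.get("servicePrincipalProfile") or {}).get("clientId")
    if client_id != "msi":
        problems.append("servicePrincipalProfile.clientId is %r, not 'msi': "
                        "managed identity is disabled" % client_id)

    system_pools = [p for p in cluster.get("agentPoolProfiles") or []
                    if p.get("mode") == "System"]
    if not system_pools:
        problems.append("no System-mode node pool found")
    for pool in system_pools:
        name = pool.get("name")
        zones = sorted(pool.get("availabilityZones") or [])
        if zones != EXPECTED_ZONES:
            problems.append("system pool %r spans zones %s, expected %s"
                            % (name, zones, EXPECTED_ZONES))
        if pool.get("count") != EXPECTED_NODE_COUNT:
            problems.append("system pool %r has %r nodes, expected %d"
                            % (name, pool.get("count"), EXPECTED_NODE_COUNT))
        if pool.get("provisioningState") != "Succeeded":
            problems.append("system pool %r provisioningState is %r"
                            % (name, pool.get("provisioningState")))
    return problems


def main(argv):
    """Read `az aks show` JSON from stdin when '-' is given, else use the sample."""
    cluster = json.load(sys.stdin) if argv[1:] == ["-"] else SAMPLE_CLUSTER
    problems = check_cluster(cluster)
    for problem in problems:
        print("FAIL:", problem)
    if not problems:
        print("OK: %s matches the expected configuration" % cluster.get("name"))
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The managed-identity check is the one worth keeping in a pipeline: a UUID in `servicePrincipalProfile.clientId` means the cluster still authenticates to Azure with a service principal secret, which is exactly the condition the Troubleshooting steps above repair with `az aks update --enable-managed-identity` followed by the node pool upgrade.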

Summary

You have successfully created your AKS cluster.

What's Next

The next step is to get access to your AKS cluster.