Azure AKS (Kubernetes)

Instructions for adding Azure AKS Clusters to InsightCloudSec

InsightCloudSec is pleased to include support for Azure AKS Kubernetes (K8s). This page includes instructions for adding one or more Azure AKS clusters to InsightCloudSec using the steps detailed below.

Prerequisites

Before you can complete this setup, you will need to ensure you have the following:

  • A functioning InsightCloudSec platform
  • InsightCloudSec admin permissions
  • Azure CLI installed and configured
  • Jq JSON processor installed
  • AKS Cluster created and configured in Azure

Note: While some steps or files may reference DivvyCloud vs. InsightCloudSec,
the capabilities and functionality are the same.

For questions or concerns, reach out to us through the Customer Support Portal.

Files Required for Setup

Before getting started with the setup steps, copy the four files provided below to the same directory.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  labels:
  name: divvycloud-ro-role
  namespace: default
rules:
- apiGroups:
  - ""
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources: ["*"]
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources: ["pods/portforward"]
  verbs:
  - create
apiVersion: v1
kind: ServiceAccount
metadata:
  name: divvycloud-ro-sa
  namespace: default
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: divvycloud-ro-sa-binding
subjects:
- kind: ServiceAccount
  name: divvycloud-ro-sa
  namespace: default
roleRef:
  kind: ClusterRole
  name: divvycloud-ro-role
  apiGroup: rbac.authorization.k8s.io
#!/bin/bash
set -e
set -o pipefail

# Add user to k8s using service account, no RBAC (must create RBAC after this script)
if [[ -z "$1" ]] || [[ -z "$2" ]]; then
 echo "usage: $0 <service_account_name> <namespace>"
 exit 1
fi

SERVICE_ACCOUNT_NAME=$1
NAMESPACE="$2"
KUBECFG_FILE_NAME="/tmp/kube/k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf"
TARGET_FOLDER="/tmp/kube"

mkdir $TARGET_FOLDER

create_target_folder() {
    echo -n "Creating target directory to hold files in ${TARGET_FOLDER}..."
    mkdir -p "${TARGET_FOLDER}"
    printf "done"
}

create_service_account() {
    echo -e "\\nCreating a service account in ${NAMESPACE} namespace: ${SERVICE_ACCOUNT_NAME}"
    kubectl create sa "${SERVICE_ACCOUNT_NAME}" --namespace "${NAMESPACE}"
}

get_secret_name_from_service_account() {
    echo -e "\\nGetting secret of service account ${SERVICE_ACCOUNT_NAME} on ${NAMESPACE}"
    SECRET_NAME=$(kubectl get sa "${SERVICE_ACCOUNT_NAME}" --namespace="${NAMESPACE}" -o json | jq -r .secrets[].name)
    echo "Secret name: ${SECRET_NAME}"
}

extract_ca_crt_from_secret() {
    echo -e -n "\\nExtracting ca.crt from secret..."
    kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq \
    -r '.data["ca.crt"]' | base64 -D > "${TARGET_FOLDER}/ca.crt"
    printf "done"
}

get_user_token_from_secret() {
    echo -e -n "\\nGetting user token from secret..."
    USER_TOKEN=$(kubectl get secret --namespace "${NAMESPACE}" "${SECRET_NAME}" -o json | jq -r '.data["token"]' | base64 -D)
    printf "done"
}

set_kube_config_values() {
    context=$(kubectl config current-context)
    echo -e "\\nSetting current context to: $context"

    CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
    echo "Cluster name: ${CLUSTER_NAME}"

    ENDPOINT=$(kubectl config view \
    -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
    echo "Endpoint: ${ENDPOINT}"

    # Set up the config
    echo -e "\\nPreparing k8s-${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-conf"
    echo -n "Setting a cluster entry in kubeconfig..."
    kubectl config set-cluster "${CLUSTER_NAME}" \
    --kubeconfig="${KUBECFG_FILE_NAME}" \
    --server="${ENDPOINT}" \
    --certificate-authority="${TARGET_FOLDER}/ca.crt" \
    --embed-certs=true

    echo -n "Setting token credentials entry in kubeconfig..."
    kubectl config set-credentials \
    "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
    --kubeconfig="${KUBECFG_FILE_NAME}" \
    --token="${USER_TOKEN}"

    echo -n "Setting a context entry in kubeconfig..."
    kubectl config set-context \
    "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
    --kubeconfig="${KUBECFG_FILE_NAME}" \
    --cluster="${CLUSTER_NAME}" \
    --user="${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
    --namespace="${NAMESPACE}"

    echo -n "Setting the current-context in the kubeconfig file..."
    kubectl config use-context "${SERVICE_ACCOUNT_NAME}-${NAMESPACE}-${CLUSTER_NAME}" \
    --kubeconfig="${KUBECFG_FILE_NAME}"
}

#create_target_folder
#create_service_account
get_secret_name_from_service_account
extract_ca_crt_from_secret
get_user_token_from_secret
set_kube_config_values

echo -e "\\nAll done! Test with:"
echo "KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods"
echo "you should not have any permissions by default - you have just created the authentication part"
echo "You will need to create RBAC permissions"
KUBECONFIG=${KUBECFG_FILE_NAME} kubectl get pods

Steps for Azure AKS Setup

These steps assume you have downloaded the files supplied above.

1. Connect to AKS cluster using the Azure CLI and the follwoing command:

  • az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

2. Navigate to the directory where you extracted the files and run the following commands:

  • kubectl apply -f 1-role-ro.yaml
  • kubectl apply -f 2-readonly-sa.yaml
  • kubectl apply -f 3-bind-sa-to-role.yaml
  • ./4-generate_config.sh divvycloud-ro-sa

Running the commands above will generate a file named k8s-divvycloud-ro-sa-default-conf in the directory /tmp/kube.

3. You can verify the configuration above by running the following command to get information from the cluster using the generated credentials:

  • KUBECONFIG=/tmp/kube/k8s-divvycloud-ro-sa-default-conf kubectl get pods

Assuming this command works, open the associated file and copy/save the contents (you will need these details for completing the setup in InsightCloudSec).

Steps for Setup in InsightCloudSec

From your InsightCloudSec platform you will need to complete the following steps to finalize the setup.

1. Navigate "Cloud --> Clouds" on the main navigation and click the "Add Cloud" button.

2. Select Kubernetes to open the form to add your configuration.

3. Enter your Kubernetes Information:

  • Provide a Nickname for your Cloud Account.
  • Paste in Kubernetes your configuration from the previous steps. Note: configuration must be in YAML format.

4. Click "Add Cloud" to complete the setup.


Did this page help you?