This topic describes how to create managed identities for VMware Tanzu Kubernetes Grid Integrated Edition on Azure.
In order for Kubernetes to create load balancers and attach persistent disks to pods, you must create managed identities with sufficient permissions.
You need separate managed identities for the Kubernetes cluster control plane VMs and for the worker node VMs. VMware recommends giving each identity only the least permissive privileges it needs and its own unique credentials, rather than sharing one identity between the two roles.
To perform the procedures in this topic, you must have your Azure Subscription ID and the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.
Note: If you do not know your Subscription ID or Resource Group name, you specified both when completing the steps in Step 1: Create Network Resources in Deploying Ops Manager on Azure Manually.
Perform the following steps to create the managed identity for the control plane nodes:
Create a role definition using the following template:
{
  "Name": "TKGI control plane",
  "IsCustom": true,
  "Description": "Permissions for TKGI control plane",
  "Actions": [
    "Microsoft.Network/*",
    "Microsoft.Compute/disks/*",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Storage/storageAccounts/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
  ]
}
Where:
SUBSCRIPTION-ID is your Subscription ID.
RESOURCE-GROUP is the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.
AssignableScopes only limits where this role definition can be assigned; the identity receives these permissions at the scope you pick when the role is assigned to it, so assign it at the resource group rather than at the subscription. Note also that a wildcard such as Microsoft.Storage/storageAccounts/* covers every action under that provider path, including Microsoft.Storage/storageAccounts/listKeys/action, so the identity can read storage account keys within that scope.
For more information about custom roles in Azure, see Custom Roles in Azure in the Azure documentation.
Save your template as tkgi_master_role.json.
To log in, run the following command with the Azure CLI:
az login
To authenticate, open the URL in the command output in a browser, enter the code shown, and select your account.
Create the role in Azure by running the following command from the directory that contains tkgi_master_role.json:
az role definition create --role-definition tkgi_master_role.json
Create a managed identity by running the following command:
az identity create -g RESOURCE-GROUP -n tkgi-master
Where RESOURCE-GROUP is the name of your Tanzu Kubernetes Grid Integrated Edition resource group.
For more information about managed identities, see Create a user-assigned managed identity in the Azure documentation.
Note: The TKGI control plane custom role created above is less permissive than the built-in roles provided by Azure. However, if you want to use the built-in roles instead of the recommended custom role, you can select the following three built-in roles in Azure: Storage Account Contributor, Network Contributor, and Virtual Machine Contributor.
Perform the following steps to create the managed identity for the worker nodes:
Create a role definition using the following template:
{
  "Name": "TKGI worker",
  "IsCustom": true,
  "Description": "Permissions for TKGI worker",
  "Actions": [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Storage/storageAccounts/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
  ]
}
Where:
SUBSCRIPTION-ID is your Subscription ID.
RESOURCE-GROUP is the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.
Save your template as tkgi_worker_role.json.
Create the role in Azure by running the following command from the directory that contains tkgi_worker_role.json:
az role definition create --role-definition tkgi_worker_role.json
Create a managed identity by running the following command:
az identity create -g RESOURCE-GROUP -n tkgi-worker
Where RESOURCE-GROUP is the name of your Tanzu Kubernetes Grid Integrated Edition resource group.
Note: The TKGI worker custom role created above is less permissive than the built-in roles provided by Azure. However, if you want to use the built-in roles instead of the recommended custom role, you can select the Storage Account Contributor built-in role in Azure.
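The control plane and worker procedures above are the same steps with different role templates, and neither shows the identity actually being bound to its role. The script below is an added example, not part of the TKGI documentation or of the Azure CLI project: it fills the SUBSCRIPTION-ID and RESOURCE-GROUP placeholders, writes both role templates, creates the roles and identities, assigns each identity its role at resource-group scope, and lists what each identity ends up holding. It assumes the Azure CLI is installed and already logged in with az login; the function names and the tkgi_identities.sh file name are the example's own, while the role names, identity names and template file names come from the page.

```shell
#!/bin/sh
# Added example, not from the TKGI docs or the Azure CLI project.
# Usage: sh tkgi_identities.sh SUBSCRIPTION-ID RESOURCE-GROUP
# Assumes: az is installed and `az login` has been run. Only the role names
# ("TKGI control plane", "TKGI worker"), identity names (tkgi-master,
# tkgi-worker) and template file names come from the page; everything else
# (function names, checks) is this example's own.
set -e

# Subscription IDs are GUIDs; reject a pasted display name or stray
# whitespace before it lands in AssignableScopes.
valid_subscription_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# One scope string, reused for AssignableScopes and for the role assignment.
build_scope() {
    printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Render a role definition with the placeholders filled in.
# $1 = role name, $2 = scope, $3.. = Actions (one per argument)
render_role() {
    role_name=$1; role_scope=$2; shift 2
    actions=""
    for a in "$@"; do
        actions="${actions:+$actions, }\"$a\""
    done
    printf '{"Name": "%s", "IsCustom": true, "Description": "Permissions for %s", "Actions": [%s], "NotActions": [], "DataActions": [], "NotDataActions": [], "AssignableScopes": ["%s"]}\n' \
        "$role_name" "$role_name" "$actions" "$role_scope"
}

# Create the role (only if it does not exist yet, since create is not
# idempotent), create the identity, and bind the two at resource-group scope.
# AssignableScopes in the JSON does not do this binding; the assignment does.
provision_identity() {
    role=$1; role_file=$2; identity_name=$3; rg=$4; assign_scope=$5
    if [ -z "$(az role definition list --name "$role" --query '[0].roleName' -o tsv)" ]; then
        az role definition create --role-definition "$role_file" >/dev/null
    fi
    az identity create -g "$rg" -n "$identity_name" >/dev/null
    principal_id=$(az identity show -g "$rg" -n "$identity_name" --query principalId -o tsv)
    az role assignment create \
        --assignee-object-id "$principal_id" \
        --assignee-principal-type ServicePrincipal \
        --role "$role" \
        --scope "$assign_scope" >/dev/null
    # Check: everything this identity holds at this scope should be its one custom role.
    az role assignment list --assignee "$principal_id" --scope "$assign_scope" \
        --query '[].{role:roleDefinitionName, scope:scope}' -o table
}

main() {
    sub=$1; rg=$2
    valid_subscription_id "$sub" || { echo "not a subscription GUID: $sub" >&2; exit 1; }
    scope=$(build_scope "$sub" "$rg")
    render_role "TKGI control plane" "$scope" \
        "Microsoft.Network/*" \
        "Microsoft.Compute/disks/*" \
        "Microsoft.Compute/virtualMachines/write" \
        "Microsoft.Compute/virtualMachines/read" \
        "Microsoft.Storage/storageAccounts/*" > tkgi_master_role.json
    render_role "TKGI worker" "$scope" \
        "Microsoft.Compute/virtualMachines/read" \
        "Microsoft.Storage/storageAccounts/*" > tkgi_worker_role.json
    provision_identity "TKGI control plane" tkgi_master_role.json tkgi-master "$rg" "$scope"
    provision_identity "TKGI worker" tkgi_worker_role.json tkgi-worker "$rg" "$scope"
}

# Only touch Azure when run with arguments; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The final az role assignment list call is the check worth keeping: each identity should show exactly one row, its own custom role, scoped to the resource group. A second row (for example a Contributor assignment inherited from a broader scope) means the least-privilege intent of the custom role is not what the VM actually runs with.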
To install and configure Tanzu Kubernetes Grid Integrated Edition, follow the instructions in Installing Tanzu Kubernetes Grid Integrated Edition on Azure.