Creating Managed Identities in Azure for Tanzu Kubernetes Grid Integrated Edition

This topic describes how to create managed identities for VMware Tanzu Kubernetes Grid Integrated Edition on Azure.

In order for Kubernetes to create load balancers and attach persistent disks to pods, you must create managed identities with sufficient permissions.

You need separate managed identities for the Kubernetes cluster control plane and worker node VMs. VMware recommends configuring each service account with the least permissive privileges and unique credentials.

Retrieve Your Subscription ID and Resource Group

To perform the procedures in this topic, you must have your Azure Subscription ID and the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.

If you do not know your Subscription ID or Resource Group:

Navigate to the Azure portal.
Click Resource groups.
Determine the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.
Determine the Subscription ID for your Tanzu Kubernetes Grid Integrated Edition Resource Group.

Note: You specified the Subscription ID to use and your Tanzu Kubernetes Grid Integrated Edition Resource Group name when completing the steps in Step 1: Create Network Resources in Deploying Ops Manager on Azure Manually.

Create the Control Plane Node Managed Identity

Perform the following steps to create the managed identity for the control plane nodes:

Create a role definition using the following template:

{
    "Name":  "TKGI control plane",
    "IsCustom":  true,
    "Description":  "Permissions for TKGI control plane",
    "Actions":  [
        "Microsoft.Network/*",
        "Microsoft.Compute/disks/*",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Storage/storageAccounts/*"
    ],
    "NotActions":  [

    ],
    "DataActions":  [

    ],
    "NotDataActions":  [

    ],
    "AssignableScopes":  [
      "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
    ]
}

Where:

SUBSCRIPTION-ID is your Subscription ID.
RESOURCE-GROUP is the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.

For more information about custom roles in Azure, see Custom Roles in Azure in the Azure documentation.

Save your template as tkgi_master_role.json.
To log in, run the following command with the Azure CLI:
```
az login
```
To authenticate, navigate to the URL in the output, enter the provided code, and click your account.
Create the role in Azure by running the following command from the directory with tkgi_master_role.json:
```
az role definition create --role-definition tkgi_master_role.json
```
Create a managed identity by running the following command:
```
az identity create -g RESOURCE-GROUP -n tkgi-master
```
Where RESOURCE-GROUP is the name of your Tanzu Kubernetes Grid Integrated Edition resource group.

For more information about managed identities, see Create a user-assigned managed identity in the Azure documentation.
Assign managed identity access to the Tanzu Kubernetes Grid Integrated Edition resource group by performing the following steps:
1. Navigate to the Azure Portal and log in.
2. Open the Tanzu Kubernetes Grid Integrated Edition resource group.
3. Click Access control (IAM) on the left panel.
4. Click Add role assignment.
5. On the Add role assignment page, enter the following configurations:
  1. For Assign access to, select User Assigned Managed Identity.
  2. For Role, select TKGI master.
  3. For Select, select the tkgi-master identity created above.

Note: The TKGI control plane custom role created above is less permissive than the built-in roles provided by Azure. However, if you want to use the built-in roles instead of the recommended custom role, you can select the following three built-in roles in Azure: Storage Account Contributor, Network Contributor, and Virtual Machine Contributor.

Create the Worker Node Managed Identity

Perform the following steps to create the managed identity for the worker nodes:

Create a role definition using the following template:

{
    "Name":  "TKGI worker",
    "IsCustom":  true,
    "Description":  "Permissions for TKGI worker",
    "Actions":  [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Storage/storageAccounts/*"
    ],
    "NotActions":  [

    ],
    "DataActions":  [

    ],
    "NotDataActions":  [

    ],
    "AssignableScopes":  [
      "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP"
    ]
}

Where:

SUBSCRIPTION-ID is your Subscription ID.
RESOURCE-GROUP is the name of your Tanzu Kubernetes Grid Integrated Edition Resource Group.

Save your template as tkgi_worker_role.json.
Create the role in Azure by running the following command from the directory with tkgi_worker_role.json:
```
az role definition create --role-definition tkgi_worker_role.json
```
Create a managed identity by running the following command:
```
az identity create -g RESOURCE-GROUP -n tkgi-worker
```
Where RESOURCE-GROUP is the name of your Tanzu Kubernetes Grid Integrated Edition resource group.
Assign managed identity access to the Tanzu Kubernetes Grid Integrated Edition resource group by performing the following steps:
1. Navigate to the Azure Portal and log in.
2. Open the Tanzu Kubernetes Grid Integrated Edition resource group.
3. Click Access control (IAM) on the left panel.
4. Click Add role assignment.
5. On the Add role assignment page, enter the following configurations:
  1. For Assign access to, select User Assigned Managed Identity.
  2. For Role, select TKGI worker.
  3. For Select, select the tkgi-worker identity created above.

Note: The TKGI worker custom role created above is less permissive than the built-in roles provided by Azure. However, if you want to use the built-in roles instead of the recommended custom role, you can select the Storage Account Contributor built-in role in Azure.

Next Installation Step

To install and configure Tanzu Kubernetes Grid Integrated Edition, follow the instructions in Installing Tanzu Kubernetes Grid Integrated Edition on Azure.