This topic explains how to prepare Microsoft Azure for running Tanzu Kubernetes Grid.

If you are installing Tanzu Kubernetes Grid on Azure VMware Solution (AVS), you are installing to a vSphere environment. See Preparing Azure VMware Solution on Microsoft Azure in Prepare a vSphere Management as a Service Infrastructure to prepare your environment, and Deploy Management Clusters to vSphere to deploy management clusters.

General Requirements

  • The Tanzu Kubernetes Grid CLI installed locally. See Install the Tanzu Kubernetes Grid CLI.
  • OpenSSL installed locally. See OpenSSL.
  • A Microsoft Azure account with:
    • Permissions required to register an app. See Permissions required for registering an app in the Azure documentation.
    • Sufficient VM core (vCPU) quotas for your clusters. A standard Azure account has a quota of 10 vCPU per region. Tanzu Kubernetes Grid clusters require 2 vCPU per node, which translates to:
      • Management cluster: 8 vCPU for prod plan (3 main nodes, 1 worker) 4 for dev (1 main, one worker)
      • Workoad clusters: 12 vCPU for prod plan (3 main nodes, 3 worker); 4 for dev (1 main, 1 worker)
  • Traffic is allowed between your local bootstrap machine and port 6443 of all VMs in the clusters you create. Port 6443 is where the Kubernetes API is exposed.
  • Traffic is allowed between your local bootstrap machine and the image repositories listed in the management cluster Bill of Materials (BoM) file, over port 443, for TCP.*

    • The BoM file is under ~/.tkg/bom/ and its name includes the Tanzu Kubernetes Grid version, for example bom-1.2.0+vmware.1.yaml for v1.2.0.
    • Run a DNS lookup on all imageRepository values to find their CNAMEs, for example registry.tkg.vmware.run requires network access to registry.tkg.vmware.run.bintray.com.
  • (Optional) A VNET with:

    • A subnet for the management cluster control plane node
    • A subnet for the management cluster worker nodes
    • A Network Security Group on the control plane subnet with the following inbound security rules, to enable SSH and Kubernetes API server connections:
      • Allow TCP over Port 22 for any source and destination
      • Allow TCP over Port 6443 for any source and destination

    If you do not use an existing VNET, the installation process creates a new one.

  • The Azure CLI installed locally. See Install the Azure CLI in the Microsoft Azure documentation.

*Or see Deploying Tanzu Kubernetes Grid in an Internet-Restricted Environment for installing without external network access.

Register a Tanzu Kubernetes Grid App on Azure

Tanzu Kubernetes Grid manages Azure resources as a registered application that accesses Azure via a service principal account. The following steps register your Tanzu Kubernetes Grid application with Azure Active Directory, create its service account, create a client secret for authenticating communications, and record information needed later to deploy a management cluster.

  1. Log into the Azure Portal.

  2. Record your Tenant ID by hovering over your account name at upper-right, or else browse to Azure Active Directory > <Your Azure Org> > Properties > Tenant ID. The value is a GUID, for example b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0.

  3. Browse to Active Directory > App registrations and click + New registration.

  4. Enter a display name for the app, such as tkg, and select who else can use it. You can leave the Redirect URI (optional) field blank.

  5. Click Register. This registers the app with Azure and also creates a service principal as described in How to: Use the portal to create an Azure AD application and service principal that can access resources in the Azure documentation.

  6. An overview pane for the app appears. Record its Application (client) ID value, which is a GUID.

  7. From the Azure Portal top level, browse to Subscriptions. At the bottom of the pane, select one of the subscriptions you have access to, and record its Subscription ID. Click the subscription listing to open its overview pane.

  8. Select to Access control (IAM) and click Add a role assignment.

  9. In the Add role assignment pane

    • Select the Owner role
    • Leave Assign access to selection as "Azure AD user, group, or service principal"
    • Under Select enter the name of your app, tkg. It appears underneath under Selected Members
  10. Click Save. A popup appears confirming that your app was added as an owner for your subscription.

  11. From the Azure Portal > Azure Active Directory > App Registrations, select your tkg app under Owned applications. The app overview pane opens.

  12. From Certificates & secrets > Client secrets click + New client secret.

  13. In the Add a client secret popup, enter a Description, choose an expiration period, and click Add.

  14. Azure lists the new secret with its generated value under Client Secrets. Record the value.

Accept the Base OS Image License

To run management cluster VMs on Azure, accept the license for their base Kubernetes version and machine OS.

  1. Sign in to the Azure CLI using the Client ID, Client Secret, and Tenant ID values recorded above:

    az login --service-principal --username $AZURE_CLIENT_ID --password $AZURE_CLIENT_SECRET --tenant $AZURE_TENANT_ID
    
  2. Record the management cluster image --plan value, which is based on the Kubernetes version and machine OS:

    • Tanzu Kubernetes Grid v1.2.0: k8s-1dot19dot1-ubuntu-1804
    • Tanzu Kubernetes Grid v1.2.1: k8s-1dot19dot3-ubuntu-1804
  3. Run the az vm image terms accept command, specifying the --plan and Subscription ID values recorded above:

    az vm image terms accept --publisher vmware-inc --offer tkg-capi --plan PLAN --subscription SUBSCRIPTION-ID
    

Once you have accepted this license, you can skip this step in the future.

Create an SSH Key Pair (Optional)

You deploy management clusters from a machine referred to as the bootstrap machine, using the Tanzu Kubernetes Grid CLI. To connect to Azure, the bootstrap machine must provide the public key part of an SSH key pair. If your bootstrap machine does not already have an SSH key pair, you can use a tool such as ssh-keygen to generate one.

  1. On your bootstrap machine, run the following ssh-keygen command.

    ssh-keygen -t rsa -b 4096 -C "email@example.com"

  2. At the prompt Enter file in which to save the key (/root/.ssh/id_rsa): press Enter to accept the default.
  3. Enter and repeat a password for the key pair.
  4. Add the private key to the SSH agent running on your machine, and enter the password you created in the previous step.

    ssh-add ~/.ssh/id_rsa
    
  5. Open the file .ssh/id_rsa.pub in a text editor so that you can easily copy and paste it when you deploy a management cluster.

What to Do Next

Your environment is now ready for you to deploy the management cluster to Azure.

check-circle-line exclamation-circle-line close-line
Scroll to top icon