Is it possible to update Azure AKS SPN credentials via Ansible workflow? - azure

We are trying to automate the SPN renewal process for multiple AKS clusters. Basically we want to change SPN client-id and secret.
This is the command to update SPN in an AKS cluster (via Azure CLI)
az aks update-credentials \
--resource-group "resource_group_name" \
--name "aks_cluster_name" \
--reset-service-principal \
--service-principal "your_spn_id_here" \
--client-secret "your_spn_secret_here"
We tried to replicate this in an Ansible workflow but could not come up with a solution after looking at the Ansible Azure Collection.
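One way to drive the same Azure CLI call from Ansible, as an added example that is not part of the question and not a module from the Ansible Azure Collection: wrap `az aks update-credentials` in `ansible.builtin.command`, loop it over a list of clusters, and keep the secret out of the logs with `no_log`. The cluster names and the `NEW_SPN_CLIENT_ID` / `NEW_SPN_CLIENT_SECRET` environment variables below are constructed placeholders; the playbook assumes the Azure CLI is installed and already logged in on the control node.

```yaml
# Added example: rotate the service principal on several AKS clusters by
# wrapping `az aks update-credentials` in an Ansible playbook.
# Assumptions: Azure CLI installed and logged in on the control node; the
# new credentials are supplied through the (hypothetical) environment
# variables NEW_SPN_CLIENT_ID and NEW_SPN_CLIENT_SECRET, or an Ansible Vault.
- name: Rotate AKS service principal credentials
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Constructed sample inventory of clusters to rotate.
    aks_clusters:
      - { resource_group: rg-prod-eu, name: aks-prod-eu }
      - { resource_group: rg-prod-us, name: aks-prod-us }
    # Never hard-code the new credentials in the playbook.
    new_spn_client_id: "{{ lookup('env', 'NEW_SPN_CLIENT_ID') }}"
    new_spn_client_secret: "{{ lookup('env', 'NEW_SPN_CLIENT_SECRET') }}"
  tasks:
    - name: Refuse to run with an empty client id or secret
      ansible.builtin.assert:
        that:
          - new_spn_client_id | length > 0
          - new_spn_client_secret | length > 0
        fail_msg: NEW_SPN_CLIENT_ID and NEW_SPN_CLIENT_SECRET must both be set

    - name: Reset the service principal on each cluster
      ansible.builtin.command:
        argv:
          - az
          - aks
          - update-credentials
          - --resource-group
          - "{{ item.resource_group }}"
          - --name
          - "{{ item.name }}"
          - --reset-service-principal
          - --service-principal
          - "{{ new_spn_client_id }}"
          - --client-secret
          - "{{ new_spn_client_secret }}"
      loop: "{{ aks_clusters }}"
      loop_control:
        label: "{{ item.resource_group }}/{{ item.name }}"
      no_log: true   # keeps the client secret out of task output and callbacks
      register: rotate
      changed_when: rotate.rc == 0

    - name: Confirm each cluster now reports the new client id
      ansible.builtin.command:
        argv:
          - az
          - aks
          - show
          - --resource-group
          - "{{ item.resource_group }}"
          - --name
          - "{{ item.name }}"
          - --query
          - servicePrincipalProfile.clientId
          - --output
          - tsv
      loop: "{{ aks_clusters }}"
      loop_control:
        label: "{{ item.resource_group }}/{{ item.name }}"
      register: shown
      changed_when: false
      failed_when: shown.stdout | trim != new_spn_client_id
```

The verification task reads back `servicePrincipalProfile.clientId` after the update so a partially failed rotation across many clusters is caught immediately rather than discovered when the old secret expires. Note that the secret is still passed to `az` as a process argument for the duration of the call, so the control node should be one you trust with the credential.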

Related

how to delete relevant resources when deleting a virtual machine

I am using Azure CLI version 2.34.1. I ran following commands to create a resource group and then a virtual machine. Note that I used options to delete relevant resources when the VM is deleted.
az group create --name myTestRG --location eastus
az vm create --resource-group myTestRG --name myTestWindows11VM --image MicrosoftWindowsDesktop:windows-11:win11-21h2-pro:22000.493.220201 --admin-username someusername --os-disk-delete-option delete --nic-delete-option delete
Later I deleted the VM using following command.
az vm delete --name MyTestWin11VM --resource-group myTestRG -y
However, when I browse to the portal, the resource group still showing following resources that are relevant to the VM.
What I may be doing wrong? Is there anyway to delete all resources associated to VM when I delete the virtual machine itself?
UPDATE: IT'S A BUG:
The way Azure works is to group resources in Resource Groups; it's a mandatory field in all creation of services. Azure does this because many resources have dependencies, such as a VM with a NIC, VNet & NSG.
You can use this to your advantage and simply delete the Resource Group:
az group delete --name myTestRG
Azure will work out the dependency order, eg NSG, VNet, NIC, VM. You can read up on how it does the ordering: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/delete-resource-group?tabs=azure-cli
What happens if I have multiple VMs in a Resource Group and I only want to delete one?
There are 3 new options, --os-disk-delete-option, --data-disk-delete-option and --nic-delete-option, to support deleting VMs and their dependencies:
az vm create \
--resource-group myResourceGroup \
--name myVM \
--image UbuntuLTS \
--public-ip-sku Standard \
--nic-delete-option delete \
--os-disk-delete-option delete \
--admin-username azureuser \
--generate-ssh-keys
Otherwise script the whole thing using Azure Resource Manager Templates (ARM Templates), or the new tool to generate ARM Templates called Bicep. It's worth continuing with raw CLI commands and deleting dependencies in order. If you get good with the CLI you end up with a library of commands that you can use with ARM templates.
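Since the page's main question is about driving Azure from Ansible, here is the same "delete one VM and the resources it owns" operation expressed as a playbook. This is an added example, not from the answer above: it uses the `azure.azcollection.azure_rm_virtualmachine` module's `remove_on_absent` option and assumes the collection is installed and Azure credentials are configured for Ansible; the resource group and VM names are the ones from the question.

```yaml
# Added example: delete a single VM together with its NIC(s), disks and
# public IP(s) without deleting the whole resource group.
# Assumptions: azure.azcollection is installed and Ansible is authenticated
# to the subscription (environment variables or ~/.azure/credentials).
- name: Delete one VM and its dependent resources
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Remove the VM and the resources attached to it
      azure.azcollection.azure_rm_virtualmachine:
        resource_group: myTestRG
        name: myTestWindows11VM
        state: absent
        # Explicit list instead of the default "all": only the VM's own
        # NICs, disks and public IPs go; the VNet and NSG stay in place.
        remove_on_absent:
          - network_interfaces
          - virtual_storage
          - public_ips
```

If several VMs share a NIC or a disk, prefer `remove_on_absent: [all_autocreated]`, which only removes resources the module created for this VM, so a shared resource is never deleted as a side effect of removing one machine.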

Unable to create the webapp using Azure CLI

I am using the below commands for creating the webapp using Azure CLI but getting the below exception:
Unable to retrieve details of the existing app 'newapp2'. Please check that the app is a part of the current subscription
Command:
az webapp create --name newapp2000 --resource-group staging-grp --plan newappplan2000 --runtime "DOTNETCORE|3.1"
Subscription: payasgo
Looking forward to your assistance.
A very effective way to check whether your commands work or not is to go to the portal, log in with your account, and check whether your web app exists in your subscription or not.
If you don't want to use the portal, you could also use CLI commands. You should check whether the session you are using is linked to your subscription or not:
az account show --output table
If not, use this command to switch to a different subscription:
az account set --subscription "My Demos"
You could also specify the subscription in the command while creating your web app:
az webapp create --resource-group StorageGroups --subscription "My Demos" \
--name newapp2000 --location eastus --plan newappplan2000 --runtime "DOTNETCORE|3.1"

az aks create - it used to create Service Principal now Managed Service Identity

Update:
A colleague who works for Microsoft said:
Changelog entry for this behaviour change is here: https://github.com/MicrosoftDocs/azure-docs-cli/blob/master/docs-ref-conceptual/release-notes-azure-cli.md#aks-3
I'm following the proper instructions and the documentation must be out of date.
https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal
Automatically create and use a service principal.
When you create an AKS cluster in the Azure portal or using the az aks create command, Azure can automatically generate a service principal.
In the following Azure CLI example, a service principal is not specified. In this scenario, the Azure CLI creates a service principal for the AKS cluster. To successfully complete the operation, your Azure account must have the proper rights to create a service principal.
az aks create --name myAKSCluster --resource-group myResourceGroup
This is what happened a few months ago - see Finished service principal creation:
Now when I try I get Add role propagation:
The problem is querying the servicePrincipalProfile.clientId results in msi, I need the guid of the service principal not the Managed Service Identity.
$CLIENT_ID=$(az aks show --resource-group $AKS_RESOURCE_GROUP --name $AKS_CLUSTER_NAME --query "servicePrincipalProfile.clientId" --output tsv)
echo $CLIENT_ID
Used to work:
Now it's changed:
How do I create the Kubernetes Cluster with a Service Principal as the documentation states and how it used to work?
Repro steps:
https://github.com/MeaningOfLights/AzureTraining/blob/master/Hands-On-Labs-That-Work/80-Kubernetes.md
https://github.com/MeaningOfLights/AzureTraining/blob/master/Hands-On-Labs-That-Work/85-Kubernetes-Deployment.md
For Reference: I got the same and following your link I found that this worked.
az aks show -g aks -n cluster --query identityProfile.kubeletidentity.clientId -o tsv
and this returned the appropriate GUID, which I could use for my RBAC assignment
# get the clientId of the cluster
$clientId = (az aks show -g aks -n cluster --query identityProfile.kubeletidentity.clientId -o tsv)
# get the resourceId of the registry
$acrId=(az acr show -g acr -n myacr --query id -o tsv)
# give authority for cluster id to the acr pull
az role assignment create --assignee $clientId --role AcrPull --scope $acrId

Kubernetes dashboard starting with Forbidden Errors

How do you apply already created clusterrolebindings to a cluster in Azure Kubernetes?
I have a new cluster and I'm trying to open and view it in the browser, but I am getting forbidden errors.
I tried to run this script, but the terminal says I've already created it. Now I don't know how to apply it to this cluster. Is there a way to do this in the Azure GUI? Any help or suggestions would be great. Thanks!!
az aks get-credentials --resource-group myAKScluster --name myAKScluster --admin
kubectl create clusterrolebinding kubernetes-dashboard --clusterrole=cluster-admin --serviceaccount=kube-system:kubernetes-dashboard
az aks browse --resource-group myAKScluster --name myAKScluster
It's because you enabled RBAC on your AKS cluster, and access to it is disabled by default. You can follow the troubleshooting described here and the solution here.

Cannot create AKS with Windows OS in AKS-Preview

I faced the below error when I tried to create AKS with Windows OS following the steps here
az aks create \
--resource-group DockerResourceGroup \
--name win-test-aks \
--node-count 2 \
--enable-addons monitoring \
--kubernetes-version 1.14.6 \
--generate-ssh-keys \
--windows-admin-password "P#ssw0rd12345" \
--windows-admin-username testuser \
--enable-vmss \
--network-plugin azure
Error:
Operation failed with status: 'Bad Request'. Details: Virtual Machine Scale Set agent nodes are not allowed since feature "Microsoft.ContainerService/WindowsPreview" is not enabled. Please see https://aka.ms/aks/previews for how to enable features.
I tried to run az feature list -o table with the below features already registered:
Microsoft.ContainerService/MultiAgentpoolPreview Registered
Microsoft.ContainerService/VMSSPreview Registered
Microsoft.ContainerService/WindowsPreview Registered
Microsoft.Web/CentralUSRegionEnabled Registered
Did you refresh your registration of the AKS resource provider?
az provider register -n Microsoft.ContainerService