In C#, I have coded a function that sends a JSON body to the Azure API to create a managed AKS cluster, but I get this error:
{
"code": "BadRequest",
"message": "PodSecurityPolicy is not allowed since feature \"Microsoft.ContainerService/PodSecurityPolicyPreview\" is not enabled. Please see https://aka.ms/aks/previews for how to enable features.",
"subcode": ""
}
In azure-cli, I do this, but I'm not sure how to do so in C#:
az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService
az extension add --name aks-preview
az extension update --name aks-preview
You need to send a POST to register the feature first: https://learn.microsoft.com/en-us/rest/api/resources/features/register?tabs=HTTP
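The register call the answer points to, followed by polling until the feature is usable, as an added shell example that is not part of the original thread. The function names, the poll limits and api-version 2021-07-01 are assumptions; the same POST and GET can be issued from any HTTP client, including C#.

```shell
# Added example: register a preview feature through the Features REST API,
# wait until ARM reports it as Registered, then refresh the resource provider.
FEATURE_API='2021-07-01'   # assumed API version for Microsoft.Features

feature_uri() {  # $1 = subscription id, $2 = provider namespace, $3 = feature name
  printf 'https://management.azure.com/subscriptions/%s/providers/Microsoft.Features/providers/%s/features/%s' \
    "$1" "$2" "$3"
}

register_feature() {  # $1 = namespace, $2 = feature, $3 = max polls (30), $4 = seconds between polls (20)
  sub=$(az account show --query id -o tsv) || return 2
  uri=$(feature_uri "$sub" "$1" "$2")
  # POST .../register starts the registration; it completes asynchronously.
  az rest --method post --uri "${uri}/register?api-version=${FEATURE_API}" >/dev/null || return 2
  tries=${3:-30}
  state=''
  while [ "$tries" -gt 0 ]; do
    state=$(az rest --method get --uri "${uri}?api-version=${FEATURE_API}" \
      --query properties.state -o tsv) || return 2
    [ "$state" = "Registered" ] && break
    tries=$((tries - 1))
    sleep "${4:-20}"
  done
  # Return 1 on timeout so callers do not create the cluster too early.
  [ "$state" = "Registered" ] || return 1
  # Re-register the provider so the new feature flag takes effect for it.
  az provider register --namespace "$1" >/dev/null
}
```

Call it as `register_feature Microsoft.ContainerService PodSecurityPolicyPreview` before sending the cluster creation request.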
I am trying to create an Azure Key Vault but I am getting below error:
az keyvault create --location ${regionName} --name ${MyKeyVault} --resource-group ${resourceGroupName}
Error: (VaultAlreadyExists) The name 'check' is already in use.
Please help me write code to check if the Key Vault name is available.
There is no built-in CLI command to do this; your option is to use az rest to call the REST API directly.
Sample:
az rest --method post --uri 'https://management.azure.com/subscriptions/<subscription-id>/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2019-09-01' --headers 'Content-Type=application/json' --body '{"name": "joykeyvault","type": "Microsoft.KeyVault/vaults"}'
You can use the Azure API to check that the Key Vault name is valid and is not already in use.
https://learn.microsoft.com/en-us/rest/api/keyvault/vaults/checknameavailability
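Both checks from the answers above, local name validation followed by the checkNameAvailability call, as an added shell example that is not part of the original answers. The function names are hypothetical; the validation encodes the Key Vault naming rules (3 to 24 characters, letters, digits and hyphens, starting with a letter, ending with a letter or digit, no consecutive hyphens).

```shell
# Added example: validate a Key Vault name locally, then ask ARM whether it is free.
kv_name_valid() {
  name=$1
  len=${#name}
  [ "$len" -ge 3 ] && [ "$len" -le 24 ] || return 1
  case $name in
    # disallowed character | consecutive hyphens | not starting with a letter | trailing hyphen
    *[!A-Za-z0-9-]* | *--* | [!A-Za-z]* | *-) return 1 ;;
  esac
  return 0
}

# Prints "available", "taken" or "invalid"; exit status 0, 1 or 2 (3 if az itself fails).
kv_name_check() {
  name=$1
  kv_name_valid "$name" || { echo invalid; return 2; }
  sub=$(az account show --query id -o tsv) || return 3
  # The name has passed validation, so it cannot break out of the JSON string.
  body=$(printf '{"name":"%s","type":"Microsoft.KeyVault/vaults"}' "$name")
  avail=$(az rest --method post \
    --uri "https://management.azure.com/subscriptions/${sub}/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2019-09-01" \
    --headers 'Content-Type=application/json' \
    --body "$body" --query nameAvailable -o tsv) || return 3
  [ "$avail" = "true" ] && { echo available; return 0; }
  echo taken
  return 1
}
```

In a deployment script, `kv_name_check "$MyKeyVault" && az keyvault create ...` stops before the create call fails with VaultAlreadyExists.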
I'm trying to use the Azure CLI to update the Incoming Client Certificate option under Web App > Configuration > General Settings > Incoming Client Certificates to use the value Allow.
Currently I can only set the value to true/false which correlates to Require/Ignore.
az webapp update --set clientCertEnabled=true --name MyWebApp --resource-group MyRsGrp
I haven't been able to find anything in the reference documentation.
https://learn.microsoft.com/en-us/cli/azure/webapp?view=azure-cli-latest#az_webapp_update
Does anyone have a nifty way to configure this setting? Thanks!
To set it to Allow, two properties need to be set: clientCertEnabled and clientCertMode. clientCertMode is not available in the az webapp update command, so you need to use az resource update.
Just use the command below, it works for me.
az resource update --name <webapp-name> --resource-group <group-name> --namespace Microsoft.Web --resource-type sites --set properties.clientCertEnabled=true properties.clientCertMode=Optional
I am trying to update an Azure Traffic Manager endpoint with the Azure CLI. I run the following code:
az network traffic-manager endpoint update \
--name ${ENDPOINT_NAME} \
--profile-name ${PROFILE_NAME} \
--resource-group ${RESOURCE_GROUP} \
--type azureEndpoints \
--endpoint-status enabled \
--set targetResourceId=${INGRESS_IP_ID}
The values for those different flags were obtained by previous calls to az network traffic-manager endpoint list. But trying to set the endpoint targetResourceId to a different resource fails with this error:
Operation failed with status: 'Bad Request'. Details: The
'resourceTargetId' property of endpoint 'we' is invalid or missing.
The property must be specified only for the following endpoint types:
AzureEndpoints, NestedEndpoints. You must have read access to the
resource to which it refers.
I can say with absolute certainty that the endpoint I am trying to update is an AzureEndpoint, and the resource I am trying to set it to exists in the same location as the endpoint itself. I have looked through the documentation and tried to google for this error, but haven't found anything useful so far.
I can produce this issue. Probably, you pass the --target-resource-id incorrectly. It should be a full resource Id instead of the resource name.
If you target a public IP as the endpoint, you can use the command to get the resource Id.
az network public-ip show --name <publicIPName> --resource-group <resourceGroupName> --query "id"
The Start-AzPolicyComplianceScan works fine in PowerShell. I am trying to achieve the same using az cli but am unable to find an equivalent.
It looks like there is no built-in command in the Azure CLI; the workaround is to use az rest to call the REST API directly.
Sample:
1. Start a compliance scan at resource group scope - https://learn.microsoft.com/en-us/rest/api/policy-insights/policystates/triggerresourcegroupevaluation
az rest --method POST --uri "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01"
2. Start a compliance scan at subscription scope - https://learn.microsoft.com/en-us/rest/api/policy-insights/policystates/triggersubscriptionevaluation
az rest --method POST --uri "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.PolicyInsights/policyStates/latest/triggerEvaluation?api-version=2019-10-01"
After running the command, you could check the result in the Activity log in the resource group/subscription. It works fine.
This is currently possible using:
az policy state trigger-scan
More in the documentation: https://learn.microsoft.com/en-us/cli/azure/policy/state?view=azure-cli-latest#az-policy-state-trigger-scan
I'm trying to follow this guide to setting up a K8s cluster with external-dns' Azure DNS provider.
The guide states that:
When your Kubernetes cluster is created by ACS, a file named /etc/kubernetes/azure.json is created to store the Azure credentials for API access. Kubernetes uses this file for the Azure cloud provider.
When I create a cluster using aks (e.g. az aks create --resource-group myResourceGroup --name myK8sCluster --node-count 1 --generate-ssh-keys) this file doesn't exist.
Where do the API credentials get stored when using AKS?
Essentially I'm trying to work out where to point this command:
kubectl create secret generic azure-config-file --from-file=/etc/kubernetes/azure.json
From what I can see when using AKS the /etc/kubernetes/azure.json doesn't get created. As an alternative I followed the instructions for use with non Azure hosted sites and created a service principal (https://github.com/kubernetes-incubator/external-dns/blob/master/docs/tutorials/azure.md#optional-create-service-principal)
Creating the service principal produces some json that contains most of the detail. This can be used to manually create the azure.json file and the secret can be created from it.
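One way to build azure.json by hand from the service principal values and turn it into the secret, as an added shell example that is not part of the original answer. The function names are hypothetical, and the field names are assumed to follow the azure.json layout used in the external-dns Azure tutorial linked above.

```shell
# Added example: write azure.json from service principal values, then load it as a secret.
# write_azure_json <out-file> <tenant> <subscription-id> <dns-zone-resource-group> <appId>
# The password is read from stdin so it stays out of argv and shell history.
write_azure_json() {
  out=$1 tenant=$2 sub=$3 rg=$4 app_id=$5
  IFS= read -r secret || true
  [ -n "$secret" ] || { echo "no client secret on stdin" >&2; return 1; }
  # Refuse characters that would need JSON escaping rather than emit a broken file.
  case $tenant$sub$rg$app_id$secret in
    *\"* | *\\*) echo "value contains a quote or backslash" >&2; return 1 ;;
  esac
  (
    umask 077  # the file holds a credential: owner read/write only
    printf '{\n  "tenantId": "%s",\n  "subscriptionId": "%s",\n  "resourceGroup": "%s",\n  "aadClientId": "%s",\n  "aadClientSecret": "%s"\n}\n' \
      "$tenant" "$sub" "$rg" "$app_id" "$secret" > "$out"
  )
}

# Store the file under the key azure.json, then delete the plaintext copy.
create_dns_secret() {
  kubectl create secret generic azure-config-file --from-file=azure.json="$1" && rm -f "$1"
}
```

The appId, password and tenant values come from the JSON printed when the service principal is created; the subscription ID and the DNS zone's resource group have to be supplied separately.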
Use this command to get credentials:
az aks get-credentials --resource-group myResourceGroup --name myK8sCluster
Source:
https://learn.microsoft.com/en-us/azure/aks/kubernetes-walkthrough
Did you try this command?
cat ~/.kube/config
It provided all I needed for my CI to connect to the Kubernetes cluster and use the API.