Azure Kubernetes Service integration

This integration uses the Kubescape CLI to scan the AKS clusters and run commands.

Collect the ClusterID and PrincipalID

In the Azure CLI, run the following commands:

  1. List managed identities for the cluster.
  2. Collect the principalId using the ID returned from the previous command:
     az identity show --ids <id_from_step_1>
  3. Collect the clusterId:
     az aks list | grep <cluster_name>

Install Kubescape with credentials

There are two ways to manage identities in Azure: system-assigned and user-assigned managed identities.

Follow the section that matches how your cluster's identities are managed:

System-Assigned Managed Identities

Assign the Reader role to the principal ID at the scope of the cluster.

In the Azure CLI, run the following command:

az role assignment create --assignee "<principal_id>" --role "Reader" --scope "<cluster_id>"

You must have permission to assign roles. If you get an authorization error while creating the role assignment, contact your Azure administrator.

Install Kubescape

Replace <ACCOUNT_ID> with your ARMO Platform account ID, and then run the following command:

helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; \
helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace \
  --set clusterName=$(kubectl config current-context) \
  --set account=<ACCOUNT_ID> \
  --set server=api.armosec.io \
  --set cloudProviderMetadata.aksSubscriptionID=$(az account show --query id --output tsv) \
  --set cloudProviderMetadata.aksResourceGroup=$(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv) \
  --set cloudProviderMetadata.cloudProviderEngine=aks

User-Assigned Managed Identities

Assign the Reader role to the managed identity of the kubelet at the scope of the cluster control plane.

In the Azure CLI, run the following command:

az role assignment create \
  --assignee $(az aks show \
      --resource-group $(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv) \
      --name $(kubectl config current-context) \
      --query "identityProfile.kubeletidentity.clientId" --output tsv) \
  --role "Reader" \
  --scope /subscriptions/$(az account show --query id --output tsv)/resourceGroups/$(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv)

You must have permission to assign roles. If you get an authorization error while creating the role assignment, contact your Azure administrator.
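Both the system-assigned and the user-assigned procedures above grant the scanning identity only the Reader role. The following added check (example code, not part of the ARMO documentation or the Kubescape project) parses the JSON that `az role assignment list --all -o json` returns and confirms that Reader is present at the cluster scope and that the identity holds no write or access-management role anywhere; it assumes you pass the principal ID collected in step 2 and the cluster ID collected in step 3, and the IDs in the sample are made-up placeholders.

```python
import json

# Roles that grant write or access-management rights; a scanning identity
# should hold none of them.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def check_reader_assignment(assignments_json, principal_id, cluster_id):
    """Inspect `az role assignment list --all -o json` output for one principal.

    Reports whether Reader is granted exactly at the cluster scope, whether it
    is instead inherited from a broader scope, and which privileged roles the
    identity holds anywhere (a least-privilege check before installing).
    """
    cluster_scope = cluster_id.lower()
    mine = [a for a in json.loads(assignments_json)
            if a.get("principalId", "").lower() == principal_id.lower()]
    exact = [a for a in mine if a["roleDefinitionName"] == "Reader"
             and a["scope"].lower() == cluster_scope]
    # Reader on a parent scope (resource group or subscription) also covers
    # the cluster, but it is broader than required, so it is reported apart.
    inherited = [a["scope"] for a in mine if a["roleDefinitionName"] == "Reader"
                 and a["scope"].lower() != cluster_scope
                 and cluster_scope.startswith(a["scope"].lower().rstrip("/") + "/")]
    privileged = sorted((a["roleDefinitionName"], a["scope"]) for a in mine
                        if a["roleDefinitionName"] in PRIVILEGED_ROLES)
    return {"reader_at_cluster": bool(exact),
            "reader_inherited_from": inherited,
            "privileged_roles": privileged,
            "ok": bool(exact) and not privileged}


# Constructed sample output (made-up IDs): one correct Reader assignment on the
# cluster plus an over-broad Contributor assignment at subscription level.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CLUSTER_ID = SUB + "/resourceGroups/rg-demo/providers/Microsoft.ContainerService/managedClusters/aks-demo"
PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE = json.dumps([
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Reader", "scope": CLUSTER_ID},
    {"principalId": PRINCIPAL_ID, "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalId": "22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "scope": SUB},
])

if __name__ == "__main__":
    print(json.dumps(check_reader_assignment(SAMPLE, PRINCIPAL_ID, CLUSTER_ID), indent=2))
```

Run it against the real output by replacing SAMPLE with the contents of `az role assignment list --assignee <principal_id> --all -o json`; an "ok" of false means the identity is either missing Reader on the cluster or holds more than it needs.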

Install Kubescape

Before you run the following command, replace these placeholders manually:

  1. <ACCOUNT_ID> - the ARMO account ID shown in the ARMO portal.
  2. <ACCESSKEY> - the ARMO account access key shown in the ARMO portal.
  3. <AZURE_TENANT_ID> - your Azure tenant ID.

helm repo add kubescape https://kubescape.github.io/helm-charts/ ; helm repo update ; \
helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace \
  --set clusterName=$(kubectl config current-context) \
  --set account=<ACCOUNT_ID> \
  --set accessKey=<ACCESSKEY> \
  --set server=api.armosec.io \
  --set cloudProviderMetadata.aksSubscriptionID=$(az account show --query id --output tsv) \
  --set cloudProviderMetadata.aksResourceGroup=$(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv) \
  --set cloudProviderMetadata.cloudProviderEngine=aks \
  --set cloudProviderMetadata.aksTenantID=<AZURE_TENANT_ID> \
  --set cloudProviderMetadata.aksClientID=$(az aks show \
      --resource-group $(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv) \
      --name $(kubectl config current-context) \
      --query "identityProfile.kubeletidentity.clientId" --output tsv)