Azure Kubernetes Service integration
This uses the Kubescape CLI to scan the clusters and run commands.
Collect the ClusterID and PrincipalID
In the Azure CLI, run the following commands:
- List managed identities for the cluster.
- Collect the principalID using the ID returned from the previous command.
az identity show --ids <id_from_step_1>
- Collect the clusterID.
az aks list | grep <cluster_name>
Install Kubescape with credentials
There are two ways to manage identities in Azure: system-assigned and user-assigned.
Follow the section that matches how your identities are managed:
System-Assigned Managed Identities
Assign the Reader role to the PrincipalID in the scope of the cluster. In the Azure CLI, run the following command:
az role assignment create --assignee "<principal_id>" --role "Reader" --scope "<cluster_id>"
You must have permission to assign roles. If you get an authorization error while creating the role assignment, contact your Azure administrator.
Install Kubescape
Note that you must add the following values manually:
cloudProviderMetadata.cloudProviderEngine=aks
cloudProviderMetadata.aksSubscriptionID=<Subscription ID>
cloudProviderMetadata.aksResourceGroup=<Resource Group>
helm repo add kubescape https://kubescape.github.io/helm-charts/
helm repo update
helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace \
  --set clusterName=$(kubectl config current-context) \
  --set account=<ACCOUNT_ID> \
  --set server=api.armosec.io \
  --set cloudProviderMetadata.aksSubscriptionID=$(az account show --query id --output tsv) \
  --set cloudProviderMetadata.aksResourceGroup=$(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv) \
  --set cloudProviderMetadata.cloudProviderEngine=aks
User-Assigned Managed Identities
Assign the Reader role to the Managed Identity of the kubelet in the scope of the cluster control plane. In the Azure CLI, run the following command:
az role assignment create \
  --assignee $(az aks show \
      --resource-group $(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv) \
      --name $(kubectl config current-context) \
      --query "identityProfile.kubeletidentity.clientId" --output tsv) \
  --role "Reader" \
  --scope /subscriptions/$(az account show --query id --output tsv)/resourceGroups/$(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv)
You must have permission to assign roles. If you get an authorization error while creating the role assignment, contact your Azure administrator.
Install Kubescape
Note that you must add the following values manually:
cloudProviderMetadata.cloudProviderEngine=aks
cloudProviderMetadata.aksSubscriptionID=<Subscription ID>
cloudProviderMetadata.aksResourceGroup=<Resource Group>
cloudProviderMetadata.aksTenantID=<Tenant ID>
cloudProviderMetadata.aksClientID=<Client ID>
cloudProviderMetadata.aksClientSecret=<ClientSecret>
It should look like this:
helm repo add kubescape https://kubescape.github.io/helm-charts/
helm repo update
helm upgrade --install kubescape kubescape/kubescape-operator -n kubescape --create-namespace \
  --set clusterName=$(kubectl config current-context) \
  --set account=<ACCOUNT_ID> \
  --set accessKey=<ACCESSKEY> \
  --set server=api.armosec.io \
  --set cloudProviderMetadata.aksSubscriptionID=$(az account show --query id --output tsv) \
  --set cloudProviderMetadata.aksResourceGroup=$(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv) \
  --set cloudProviderMetadata.cloudProviderEngine=aks \
  --set cloudProviderMetadata.aksTenantID=<AZURE tenant ID> \
  --set cloudProviderMetadata.aksClientID=$(az aks show \
      --resource-group $(az resource list --name $(kubectl config current-context) --query "[].resourceGroup" --output tsv) \
      --name $(kubectl config current-context) \
      --query "identityProfile.kubeletidentity.clientId" --output tsv) \
  --set cloudProviderMetadata.aksClientSecret=<Client secret>
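As an added example that is not part of the Kubescape documentation, the following POSIX shell function assembles the cloudProviderMetadata --set pairs for either identity mode and refuses to proceed when a value the page marks as mandatory is missing or is still an unreplaced <...> placeholder. The function names, positional arguments and sample identifiers are this example's own; the chart keys are the ones listed above.

```shell
#!/bin/sh
# Added example, not taken from the Kubescape/ARMO docs: build the
# cloudProviderMetadata --set arguments for the kubescape-operator chart
# and fail early on a missing or unreplaced value, so the install is not
# run with "<Subscription ID>" or an empty client secret as a literal.
# check_value and build_helm_args are hypothetical helper names.

# check_value NAME VALUE: VALUE must be non-empty and must not still be a
# literal <...> placeholder copied from the documentation.
check_value() {
    case "$2" in
        "")       echo "missing required value: $1" >&2; return 1 ;;
        "<"*">")  echo "unreplaced placeholder for $1: $2" >&2; return 1 ;;
    esac
    return 0
}

# build_helm_args MODE SUBSCRIPTION_ID RESOURCE_GROUP [TENANT_ID CLIENT_ID CLIENT_SECRET]
# MODE is "system" (system-assigned identity) or "user" (user-assigned).
# Prints one "--set key=value" pair per line on success; returns 1 when
# any value required for that mode fails check_value.
build_helm_args() {
    mode="$1"; sub="$2"; rg="$3"; tenant="$4"; client="$5"; secret="$6"
    rc=0
    # Both modes need the subscription and resource group.
    check_value aksSubscriptionID "$sub" || rc=1
    check_value aksResourceGroup "$rg" || rc=1
    case "$mode" in
        system) ;;
        user)
            # User-assigned identities additionally need the tenant,
            # client ID and client secret of the kubelet identity.
            check_value aksTenantID "$tenant" || rc=1
            check_value aksClientID "$client" || rc=1
            check_value aksClientSecret "$secret" || rc=1
            ;;
        *) echo "mode must be system or user, got: $mode" >&2; return 1 ;;
    esac
    [ "$rc" -eq 0 ] || return 1

    echo "--set cloudProviderMetadata.cloudProviderEngine=aks"
    echo "--set cloudProviderMetadata.aksSubscriptionID=$sub"
    echo "--set cloudProviderMetadata.aksResourceGroup=$rg"
    if [ "$mode" = user ]; then
        echo "--set cloudProviderMetadata.aksTenantID=$tenant"
        echo "--set cloudProviderMetadata.aksClientID=$client"
        echo "--set cloudProviderMetadata.aksClientSecret=$secret"
    fi
}

# demo: constructed sample values (not real Azure identifiers) showing a
# valid system-assigned call and a user-assigned call that is rejected
# because one placeholder was never replaced.
demo() {
    echo "# system-assigned:"
    build_helm_args system 00000000-0000-0000-0000-000000000000 rg-demo
    echo "# user-assigned with an unreplaced placeholder (expected to fail):"
    build_helm_args user 00000000-0000-0000-0000-000000000000 rg-demo \
        11111111-1111-1111-1111-111111111111 "<Client ID>" s3cret || echo "# rejected"
}

demo
```

The output is meant to be appended to the helm upgrade --install command from the section above. Because aksClientSecret is passed on the command line, it is visible in shell history and process listings and is stored in the release values inside the cluster; if that matters in your environment, read it from a file with restricted permissions using helm's --set-file instead of pasting it inline.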