Good morning.
I'm trying to connect a kubernetes cluster running on prem in our DC with Azure's key vault and container registry.
I cannot find any exhaustive documentation on how to do that (everything revolves around AKS).
Is it possible to achieve what I'm after?
@AndreaFlorio-9481 ,this should be possible if you are able to create a cloud identity as well for you k8s cluster on-prem..
The below links can be helpful to implement the same.
ACR => https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
KV => https://github.com/Azure/secrets-store-csi-driver-provider-azure
Hello,
i am bit new to azure, so i apologize if the question looks dumb..
i don't see any reference to a "cloud" identity , but only to AD identity, service principal or Managed identity ..
@AndreaFlorio-9481 , what I mean by cloud identity is that the AKS cluster must have a corresponding identity in Azure AD to be able to authenticate with ACR and store secrets in Azure Key Vault. Since your k8s cluster is on-prem, it has an on-prem identity, and not any Azure AD identity. So creation of Azure AD identity is required to implement your requirement.
Hello,
the answer gives me a direction but i'm struggling to understand how i create the identity and assign it to the on prem cluster.
I have asked help internally to my team handling most of the azure stuff but i haven't got anything back from them yet making me think they don't know how to do it either.
the reason why i didn't accept it as an answer yet, is because, i haven't been able to implement it and get a valid result yet
@AndreaFlorio-9481 , hope my answer helped? please do accept as answer if you found the information useful, and don't hesitate to reach out for any queries.
Hi @AndreaFlorio-9481 ,
I'm also looking into do something like that. I have not tried this yet but this may be able to help you a little more:
Is your on-prem synched with Azure AD?
I believe you may need to do something like this: https://docs.microsoft.com/en-us/answers/questions/523856/how-to-use-vms-with-azuread.html
Than will depend on the VM/Server OS. is Your k8 running on Linux?: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm
Once the identity is installed you should be able to see it when creating a Vault Policy.
Case it becomes to hard, you can drop that approach and try to use an Azure Service Principal :
https://dev.to/azure/azure-tip-how-to-get-your-kubernetes-cluster-service-principal-and-use-it-to-access-other-azure-services-2735
Once you have k8 with Service Principal, you just need to create a vault policy for the service principal
11 people are following this question.
