Question

AndreaFlorio-9481 asked, BrunoLucas-9843 edited · 0 Votes

Connect Azure keyvault and container registry to on-prem kubernetes cluster

Good morning.

I'm trying to connect a Kubernetes cluster running on-prem in our DC with Azure's Key Vault and Container Registry.

I cannot find any exhaustive documentation on how to do that (everything revolves around AKS).
Is it possible to achieve what I'm after?

azure-kubernetes-service

srbhatta-msft answered, AndreaFlorio-9481 commented · 0 Votes

@AndreaFlorio-9481, this should be possible if you are able to create a cloud identity as well for your k8s cluster on-prem.
The links below can be helpful to implement the same.
ACR => https://docs.microsoft.com/en-us/azure/container-registry/container-registry-authentication?tabs=azure-cli
KV => https://github.com/Azure/secrets-store-csi-driver-provider-azure


AndreaFlorio-9481:

Hello,

I am a bit new to Azure, so I apologize if the question looks dumb.
I don't see any reference to a "cloud" identity, but only to AD identity, service principal or Managed identity.

0 Votes

srbhatta-msft, replying to AndreaFlorio-9481:

@AndreaFlorio-9481, what I mean by cloud identity is that the AKS cluster must have a corresponding identity in Azure AD to be able to authenticate with ACR and store secrets in Azure Key Vault. Since your k8s cluster is on-prem, it has an on-prem identity and not any Azure AD identity. So creation of an Azure AD identity is required to implement your requirement.

1 Vote

AndreaFlorio-9481:

Hello,

The answer gives me a direction, but I'm struggling to understand how I create the identity and assign it to the on-prem cluster.
I have asked for help internally from my team handling most of the Azure stuff, but I haven't got anything back from them yet, making me think they don't know how to do it either.

The reason why I didn't accept it as an answer yet is because I haven't been able to implement it and get a valid result yet.

0 Votes

srbhatta-msft, replying to AndreaFlorio-9481:

@AndreaFlorio-9481, hope my answer helped? Please do accept it as the answer if you found the information useful, and don't hesitate to reach out for any queries.

0 Votes

BrunoLucas-9843 answered, BrunoLucas-9843 edited · 0 Votes

Hi @AndreaFlorio-9481,

I'm also looking into doing something like that. I have not tried this yet, but this may be able to help you a little more:

Is your on-prem synced with Azure AD?
I believe you may need to do something like this: https://docs.microsoft.com/en-us/answers/questions/523856/how-to-use-vms-with-azuread.html

Then it will depend on the VM/Server OS. Is your k8s running on Linux?: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-arm
Once the identity is installed you should be able to see it when creating a Vault policy.

In case it becomes too hard, you can drop that approach and try to use an Azure Service Principal:
https://dev.to/azure/azure-tip-how-to-get-your-kubernetes-cluster-service-principal-and-use-it-to-access-other-azure-services-2735

Once you have k8s with a Service Principal, you just need to create a vault policy for the service principal.
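The two routes sketched in this thread, srbhatta-msft's pointers to ACR service-principal authentication and the Secrets Store CSI driver Azure provider, and BrunoLucas-9843's suggestion to fall back to a service principal with a vault policy, fit together in the script below. It is an added example, not code from the thread, from Microsoft or from the CSI provider project. It assumes the Azure CLI is logged in to the subscription that owns the registry and vault, that the Secrets Store CSI driver and its Azure provider are already installed on the on-prem cluster, and that kubectl points at that cluster; the registry, vault, service-principal, namespace and image names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): give an on-prem Kubernetes cluster an
# Azure AD identity (a service principal) and use it for ACR pulls and for the
# Secrets Store CSI driver's Azure Key Vault provider. All names are placeholders.
set -eu

ACR_NAME="${ACR_NAME:-myregistry}"      # registry name without .azurecr.io
KV_NAME="${KV_NAME:-mykeyvault}"        # key vault name
SP_NAME="${SP_NAME:-onprem-k8s-sp}"     # display name for the new service principal
NAMESPACE="${NAMESPACE:-default}"       # namespace that pulls images and mounts secrets

# Step 1 (Azure side): create the identity and grant it only what the cluster needs.
create_identity_and_grants() {
    # Without --role, create-for-rbac creates the app and service principal with no
    # role assignment; the password is returned only at creation time.
    sp_out=$(az ad sp create-for-rbac --name "$SP_NAME" \
        --query '[appId,password,tenant]' -o tsv)
    APP_ID=$(printf '%s\n' "$sp_out" | cut -f1)
    SP_SECRET=$(printf '%s\n' "$sp_out" | cut -f2)
    TENANT_ID=$(printf '%s\n' "$sp_out" | cut -f3)

    # AcrPull scoped to this one registry: the cluster pulls images, it never pushes.
    ACR_ID=$(az acr show --name "$ACR_NAME" --query id -o tsv)
    az role assignment create --assignee "$APP_ID" --role AcrPull --scope "$ACR_ID" >/dev/null

    # Key Vault access policy limited to reading secrets (no key or certificate rights).
    az keyvault set-policy --name "$KV_NAME" --spn "$APP_ID" \
        --secret-permissions get list >/dev/null
}

# Step 2 (cluster side): store the credential where kubelet and the CSI provider read it.
create_cluster_secrets() {
    # Image pull secret: username is the appId, password is the service principal secret.
    kubectl -n "$NAMESPACE" create secret docker-registry acr-pull \
        --docker-server="$ACR_NAME.azurecr.io" \
        --docker-username="$APP_ID" --docker-password="$SP_SECRET"
    # Credential the Azure provider reads through nodePublishSecretRef; the label
    # is required so the CSI driver is allowed to read the secret.
    kubectl -n "$NAMESPACE" create secret generic secrets-store-creds \
        --from-literal clientid="$APP_ID" --from-literal clientsecret="$SP_SECRET"
    kubectl -n "$NAMESPACE" label secret secrets-store-creds secrets-store.csi.k8s.io/used=true
}

# Step 3: SecretProviderClass naming the vault and the secret to project.
# $1 = vault name, $2 = tenant id, $3 = name of the secret object in the vault
render_secret_provider_class() {
    cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-$1
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    keyvaultName: "$1"
    tenantId: "$2"
    objects: |
      array:
        - |
          objectName: $3
          objectType: secret
EOF
}

# Step 4: a pod that pulls from ACR and mounts the vault secret read-only.
# $1 = image reference, $2 = SecretProviderClass name
render_pod() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kv-demo
spec:
  imagePullSecrets:
    - name: acr-pull
  containers:
    - name: app
      image: $1
      volumeMounts:
        - name: secrets
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: $2
        nodePublishSecretRef:
          name: secrets-store-creds
EOF
}

# Azure and kubectl steps run only on "apply" (./onprem-azure.sh apply), so the
# rendering functions can be exercised without cloud access.
if [ "${1:-}" = "apply" ]; then
    create_identity_and_grants
    create_cluster_secrets
    render_secret_provider_class "$KV_NAME" "$TENANT_ID" app-db-password |
        kubectl -n "$NAMESPACE" apply -f -
    render_pod "$ACR_NAME.azurecr.io/app:1.0" "azure-kv-$KV_NAME" |
        kubectl -n "$NAMESPACE" apply -f -
fi
```

The service principal holds exactly two grants, AcrPull on one registry and get/list on secrets in one vault, so a leaked cluster credential cannot push images or read keys and certificates. Its secret ends up in two Kubernetes Secrets (`acr-pull` and `secrets-store-creds`), so restrict RBAC on that namespace and rotate the service principal credential on a schedule. If the vault uses the Azure RBAC permission model instead of access policies, replace the `az keyvault set-policy` call with a `Key Vault Secrets User` role assignment scoped to the vault.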
