Cluster connect on Azure Arc enabled Kubernetes
The Azure Arc enabled Kubernetes cluster connect feature provides connectivity to the apiserver of the cluster without requiring any inbound port to be enabled on the firewall. A reverse proxy agent running on the cluster can securely start a session with the Azure Arc service in an outbound manner.
Cluster connect allows developers to access their clusters from anywhere for interactive development and debugging. It also lets cluster users and administrators access or manage their clusters from anywhere. You can even use hosted agents/runners of Azure Pipelines, GitHub Actions, or any other hosted CI/CD service to deploy applications to on-prem clusters, without requiring self-hosted agents.
Azure Arc enabled Kubernetes preview features are available on a self-service, opt-in basis. Previews are provided "as is" and "as available," and they're excluded from the service-level agreements and limited warranty. Azure Arc enabled Kubernetes previews are partially covered by customer support on a best-effort basis.
On the cluster side, a reverse proxy agent called clusterconnect-agent, deployed as part of the agent Helm chart, makes outbound calls to the Azure Arc service to establish the session.
When the user calls az connectedk8s proxy:
- Azure Arc proxy binary is downloaded and spun up as a process on the client machine.
- Azure Arc proxy fetches a kubeconfig file associated with the Azure Arc enabled Kubernetes cluster on which az connectedk8s proxy is invoked.
- Azure Arc proxy uses the caller's Azure access token and the Azure Resource Manager ID name.
- The kubeconfig file, saved on the machine by Azure Arc proxy, points the server URL to an endpoint on the Azure Arc proxy process.
When a user sends a request using this kubeconfig file:
- Azure Arc proxy maps the endpoint receiving the request to the Azure Arc service.
- Azure Arc service then forwards the request to the clusterconnect-agent running on the cluster.
- The clusterconnect-agent passes on the request to the kube-aad-proxy component, which performs Azure AD authentication on the calling entity.
- After Azure AD authentication, kube-aad-proxy uses the Kubernetes user impersonation feature to forward the request to the cluster's
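The authentication and impersonation hand-off in the last two steps, modelled as an added example that is not kube-aad-proxy's or the Arc agent's code: the token table, RBAC rules and the proxy's service-account name are constructed for illustration. It shows why cluster RBAC is evaluated against the Azure AD identity rather than the proxy's own credential, and that only the proxy's identity may set Impersonate-* headers.

```python
# Simplified model of the kube-aad-proxy -> kube-apiserver hop.
# Everything below is constructed sample data, not the real implementation.

# Stand-in for Azure AD token validation (the real proxy verifies signed JWTs).
AAD_TOKENS = {
    "tok-alice": {"user": "alice@contoso.example", "groups": ["sre"]},
    "tok-bob": {"user": "bob@contoso.example", "groups": []},
}

# Constructed RBAC: subject -> set of (verb, resource) it may perform.
RBAC_RULES = {
    "group:sre": {("get", "pods"), ("list", "pods")},
    "user:alice@contoso.example": {("get", "namespaces")},
}

# Identity the proxy uses towards the API server; it needs impersonate rights.
PROXY_SA = "system:serviceaccount:azure-arc:kube-aad-proxy"  # constructed name
IMPERSONATORS = {PROXY_SA}


def _bearer(headers):
    return headers.get("Authorization", "").replace("Bearer ", "", 1)


def kube_aad_proxy(headers):
    """Authenticate the caller; on success re-issue the request under the
    proxy's own credential plus impersonation headers. None means 401."""
    identity = AAD_TOKENS.get(_bearer(headers))
    if identity is None:
        return None  # rejected here; the request never reaches the cluster
    return {"Authorization": f"Bearer {PROXY_SA}",
            "Impersonate-User": identity["user"],
            "Impersonate-Group": identity["groups"]}


def kube_apiserver(verb, resource, headers):
    """Allow impersonation only from a permitted impersonator, then evaluate
    RBAC against the impersonated subjects, not the proxy identity."""
    caller = _bearer(headers)
    if "Impersonate-User" in headers:
        if caller not in IMPERSONATORS:
            return 403  # arbitrary callers cannot claim another identity
        subjects = [f"user:{headers['Impersonate-User']}"]
        subjects += [f"group:{g}" for g in headers.get("Impersonate-Group", [])]
    else:
        subjects = [f"user:{caller}"]
    allowed = any((verb, resource) in RBAC_RULES.get(s, ()) for s in subjects)
    return 200 if allowed else 403


def cluster_connect(token, verb, resource):
    """End-to-end: caller token -> kube-aad-proxy -> kube-apiserver status."""
    fwd = kube_aad_proxy({"Authorization": f"Bearer {token}"})
    return 401 if fwd is None else kube_apiserver(verb, resource, fwd)
```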