Enable AKS monitoring addon using Azure Policy

This article describes how to enable the AKS Monitoring Addon using an Azure custom policy. The Monitoring Addon custom policy can be assigned at either subscription or resource group scope. If the Azure Log Analytics workspace and the AKS cluster are in different subscriptions, the managed identity used by the policy assignment must have the required role permissions on both subscriptions, or at least on the Log Analytics workspace resource. Similarly, if the policy is scoped to a resource group, the managed identity must have the required role permissions on the Log Analytics workspace when the workspace is not in the selected resource group.

The Monitoring Addon requires the following roles on the managed identity used by Azure Policy:

Create and assign policy definition using Azure portal

Create policy definition

  1. Download the Azure Custom Policy definition to enable AKS Monitoring Addon.

    curl -o azurepolicy.json -L https://aka.ms/aks-enable-monitoring-custom-policy
    
  2. Navigate to https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyMenuBlade/Definitions and create a policy definition with the following details in the Policy definition dialog box.

    • Definition location: Choose the Azure subscription where the policy definition should be stored.
    • Name: (Preview)AKS-Monitoring-Addon
    • Description: Azure custom policy to enable the Monitoring Addon on Azure Kubernetes cluster(s) in the specified scope
    • Category: Choose Use existing and pick Kubernetes from the drop-down.
    • Policy Rule: Remove the existing sample rules and paste in the contents of azurepolicy.json downloaded in step #1 above.

Assign policy definition to specified scope

Note

Managed identity will be created automatically and assigned specified roles in the Policy definition.

  1. Select the policy definition (Preview)AKS-Monitoring-Addon that you just created.
  2. Click Assign and specify the Scope at which the policy should be assigned.
  3. Click Next and provide the Resource ID of the Azure Log Analytics workspace. The Resource ID must be in this format: /subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>.
  4. Create a remediation task if you want to apply the policy to existing AKS clusters in the selected scope.
  5. Click Review + Create to create the policy assignment.

Create and assign policy definition using Azure CLI

Create policy definition

  1. Download the Azure custom policy definition rules and parameters files with the following commands:

    curl -o azurepolicy.rules.json -L https://aka.ms/aks-enable-monitoring-custom-policy-rules
    curl -o azurepolicy.parameters.json -L https://aka.ms/aks-enable-monitoring-custom-policy-parameters
    
  2. Create the policy definition with the following command:

    az cloud set -n <AzureCloud | AzureChinaCloud | AzureUSGovernment> # set the Azure cloud
    az login # login to cloud environment 
    az account set -s <subscriptionId>
    az policy definition create --name "(Preview)AKS-Monitoring-Addon" --display-name "(Preview)AKS-Monitoring-Addon" --mode Indexed --metadata version=1.0.0 category=Kubernetes --rules azurepolicy.rules.json --params azurepolicy.parameters.json
    

Assign policy definition to specified scope

  • Create the policy assignment with the following command:

    az policy assignment create --name aks-monitoring-addon --policy "(Preview)AKS-Monitoring-Addon" --assign-identity --identity-scope /subscriptions/<subscriptionId> --role Contributor --scope /subscriptions/<subscriptionId> --location <location> -p "{ \"workspaceResourceId\": { \"value\":  \"/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.operationalinsights/workspaces/<workspaceName>\" } }"
    
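As an added pre-flight check (not part of the original article or of the Azure CLI), the following script validates the workspace Resource ID against the format given above, builds the -p parameter the assignment command expects, and warns when the workspace sits outside the assignment scope, which is the cross-subscription or cross-resource-group case where the policy's managed identity needs role permissions on the workspace as well. Function names and the sample IDs are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added pre-flight helper for the policy assignment above; function names and
# sample IDs are constructed for illustration, not taken from the article.

# Check that a workspace Resource ID matches the documented format:
# /subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>
# Matching is case-insensitive because the CLI sample uses lowercase segments.
validate_workspace_id() {
  printf '%s' "$1" | grep -Eiq \
    '^/subscriptions/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}/resourceGroups/[^/]+/providers/Microsoft\.OperationalInsights/workspaces/[^/]+$'
}

# Extract the subscription ID from any resource ID or assignment scope.
subscription_of() {
  printf '%s' "$1" | cut -d/ -f3
}

# Report whether the workspace lies inside the assignment scope (subscription or
# resource group). "cross-scope" means the managed identity created by the
# assignment also needs the required roles on the workspace, as the article notes.
workspace_scope_relation() {
  local scope_lc ws_lc
  scope_lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  ws_lc=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$ws_lc" in
    "$scope_lc"/*) echo same-scope ;;
    *) echo cross-scope ;;
  esac
}

# Build the -p argument the assignment command expects.
build_policy_params() {
  printf '{ "workspaceResourceId": { "value": "%s" } }' "$1"
}

# Validate, warn on the cross-scope case, then emit the parameter JSON.
preflight() {
  local scope="$1" ws="$2"
  validate_workspace_id "$ws" || { echo "invalid workspace Resource ID: $ws" >&2; return 1; }
  if [ "$(workspace_scope_relation "$scope" "$ws")" = cross-scope ]; then
    echo "workspace is outside scope $scope: grant the policy identity the required" \
         "roles on the workspace or on subscription $(subscription_of "$ws")" >&2
  fi
  build_policy_params "$ws"
}

# Constructed sample values: RG-scoped assignment, workspace in another subscription.
SCOPE="/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-aks"
WORKSPACE_ID="/subscriptions/00000000-0000-0000-0000-000000000002/resourcegroups/rg-logs/providers/microsoft.operationalinsights/workspaces/law-prod"
preflight "$SCOPE" "$WORKSPACE_ID"
```

The JSON printed on stdout can be passed straight to the -p argument of az policy assignment create; the warning goes to stderr so it does not pollute that value.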

Next steps