AKS private cluster deployment from Azure DevOps

HamzaSharif
February 22, 2024
178 views
0 votes
2 Answers

I have an Azure subscription in which I have deployed an AKS private cluster. I created a VM in same virtual network and I can access AKS kubeapi and am able to create/update/delete resources in AKS cluster.

When it comes to CICD with Azure DevOps pipeline (dev.azure.com portal), I am not able to find any way for CICD to work. I cannot create a Service Connection for private AKS cluster, hence cannot move forward with next steps of pipeline.

Following is a screenshot where it waits infinite on loading namespace.

Screenshot of Azure DevOps error

When I earlier created a private Azure Container Registry, I faced same issue that my CI pipeline was not able to push image on private ACR. Then I created Service Connection for my private ACR and also created self-hosted agents on a VM and using both in CI pipeline, I was able to push docker image from Azure DevOps pipeline on to Azure Container Registry.

Now, in order to complete the CD pipeline (release) on Azure DevOps, I have to be able to create Service Connection of Kubernetes on Azure DevOps portal which I am not able to make currently since namespace is not loading as it’s trying to access private IP 10.11.x.x which belongs ot my Kubernetes cluster private network.

What can be possible solution. Since I am new to Azure, I would highly appreciate if someone can answer with steps easy to understand and apply.

Answers

Chosen as BEST ANSWER
- HamzaSharif
- February 22, 2024 at 12:13 pm
- 0 votes
0
I tried to implement the suggested process in an answer but it did not go well.

Then I found out an alternative. This time with Azure Resource Manager Service Connection.

I created an ARM Service Connection and used the following part in Azure DevOps Pipeline:
```
- task: Kubernetes@1
  displayName: Deployment in Kubernetes
  inputs:
    connectionType: Azure Resource Manager
    azureSubscriptionEndpoint: $(azureSubscriptionEndpoint)
    azureResourceGroup: $(azureResourceGroup)
    kubernetesCluster: $(kubernetesCluster)
    useClusterAdmin: $(useClusterAdmin)
    namespace: $(namespace)
    command: apply
    arguments: -f $(kubernetesFilePath)
```
This worked well for my use case.

I shall still review the process again once I get some time from my workload.

Thaks for answers everyone. Really appreciate the help.

(Edit)

- Arko
- February 21, 2024 at 6:30 pm
- 0 votes
0
The screenshot you’ve provided shows that Azure DevOps is having trouble loading namespaces from your AKS private cluster when trying to create a service connection. This is typically because Azure DevOps cannot reach the private cluster’s API server, which is not accessible from the public internet.

Given that you’ve already successfully set up a self-hosted agent for your Azure Container Registry (ACR), you can follow a similar approach for your AKS cluster. Here are the steps to create a service connection for your AKS private cluster using a self-hosted agent in Azure DevOps.

To create a Service Connection for a private AKS cluster, you need to use a self-hosted agent. This agent should be deployed in the same virtual network as the AKS cluster. You can then use this agent to create the Service Connection for the private AKS cluster. Private AKS Clusters has the API Server accessible only within the virtual network. This limits the deployments from Hosted Azure DevOps agents. To overcome this, a self-hosted agent within the same virtual network needs to be deployed.

To resolve the issue with the namespace not loading in Azure DevOps, you can try the following steps mentioned here

Also would request you to-
1. Check if the virtual network peering is set up correctly between the AKS cluster and the VM.
2. Ensure that the VM has the necessary network security group rules to allow traffic to and from the AKS cluster.
3. Check if the DNS resolution is working correctly between the VM and the AKS cluster.
4. Try accessing the Kubernetes API server from the VM using kubectl to ensure that it’s accessible.
Follow the document and create a Virtual Network and add the subnets accordingly.
```
az network vnet create 
  --name gov-devops-vnet 
  --resource-group arko-devops 
  --subnet-name default
  
az network vnet subnet create 
  --address-prefixes 10.0.1.0/24
  --name acr-snt 
  --resource-group arko-devops 
  --vnet-name gov-devops-vnet
  
az network vnet subnet create 
  --address-prefixes 10.0.2.0/24
  --name devops-snt 
  --resource-group arko-devops 
  --vnet-name gov-devops-vnet
  
az network vnet subnet create 
  --address-prefixes 10.0.4.0/22
  --name aks-snt 
  --resource-group arko-devops 
  --vnet-name gov-devops-vnet
```
Create a private AKS cluster in the aks-snt subnet

If you need to push an image from your acr then integrate ACR with AKS

Since you have already created a VM in same virtual network and can access AKS kubeapi and am able to create/update/delete resources in AKS cluster. No action required on that front.
Finally create the pipeline and create Service Connections

To create a Service Connection for a private AKS cluster in Azure DevOps, you need to follow these steps:
1. In Azure DevOps, open the Service connections page from the project settings page.
2. Choose + New service connection and select Kubernetes.
3. Fill in the parameters for the service connection.
Same way to link your Azure Container registry,

Finally to run kubectl task against the AKS cluster, Create Service Principal and grant contributor access to the resource group

References:
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.