This guide walks you through securely connecting your Azure Kubernetes Service (AKS) clusters to PointFive.
To see the list of available AKS clusters to integrate, go to Integrations > AKS.
You can connect both public and private clusters, using either Azure RBAC or Kubernetes RBAC authentication.
For public clusters, PointFive connects directly to the AKS control plane using its DNS endpoint.
For private clusters, PointFive initiates a secure PrivateLink connection between the AKS cluster control plane and PointFive. The connection request remains pending until the customer approves it.
Please Note: AKS PrivateLink can currently be approved from the Azure Console or Azure REST API. Azure CLI is not yet supported.
Each section below corresponds to one connection mode displayed in the PointFive UI. PointFive will automatically identify the type of your cluster and authentication method and will show you the relevant steps to integrate your AKS cluster.
To connect a cluster, click the Connect button next to it.
Integration Steps
Prerequisites:
Please make sure the PointFive service principal has been granted the following roles at the management group level:
Azure Kubernetes Service Cluster User Role
Azure Kubernetes Service RBAC Reader
You can run the following commands to assign the roles. Make sure to replace SERVICE_PRINCIPAL_APP_ID and MANAGEMENT_GROUP_ID with your own values.
az role assignment create --role "Azure Kubernetes Service RBAC Reader" --assignee <SERVICE_PRINCIPAL_APP_ID> --scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>"
az role assignment create --role "Azure Kubernetes Service Cluster User Role" --assignee <SERVICE_PRINCIPAL_APP_ID> --scope "/providers/Microsoft.Management/managementGroups/<MANAGEMENT_GROUP_ID>"
1. Public Cluster + Azure RBAC
Steps:
PointFive will initiate a connection to your AKS cluster.
Once the connection begins, you’ll see a loading indicator.
If a connection issue occurs, the system will prompt you with the relevant error message.
When successful, you’ll see the confirmation screen — “Almost there!”
2. Public Cluster + Kubernetes RBAC
Steps:
Apply the ClusterRoleBinding snippet to your AKS cluster (see the reference below).
Click Connect. Once the connection begins, you’ll see a loading indicator.
If the connection fails, the system will prompt you with the relevant error message.
Once complete, you’ll see the “Almost there!” success screen.
3. Public (Limited) Cluster + Azure RBAC
Steps:
Add PointFive’s IPs to your cluster’s authorized IP list:
Navigate to your cluster in the Azure portal.
Open the Networking tab.
Add the IPs provided by PointFive under Authorized IP ranges.
44.210.32.226,
50.19.113.28,
34.206.248.51
Click Connect. Once the connection begins, you’ll see a loading indicator.
If the connection fails, the system will prompt you with the relevant error message.
You’ll see “Almost there!” once setup completes.
(Screenshot: IP config → Connecting → Error → Success)
4. Public (Limited) Cluster + Kubernetes RBAC
Steps:
Add PointFive’s IPs to your cluster’s authorized IP list:
Navigate to your cluster in the Azure portal.
Open the Networking tab.
Add the IPs provided by PointFive under Authorized IP ranges.
44.210.32.226,
50.19.113.28,
34.206.248.51
Apply the provided ClusterRoleBinding YAML (see below).
Click Connect. Once the connection begins, you’ll see a loading indicator.
If the connection fails, the system will prompt you with the relevant error message.
Successful connection will show the “Almost there!” message.
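For the Authorized IP ranges step in sections 3 and 4, the following added example (not PointFive's own code) checks a cluster's `az aks show -o json` output to confirm that the three listed IPs are covered and that no entry is wider than needed. The sample documents and the /24 threshold are constructed assumptions.

```python
import ipaddress
import json

# The three addresses this page lists for the Authorized IP ranges step.
POINTFIVE_IPS = ["44.210.32.226", "50.19.113.28", "34.206.248.51"]
MAX_ADDRESSES = 256  # assumed review threshold: flag anything wider than a /24


def check_authorized_ranges(aks_show_json):
    """Report listed IPs that are not covered and ranges that are overly wide."""
    cluster = json.loads(aks_show_json)
    profile = cluster.get("apiServerAccessProfile") or {}
    nets = [ipaddress.ip_network(r, strict=False)
            for r in profile.get("authorizedIpRanges") or []]
    missing = [ip for ip in POINTFIVE_IPS
               if not any(ipaddress.ip_address(ip) in n for n in nets)]
    broad = [str(n) for n in nets if n.num_addresses > MAX_ADDRESSES]
    return {"restricted": bool(nets), "missing": missing, "broad": broad}


# Constructed samples shaped like `az aks show -o json` output (trimmed).
PARTIAL = json.dumps({"name": "demo-aks", "apiServerAccessProfile": {
    "authorizedIpRanges": ["44.210.32.226/32", "50.19.113.28", "203.0.113.0/24"]}})
TOO_WIDE = json.dumps({"name": "demo-aks", "apiServerAccessProfile": {
    "authorizedIpRanges": ["44.0.0.0/8"]}})
UNRESTRICTED = json.dumps({"name": "demo-aks", "apiServerAccessProfile": None})

if __name__ == "__main__":
    for label, doc in (("partial", PARTIAL), ("too wide", TOO_WIDE),
                       ("unrestricted", UNRESTRICTED)):
        print(label, check_authorized_ranges(doc))
```

A range such as 44.0.0.0/8 does cover one of the listed IPs, but it is reported under "broad" because it admits far more than the single address the step calls for.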
5. Private Cluster + Azure RBAC
Steps:
Once initiated, a secure PrivateLink connection will be established between your AKS cluster and PointFive.
Complete the process by applying the provided PrivateLink Approval snippet in your Azure environment to grant access and accept the handshake request.
Click Connect. Once the connection begins, you’ll see a loading indicator.
If the connection fails, the system will prompt you with the relevant error message.
You’ll see “Almost there!” when the connection is finalized.
6. Private Cluster + Kubernetes RBAC
Steps:
Apply the displayed ClusterRoleBinding YAML to your cluster (see the reference below).
Initiate the PrivateLink setup for network connectivity between your AKS cluster and PointFive.
Complete the process by applying the provided PrivateLink Approval snippet in your Azure environment to grant access and accept the handshake request.
Click Connect. Once the connection begins, you’ll see a loading indicator.
If the connection fails, the system will prompt you with the relevant error message.
You’ll see “Almost there!” when the connection is finalized.
ClusterRole
# Binds the subject to the pointfive:view ClusterRole defined below.
# {{ .SubjectKind }} and {{ .SubjectName }} are template placeholders for that subject.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pointfive:view
subjects:
  - kind: {{ .SubjectKind }}
    name: "{{ .SubjectName }}"
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: pointfive:view
  apiGroup: rbac.authorization.k8s.io
---
# Read-only role: every rule below grants only get, list and watch.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pointfive:view
rules:
  - apiGroups: ["apps"]
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["autoscaling"]
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["batch"]
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["discovery.k8s.io"]
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["extensions"]
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["networking.k8s.io"]
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["policy"]
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - services
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - limitranges
      - namespaces/status
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources:
      - namespaces
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups: ["metrics.k8s.io"]
    resources:
      - pods
      - nodes
    verbs:
      - get
      - list
      - watch
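To confirm that the role applied to a cluster is still read-only, the following added example (not PointFive's own code) audits the rules of a ClusterRole exported with `kubectl get clusterrole pointfive:view -o json`. The deny list of sensitive resources and both sample roles are constructed assumptions.

```python
import json

READ_ONLY_VERBS = {"get", "list", "watch"}
# Assumed deny list for this review: resources that expose credentials or a shell.
SENSITIVE = {"secrets", "pods/exec", "pods/attach", "pods/portforward",
             "serviceaccounts/token"}


def audit_cluster_role(role):
    """Return a list of findings; an empty list means every rule is read-only."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        extra = verbs - READ_ONLY_VERBS  # also catches the "*" verb
        if extra:
            findings.append("rule %d: non-read verbs %s" % (i, sorted(extra)))
        if "*" in resources or "*" in rule.get("apiGroups", []):
            findings.append("rule %d: wildcard resource or API group" % i)
        for res in sorted(resources & SENSITIVE):
            findings.append("rule %d: sensitive resource %s" % (i, res))
        if rule.get("nonResourceURLs"):
            findings.append("rule %d: nonResourceURLs present" % i)
    return findings


# Constructed sample: three rules taken from the role on this page, as JSON.
PAGE_ROLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "pointfive:view"}, "rules": [
  {"apiGroups": ["apps"], "resources": ["deployments", "deployments/scale"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["namespaces", "nodes"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"],
   "verbs": ["get", "list", "watch"]}]}
""")

# Constructed counter-example: a role that has drifted beyond read-only.
DRIFTED_ROLE = {"rules": [
    {"apiGroups": [""], "resources": ["pods", "secrets"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}

if __name__ == "__main__":
    for name, role in (("page", PAGE_ROLE), ("drifted", DRIFTED_ROLE)):
        print(name, audit_cluster_role(role) or "read-only")
```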