Azure Arc allows you to connect your Kubernetes cluster to Azure. Connecting a cluster to Azure has many benefits, including application deployment, monitoring, threat detection, and cluster management.

This series is broken into 3 parts:

Note

To connect a Kubernetes cluster to Azure Arc today, at least one of the nodes needs to be Linux/Amd64.

Connecting the Cluster to Azure

Part 2 will demonstrate how to connect the previously created cluster to Azure Arc and will involve installing the Azure CLI and Kubernetes extensions, connecting the cluster, and creating a service token to allow Azure management.

Install Azure CLI

Within the WSL2 Linux container, we will install the Azure CLI and the required extensions that will be used to connect the cluster to Azure Arc.

  1. Install the pip package manager:
$ sudo apt install python3-pip
  2. Install the Azure CLI (the install script needs root to add the package repository and install the package):
$ curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
  3. Log in to Azure:
$ az login
  4. Install the K8s extensions:
$ az extension add --name connectedk8s
$ az extension add --name k8sconfiguration
  5. Register the Azure Kubernetes providers:
$ az provider register -n Microsoft.Kubernetes
$ az provider register -n Microsoft.KubernetesConfiguration
  6. Monitor the registration until it completes; this can take up to 10 minutes:
$ az provider show -n Microsoft.Kubernetes -o table
$ az provider show -n Microsoft.KubernetesConfiguration -o table

Connect the Cluster to Azure

With the Azure CLI and the required extensions installed in the WSL2 Linux container, we can now use them to connect the cluster to Azure Arc.

  1. Copy the config file to the .kube user directory:
$ mkdir -p ~/.kube
$ sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
$ sudo chown $USER ~/.kube/config
  2. Connect the cluster to Azure; this takes around 5 minutes:
$ az connectedk8s connect --name RPI-K3S --resource-group Arc
  3. View the Azure Arc agents and make sure they are all running:
$ sudo k3s kubectl get deployments,pods -n azure-arc

NAME                                            READY  UP-TO-DATE  AVAILABLE  AGE
deployment.apps/flux-logs-agent                 1/1    1           1          4m53s
deployment.apps/extension-manager               1/1    1           1          4m53s
deployment.apps/metrics-agent                   1/1    1           1          4m53s
deployment.apps/clusteridentityoperator         1/1    1           1          4m53s
deployment.apps/resource-sync-agent             1/1    1           1          4m53s
deployment.apps/controller-manager              1/1    1           1          4m53s
deployment.apps/cluster-metadata-operator       1/1    1           1          4m53s
deployment.apps/clusterconnect-agent            1/1    1           1          4m53s
deployment.apps/config-agent                    1/1    1           1          4m53s
deployment.apps/kube-aad-proxy                  1/1    1           1          4m53s

NAME                                            READY  STATUS   RESTARTS  AGE
pod/flux-logs-agent-68bc745586-8567v            1/1    Running  0         4m53s
pod/extension-manager-85f4754fbf-7lpbz          2/2    Running  0         4m53s
pod/metrics-agent-7d6844cd4c-t9f6l              2/2    Running  0         4m53s
pod/clusteridentityoperator-8df89fd55-dtvlw     2/2    Running  0         4m53s
pod/resource-sync-agent-5d755f9d6f-gqdwz        2/2    Running  0         4m53s
pod/controller-manager-7fcbd6585d-stqpz         2/2    Running  0         4m53s
pod/cluster-metadata-operator-855c68dcf8-zqft6  2/2    Running  0         4m53s
pod/clusterconnect-agent-77496f7c5c-n8g9g       3/3    Running  0         4m53s
pod/config-agent-76d496c6cd-dz4pf               2/2    Running  0         4m53s
pod/kube-aad-proxy-7d5f558f6d-9gcjv             2/2    Running  0         4m53s

At this point, the Azure Arc resource “RPI-K3S” will be present in the Azure Portal.

Enable Cluster Connect

Creating a service token allows secure connection to an Azure Arc-enabled cluster without requiring an inbound port to be enabled on the firewall. Without the token, you will most likely be prompted to sign in when viewing the Azure resource.

  1. Create a service account called arc-user:
$ sudo k3s kubectl create serviceaccount arc-user
  2. Grant the account permissions on the cluster (this binds the built-in cluster-admin role, which gives the token full control of the cluster):
$ sudo k3s kubectl create clusterrolebinding arc-user-binding --clusterrole cluster-admin --serviceaccount default:arc-user
  3. Create a service account token for the new account:
$ sudo k3s kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: arc-user-secret
  annotations:
    kubernetes.io/service-account.name: arc-user
type: kubernetes.io/service-account-token
EOF
  4. Get the newly created token:
$ sudo k3s kubectl get secret arc-user-secret -o jsonpath='{$.data.token}' | base64 -d | sed $'s/$/\\n/g'
  5. Go to the “RPI-K3S” resource in the Azure Portal. Choose Kubernetes resources | Workloads to view the workloads for the cluster. You will be prompted to enter a Service account bearer token. Enter the token generated above.
  6. You can now view the workloads and other details of the Azure Arc-enabled cluster!
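
The token created above comes from a Secret of type kubernetes.io/service-account-token, so it carries no expiry claim and stays valid until the Secret or the service account is deleted, and here it is bound to cluster-admin. The script below is an added example, not part of the original post: it decodes a token's claims locally to show which identity it carries and whether it expires. The helper function names and the sample token are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the claims of a Kubernetes service-account token offline.

# Decode one base64url segment (JWT segments use -_ for +/ and drop '=' padding).
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="$seg==" ;;
    3) seg="$seg=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Encode a string as an unpadded base64url segment (used only for the sample).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'
}

# Print the JSON claims, i.e. the second dot-separated segment of the token.
jwt_claims() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Print the identity the API server will authenticate this token as.
token_subject() {
  jwt_claims "$1" | sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Print "bounded" if the token has an exp claim, otherwise "non-expiring".
token_expiry() {
  if jwt_claims "$1" | grep -q '"exp"[[:space:]]*:'; then
    echo bounded
  else
    echo non-expiring
  fi
}

# Build an unsigned, CONSTRUCTED sample token from a claims string (demo only).
make_sample_token() {
  printf '%s.%s.%s' "$(b64url_encode '{"alg":"RS256"}')" "$(b64url_encode "$1")" "constructed-signature"
}

# Constructed claims in the shape of a Secret-based token for arc-user.
LEGACY_CLAIMS='{"iss":"kubernetes/serviceaccount","kubernetes.io/serviceaccount/secret.name":"arc-user-secret","sub":"system:serviceaccount:default:arc-user"}'
sample=$(make_sample_token "$LEGACY_CLAIMS")
echo "subject: $(token_subject "$sample")"
echo "expiry:  $(token_expiry "$sample")"

# Against the real token from the step above:
#   token_expiry "$(sudo k3s kubectl get secret arc-user-secret -o jsonpath='{.data.token}' | base64 -d)"
```

Deleting the arc-user-secret Secret revokes the token; treat the token like a cluster-admin password until then.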

Cleaning Up

If you decide that you no longer want to have the cluster connected to Azure Arc, execute the following commands on the WSL2 instance to remove the connection and delete the Azure resource.

$ az connectedk8s delete --name RPI-K3S --resource-group Arc
$ sudo k3s kubectl -n azure-arc delete pods,svc --all

Next Steps

Stay tuned for Part 3 – Deploying a workload to the Kubernetes cluster via Azure Arc.