From 9c0bd8dd43f8169d3c024f6225d973ca615674ad Mon Sep 17 00:00:00 2001 From: DOliana Date: Thu, 20 May 2021 20:53:50 +0200 Subject: [PATCH] Update azure.md updated version of external-dns, added notes for MSI permissions and which roles can be used, fixed mounting of config-file-secret --- docs/tutorials/azure.md | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/docs/tutorials/azure.md b/docs/tutorials/azure.md index 102699bfc..947a657b4 100644 --- a/docs/tutorials/azure.md +++ b/docs/tutorials/azure.md @@ -61,7 +61,7 @@ The `resourceGroup` is the Resource Group created in a previous step. The `aadClientID` and `aaClientSecret` are associated with the Service Principal, that you need to create next. ### Creating service principal -A Service Principal with a minimum access level of `contributor` to the DNS zone(s) and `reader` to the resource group containing the Azure DNS zone(s) is necessary for ExternalDNS to be able to edit DNS records. However, other more permissive access levels will work too (e.g. `contributor` to the resource group or the whole subscription). +A Service Principal with a minimum access level of `DNS Zone Contributor` or `Contributor` to the DNS zone(s) and `Reader` to the resource group containing the Azure DNS zone(s) is necessary for ExternalDNS to be able to edit DNS records. However, other more permissive access levels will work too (e.g. `Contributor` to the resource group or the whole subscription). This is an Azure CLI example on how to query the Azure API for the information required for the Resource Group and DNS zone you would have already created in previous steps. 
@@ -136,7 +136,7 @@ $ kubectl create secret generic azure-config-file --from-file=/local/path/to/azu ### Azure Managed Service Identity (MSI) -If [Azure Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview) is enabled for virtual machines, then there is no need to create separate service principal. +If [Azure Managed Service Identity (MSI)](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview) is enabled for virtual machines, then there is no need to create separate service principal. Note that when granting access the kubeletidentity must be used, not the MSI used for the cluster (it usually has a name in the format -). The contents of `azure.json` should be similar to this: @@ -191,7 +191,7 @@ spec: spec: containers: - name: external-dns - image: k8s.gcr.io/external-dns/external-dns:v0.7.6 + image: k8s.gcr.io/external-dns/external-dns:v0.8.0 args: - --source=service - --source=ingress @@ -206,6 +206,9 @@ spec: - name: azure-config-file secret: secretName: azure-config-file + items: + - key: externaldns-config.json + path: azure.json ``` ### Manifest (for clusters with RBAC enabled, cluster access) @@ -261,7 +264,7 @@ spec: serviceAccountName: external-dns containers: - name: external-dns - image: k8s.gcr.io/external-dns/external-dns:v0.7.6 + image: k8s.gcr.io/external-dns/external-dns:v0.8.0 args: - --source=service - --source=ingress @@ -276,6 +279,9 @@ spec: - name: azure-config-file secret: secretName: azure-config-file + items: + - key: externaldns-config.json + path: azure.json ``` ### Manifest (for clusters with RBAC enabled, namespace access) @@ -331,7 +337,7 @@ spec: serviceAccountName: external-dns containers: - name: external-dns - image: k8s.gcr.io/external-dns/external-dns:v0.7.6 + image: k8s.gcr.io/external-dns/external-dns:v0.8.0 args: - --source=service - --source=ingress 
@@ -346,6 +352,9 @@ spec: - name: azure-config-file secret: secretName: azure-config-file + items: + - key: externaldns-config.json + path: azure.json ``` Create the deployment for ExternalDNS:
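Review bot: in the `@@ -61` hunk the new sentence still presents `DNS Zone Contributor` or `Contributor` together as the "minimum access level", but only `DNS Zone Contributor` is the least-privilege choice; `Contributor` on a zone or resource group grants far more than record management. Suggest stating the minimum as `DNS Zone Contributor` on the DNS zone(s) plus `Reader` on the resource group, and leaving `Contributor` to the following sentence, which already lists the more permissive alternatives. The unchanged context line just above the hunk also carries the typo `aaClientSecret` (the key is `aadClientSecret`), which could be fixed in the same change.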
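Review bot: in the `@@ -136` hunk the phrase "usually has a name in the format -)" has lost its two placeholder tokens, most likely because angle-bracketed names were swallowed as HTML when the markdown was rendered, so the reader only sees a dash. Put the pattern in backticks so it survives rendering, and write `kubeletidentity` either as the plain words "kubelet identity" or as the code property it refers to, since a reader has to tell this identity apart from the cluster's own managed identity before assigning roles; granting `DNS Zone Contributor` to the wrong identity either does nothing for ExternalDNS or over-privileges a component that does not need it. A pointer to how to look the identity up (for example `az aks show --query identityProfile.kubeletidentity`) would make the note actionable.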
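Review bot: in the `@@ -206` hunk (and the identical `items` hunks at `@@ -276` and `@@ -346`) the new mapping selects the secret key `externaldns-config.json`, but the secret in this tutorial is created with `kubectl create secret generic azure-config-file --from-file=/local/path/to/azu…` (see the hunk header), and `--from-file` with a bare path stores the content under the file's basename, not under `externaldns-config.json`. When `items` is set only the listed keys are projected, and a listed key that does not exist in the secret makes the kubelet fail to mount the volume, so the pod never starts. Either create the secret with an explicit key, e.g. `--from-file=externaldns-config.json=/local/path/to/azure.json`, in the earlier step, or drop the `items` block and rely on the file already being mounted under its own name. Whichever way, the `kubectl create secret` command and all three manifests must agree on the key.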