#Import Azure AKS Cluster

Import an existing Azure AKS cluster into the platform for unified management.

#Prerequisites

• The Kubernetes version and parameters on the cluster must meet the Standard Kubernetes Cluster Component Version and Parameter Requirements.

  TIP

  • If AKS nodes cannot access the global cluster, refer to the FAQ: How to configure AKS node external IP security group rules.

• The image registry must support HTTPS access and provide a valid TLS certificate authenticated by a public certification authority.

#Prepare the Operating Environment

To comply with Azure AKS security standards, the following steps must be performed using Cloud Shell.

1. Ensure network connectivity with Azure Console.

2. Open the Kubernetes Services page, locate the cluster you want to import, and click to enter the cluster overview page.

3. Click the Connect button, which will open a floating window titled Connect to <import cluster name>. Follow the instructions to open Cloud Shell and configure the operating environment.

#Obtain Cluster Information

#Obtain Import Clusters Token

The KubeConfig file of public cloud clusters cannot be directly used for cluster import.

Please refer to the FAQ How to obtain cluster information? to obtain the import cluster token.

#Import Cluster

1. In the left navigation bar, click Cluster Management > Clusters.

2. Click Import Cluster.

3. Configure the relevant parameters according to the following instructions.

   Parameter	Description
   Image Registry	The registry that stores platform component images required by the cluster. - Platform Default: The image registry configured when deploying the global cluster. - Private Registry: A pre-built registry that stores platform-required component images. You need to enter the Private Image Registry Address, Port, Username, and Password for accessing the image registry. - Public Registry: Use a public image registry service on the internet. Before use, you must first refer to Update Public Image Registry Cloud Credentials to obtain registry authentication permissions.
   Cluster Information	Tip: Please upload a KubeConfig file, and the platform will automatically parse and fill in the information. Cluster Address: The access address of the API Server exposed by the import cluster, used by the platform to access the import cluster's API Server. CA Certificate: The CA certificate of the import cluster. Authentication Method: The authentication method of the import cluster, which requires using a Token with cluster management permissions created in the previous step for authentication.

4. Click Check Connectivity to verify network connectivity with the import cluster and automatically identify the import cluster type. The cluster type will be displayed as a badge in the upper right corner of the form.

5. After connectivity check passes, click Import and confirm.

   TIP

   • Click the Details icon on the right side of a cluster in Importing status to view the cluster's execution progress (status.conditions) in the popup Execution Progress dialog.
   • After the cluster is successfully imported, you can view the cluster's key information in the cluster list. The cluster status will show as normal, and you can perform cluster-related operations.

#Network Configuration

Ensure the global cluster and the imported cluster have network connectivity. See Network Configuration for Imported Clusters.

#Post-Import Operations

#Ingress (Inbound Rules) and Storage Initialization

After importing the cluster, if you need to use Ingress (inbound rules) and storage-related features, please refer to Azure AKS Cluster Ingress Initialization Configuration and Azure AKS Cluster Storage Initialization Configuration.

#Frequently Asked Questions

#How to configure AKS node external IP security group rules

Nodes only have internal IPs by default. The external IP is configured on a frontend load balancer (LB), which is used for outbound traffic by default. This LB is controlled by the AKS principal. Direct manual modification of this configuration may cause issues. You can allow traffic through Kubernetes > Properties > Infrastructure Resource Group > Network Security Group > Add Outbound/Inbound All Rules.

#How to access AKS node

To view logs of system components such as Kubelet, CNI, and kernel, you need to SSH into the node first. It is recommended to use the kubectl-node-shell plugin instead of assigning public IP addresses to each node.

Option 1: Using kubectl node-shell

Official Link

Option 2: Using debug

Official Link

kubectl debug node/aks-newadd-41368356-vmss000002 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
chroot /host

#Azure ALB using internal load balancer

Refer to Official Link

apiVersion: v1
kind: Service
metadata:
  name: internal-app
  namespace: cpaas-system
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - name: http-port
    port: 80
    protocol: TCP
  - name: https-port
    port: 443
    protocol: TCP
  selector:
    service.cpaas.io/name: deployment-aks-alb
    service_name: alb2-aks-alb

#Azure ALB using external load balancer

Deploy a highly available ALB with the access address configured as the external LB.

apiVersion: v1
kind: Service
metadata:
  name: azure-alb
  namespace: cpaas-system
spec:
  type: LoadBalancer
  ports:
  - name: http-port
    port: 80
    protocol: TCP
  - name: https-port
    port: 443
    protocol: TCP
  - name: prom-port
    port: 11780
    protocol: TCP
  - name: prom2-port
    port: 11781
    protocol: TCP
  - name: prom3-port
    port: 15012
    protocol: TCP
  selector:
    service_name: alb2-cpaas-system

If it has been deployed in advance, you can use the following command to modify it.

kubectl edit helmrequest -n cpaas-system uat-cluster-aks-alb

#The add node button is grayed out after importing the cluster. How to add nodes?

Adding nodes through the platform interface is not supported. Please contact the cluster provider to add nodes.

#What certificates are supported by the certificate management feature for imported clusters?

1. Kubernetes Certificates: All imported clusters only support viewing APIServer certificate information in the platform certificate management interface. Other Kubernetes certificates cannot be viewed and automatic rotation is not supported.

2. Platform Component Certificates: All imported clusters can view platform component certificate information in the platform certificate management interface and support automatic rotation.

#What other features are not supported for imported AKS clusters?

• Audit data retrieval is not supported.

• ETCD, Scheduler, and Controller Manager related monitoring information is not supported. APIServer partial monitoring charts are supported.

• Cluster certificate-related information other than Kubernetes APIServer certificates cannot be retrieved.