
Azure Kubernetes Services

This integration is part of the Azure Kubernetes Services Pack.

Deploy and manage containerized applications with a fully managed Kubernetes service. This integration was integrated and tested with API version 2021-09-01 of AKS.

Authorization#

In both options below, the device authorization grant flow is used.

In order to connect to the Azure Kubernetes Services using either Cortex XSOAR Azure App or the Self-Deployed Azure App:

  1. Fill in the required parameters.
  2. Run the !azure-ks-auth-start command.
  3. Follow the instructions that appear.
  4. Run the !azure-ks-auth-complete command.

At the end of the process, you'll see a message that you've logged in successfully.

Cortex XSOAR Azure App#

In order to use the Cortex XSOAR Azure application, use the default application ID (ab217a43-e09b-4f80-ae93-482fc7a3d1a3).

You only need to fill in your subscription ID and resource group name. For more details, follow Azure Integrations Parameters.

Self-Deployed Azure App#

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.

  • The application must have user_impersonation permission (can be found in API permissions section of the Azure Kubernetes Services app registrations).
  • The application must allow public client flows (can be found under the Authentication section of the Azure Kubernetes Services app registrations).

Configure Azure Kubernetes Services on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Azure Kubernetes Services.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | app_id | Application ID | True |
    | subscription_id | Subscription ID | True |
    | resource_group_name | Resource Group Name | True |
    | azure_ad_endpoint | Azure AD endpoint associated with a national cloud | False |
    | insecure | Trust any certificate (not secure) | False |
    | proxy | Use system proxy settings | False |
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-ks-auth-test#


Tests the connectivity to Azure.

Base Command#

azure-ks-auth-test

Input#

There are no input arguments for this command.

Human Readable Output#

✅ Success!

azure-ks-auth-start#


Run this command to start the authorization process and follow the instructions in the command results.

Base Command#

azure-ks-auth-start

Input#

There are no input arguments for this command.

Human Readable Output#

Authorization instructions#

1. To sign in, use a web browser to open the page:
[https://microsoft.com/devicelogin](https://microsoft.com/devicelogin)
and enter the code **XXXXXXXX** to authenticate.
2. Run the ***!azure-ks-auth-complete*** command in the War Room.

azure-ks-auth-complete#


Run this command to complete the authorization process. Run it after the azure-ks-auth-start command.

Base Command#

azure-ks-auth-complete

Input#

There are no input arguments for this command.

Human Readable Output#

✅ Authorization completed successfully.

azure-ks-auth-reset#


Run this command if for some reason you need to rerun the authentication process.

Base Command#

azure-ks-auth-reset

Input#

There are no input arguments for this command.

Human Readable Output#

Authorization was reset successfully. You can now run !azure-ks-auth-start and !azure-ks-auth-complete.

azure-ks-clusters-list#


Gets a list of managed clusters in the specified subscription.

Base Command#

azure-ks-clusters-list

Input#

There are no input arguments for this command.

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| AzureKS.ManagedCluster.id | String | Resource ID. |
| AzureKS.ManagedCluster.location | String | Resource location. |
| AzureKS.ManagedCluster.name | String | Resource name. |
| AzureKS.ManagedCluster.tags | Unknown | Resource tags. |
| AzureKS.ManagedCluster.type | String | Resource type. |
| AzureKS.ManagedCluster.properties.provisioningState | String | The current deployment or provisioning state, which only appears in the response. |
| AzureKS.ManagedCluster.properties.kubernetesVersion | String | Version of Kubernetes specified when creating the managed cluster. |
| AzureKS.ManagedCluster.properties.maxAgentPools | Number | The maximum number of agent pools for the managed cluster. |
| AzureKS.ManagedCluster.properties.dnsPrefix | String | DNS prefix specified when creating the managed cluster. |
| AzureKS.ManagedCluster.properties.fqdn | String | FQDN for the master pool. |
| AzureKS.ManagedCluster.properties.agentPoolProfiles.name | String | Unique name of the agent pool profile in the context of the subscription and resource group. |
| AzureKS.ManagedCluster.properties.agentPoolProfiles.count | Number | Number of agents (VMs) to host Docker containers. Allowed values must be in the range of 0 to 100 (inclusive) for user pools and in the range of 1 to 100 (inclusive) for system pools. |
| AzureKS.ManagedCluster.properties.agentPoolProfiles.vmSize | String | Size of agent VMs. |
| AzureKS.ManagedCluster.properties.agentPoolProfiles.maxPods | Number | Maximum number of pods that can run on a node. |
| AzureKS.ManagedCluster.properties.agentPoolProfiles.osType | String | The operating system type, either Linux or Windows. |
| AzureKS.ManagedCluster.properties.agentPoolProfiles.provisioningState | String | The current deployment or provisioning state. |
| AzureKS.ManagedCluster.properties.agentPoolProfiles.orchestratorVersion | String | Version of orchestrator specified when creating the managed cluster. |
| AzureKS.ManagedCluster.properties.linuxProfile.adminUsername | String | The name of the administrator account. |
| AzureKS.ManagedCluster.properties.linuxProfile.ssh.publicKeys.keyData | String | Certificate public key used to authenticate with VMs through SSH. |
| AzureKS.ManagedCluster.properties.servicePrincipalProfile.clientId | String | The ID for the service principal. |
| AzureKS.ManagedCluster.properties.nodeResourceGroup | String | Name of the resource group containing agent pool nodes. |
| AzureKS.ManagedCluster.properties.enableRBAC | Boolean | Whether to enable Kubernetes Role-Based Access Control. |
| AzureKS.ManagedCluster.properties.diskEncryptionSetID | String | Resource ID of the disk encryption set to use for enabling encryption at rest. |
| AzureKS.ManagedCluster.properties.networkProfile.networkPlugin | String | Network plugin used for building Kubernetes network. |
| AzureKS.ManagedCluster.properties.networkProfile.podCidr | String | A CIDR notation IP range from which to assign pod IPs when kubenet is used. |
| AzureKS.ManagedCluster.properties.networkProfile.serviceCidr | String | A CIDR notation IP range from which to assign service cluster IPs. |
| AzureKS.ManagedCluster.properties.networkProfile.dnsServiceIP | String | An IP address assigned to the Kubernetes DNS service. |
| AzureKS.ManagedCluster.properties.networkProfile.dockerBridgeCidr | String | A CIDR notation IP range assigned to the Docker bridge network. |
| AzureKS.ManagedCluster.properties.addonProfiles.omsagent.enabled | Boolean | Whether the Operations Management Suite Agent is enabled. |
| AzureKS.ManagedCluster.properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID | String | The resource ID of an existing Log Analytics Workspace to use for storing monitoring data. |
| AzureKS.ManagedCluster.properties.addonProfiles.httpApplicationRouting.enabled | Boolean | Whether the ingress is configured with automatic public DNS name creation. |
| AzureKS.ManagedCluster.properties.addonProfiles.httpApplicationRouting.config.HTTPApplicationRoutingZoneName | String | The subscription DNS zone name. |

Command Example#

!azure-ks-clusters-list

Context Example#

```json
{
  "AzureKS": {
    "ManagedCluster": {
      "id": "/subscriptions/subid1/providers/Microsoft.ContainerService/managedClusters",
      "location": "location1",
      "name": "clustername1",
      "tags": {
        "archv2": "",
        "tier": "production"
      },
      "type": "Microsoft.ContainerService/ManagedClusters",
      "properties": {
        "provisioningState": "Succeeded",
        "kubernetesVersion": "1.9.6",
        "maxAgentPools": 1,
        "dnsPrefix": "dnsprefix1",
        "fqdn": "dnsprefix1-abcd1234.hcp.eastus.azmk8s.io",
        "agentPoolProfiles": [
          {
            "name": "nodepool1",
            "count": 3,
            "vmSize": "Standard_DS1_v2",
            "maxPods": 110,
            "osType": "Linux",
            "provisioningState": "Succeeded",
            "orchestratorVersion": "1.9.6"
          }
        ],
        "linuxProfile": {
          "adminUsername": "azureuser",
          "ssh": {
            "publicKeys": [
              {
                "keyData": "keydata"
              }
            ]
          }
        },
        "servicePrincipalProfile": {
          "clientId": "clientid"
        },
        "nodeResourceGroup": "MC_rg1_clustername1_location1",
        "enableRBAC": false,
        "diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
        "networkProfile": {
          "networkPlugin": "kubenet",
          "podCidr": "10.244.0.0/16",
          "serviceCidr": "10.0.0.0/16",
          "dnsServiceIP": "10.0.0.10",
          "dockerBridgeCidr": "172.17.0.1/16"
        },
        "addonProfiles": {
          "omsagent": {
            "enabled": false,
            "config": {
              "logAnalyticsWorkspaceResourceID": "workspace"
            }
          },
          "httpApplicationRouting": {
            "enabled": true,
            "config": {
              "HTTPApplicationRoutingZoneName": "zone"
            }
          }
        }
      }
    }
  }
}
```
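As an added example (not part of the integration or its documentation), the check below walks the AzureKS.ManagedCluster context that !azure-ks-clusters-list returns and reports settings a defender would want to review, pairing each with the !azure-ks-cluster-addon-update call where this integration can change it. The sample context is constructed from the example above; the finding texts and the NOT_HERE marker are the example's own.

```python
from typing import Any, Dict, List, Tuple

# Constructed from the page's context example (not live data).
SAMPLE_CONTEXT: Dict[str, Any] = {"AzureKS": {"ManagedCluster": {
    "name": "clustername1",
    "location": "location1",
    "properties": {
        "enableRBAC": False,
        "diskEncryptionSetID": "/subscriptions/subid1/resourceGroups/rg1/providers/Microsoft.Compute/diskEncryptionSets/des",
        "addonProfiles": {
            "omsagent": {"enabled": False, "config": {"logAnalyticsWorkspaceResourceID": "workspace"}},
            "httpApplicationRouting": {"enabled": True, "config": {"HTTPApplicationRoutingZoneName": "zone"}},
        },
    },
}}}

NOT_HERE = "not changeable through this integration; fix in Azure"


def audit_cluster(cluster: Dict[str, Any]) -> List[Tuple[str, str]]:
    """Return (finding, remediation) pairs for one ManagedCluster context entry."""
    name, loc = cluster.get("name", "?"), cluster.get("location", "?")
    props = cluster.get("properties") or {}
    addons = props.get("addonProfiles") or {}
    # Remediation uses the page's own update command where the add-on is adjustable.
    update = f"!azure-ks-cluster-addon-update resource_name={name} location={loc}"
    findings: List[Tuple[str, str]] = []
    if not props.get("enableRBAC"):
        findings.append(("Kubernetes RBAC is disabled", NOT_HERE))
    if not props.get("diskEncryptionSetID"):
        findings.append(("no disk encryption set (platform-managed keys only)", NOT_HERE))
    if not (addons.get("omsagent") or {}).get("enabled"):
        findings.append(("Log Analytics monitoring agent (omsagent) is disabled",
                         f"{update} monitoring_agent_enabled=true"))
    routing = addons.get("httpApplicationRouting") or {}
    if routing.get("enabled"):
        zone = (routing.get("config") or {}).get("HTTPApplicationRoutingZoneName", "?")
        findings.append((f"HTTP application routing publishes public DNS names in zone '{zone}'",
                         f"{update} http_application_routing_enabled=false"))
    return findings


def audit_context(context: Dict[str, Any]) -> Dict[str, List[Tuple[str, str]]]:
    """Accept the context whether ManagedCluster holds one cluster (dict) or several (list)."""
    clusters = context.get("AzureKS", {}).get("ManagedCluster") or []
    if isinstance(clusters, dict):
        clusters = [clusters]
    return {c.get("name", "?"): audit_cluster(c) for c in clusters}
```

Run it over the context of a real !azure-ks-clusters-list call (for example from a playbook task) to get a per-cluster list of review items.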

Human Readable Output#

AKS Clusters List#

| Name | Status | Location | Tags | Kubernetes version | API server address | Network type (plugin) |
| --- | --- | --- | --- | --- | --- | --- |
| clustername1 | Succeeded | location1 | tier: production | 1.9.6 | dnsprefix1-abcd1234.hcp.eastus.azmk8s.io | kubenet |

azure-ks-cluster-addon-update#


Updates a managed cluster with the specified configuration.

Base Command#

azure-ks-cluster-addon-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| resource_name | The name of the managed cluster resource. Can be retrieved using the azure-ks-clusters-list command. | Required |
| location | Resource location. Possible values are: australiacentral, australiacentral2, australiaeast, australiasoutheast, brazilse, brazilsouth, canadacentral, canadaeast, centralfrance, centralindia, centralus, centraluseuap, eastasia, eastus, eastus2, eastus2euap, germanyn, germanywc, japaneast, japanwest, koreacentral, koreasouth, northcentralus, northeurope, norwaye, norwayw, southafricanorth, southafricawest, southcentralus, southeastasia, southfrance, southindia, switzerlandn, switzerlandw, uaecentral, uaenorth, uknorth, uksouth, uksouth2, ukwest, westcentralus, westeurope, westindia, westus, westus2. | Required |
| http_application_routing_enabled | Whether to configure ingress with automatic public DNS name creation. Possible values are: true, false. | Optional |
| monitoring_agent_enabled | Whether to turn on Log Analytics monitoring. If enabled and monitoring_resource_id is not specified, will use the current configured workspace resource ID. Possible values are: true, false. | Optional |
| monitoring_resource_name | The name of an existing Log Analytics Workspace to use for storing monitoring data. Can be retrieved in the Log Analytics workspace from the Azure portal. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!azure-ks-cluster-addon-update resource_name=aks-integration location=westus http_application_routing_enabled=true

Human Readable Output#

The request to update the managed cluster was sent successfully.