Skip to main content

Azure Kubernetes Services

This Integration is part of the Azure Kubernetes Services Pack.#

Deploy and manage containerized applications with a fully managed Kubernetes service. This integration was integrated and tested with API version 2023-02-01 of AKS.

In order to connect to the AzureKubernetesServices using either Cortex XSOAR Azure App or the Self-Deployed Azure App, use one of the following methods:

  • Authorization Code Flow (Recommended).
  • Device Code Flow.
  • Azure Managed Identities
  • Client Credentials Flow.

Self-Deployed Application#

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.

  • The application must have user_impersonation permission (can be found in API permissions section of the Azure Kubernetes Services app registrations).
  • The application must allow public client flows (can be found under the Authentication section of the Azure Kubernetes Services app registrations).
  • The application must allow public client flows (found under the Authentication section of the app) for Device-code based authentications.

In case you want to use Device code flow, you must allow public client flows (can be found under the Authentication section of the app).

Authentication Using the User - Authentication Flow#

Follow these steps for a self-deployed configuration:

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to the following Microsoft article steps 1-8.
  2. choose the user_auth_flow option in the Authentication Type parameter.
  3. Enter your Client/Application ID in the Application ID parameter.
  4. Enter your Client Secret in the Client Secret parameter.
  5. Enter your Tenant ID in the Tenant ID parameter.
  6. Enter your Application redirect URI in the Application redirect URI parameter.
  7. Save the instance.
  8. Run the !azure-ks-generate-login-url command in the War Room and follow the instruction.
  9. Run the !azure-ks-auth-test command - a 'Success' message should be printed to the War Room.

Authentication Using the Device Code Flow#

Follow these steps for a self-deployed configuration:

  1. Fill in the required parameters.
  2. choose the 'Device' option in the user_auth_flow parameter.
  3. Run the !azure-ks-auth-start command.
  4. Follow the instructions that appear.
  5. Run the !azure-ks-auth-complete command.

At end of the process you'll see a message that you've logged in successfully.

Cortex XSOAR Azure App#

In order to use the Cortex XSOAR Azure application, use the default application ID (ab217a43-e09b-4f80-ae93-482fc7a3d1a3).

Client Credentials Flow Authentication#

Assign Azure roles using the Azure portal Microsoft article Note: In the Select members section, assign the application you created earlier. To configure a Microsoft integration that uses this authorization flow with a self-deployed Azure application:

  1. In the Authentication Type field, select the Client Credentials option.
  2. In the Application ID field, enter your Client/Application ID.
  3. In the Tenant ID field, enter your Tenant ID .
  4. In the Client Secret field, enter your Client Secret.
  5. Click Test to validate the URLs, token, and connection
  6. Save the instance.

Testing authentication and connectivity#

If you are using Device Code Flow or Authorization Code Flow, for testing your authentication and connectivity to the Azure Kubernetes Services service run the !azure-ks-auth-test command. If you are using Client Credentials Flow, click Test when you are configuring the instance.

Configure Azure Kubernetes Services on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Azure Kubernetes Services.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Azure CloudAzure Cloud the K8S cluster resides in. See table below.False
    app_idApplication IDFalse
    Default subscription_idSubscription ID. There are two options to set the specified value, either in the configuration or directly within the commands. However, setting values in both places will cause an override by the command value.True
    Default resource_group_nameResource Group Name. There are two options to insert the specified value, either in the configuration or directly within the commands. However, setting values in both places will cause an override by the command value.True
    azure_ad_endpointAzure AD endpoint associated with a national cloud. See note below.False
    insecureTrust any certificate (not secure)False
    proxyUse system proxy settingsFalse
    Tenant IDTenant IDFalse
    Client SecretEncryption key given by the adminFalse
    Authentication TypeThe request authentication type for the instanceFalse
    Authorization codeReceived from the authorization stepFalse
    Application redirect URIThe redirect URI entered in the Azure portalFalse
    Azure Managed Identities Client IDThe managed identities client ID for authentication. Relevant only if the integration is running on Azure VM.False
  4. Azure cloud options

    Azure CloudDescription
    WorldwideThe publicly accessible Azure Cloud
    US GCCAzure cloud for the USA Government Cloud Community (GCC)
    US GCC-HighAzure cloud for the USA Government Cloud Community High (GCC-High)
    DoDAzure cloud for the USA Department of Defense (DoD)
    GermanyAzure cloud for the German Government
    ChinaAzure cloud for the Chinese Government
    CustomCustom endpoint configuration to the Azure cloud. See note below.
    • Note: In most cases, setting Azure cloud is preferred to setting Azure AD endpoint. Only use it in cases where a custom proxy URL is required for accessing a national cloud.
  5. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-ks-auth-test#


Tests the connectivity to Azure.

Base Command#

azure-ks-auth-test

Input#

There are no input arguments for this command.

Human Readable Output#

✅ Success!

azure-ks-auth-start#


Run this command to start the authorization process and follow the instructions in the command results.

Base Command#

azure-ks-auth-start

Input#

There are no input arguments for this command.

Human Readable Output#

Authorization instructions#

1. To sign in, use a web browser to open the page:
[https://microsoft.com/devicelogin](https://microsoft.com/devicelogin)
and enter the code **XXXXXXXX** to authenticate.
2. Run the ***!azure-ks-auth-complete*** command in the War Room.

azure-ks-auth-complete#


Run this command to complete the authorization process. Should be used after running the azure-ks-auth-start command.

Base Command#

azure-ks-auth-complete

Input#

There are no input arguments for this command.

Human Readable Output#

✅ Authorization completed successfully.

azure-ks-auth-reset#


Run this command if for some reason you need to rerun the authentication process.

Base Command#

azure-ks-auth-reset

Input#

There are no input arguments for this command.

Human Readable Output#

Authorization was reset successfully. You can now run !azure-ks-auth-start and !azure-ks-auth-complete.

azure-ks-clusters-list#


Gets a list of managed clusters in the specified subscription.

Base Command#

azure-ks-clusters-list

Input#

Argument NameDescriptionRequired
subscription_idThe subscription ID. Note: This argument will override the instance parameter ‘Default Subscription ID'.Optional

Context Output#

PathTypeDescription
AzureKS.ManagedCluster.idStringResource ID.
AzureKS.ManagedCluster.locationStringResource location.
AzureKS.ManagedCluster.nameStringResource name.
AzureKS.ManagedCluster.tagsUnknownResource tags.
AzureKS.ManagedCluster.typeStringResource type.
AzureKS.ManagedCluster.properties.provisioningStateStringThe current deployment or provisioning state, which only appears in the response.
AzureKS.ManagedCluster.properties.kubernetesVersionStringVersion of Kubernetes specified when creating the managed cluster.
AzureKS.ManagedCluster.properties.maxAgentPoolsNumberThe maximum number of agent pools for the managed cluster.
AzureKS.ManagedCluster.properties.dnsPrefixStringDNS prefix specified when creating the managed cluster.
AzureKS.ManagedCluster.properties.fqdnStringFQDN for the master pool.
AzureKS.ManagedCluster.properties.agentPoolProfiles.nameStringUnique name of the agent pool profile in the context of the subscription and resource group.
AzureKS.ManagedCluster.properties.agentPoolProfiles.countNumberNumber of agents (VMs) to host Docker containers. Allowed values must be in the range of 0 to 100 (inclusive) for user pools and in the range of 1 to 100 (inclusive) for system pools.
AzureKS.ManagedCluster.properties.agentPoolProfiles.vmSizeStringSize of agent VMs.
AzureKS.ManagedCluster.properties.agentPoolProfiles.maxPodsNumberMaximum number of pods that can run on a node.
AzureKS.ManagedCluster.properties.agentPoolProfiles.osTypeStringThe operating system type, either Linux or Windows.
AzureKS.ManagedCluster.properties.agentPoolProfiles.provisioningStateStringThe current deployment or provisioning state.
AzureKS.ManagedCluster.properties.agentPoolProfiles.orchestratorVersionStringVersion of the orchestrator specified when creating the managed cluster.
AzureKS.ManagedCluster.properties.linuxProfile.adminUsernameStringThe name of the administrator account.
AzureKS.ManagedCluster.properties.linuxProfile.ssh.publicKeys.keyDataStringCertificate public key used to authenticate with VMs through SSH.
AzureKS.ManagedCluster.properties.servicePrincipalProfile.clientIdStringThe ID for the service principal.
AzureKS.ManagedCluster.properties.nodeResourceGroupStringName of the resource group containing agent pool nodes.
AzureKS.ManagedCluster.properties.enableRBACBooleanWhether to enable Kubernetes Role-Based Access Control (RBAC).
AzureKS.ManagedCluster.properties.diskEncryptionSetIDStringResource ID of the disk encryption set to use for enabling encryption at rest.
AzureKS.ManagedCluster.properties.networkProfile.networkPluginStringNetwork plugin used for building Kubernetes network.
AzureKS.ManagedCluster.properties.networkProfile.podCidrStringA CIDR notation IP range from which to assign pod IPs when kubenet is used.
AzureKS.ManagedCluster.properties.networkProfile.serviceCidrStringA CIDR notation IP range from which to assign service cluster IPs.
AzureKS.ManagedCluster.properties.networkProfile.dnsServiceIPStringAn IP address assigned to the Kubernetes DNS service.
AzureKS.ManagedCluster.properties.networkProfile.dockerBridgeCidrStringA CIDR notation IP range assigned to the Docker bridge network.
AzureKS.ManagedCluster.properties.addonProfiles.omsagent.enabledBooleanWhether the Operations Management Suite Agent is enabled.
AzureKS.ManagedCluster.properties.addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceIDStringThe resource ID of an existing Log Analytics Workspace to use for storing monitoring data.
AzureKS.ManagedCluster.properties.addonProfiles.httpApplicationRouting.enabledBooleanWhether the ingress is configured with automatic public DNS name creation.
AzureKS.ManagedCluster.properties.addonProfiles.httpApplicationRouting.config.HTTPApplicationRoutingZoneNameStringThe subscription DNS zone name.

Command Example#

!azure-ks-clusters-list

Context Example#

{
"AzureKS": {
"ManagedCluster": {
"id": "/subscriptions/00000000/resourcegroups/aks-integration/providers/Microsoft.ContainerService/managedClusters/aks-integration",
"identity": {
"principalId": "000000000000000000",
"tenantId": "000000000000000",
"type": "SystemAssigned"
},
"location": "westus",
"name": "aks-integration",
"properties": {
"addonProfiles": {
"azurepolicy": {
"config": null,
"enabled": false
},
"httpApplicationRouting": {
"config": {
"HTTPApplicationRoutingZoneName": "a6ec8d.westus.aksapp.io"
},
"enabled": true,
"identity": {
"clientId": "0000000",
"objectId": "000000",
"resourceId": "/subscriptions/00000000/resourcegroups/MC_aks-integration_aks-integration_westus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/httpapplicationrouting-aks-integration"
}
},
"omsagent": {
"config": {
"logAnalyticsWorkspaceResourceID": "/subscriptions/00000000/resourceGroups/DefaultResourceGroup-WUS/providers/Microsoft.OperationalInsights/workspaces/tesrt"
},
"enabled": false
}
},
"agentPoolProfiles": [
{
"count": 1,
"currentOrchestratorVersion": "1.21.7",
"enableAutoScaling": true,
"enableFIPS": false,
"enableNodePublicIP": false,
"kubeletDiskType": "OS",
"maxCount": 5,
"maxPods": 110,
"minCount": 1,
"mode": "System",
"name": "agentpool",
"nodeImageVersion": "AKSUbuntu-1804gen2containerd-2021.12.07",
"orchestratorVersion": "1.21.7",
"osDiskSizeGB": 128,
"osDiskType": "Managed",
"osSKU": "Ubuntu",
"osType": "Linux",
"powerState": {
"code": "Running"
},
"provisioningState": "Succeeded",
"tags": {
"type": "aks-slb-managed-outbound-ip"
},
"type": "VirtualMachineScaleSets",
"vmSize": "Standard_DS2_v2"
}
],
"azurePortalFQDN": "aks-integration-dns.portal.hcp.westus.azmk8s.io",
"currentKubernetesVersion": "1.21.7",
"dnsPrefix": "aks-integration-dns",
"enableRBAC": true,
"fqdn": "aks-integration-dns.hcp.westus.azmk8s.io",
"identityProfile": {
"kubeletidentity": {
"clientId": "000000000000",
"objectId": "0000000000",
"resourceId": "/subscriptions/00000000/resourcegroups/MC_aks-integration_aks-integration_westus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-integration-agentpool"
}
},
"kubernetesVersion": "1.21.7",
"maxAgentPools": 100,
"networkProfile": {
"dnsServiceIP": "8.8.8.8",
"dockerBridgeCidr": "8.8.8.8/8",
"loadBalancerProfile": {
"effectiveOutboundIPs": [
{
"id": "/subscriptions/00000000/resourceGroups/MC_aks-integration_aks-integration_westus/providers/Microsoft.Network/publicIPAddresses/81661302-1ebc-450b"
}
],
"managedOutboundIPs": {
"count": 1
}
},
"loadBalancerSku": "Standard",
"networkPlugin": "kubenet",
"outboundType": "loadBalancer",
"podCidr": "8.8.8.8",
"serviceCidr": "8.8.8./8"
},
"nodeResourceGroup": "MC_aks-integration_aks-integration_westus",
"oidcIssuerProfile": {
"enabled": false
},
"powerState": {
"code": "Running"
},
"provisioningState": "Succeeded",
"securityProfile": {},
"servicePrincipalProfile": {
"clientId": "msi"
},
"storageProfile": {
"diskCSIDriver": {
"enabled": true
},
"fileCSIDriver": {
"enabled": true
},
"snapshotController": {
"enabled": true
}
},
"workloadAutoScalerProfile": {}
},
"sku": {
"name": "Base",
"tier": "Free"
},
"tags": {
"type": "aks-slb-managed-outbound-ip"
},
"type": "Microsoft.ContainerService/ManagedClusters"
}
}
}

Human Readable Output#

AKS Clusters List#

NameStatusLocationTagsKubernetes versionAPI server addressNetwork type (plugin)
aks-integrationSucceededwestustype: aks-slb-managed-outbound-ip1.21.7aks-integration-dns.hcp.westus.azmk8s.iokubenet

azure-ks-cluster-addon-update#


Updates a managed cluster with the specified configuration.

Base Command#

azure-ks-cluster-addon-update

Input#

Argument NameDescriptionRequired
subscription_idThe subscription ID. Note: This argument will override the instance parameter ‘Default Subscription ID'.Optional
resource_group_nameThe resource group name. Note: This argument will override the instance parameter ‘Default Resource Group Name'.Optional
resource_nameThe name of the managed cluster resource. Can be retrieved using the azure-ks-clusters-list command.Required
locationResource location. Can be retrieved using the azure-ks-clusters-list command. Possible values are: australiacentral, australiacentral2, australiaeast, australiasoutheast, brazilse, brazilsouth, canadacentral, canadaeast, centralfrance, centralindia, centralus, centraluseuap, eastasia, eastus, eastus2, eastus2euap, germanyn, germanywc, japaneast, japanwest, koreacentral, koreasouth, northcentralus, northeurope, norwaye, norwayw, southafricanorth, southafricawest, southcentralus, southeastasia, southfrance, southindia, switzerlandn, switzerlandw, uaecentral, uaenorth, uknorth, uksouth, uksouth2, ukwest, westcentralus, westeurope, westindia, westus, westus2.Required
http_application_routing_enabledWhether to configure ingress with automatic public DNS name creation. Possible values are: true, false.Optional
monitoring_agent_enabledWhether to turn on Log Analytics monitoring. If enabled and monitoring_resource_id is not specified, will use the current configured workspace resource ID. Possible values: "true" and "false". Possible values are: true, false.Optional
monitoring_resource_nameThe name of an existing Log Analytics workspace to use for storing monitoring data. Can be retrieved in the Log Analytics workspace from the Azure portal.Optional

Context Output#

There is no context output for this command.

Command Example#

!azure-ks-cluster-addon-update resource_name=aks-integration location=westus http_application_routing_enabled=true

Human Readable Output#

The request to update the managed cluster was sent successfully.

azure-ks-generate-login-url#


Generate the login url used for Authorization code flow.

Base Command#

azure-ks-generate-login-url

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

azure-ks-generate-login-url

Human Readable Output#

Authorization instructions#

  1. Click the login URL to sign in and grant Cortex XSOAR permissions for your Azure Service Management. You will be automatically redirected to a link with the following structure: REDIRECT_URI?code=AUTH_CODE&session_state=SESSION_STATE
  2. Copy the AUTH_CODE (without the code= prefix, and the session_state parameter) and paste it in your instance configuration under the Authorization code parameter.

azure-ks-resource-group-list#


Gets all resource groups for a subscription.

Base Command#

azure-ks-resource-group-list

Input#

Argument NameDescriptionRequired
subscription_idThe subscription ID, optional. Note: This argument will override the instance parameter ‘Defalut Subscription ID'.Optional
limitLimit on the number of resource groups to return. Default is 50. Default is 50.Optional
tagA single tag in the form of '{"Tag Name":"Tag Value"}' to filter the list by.Optional

Context Output#

PathTypeDescription
AzureKS.ResourceGroup.idStringThe unique identifier of the Azure Kubernetes resource group.
AzureKS.ResourceGroup.nameStringThe name of the Azure Kubernetes resource group.
AzureKS.ResourceGroup.typeStringThe type of the Azure Kubernetes resource group.
AzureKS.ResourceGroup.locationStringThe location of the Azure Kubernetes resource group.
AzureKS.ResourceGroup.properties.provisioningStateStringThe provisioning state of the Azure Kubernetes resource group.
AzureKS.ResourceGroup.tags.OwnerStringThe owner tag of the Azure Kubernetes resource group.
AzureKS.ResourceGroup.tagsUnknownThe tags associated with the Azure Kubernetes resource group.
AzureKS.ResourceGroup.tags.NameStringThe name tag of the Azure Kubernetes resource group.
AzureKS.ResourceGroup.managedByStringThe entity that manages the Azure Kubernetes resource group.
AzureKS.ResourceGroup.tags.aks-managed-cluster-nameStringThe AKS managed cluster name tag associated with the Azure Kubernetes resource group.
AzureKS.ResourceGroup.tags.aks-managed-cluster-rgStringThe AKS managed cluster resource group tag associated with the Azure Kubernetes resource group.
AzureKS.ResourceGroup.tags.typeStringThe type tag associated with the Azure Kubernetes resource group.

Command example#

!azure-ks-resource-group-list

Context Example#

{
"AzureKS": {
"ResourceGroup": [
{
"id": "/subscriptions/00000000/resourceGroups/cloud-shell-storage-eastus",
"location": "eastus",
"name": "cloud-shell-storage-eastus",
"properties": {
"provisioningState": "Succeeded"
},
"type": "Microsoft.Resources/resourceGroups"
},
{
"id": "/subscriptions/00000000/resourceGroups/demi",
"location": "centralus",
"name": "demi",
"properties": {
"provisioningState": "Succeeded"
},
"tags": {
"Owner": "Demi"
},
"type": "Microsoft.Resources/resourceGroups"
},
]
}
}

Human Readable Output#

Resource Groups List#

NameLocationTags
cloud-shell-storage-eastuseastus
demicentralusOwner: Demi
compute-integrationeastus

azure-ks-subscriptions-list#


Gets all subscriptions for a tenant.

Base Command#

azure-ks-subscriptions-list

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
AzureKS.Subscription.idStringThe unique identifier of the Azure Kubernetes subscription.
AzureKS.Subscription.authorizationSourceStringThe source of authorization for the Azure Kubernetes subscription.
AzureKS.Subscription.managedByTenantsUnknownThe tenants that have access to manage the Azure Kubernetes subscription.
AzureKS.Subscription.subscriptionIdStringThe ID of the Azure Kubernetes subscription.
AzureKS.Subscription.tenantIdStringThe ID of the tenant associated with the Azure Kubernetes subscription.
AzureKS.Subscription.displayNameStringThe display name of the Azure Kubernetes subscription.
AzureKS.Subscription.stateStringThe current state of the Azure Kubernetes subscription.
AzureKS.Subscription.subscriptionPolicies.locationPlacementIdStringThe ID of the location placement policy for the Azure Kubernetes subscription.
AzureKS.Subscription.subscriptionPolicies.quotaIdStringThe ID of the quota policy for the Azure Kubernetes subscription.
AzureKS.Subscription.subscriptionPolicies.spendingLimitStringThe spending limit policy for the Azure Kubernetes subscription.
AzureKS.Subscription.count.typeStringThe type of the Azure Kubernetes subscription count.
AzureKS.Subscription.count.valueNumberThe value of the Azure Kubernetes subscription count.

Command example#

!azure-ks-subscriptions-list

Context Example#

{
"AzureKS": {
"Subscription": [
{
"authorizationSource": "RoleBased",
"displayName": "Access to Azure Active Directory",
"id": "/subscriptions/057b1785-fd7",
"managedByTenants": [],
"state": "Enabled",
"subscriptionId": "057b1785-fd7",
"subscriptionPolicies": {
"locationPlacementId": "Public_2014-09-01",
"quotaId": "AAD_2015-09-01",
"spendingLimit": "On"
},
"tenantId": "ebac1a16-81bf"
},
{
"authorizationSource": "RoleBased",
"displayName": "Pay-As-You-Go",
"id": "/subscriptions/0f907ea4-",
"managedByTenants": [],
"state": "Enabled",
"subscriptionId": "0f907ea4-",
"subscriptionPolicies": {
"locationPlacementId": "Public_2014-09-01",
"quotaId": "PayAsYouGo_2014-09-01",
"spendingLimit": "Off"
},
"tenantId": "ebac1a16"
}
]
}
}

Human Readable Output#

Azure Kubernetes Subscriptions list#

subscriptionIdtenantIddisplayNamestate
057b1785-fd7b-4ca3-ebac1a16-81bf-449b-Access to Azure Active DirectoryEnabled
0f907ea4-bc8b-4c11-ebac1a16-81bf-449b-Pay-As-You-GoEnabled