AKS Cluster Discovery Configuration Details

This KB applies to Discovery and Patterns store app versions prior to 1.18.0 (August 2024).

Prerequisites:
- Azure CLI must be installed on the MID Server host.
- Azure CLI must be logged in with an Azure service principal whose credentials have permission to access the AKS cluster. For more information, refer to "Sign in with Azure CLI".

Access to a Kubernetes cluster can be authenticated, authorized, secured and controlled in several ways:
- Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups and service accounts access to only the resources they need.
- With Azure Kubernetes Service (AKS), you can further tighten the security and permissions structure by combining Azure Active Directory with Azure RBAC, or Azure Active Directory with Kubernetes RBAC.

1. Authorization using Kubernetes RBAC only

The identity behind the Azure credentials used for discovery must be bound, through a ClusterRoleBinding, to a ClusterRole (for example, cluster-read-only-role) that grants read-only permissions (get, list, watch) on all resources. No write verbs are needed for discovery.

Sample ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-only-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- nonResourceURLs:
  - /metrics
  verbs:
  - get

For more information, refer to "Using Kubernetes RBAC authorization".

2. Authorization using both Kubernetes RBAC and Azure RBAC

In addition to the ClusterRoleBinding described in step 1 (Authorization using Kubernetes RBAC only), assign the Azure built-in role "Azure Kubernetes Service RBAC Reader" to the service principal on the cluster.
Reference: https://learn.microsoft.com/en-us/azure/aks/concepts-identity#azure-rbac-for-kubernetes-authorization

3. Authorization using Azure Active Directory and Azure RBAC, or Azure Active Directory and Kubernetes RBAC

This applies to AKS clusters running a version later than 1.24 whose authentication and authorization mode is set to "Azure Active Directory and Azure RBAC" or "Azure Active Directory and Kubernetes RBAC".

Refer to the following document to enable Azure managed identity (Microsoft Entra ID) authentication for Kubernetes clusters: https://learn.microsoft.com/en-us/azure/aks/enable-authentication-microsoft-entra-id

How the pattern obtains a bearer token

Internally, the Kubernetes pattern runs "az aks get-credentials" to obtain a bearer token for the Kubernetes API calls it makes (namespaces, pods, services and other cluster resources).

Command 1 (as built by the pattern, where name and resGrp are the cluster name and resource group):
'az aks get-credentials --name '+name+' --overwrite-existing --resource-group '+resGrp+' --file -'

"az aks get-credentials" retrieves the access credentials for an AKS cluster and merges them into a kubeconfig file; with "--file -" the kubeconfig is written to standard output instead of to a file on disk.

Note: For clusters with Azure Active Directory integration, the above command requires the "Azure Kubernetes Service Cluster Admin Role". Refer to https://learn.microsoft.com/en-us/cli/azure/aks?view=azure-cli-latest#az-aks-get-credentials

If command 1 fails to produce a bearer token, the pattern falls back to command 2:
az account get-access-token --resource 6dae42f8-4368-4678-94ff-3960e28e3630

Note: 6dae42f8-4368-4678-94ff-3960e28e3630 is the application ID of the Azure Kubernetes Service AAD Server application. A token requested for that resource carries it as the audience, which is what the AKS API server expects in the bearer token; a token issued for a different resource (for example Azure Resource Manager) is rejected even when the service principal has the right roles.

Notes: Refer to KB1080155 for more information about the automatic serverless schedule creator for Kubernetes discovery.
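The following shell script is an added example and is not part of the KB or of the ServiceNow pattern. It ties together the two pieces above: it renders the read-only ClusterRole from section 1 together with a ClusterRoleBinding for the discovery identity, and it reproduces the pattern's token flow (command 1 to fetch the kubeconfig, command 2 as the fallback) on the MID Server host, adding the audience check a practitioner would want before trusting the token. Assumptions: the binding subject is the service principal's object ID as a User subject (how Entra-integrated clusters identify a service principal); the script name aks_discovery_token.sh, the binding name discovery-read-only and the RUN_AZ switch are illustrative; the az CLI on the host is already logged in as the service principal.

```shell
#!/bin/sh
# Added example (not from the KB or the ServiceNow pattern). Helpers for checking
# that a service principal can obtain a bearer token usable against the AKS API.
set -u

# Application ID of the Azure Kubernetes Service AAD Server application (from the KB).
AKS_AAD_SERVER_APP_ID="6dae42f8-4368-4678-94ff-3960e28e3630"

# Emit the KB's read-only ClusterRole plus a ClusterRoleBinding for the discovery
# identity. $1 = subject name. Assumption: on an Entra-integrated cluster this is the
# service principal's object ID, bound as kind: User.
render_rbac_manifest() {
  subject="$1"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-only-role
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: discovery-read-only
subjects:
- kind: User
  name: ${subject}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-read-only-role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Pull "accessToken" out of the JSON printed by `az account get-access-token`
# (stdin) without depending on jq, which the MID Server host may not have.
extract_access_token() {
  sed -n 's/.*"accessToken"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Decode the base64url payload (second dot-separated part) of a JWT to stdout.
jwt_payload() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits padding; restore it so base64 -d accepts the input.
  case $(( ${#payload} % 4 )) in
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null
}

# Succeed only when the token's "aud" claim is the AKS AAD server application,
# i.e. the token was minted for the AKS API server rather than some other resource.
token_audience_ok() {
  jwt_payload "$1" | grep -q "\"aud\"[[:space:]]*:[[:space:]]*\"${AKS_AAD_SERVER_APP_ID}\""
}

# Command 2 from the KB: the pattern's fallback when get-credentials yields no token.
get_token_via_az() {
  az account get-access-token --resource "$AKS_AAD_SERVER_APP_ID" | extract_access_token
}

# On the MID Server host, logged in as the service principal:
#   RUN_AZ=1 sh aks_discovery_token.sh <cluster-name> <resource-group>
if [ "${RUN_AZ:-0}" = "1" ]; then
  cluster="$1"; rg="$2"; cfg="./kubeconfig-${cluster}.yaml"
  # Command 1 as the pattern issues it; "--file -" prints the kubeconfig to stdout.
  az aks get-credentials --name "$cluster" --overwrite-existing --resource-group "$rg" --file - > "$cfg"
  # Command 2 plus the audience check before the token is used anywhere.
  token=$(get_token_via_az)
  token_audience_ok "$token" || { echo "token audience is not the AKS AAD server app" >&2; exit 1; }
  # The same API call the pattern makes for namespaces, trusting the cluster CA from the kubeconfig.
  sed -n 's/^ *certificate-authority-data: //p' "$cfg" | head -n 1 | base64 -d > "./${cluster}-ca.crt"
  server=$(sed -n 's/^ *server: //p' "$cfg" | head -n 1)
  curl -sS --cacert "./${cluster}-ca.crt" -H "Authorization: Bearer ${token}" \
    "${server}/api/v1/namespaces" -o /dev/null -w 'GET /api/v1/namespaces -> HTTP %{http_code}\n'
fi
```

An HTTP 200 from the namespaces call confirms both halves of the setup: the token is accepted by the API server (authentication) and the ClusterRoleBinding grants list on namespaces (authorization). A 401 points at the token or audience, a 403 at the RBAC binding. The audience check only inspects the claim; it does not verify the token signature or expiry, which the API server does.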