Tutorial - Helm Deployment

This is a step-by-step tutorial for deploying the Azure Container Host in Azure Kubernetes Service (AKS) with the provided Helm chart and deployment script. This tutorial makes use of the Azure CLI and Helm. Make sure that both are installed and that you are logged in to your subscription.

1. Create a Resource Group

This will hold all of the Azure resources created in this tutorial. You could use an existing resource group too.

az group create --name c7n-helm-tutorial --location westus2

2. Create a Storage Account

This storage account will hold all of the blobs and queues used by the container host. You could also use an existing resource here or multiple storage accounts.

We will also create two blob containers. One will host the uploaded policies, and the other will store the custodian output files of running policies.

az storage account create --resource-group c7n-helm-tutorial --name c7nstorage

account_key=$(az storage account keys list --account-name c7nstorage --query "[0].value" --output tsv)
az storage container create --account-name c7nstorage --account-key "$account_key" --name c7n-helm-policies
az storage container create --account-name c7nstorage --account-key "$account_key" --name c7n-helm-logs

3. Create a Service Principal

This Service Principal will be used as the identity for the container host. You could also use an existing Service Principal. Remember to save the password to use as the client secret.

az ad sp create-for-rbac --name c7n-helm

This Service Principal will need the proper permissions to interact with the storage account and any other Azure resources that the Azure Container Host interacts with. This includes the resources that policies will run against.

The simplest way to grant these permissions is to make the identity a Contributor on the target subscription and a Storage Blob Data Contributor and Storage Queue Data Contributor on the storage account created above.

az role assignment create --assignee <Service Principal Client Id> \
    --role "Contributor" --scope <Target Subscription Resource Id>

az role assignment create --assignee <Service Principal Client Id> \
    --role "Storage Blob Data Contributor" --scope <Storage Account Resource Id>

az role assignment create --assignee <Service Principal Client Id> \
    --role "Storage Queue Data Contributor" --scope <Storage Account Resource Id>

4. Create an Application Insights Instance

We will create an Application Insights instance to gather logs and telemetry generated by the running container host.

# You may need to add the application-insights extension
az extension add -n application-insights

az monitor app-insights component create --resource-group c7n-helm-tutorial --app c7n-helm-insights --location westus2

5. Create an AKS Cluster and Install Tiller

This AKS cluster will be used to host the pods running the Container Host. Tiller will also need to be installed with the proper service account. The provided node count and VM size will create a small cluster and should be adjusted to fit your needs outside this tutorial.

az aks create --resource-group c7n-helm-tutorial --name c7n-helm \
    --node-count 1 --node-vm-size Standard_B2s \
    --service-principal <Service Principal ID> --client-secret <Client Secret>

az aks get-credentials --resource-group c7n-helm-tutorial --name c7n-helm

Once the cluster has been created, we can initialize Helm and Tiller. First, create the Service Account and Cluster Role Binding for Tiller:

# rbac-config.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin  # binds the tiller service account to full cluster administration
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

kubectl apply -f rbac-config.yaml

helm init --service-account tiller

6. Deploy the Helm Chart

Now we are ready to deploy the helm chart and the container host. Create a file with the helm configuration values for our container host. See the Container Host Documentation for information on filling out the environment variables.

# helm-values.yaml

# Non-secret settings shared by every subscription host
defaultEnvironment:
  AZURE_TENANT_ID: "<Azure Tenant ID>"
  AZURE_CLIENT_ID: "<Azure Client ID>"
  AZURE_CONTAINER_POLICY_URI: "<Azure Policy Container URI>"
  AZURE_CONTAINER_METRICS: "azure://<App Insights Instrumentation Key>"
  AZURE_CONTAINER_LOG_GROUP: "azure://<App Insights Instrumentation Key>"
  AZURE_CONTAINER_OUTPUT_DIR: "<Azure Logs Container URI>"

# One entry per subscription that policies run against
subscriptionHosts:
  - name: '<Subscription Name>'
    environment:
      AZURE_SUBSCRIPTION_ID: "<Subscription ID>"

Then deploy the chart with the following command. The client secret should come from creating the Service Principal and must be provided in a base64 encoded format.

helm upgrade --install --debug --force --wait \
    --namespace cloud-custodian --values helm-values.yaml \
    --set defaultSecretEnvironment.AZURE_CLIENT_SECRET=<Base 64 Azure Client Secret> \
    helm-tutorial tools/ops/azure/container-host/chart
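One way to produce the base64 value for `defaultSecretEnvironment.AZURE_CLIENT_SECRET`, shown as an added example that is not part of the Cloud Custodian chart or its documentation. The function names and the file path are hypothetical; it avoids the common mistake of encoding a trailing newline along with the secret, which gives the pod a client secret that does not match the Service Principal's.

```shell
#!/bin/sh
# Added example: helpers for the base64 client secret passed to helm.
# Function names are hypothetical, not part of the chart.

# Read the secret from stdin and print it as single-line base64.
encode_client_secret() (
    # $(...) drops the trailing LF added by echo or an editor;
    # tr removes CRs from files saved with Windows line endings.
    secret=$(tr -d '\r')
    if [ -z "$secret" ]; then
        echo "client secret is empty" >&2
        return 1
    fi
    # GNU base64 wraps at 76 columns, so strip the line breaks it inserts.
    printf '%s' "$secret" | base64 | tr -d '\n'
)

# Succeed if an already-encoded value decodes to bytes ending in LF,
# which is what `echo "$secret" | base64` produces.
ends_with_newline() (
    last=$(printf '%s' "$1" | base64 --decode 2>/dev/null |
        tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
)

# Usage, reading the secret from a file instead of typing it on the
# command line (the path is an assumption):
#   encoded=$(encode_client_secret < ./client-secret.txt)
#   helm upgrade ... --set defaultSecretEnvironment.AZURE_CLIENT_SECRET="$encoded" ...
# Check a value that was encoded some other way:
#   ends_with_newline "$value" && echo "value ends in a newline, re-encode it" >&2
```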

To verify that the pod is running:

# Check if pod status is "Running"
kubectl get pods --namespace cloud-custodian

# Watch the logs for the pod
kubectl logs <Pod Name> --namespace cloud-custodian --follow

7. Upload a Custodian Policy

Finally, create a custodian policy called find-c7nstorage.yaml. This policy will just find the storage account we made earlier. We’ll set the mode to run every minute for easier testing.

policies:
  - name: find-c7nstorage
    resource: azure.storage
    mode:
      type: container-periodic
      schedule: "* * * * *"  # Run every minute as an example
    filters:
      - type: value
        key: name
        op: eq
        value: c7nstorage

Upload this file to the policy storage container. Within a few minutes, the container host should pick it up and begin executing it.

az storage blob upload --account-name c7nstorage --account-key "$account_key" \
    --container-name c7n-helm-policies --file find-c7nstorage.yaml --name find-c7nstorage.yaml