Container Insights defaults to managed identity authentication, in which the monitoring agent uses the cluster's managed identity to send data to Azure Monitor. It replaced the legacy certificate-based local authentication and removed the requirement to add the Monitoring Metrics Publisher role to the cluster.
This article describes how to migrate to managed identity authentication if you enabled Container insights using the legacy authentication method, and how to enable legacy authentication if you have that requirement.
Important
If you have a cluster with legacy authentication and Log Analytics workspace keys are rotated, then monitoring data will stop flowing to the Log Analytics workspace. You must disable and then reenable the Container insights addon to get monitoring data to start flowing again with the new rotated workspace keys. You should migrate to Container insights managed identity authentication which doesn't use Log Analytics workspace keys.
Migrate to managed identity authentication
If you enabled Container insights before managed identity authentication was available, you can use the following methods to migrate your clusters.
You can migrate to managed identity authentication from the Monitor settings panel for your AKS cluster. From the Monitoring section, click the Insights tab. In the Insights tab, click the Monitor Settings option and check the box for Use managed identity.
If you don't see the Use managed identity option, you are using an SPN cluster. In that case, you must use command line tools to migrate. See other tabs for migration instructions and templates.
AKS
AKS clusters must first disable monitoring and then upgrade to managed identity. Only Azure public cloud, Microsoft Azure operated by 21Vianet cloud, and Azure Government cloud are currently supported for this migration. For clusters with user-assigned identity, only Azure public cloud is supported.
Note
Azure CLI version 2.49.0 or higher is required.
Get the configured Log Analytics workspace resource ID:
az aks show -g <resource-group-name> -n <cluster-name> | grep -i "logAnalyticsWorkspaceResourceID"
Disable monitoring with the following command:
az aks disable-addons -a monitoring -g <resource-group-name> -n <cluster-name>
If the cluster is using a service principal, upgrade it to system managed identity with the following command:
az aks update -g <resource-group-name> -n <cluster-name> --enable-managed-identity
Enable the monitoring add-on with the managed identity authentication option, using the Log Analytics workspace resource ID obtained in the first step:
az aks enable-addons -a monitoring -g <resource-group-name> -n <cluster-name> --workspace-resource-id <workspace-resource-id>
Arc-enabled Kubernetes
Note
Managed identity authentication is not supported for Arc-enabled Kubernetes clusters with ARO.
Retrieve the Log Analytics workspace configured for the Container insights extension:
az k8s-extension show --name azuremonitor-containers --cluster-name <cluster-name> --resource-group <resource-group> --cluster-type connectedClusters
Enable Container insights extension with managed identity authentication option using the workspace returned in the first step.
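The following script is an added example, not code from this article or from the Azure CLI project. It wraps the AKS procedure above (read the workspace ID, disable the add-on, upgrade a service-principal cluster to managed identity, re-enable the add-on with the workspace ID) and the Arc-enabled Kubernetes steps in functions with a dry-run mode, and refuses to continue when the value it read does not look like a Log Analytics workspace resource ID, so a bad lookup cannot silently re-enable monitoring against nothing. The `--query` JMESPath paths, the `--extension-type Microsoft.AzureMonitor.Containers` value and the `amalogs.useAADAuth=true` configuration setting are assumptions not stated on this page; the resource group, cluster and workspace names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the Azure docs): migrate Container insights on AKS and
# Arc-enabled Kubernetes clusters to managed identity authentication.
# Set DRY_RUN=1 to print the az commands instead of running them.
set -euo pipefail

DRY_RUN="${DRY_RUN:-0}"

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Sanity check: a Log Analytics workspace resource ID has this fixed shape.
# Rejecting anything else stops the script from re-enabling the add-on with
# an empty or unrelated value returned by a failed lookup.
is_workspace_id() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/Microsoft.OperationalInsights/workspaces/*) return 0 ;;
    *) return 1 ;;
  esac
}

# migrate_aks_to_msi <resource-group> <cluster> [workspace-id] [identity-type]
# The optional arguments skip the az lookups (useful for dry runs and tests).
# identity-type is the value of identity.type; pass "" for a service-principal
# cluster, which has no identity block. (Query path is an assumption.)
migrate_aks_to_msi() {
  local rg="$1" cluster="$2" ws="${3:-}" identity="${4-lookup}"
  if [ -z "$ws" ]; then
    ws="$(az aks show -g "$rg" -n "$cluster" \
          --query 'addonProfiles.omsagent.config.logAnalyticsWorkspaceResourceID' -o tsv)"
  fi
  is_workspace_id "$ws" || { echo "refusing to continue: '$ws' is not a workspace resource ID" >&2; return 1; }
  # Step 2: disable monitoring before changing the identity.
  run az aks disable-addons -a monitoring -g "$rg" -n "$cluster"
  # Step 3: only service-principal clusters need the managed identity upgrade.
  if [ "$identity" = "lookup" ]; then
    identity="$(az aks show -g "$rg" -n "$cluster" --query 'identity.type' -o tsv)"
  fi
  if [ -z "$identity" ] || [ "$identity" = "None" ]; then
    run az aks update -g "$rg" -n "$cluster" --enable-managed-identity
  fi
  # Step 4: re-enable the add-on; with managed identity it no longer needs workspace keys.
  run az aks enable-addons -a monitoring -g "$rg" -n "$cluster" --workspace-resource-id "$ws"
}

# migrate_arc_to_msi <resource-group> <connected-cluster> [workspace-id]
# The query path, extension type and amalogs.useAADAuth setting are assumptions.
migrate_arc_to_msi() {
  local rg="$1" cluster="$2" ws="${3:-}"
  if [ -z "$ws" ]; then
    ws="$(az k8s-extension show --name azuremonitor-containers --cluster-name "$cluster" \
          --resource-group "$rg" --cluster-type connectedClusters \
          --query 'configurationSettings.logAnalyticsWorkspaceResourceID' -o tsv)"
  fi
  is_workspace_id "$ws" || { echo "refusing to continue: '$ws' is not a workspace resource ID" >&2; return 1; }
  run az k8s-extension create --name azuremonitor-containers --cluster-name "$cluster" \
      --resource-group "$rg" --cluster-type connectedClusters \
      --extension-type Microsoft.AzureMonitor.Containers \
      --configuration-settings "amalogs.useAADAuth=true" "logAnalyticsWorkspaceResourceID=$ws"
}

# Usage: ./migrate.sh <resource-group> <cluster-name>   (AKS cluster)
if [ $# -ge 2 ]; then
  migrate_aks_to_msi "$1" "$2"
fi
```

Run it with `DRY_RUN=1` first to review the exact commands it would issue against your cluster; the workspace ID check also catches the case where the add-on was never configured, which returns an empty string from `az aks show`.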