Enabling OpenShift ARO cluster in Azure Arc

slsbla 11 Reputation points
2022-12-05T16:42:18.637+00:00

Hello,
I have enabled an ARO cluster into Azure ARC for monitoring purposes only.
I have noticed that we should bind an Azure service account to the ARO cluster-admin Role in order to generate the Bearer Token as described in:
https://learn.microsoft.com/en-gb/azure/azure-arc/kubernetes/cluster-connect?tabs=azure-cli#service-account-token-authentication-option

Is there a way (a different RBAC) to only expose monitoring/insights in ARC? It looks like I'm going to expose every feature of the ARO cluster in ARC, and that will imply a new security audit and control management for our platform.


1 answer

  1. slsbla 11 Reputation points
    2022-12-06T18:59:46.217+00:00

    I think I figured it out.
    Once we onboard the cluster in Azure Arc, either we bind the service account to a cluster admin role, or we only install the monitoring extension (as an example):

    ```
    az k8s-extension create --name azuremonitor-containers \
      --cluster-name <cluster-name> \
      --resource-group <resource-group> \
      --cluster-type connectedClusters \
      --extension-type Microsoft.AzureMonitor.Containers \
      --configuration-settings logAnalyticsWorkspaceResourceID=$WorkspaceId
    ```

    Can I get a confirmation, please?