Enable the AKS Monitoring Add-on by using Azure Policy

This article describes how to enable the Azure Kubernetes Service (AKS) Monitoring Add-on by using a custom Azure policy.

Permissions required

The AKS Monitoring Add-on requires the following roles on the managed identity used by Azure Policy:

The AKS Monitoring Add-on custom policy can be assigned at either the subscription or resource group scope. If the Log Analytics workspace and the AKS cluster are in different subscriptions, the managed identity used by the policy assignment must have the required role permissions on both subscriptions, or on the Log Analytics workspace resource itself. Similarly, if the policy is scoped to a resource group and the workspace isn't in that resource group, the managed identity must have the required role permissions on the Log Analytics workspace.

Create and assign a policy definition by using the Azure portal

Use the Azure portal to create and assign a policy definition.

Create a policy definition

  1. Download the Azure custom policy definition to enable the AKS Monitoring Add-on.

    curl -o azurepolicy.json -L https://aka.ms/aks-enable-monitoring-custom-policy
    
  2. Go to the Azure Policy Definitions page. Create a policy definition with the following details on the Policy definition page:

    • Definition location: Select the Azure subscription where the policy definition should be stored.
    • Name: (Preview)AKS-Monitoring-Addon
    • Description: Azure custom policy to enable the Monitoring Add-on onto Azure Kubernetes clusters in a specified scope
    • Category: Select Use existing and select Kubernetes from the dropdown list.
    • Policy rule: Remove the existing sample rules and copy the contents of azurepolicy.json downloaded in step 1.

Assign a policy definition to a specified scope

Note

A managed identity will be created automatically and assigned specified roles in the policy definition.

  1. Select the policy definition (Preview)AKS-Monitoring-Addon that you created.
  2. Select Assign and specify a Scope of where the policy should be assigned.
  3. Select Next and provide the resource ID of the Log Analytics workspace. The resource ID should be in the format /subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>.
  4. Create a remediation task if you want to apply the policy to existing AKS clusters in the selected scope.
  5. Select Review + create to create the policy assignment.

Create and assign a policy definition by using the Azure CLI

Use the Azure CLI to create and assign a policy definition.

Create a policy definition

  1. Download the Azure custom policy definition rules and parameter files with the following commands:

    curl -o azurepolicy.rules.json -L https://aka.ms/aks-enable-monitoring-custom-policy-rules
    curl -o azurepolicy.parameters.json -L https://aka.ms/aks-enable-monitoring-custom-policy-parameters
    
  2. Create the policy definition with the following command:

    az cloud set -n <AzureCloud | AzureChinaCloud | AzureUSGovernment> # set the Azure cloud
    az login # log in to the cloud environment
    az account set -s <subscriptionId>
    az policy definition create --name "(Preview)AKS-Monitoring-Addon" --display-name "(Preview)AKS-Monitoring-Addon" --mode Indexed --metadata version=1.0.0 category=Kubernetes --rules azurepolicy.rules.json --params azurepolicy.parameters.json
    

Assign a policy definition to a specified scope

Create the policy assignment with the following command:

    az policy assignment create --name aks-monitoring-addon --policy "(Preview)AKS-Monitoring-Addon" --assign-identity --identity-scope /subscriptions/<subscriptionId> --role Contributor --scope /subscriptions/<subscriptionId> --location <location> -p "{ \"workspaceResourceId\": { \"value\":  \"/subscriptions/<subscriptionId>/resourcegroups/<resourceGroupName>/providers/microsoft.operationalinsights/workspaces/<workspaceName>\" } }"
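The assignment above fails, or the remediation task silently does nothing, when the workspace resource ID is malformed or when the identity is missing roles in a second subscription (see "Permissions required"). The following script is an added example, not part of the Microsoft article or the Azure CLI: it checks the workspace ID against the format given in the portal steps, tells you whether the assignment scope and the workspace sit in different subscriptions, and only then builds the assignment command. The subscription ID, location and workspace name it uses are constructed placeholders; the policy definition name and the command switches are the ones from the article.

```shell
#!/usr/bin/env bash
# Added example (not from the Microsoft article): pre-flight checks for the
# inputs of the policy assignment, then the assignment command itself.
# Assumes the policy definition "(Preview)AKS-Monitoring-Addon" already exists
# and the Azure CLI is logged in. SUBSCRIPTION_ID, LOCATION and WORKSPACE_ID
# below are constructed placeholders; set them in the environment to override.
set -eu

# Return 0 when the string has the workspace resource ID format the article
# requires, 1 otherwise. The fixed segments are matched case-insensitively,
# because the article itself shows "resourceGroups" and "resourcegroups".
validate_workspace_id() {
  printf '%s\n' "$1" | grep -Eq \
    '^/subscriptions/[0-9a-fA-F-]+/[Rr]esource[Gg]roups/[^/]+/providers/[Mm]icrosoft\.[Oo]perational[Ii]nsights/workspaces/[^/]+$'
}

# Print the subscription ID (third path segment) of any ARM resource ID,
# which works for both subscription and resource group scopes.
subscription_of() {
  printf '%s\n' "$1" | cut -d/ -f3
}

# Print "single" when the assignment scope and the workspace are in the same
# subscription, "cross" when they are not (then the assignment's identity also
# needs its roles on the workspace's subscription). Returns 1 on a bad ID.
identity_scope_kind() {
  scope="$1"; workspace="$2"
  validate_workspace_id "$workspace" || return 1
  a=$(subscription_of "$scope" | tr '[:upper:]' '[:lower:]')
  b=$(subscription_of "$workspace" | tr '[:upper:]' '[:lower:]')
  if [ "$a" = "$b" ]; then echo single; else echo cross; fi
}

# Build the -p parameter JSON with the workspace ID substituted once, so the
# ID never has to be hand-escaped inside a quoted command line.
assignment_params() {
  printf '{ "workspaceResourceId": { "value": "%s" } }' "$1"
}

main() {
  SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # placeholder
  LOCATION="${LOCATION:-eastus}"                                             # placeholder
  WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/$SUBSCRIPTION_ID/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-aks}"
  SCOPE="/subscriptions/$SUBSCRIPTION_ID"

  validate_workspace_id "$WORKSPACE_ID" || {
    echo "invalid workspace resource ID: $WORKSPACE_ID" >&2; exit 1; }

  if [ "$(identity_scope_kind "$SCOPE" "$WORKSPACE_ID")" = cross ]; then
    echo "note: workspace is in another subscription; grant the assignment's identity its roles there too" >&2
  fi

  # The assignment command from the article, with the checked values filled in.
  set -- az policy assignment create --name aks-monitoring-addon \
    --policy "(Preview)AKS-Monitoring-Addon" --assign-identity \
    --identity-scope "$SCOPE" --role Contributor --scope "$SCOPE" \
    --location "$LOCATION" -p "$(assignment_params "$WORKSPACE_ID")"

  # DRY_RUN=1 (the default) only prints the command; set DRY_RUN=0 to run it.
  if [ "${DRY_RUN:-1}" = 1 ]; then printf ' %s' "$@"; echo; else "$@"; fi
}

main
```

Run it once with the default dry run to inspect the assembled command, then with DRY_RUN=0 to create the assignment. When the script reports the cross-subscription case, grant the assignment's managed identity the required roles on the workspace's subscription (or on the workspace resource) before creating the remediation task, otherwise existing clusters will not be remediated.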

Next steps