Use Azure Policy to ensure AKS clusters are enrolled with a Fleet Manager

Platform administrators can use Azure Policy to enforce consistency of fleet management for existing and new Azure Kubernetes Service clusters.

By using the built-in Azure Kubernetes Fleet Manager policies, it is possible to identify existing clusters that aren't managed by a Fleet Manager, while also ensuring that newly created clusters are automatically joined to a fleet.

Available policies

Fleet Manager's policies are part of the Kubernetes built-in policy set, with the following two policies relating to Fleet Manager.

  • Azure Kubernetes Service clusters should be a member of an Azure Kubernetes Fleet Manager: Use this policy to identify any AKS clusters not managed by a Fleet Manager. It supports clusters that use either service principals or managed identities.

  • Configure AKS clusters to automatically join the specified Azure Kubernetes Fleet Manager: Use this policy to ensure new AKS clusters automatically join a designated Fleet Manager. Only clusters using managed identities are supported.

It is recommended to use both policies: first to identify existing clusters not managed by a Fleet Manager, and then to ensure that new clusters are automatically enrolled.

Prerequisites

Assign Autojoin Fleet Manager policy

You can apply a policy definition or initiative in the Azure portal using the following steps:

  1. Navigate to the Azure Policy service in Azure portal.
  2. In the left pane of the Azure Policy page, select Authoring, then Definitions.
  3. From Category filter, select Kubernetes.
  4. Select Apply.
  5. Choose the Configure AKS clusters to automatically join the specified Azure Kubernetes Fleet Manager Policy.
  6. Select Assign.
  7. Set the Scope to the Management Group, Subscription, or Resource Group where new AKS clusters are deployed.
  8. Select whether Policy enforcement is enabled. Enabling ensures new AKS clusters join the specified Fleet Manager.
  9. Select the Parameters page and set the Fleet Manager to use.
  10. Select Review + create > Create to submit the policy assignment.

Validate policy is applied to new clusters

  1. Follow the steps in the Deploy an Azure Kubernetes Service (AKS) cluster using Azure CLI quickstart, selecting an Azure location covered by the previously applied policy definition.

  2. Once the AKS cluster is created, use the Azure CLI to verify that it's a member cluster of the specified Fleet Manager by running the az fleet member list command. Substitute your AKS cluster name for aks-member-1 in the --query.

    # JMESPath is case-sensitive: the JSON property is "name" (the table output capitalises it)
    az fleet member list \
        --resource-group ${FLEET_GROUP} \
        --fleet-name ${FLEET_NAME} \
        --query "[?contains(name, 'aks-member-1')]" -o table


    If successful, your output should look similar to the following example output:

    ClusterResourceId                                                                                                          Name          ProvisioningState    ResourceGroup
    -------------------------------------------------------------------------------------------------------------------------  ------------  -------------------  ---------------
    /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<GROUP>/providers/Microsoft.ContainerService/managedClusters/aks-member-1  aks-member-1  Succeeded            <GROUP>
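The first built-in policy identifies clusters that are not fleet members; the script below is an added example, not part of this article or the Azure CLI, that produces the same list from the CLI so the result can be cross-checked against the policy's compliance view, and it reuses the validation command above. It assumes a logged-in az CLI and the FLEET_GROUP and FLEET_NAME variables used earlier; the set comparison is kept in its own function so it works without calling az.

```shell
#!/bin/sh
# Added example: list AKS clusters in the current subscription that are not
# members of a given Fleet Manager (the condition the first built-in policy flags).
# Assumes: az CLI logged in, FLEET_GROUP and FLEET_NAME set as in the article.

# Pure comparison so it can be exercised offline: $1 is a newline-separated list
# of all AKS cluster resource IDs, $2 the clusterResourceId list of fleet members.
# Prints every cluster ID absent from the member list, one per line.
unmanaged_clusters() {
    all_ids="$1"
    member_ids="$2"
    printf '%s\n' "$all_ids" | while IFS= read -r id; do
        [ -n "$id" ] || continue
        # Fixed-string, whole-line, case-insensitive match: ARM compares
        # resource IDs case-insensitively (resourceGroups vs resourcegroups).
        if ! printf '%s\n' "$member_ids" | grep -qixF -- "$id"; then
            printf '%s\n' "$id"
        fi
    done
}

# Gathers both lists from the CLI and reports the difference.
report_unmanaged() {
    all=$(az aks list --query "[].id" -o tsv)
    members=$(az fleet member list \
        --resource-group "${FLEET_GROUP}" \
        --fleet-name "${FLEET_NAME}" \
        --query "[].clusterResourceId" -o tsv)
    unmanaged_clusters "$all" "$members"
}
```

Run report_unmanaged after assigning the policies; an empty result means every cluster in the subscription is already a fleet member.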