Create and Manage Azure IaaS Cluster
Palette supports creating and managing Kubernetes clusters deployed to an Azure account. This section guides you on how to create an IaaS Kubernetes cluster in Azure that Palette manages.
Limitations

- Autoscaling is not supported for Azure IaaS clusters.
- If the `fullyPrivateAddressing` parameter is set to `true`, the control plane and worker nodes in your cluster must still have outbound access to the internet, including the Microsoft Container Registry, to download updates, patches, and the necessary container images.
- Once the `fullyPrivateAddressing` parameter is set for your cluster, you cannot change its value. Changing the parameter value will result in errors until you return the value to its original configuration.
Prerequisites

- Access to an Azure cloud account.
- Palette integration with an Azure account. Review Register and Manage Azure Cloud Account for guidance.
- A Secure Shell (SSH) key pre-configured in your Azure environment. Refer to the SSH Keys guide for more information about creating and managing SSH keys in Palette.
- An infrastructure cluster profile for Azure. Review Create an Infrastructure Profile for guidance.
- To use custom storage accounts or containers, you must create them before you create your cluster. All custom storage accounts and containers are listed on the Cluster config page during the cluster creation process. For information about use cases for custom storage, review Azure Storage. If you need help creating a custom storage account or container, check out the Create a Storage Account guide or the Manage Blob Containers guide.
- If you do not provide your own Virtual Network (VNet), Palette creates one for you with compute, network, and storage resources in Azure when it provisions Kubernetes clusters. To use a VNet that Palette creates, ensure there is sufficient capacity in the preferred Azure region to create the following resources:
  - Virtual CPU (vCPU)
  - VNet
  - Static Public IP addresses
  - Virtual Network Interfaces
  - Load Balancers
  - Virtual Hard Disk (VHD)
  - Managed Disks
  - Virtual Network Address Translation (NAT) Gateway
- To enable the `fullyPrivateAddressing` parameter and use a Private API Server load balancer, you need a self-hosted Private Cloud Gateway (PCG) deployed in Azure. Ensure the Azure cloud account selected is connected to a PCG. For more information on deploying PCGs, refer to Private Cloud Gateway. To learn how to connect a PCG to an Azure cloud account, refer to the Register and Manage Azure Cloud Account guide.
- A Private DNS Zone is required to use the Private API Server load balancer. You also need to ensure the VNets used for the cluster support Private DNS resolution. To learn more about Private DNS Zones, refer to Private DNS Zones.
- If you want to enable Azure Disk Encryption on your cluster, ensure you have created a Key Vault and Disk Encryption Set. Your cluster profile must also be configured to use the Palette eXtended Kubernetes (PXK) pack and have the Use Azure Disk Encryption preset enabled. Review Azure Disk Encryption for guidance.
Deploy an Azure Cluster

Use the following steps to deploy an Azure cluster.

1. Log in to Palette.
2. Ensure you are in the correct project scope.
3. From the left Main Menu, select Clusters and click Add New Cluster.
4. In Public Clouds, under Infrastructure Provider, select Azure IaaS.
5. In the bottom-right corner, click Start Azure IaaS Configuration.
6. Fill out the following basic information and click Next.

   | Field | Description |
   |---|---|
   | Cluster Name | A custom name for the cluster. |
   | Description | Use the description to provide context about the cluster. |
   | Tags | Assign any desired cluster tags. Tags on a cluster are propagated to the Virtual Machines (VMs) deployed to the target environments. Example: `region:us-west`. |
   | Cloud Account | If you already added your Azure account in Palette, select it from the drop-down Menu. Otherwise, click Add New Account and add your Azure account information. |
7. Select the Azure cluster profile you created and click Next. Palette displays the cluster profile layers.
8. Review the profile layers and customize parameters as desired in the YAML files that display when you select a layer.
9. To ensure that clusters with static placement remain fully private, with no public IPs created for the control plane and worker nodes, add the following configuration to your Kubernetes layer.

   ```yaml
   cloud:
     azure:
       fullyPrivateAddressing: true
   ```

   If you set the `fullyPrivateAddressing` property to `false` or leave it blank, Palette will create outbound load balancers for the control plane and worker nodes and assign public IPs to them. Consider the following limitations:

   - If the `fullyPrivateAddressing` parameter is set to `true`, the control plane and worker nodes in your cluster must still have outbound access to the internet, including the Microsoft Container Registry, to download updates, patches, and the necessary container images.
   - Once the `fullyPrivateAddressing` parameter is set for your cluster, you cannot change its value. Changing the parameter value will result in errors until you return the value to its original configuration.

   Toggle the Private API Server LB option to enable the use of a Private API Server load balancer and specify the Private DNS Zone name you want to use. Select the desired IP Allocation Method. You can choose between Static and Dynamic IP allocation methods. If you select Static, you must provide a valid IP address.
10. To configure custom OpenID Connect (OIDC) for Azure clusters, refer to our Configure OIDC Identity Provider guide for information on how to update the Kubernetes layer.

    Warning: All the OIDC options require you to map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to Create Role Bindings.
11. Click Next to continue.
12. Provide the cluster configuration information listed in the following table. If you are utilizing your own VNet, ensure you also provide the information listed in the Static Placement Settings table. If you have custom storage accounts or containers available, you can attach them to the cluster. To learn more about attaching custom storage to a cluster, check out Azure Storage.

    Warning: If you enable the Disable Properties setting when registering an Azure cloud account, Palette cannot create network resources on your behalf. In this case, when creating clusters, you must manually specify their virtual network subnets and security groups.

    | Parameter | Description |
    |---|---|
    | Subscription | Use the drop-down Menu to select the subscription that will be used to access Azure services. |
    | Region | Use the drop-down Menu to choose the Azure region where you would like to provision the cluster. |
    | Resource Group | Select the name of the resource group that contains the Azure resources you will be accessing. |
    | Storage Account | Optionally, if you have a custom storage account available, you can use the drop-down Menu to select the storage account name. For information about use cases for custom storage, review Azure Storage. |
    | Storage Container | Optionally, if you will be using a custom storage container, use the drop-down Menu to select it. For information about use cases for custom storage, review Azure Storage. |
    | SSH Key | The public SSH key for connecting to the nodes. SSH key pairs must be pre-configured in your Azure environment. The key you select is inserted into the provisioned VMs. For more information, review Microsoft's Supported SSH key formats. |
    | Static Placement | By default, Palette uses dynamic placement. This creates a new VNet for clusters with two subnets in different Availability Zones (AZs). Palette places resources in these clusters, manages the resources, and deletes them when the corresponding cluster is deleted. If you want to place resources into a pre-existing VNet, enable the Static Placement option, and fill out the input values listed in the Static Placement Settings table below. Select Static Placement for clusters where you want to use your network proxy configurations. To learn more about proxy configurations, check out Proxy Configuration. |

    Static Placement Settings

    Each subnet allows you to specify the CIDR range and a security group.

    | Parameter | Description |
    |---|---|
    | Network Resource Group | The logical container for grouping related Azure resources. |
    | Virtual Network | Select the VNet. |
    | CIDR Block | Select the IP address CIDR range. |
    | Security Group Name | Select the security group name. |
    | Control Plane Subnet | Select the control plane subnet. |
    | Worker Subnet | Select the worker subnet. |

13. Click Next to continue.
14. Provide the following node pool and cloud configuration information. To learn more about node pools, review the Node Pool guide.

    Info: By default, a control plane pool and one worker node pool are configured. You can add new worker pools to customize certain worker nodes for specialized workloads. For example, the default worker pool can be configured with the Standard_D2_v2 instance type for general-purpose workloads, and another worker pool with the Standard_NC12s_v3 instance type can be configured for Graphics Processing Unit (GPU) workloads.

    Control Plane Pool Configuration Settings

    | Parameter | Description |
    |---|---|
    | Node pool name | A descriptive name for the node pool. |
    | Number of nodes in the pool | Specify the number of nodes in the control plane pool. |
    | Allow worker capability | Select this option to allow workloads to be provisioned on control plane nodes. |
    | Additional Labels | You can add optional labels to nodes in key-value format. To learn more, review Node Labels. Example: `environment:production`. |
    | Taints | You can apply optional taint labels to a node pool during cluster creation or edit taint labels on an existing cluster. Review the Node Pool management page and Taints and Tolerations page to learn more. Toggle the Taint button to create a taint label. When tainting is enabled, you need to provide a custom key-value pair. Use the drop-down Menu to choose one of the following Effect options: NoSchedule (pods are not scheduled onto nodes with this taint); PreferNoSchedule (Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited); NoExecute (existing pods on nodes with this taint are evicted). |

    Cloud Configuration Settings for Control Plane Pool

    | Parameter | Description |
    |---|---|
    | Instance Type | Select the instance type to use for all nodes in the node pool. |
    | Managed disk | Choose a storage option. For more information, refer to Microsoft's Storage Account Overview reference. For information about Solid State Drive (SSD) disks, refer to the Standard SSD Disks for Azure Virtual Machine Workloads reference. |
    | Disk size | You can choose disk size based on your requirements. The default size is 60. |

    You can select Remove at right to remove the worker node if all you want is the control plane node.

    Worker Pool Configuration Settings

    | Parameter | Description |
    |---|---|
    | Node pool name | A descriptive name for the node pool. |
    | Number of nodes in the pool | Specify the number of nodes in the worker pool. |
    | Node repave interval | Optionally, you can specify the preferred time interval for Palette to perform a rolling upgrade on nodes when it detects a change in the Kubeadm configuration file. |
    | Rolling update | These options allow you to control the sequence of operations during a node pool update. Choose the Expand first option to add new nodes with updated configurations to the node pool before the existing nodes are removed. Choose Contract first to remove existing nodes from the node pool before the new nodes with updated configurations are added. |
    | Additional Labels | You can add optional labels to nodes in key-value format. For more information about applying labels, review Node Labels. Example: `environment:production`. |
    | Taints | You can apply optional taint labels to a node pool during cluster creation or edit taint labels on an existing cluster. To learn more, review the Node Pool management page and Taints and Tolerations page. Toggle the Taint button to create a taint label. When tainting is enabled, you need to provide a custom key-value pair. Use the drop-down Menu to choose one of the following Effect options: NoSchedule (pods are not scheduled onto nodes with this taint); PreferNoSchedule (Kubernetes attempts to avoid scheduling pods onto nodes with this taint, but scheduling is not prohibited); NoExecute (existing pods on nodes with this taint are evicted). |

    Cloud Configuration Settings for Worker Pool

    You can copy cloud configuration settings from the control plane pool, but be aware that the instance type might not get copied if it does not have accessible availability zones.

    | Parameter | Description |
    |---|---|
    | Instance Type | Select the instance type to use for all nodes in the node pool. |
    | Managed disk | Choose a storage option. For more information, refer to Microsoft's Storage Account Overview reference. For information about Solid State Drive (SSD) disks, refer to the Standard SSD Disks for Azure Virtual Machine Workloads reference. |
    | Disk size | You can choose disk size based on your requirements. The default size is 60. |
    | Availability zones | The Availability Zones from which to select available servers for deployment. If you select multiple zones, Palette will deploy servers evenly across them as long as sufficient servers are available to do so. |

15. Click Next to continue.
16. Specify your preferred OS Patching Schedule.
17. Enable any scan options you want Palette to perform, and select a scan schedule. Palette provides support for Kubernetes configuration security, penetration testing, and conformance testing.
18. Schedule any backups you want Palette to perform. Review Backup and Restore for more information.
19. Role-Based Access Control (RBAC) configuration is required when you configure custom OIDC. You must map a set of users or groups to a Kubernetes RBAC role. To learn how to map a Kubernetes role to users and groups, refer to Create Role Bindings. Refer to Use RBAC with OIDC for an example.
20. Click Validate and review the cluster configuration and settings summary.
21. Click Finish Configuration to deploy the cluster. Provisioning Azure clusters can take several minutes.

The cluster details page contains the status and details of the deployment. Use this page to track the deployment progress.

To learn how to remove a cluster and what to do if a force delete is necessary so you do not incur unexpected costs, refer to Cluster Removal.
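The settings chosen in the Kubernetes layer step (`fullyPrivateAddressing` and the Private API Server LB options) and in the Static Placement Settings table are the ones most likely to leave a cluster in an error state or unintentionally exposed, so it is worth checking them before clicking Finish Configuration. The following pre-flight script is an added example, not Palette code: the layer dicts represent the parsed Kubernetes-layer YAML, and the keyword arguments stand in for the wizard fields (PCG connection, Private DNS Zone, IP Allocation Method, subnet CIDRs). The rule that both Static Placement subnets must lie inside the selected VNet and not overlap is an assumption of this example, not a statement from the guide.

```python
"""Pre-flight checks for the Azure IaaS cluster settings described in this guide.

Added example, not Palette code. Layer dicts are the form a YAML parser
produces for the Kubernetes layer; keyword arguments stand in for the
Private API Server LB and Static Placement fields of the cluster wizard.
"""
import ipaddress

# Constructed samples: the Kubernetes-layer snippet from the guide, parsed,
# and a layer that leaves the parameter unset.
FULLY_PRIVATE_LAYER = {"cloud": {"azure": {"fullyPrivateAddressing": True}}}
DEFAULT_LAYER = {"cloud": {"azure": {}}}


def fully_private_addressing(layer):
    """Return the effective value of cloud.azure.fullyPrivateAddressing.

    Unset or blank behaves like false: Palette creates outbound load balancers
    and assigns public IPs. Only a YAML boolean is accepted; a quoted "true"
    parses as a string, and rejecting it is a conservative assumption here.
    """
    value = layer.get("cloud", {}).get("azure", {}).get("fullyPrivateAddressing")
    if value is None or value == "":
        return False
    if not isinstance(value, bool):
        raise ValueError(f"fullyPrivateAddressing must be a YAML boolean, got {value!r}")
    return value


def check_update(existing_layer, new_layer):
    """Findings for an update to an existing cluster's Kubernetes layer.

    The parameter cannot change after creation; flipping it leaves the cluster
    in error until the original value is restored, so the check refuses it.
    """
    before = fully_private_addressing(existing_layer)
    after = fully_private_addressing(new_layer)
    if before != after:
        return [f"fullyPrivateAddressing cannot change after creation (was {before}, now {after})"]
    return []


def check_private_api_server(layer, *, use_private_lb, pcg_connected,
                             private_dns_zone=None, ip_allocation=None, static_ip=None):
    """Findings for the fullyPrivateAddressing and Private API Server LB options.

    Mirrors the prerequisites: a self-hosted PCG connected to the cloud account,
    a Private DNS Zone for the private load balancer, and a valid address when
    the IP Allocation Method is Static.
    """
    findings = []
    if (use_private_lb or fully_private_addressing(layer)) and not pcg_connected:
        findings.append("the Azure cloud account must be connected to a self-hosted PCG")
    if not use_private_lb:
        return findings
    if not private_dns_zone:
        findings.append("Private API Server LB requires a Private DNS Zone name")
    if ip_allocation == "Static":
        try:
            ipaddress.ip_address(static_ip or "")
        except ValueError:
            findings.append(f"Static IP allocation requires a valid IP address, got {static_ip!r}")
    elif ip_allocation != "Dynamic":
        findings.append(f"IP Allocation Method must be Static or Dynamic, got {ip_allocation!r}")
    return findings


def check_static_placement(vnet_cidr, control_plane_subnet, worker_subnet):
    """Findings for the Static Placement subnet CIDRs.

    Assumption of this example: both subnets must lie inside the selected VNet
    and must not overlap each other. Host bits set in a CIDR are rejected.
    """
    try:
        vnet = ipaddress.ip_network(vnet_cidr)
        subnets = {"control plane": ipaddress.ip_network(control_plane_subnet),
                   "worker": ipaddress.ip_network(worker_subnet)}
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    findings = [f"{name} subnet {net} is outside VNet {vnet}"
                for name, net in subnets.items() if not net.subnet_of(vnet)]
    if subnets["control plane"].overlaps(subnets["worker"]):
        findings.append("control plane and worker subnets overlap")
    return findings


if __name__ == "__main__":
    # Dry run over the constructed samples; an empty list means the settings pass.
    print(check_update(FULLY_PRIVATE_LAYER, DEFAULT_LAYER))
    print(check_private_api_server(FULLY_PRIVATE_LAYER, use_private_lb=True,
                                   pcg_connected=True, private_dns_zone="cluster.internal",
                                   ip_allocation="Static", static_ip="10.0.1.10"))
    print(check_static_placement("10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"))
```

Each function returns a list of findings rather than raising, so the checks can be run together and every problem reported at once; an empty list means the settings are consistent with the prerequisites and limitations above.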
Validate

You can validate that your cluster is up and in the Running state.

1. Log in to Palette.
2. Ensure you are in the correct project scope.
3. From the left Main Menu, select Clusters. The Clusters page displays a list of all available clusters that Palette manages.
4. Select the cluster you deployed to review its details page. Ensure the Cluster Status field contains the value Running.