Import Azure AKS Cluster

Import an existing Azure AKS cluster into the platform for unified management.

Prerequisites

The Kubernetes version and parameters on the cluster must meet the Standard Kubernetes Cluster Component Version and Parameter Requirements.
TIP
- If AKS nodes cannot access the global cluster, refer to the FAQ: How to configure AKS node external IP security group rules.
The image registry must support HTTPS access and provide a valid TLS certificate authenticated by a public certification authority.

Prepare the Operating Environment

To comply with Azure AKS security standards, the following steps must be performed using Cloud Shell.

Ensure network connectivity with Azure Console.
Open the Kubernetes Services page, locate the cluster you want to import, and click to enter the cluster overview page.
Click the Connect button, which will open a floating window titled Connect to <import cluster name>. Follow the instructions to open Cloud Shell and configure the operating environment.

Obtain Cluster Information

Obtain Import Clusters Token

The KubeConfig file of public cloud clusters cannot be directly used for cluster import.

Please refer to the FAQ How to obtain cluster information? to obtain the import cluster token.

Import Cluster

In the left navigation bar, click Cluster Management > Clusters.
Click Import Cluster.

Configure the relevant parameters according to the following instructions.

Parameter	Description
Image Registry	The registry that stores platform component images required by the cluster. - Platform Default: The image registry configured when deploying the global cluster. - Private Registry: A pre-built registry that stores platform-required component images. You need to enter the Private Image Registry Address, Port, Username, and Password for accessing the image registry. - Public Registry: Use a public image registry service on the internet. Before use, you must first refer to Update Public Image Registry Cloud Credentials to obtain registry authentication permissions.
Cluster Information	Tip: Please upload a KubeConfig file, and the platform will automatically parse and fill in the information. Cluster Address: The access address of the API Server exposed by the import cluster, used by the platform to access the import cluster's API Server. CA Certificate: The CA certificate of the import cluster. Authentication Method: The authentication method of the import cluster, which requires using a Token with cluster management permissions created in the previous step for authentication.

Parameter

Description

Image Registry

The registry that stores platform component images required by the cluster. - Platform Default: The image registry configured when deploying the global cluster. - Private Registry: A pre-built registry that stores platform-required component images. You need to enter the Private Image Registry Address, Port, Username, and Password for accessing the image registry. - Public Registry: Use a public image registry service on the internet. Before use, you must first refer to Update Public Image Registry Cloud Credentials to obtain registry authentication permissions.

Cluster Information

Tip: Please upload a KubeConfig file, and the platform will automatically parse and fill in the information. Cluster Address: The access address of the API Server exposed by the import cluster, used by the platform to access the import cluster's API Server. CA Certificate: The CA certificate of the import cluster. Authentication Method: The authentication method of the import cluster, which requires using a Token with cluster management permissions created in the previous step for authentication.

Click Check Connectivity to verify network connectivity with the import cluster and automatically identify the import cluster type. The cluster type will be displayed as a badge in the upper right corner of the form.
After connectivity check passes, click Import and confirm.
TIP
- Click the Details icon on the right side of a cluster in Importing status to view the cluster's execution progress (status.conditions) in the popup Execution Progress dialog.
- After the cluster is successfully imported, you can view the cluster's key information in the cluster list. The cluster status will show as normal, and you can perform cluster-related operations.

Network Configuration

Ensure the global cluster and the imported cluster have network connectivity. See Network Configuration for Imported Clusters.

Post-Import Operations

Ingress (Inbound Rules) and Storage Initialization

After importing the cluster, if you need to use Ingress (inbound rules) and storage-related features, please refer to Azure AKS Cluster Ingress Initialization Configuration and Azure AKS Cluster Storage Initialization Configuration.

Frequently Asked Questions

How to configure AKS node external IP security group rules

Nodes only have internal IPs by default. The external IP is configured on a frontend load balancer (LB), which is used for outbound traffic by default. This LB is controlled by the AKS principal. Direct manual modification of this configuration may cause issues. You can allow traffic through Kubernetes > Properties > Infrastructure Resource Group > Network Security Group > Add Outbound/Inbound All Rules.

How to access AKS node

To view logs of system components such as Kubelet, CNI, and kernel, you need to SSH into the node first. It is recommended to use the kubectl-node-shell plugin instead of assigning public IP addresses to each node.

Option 1: Using kubectl node-shell

Official Link

Option 2: Using debug

Official Link

NOTE

This example requires kubectl version 1.25 or later, which includes the GA kubectl debug command.

kubectl debug node/aks-newadd-41368356-vmss000002 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
chroot /host

Azure ALB using internal load balancer

Refer to Official Link

apiVersion: v1
kind: Service
metadata:
  name: internal-app
  namespace: cpaas-system
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - name: http-port
    port: 80
    protocol: TCP
  - name: https-port
    port: 443
    protocol: TCP
  selector:
    service.cpaas.io/name: deployment-aks-alb
    service_name: alb2-aks-alb

Azure ALB using external load balancer

Deploy a highly available ALB with the access address configured as the external LB.

apiVersion: v1
kind: Service
metadata:
  name: azure-alb
  namespace: cpaas-system
spec:
  type: LoadBalancer
  ports:
  - name: http-port
    port: 80
    protocol: TCP
  - name: https-port
    port: 443
    protocol: TCP
  - name: prom-port
    port: 11780
    protocol: TCP
  - name: prom2-port
    port: 11781
    protocol: TCP
  - name: prom3-port
    port: 15012
    protocol: TCP
  selector:
    service_name: alb2-cpaas-system

If it has been deployed in advance, you can use the following command to modify it.

kubectl edit helmrequest -n cpaas-system uat-cluster-aks-alb

The add node button is grayed out after importing the cluster. How to add nodes?

Adding nodes through the platform interface is not supported. Please contact the cluster provider to add nodes.

What certificates are supported by the certificate management feature for imported clusters?

Kubernetes Certificates: All imported clusters only support viewing APIServer certificate information in the platform certificate management interface. Other Kubernetes certificates cannot be viewed and automatic rotation is not supported.
Platform Component Certificates: All imported clusters can view platform component certificate information in the platform certificate management interface and support automatic rotation.

What other features are not supported for imported AKS clusters?

Audit data retrieval is not supported.
ETCD, Scheduler, and Controller Manager related monitoring information is not supported. APIServer partial monitoring charts are supported.
Cluster certificate-related information other than Kubernetes APIServer certificates cannot be retrieved.

View full docs as PDF

Import Azure AKS Cluster

Import an existing Azure AKS cluster into the platform for unified management.

Prerequisites

The Kubernetes version and parameters on the cluster must meet the Standard Kubernetes Cluster Component Version and Parameter Requirements.
TIP
- If AKS nodes cannot access the global cluster, refer to the FAQ: How to configure AKS node external IP security group rules.
The image registry must support HTTPS access and provide a valid TLS certificate authenticated by a public certification authority.

Prepare the Operating Environment

To comply with Azure AKS security standards, the following steps must be performed using Cloud Shell.

Ensure network connectivity with Azure Console.
Open the Kubernetes Services page, locate the cluster you want to import, and click to enter the cluster overview page.
Click the Connect button, which will open a floating window titled Connect to <import cluster name>. Follow the instructions to open Cloud Shell and configure the operating environment.

Obtain Cluster Information

Obtain Import Clusters Token

The KubeConfig file of public cloud clusters cannot be directly used for cluster import.

Please refer to the FAQ How to obtain cluster information? to obtain the import cluster token.

Import Cluster

In the left navigation bar, click Cluster Management > Clusters.
Click Import Cluster.

Configure the relevant parameters according to the following instructions.

Parameter	Description
Image Registry	The registry that stores platform component images required by the cluster. - Platform Default: The image registry configured when deploying the global cluster. - Private Registry: A pre-built registry that stores platform-required component images. You need to enter the Private Image Registry Address, Port, Username, and Password for accessing the image registry. - Public Registry: Use a public image registry service on the internet. Before use, you must first refer to Update Public Image Registry Cloud Credentials to obtain registry authentication permissions.
Cluster Information	Tip: Please upload a KubeConfig file, and the platform will automatically parse and fill in the information. Cluster Address: The access address of the API Server exposed by the import cluster, used by the platform to access the import cluster's API Server. CA Certificate: The CA certificate of the import cluster. Authentication Method: The authentication method of the import cluster, which requires using a Token with cluster management permissions created in the previous step for authentication.

Parameter

Description

Image Registry

Cluster Information

Click Check Connectivity to verify network connectivity with the import cluster and automatically identify the import cluster type. The cluster type will be displayed as a badge in the upper right corner of the form.
After connectivity check passes, click Import and confirm.
TIP
- Click the Details icon on the right side of a cluster in Importing status to view the cluster's execution progress (status.conditions) in the popup Execution Progress dialog.
- After the cluster is successfully imported, you can view the cluster's key information in the cluster list. The cluster status will show as normal, and you can perform cluster-related operations.

Network Configuration

Ensure the global cluster and the imported cluster have network connectivity. See Network Configuration for Imported Clusters.

Post-Import Operations

Ingress (Inbound Rules) and Storage Initialization

Frequently Asked Questions

How to configure AKS node external IP security group rules

How to access AKS node

Option 1: Using kubectl node-shell

Official Link

Option 2: Using debug

Official Link

NOTE

This example requires kubectl version 1.25 or later, which includes the GA kubectl debug command.

kubectl debug node/aks-newadd-41368356-vmss000002 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
chroot /host

Azure ALB using internal load balancer

Refer to Official Link

apiVersion: v1
kind: Service
metadata:
  name: internal-app
  namespace: cpaas-system
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - name: http-port
    port: 80
    protocol: TCP
  - name: https-port
    port: 443
    protocol: TCP
  selector:
    service.cpaas.io/name: deployment-aks-alb
    service_name: alb2-aks-alb

Azure ALB using external load balancer

Deploy a highly available ALB with the access address configured as the external LB.

apiVersion: v1
kind: Service
metadata:
  name: azure-alb
  namespace: cpaas-system
spec:
  type: LoadBalancer
  ports:
  - name: http-port
    port: 80
    protocol: TCP
  - name: https-port
    port: 443
    protocol: TCP
  - name: prom-port
    port: 11780
    protocol: TCP
  - name: prom2-port
    port: 11781
    protocol: TCP
  - name: prom3-port
    port: 15012
    protocol: TCP
  selector:
    service_name: alb2-cpaas-system

If it has been deployed in advance, you can use the following command to modify it.

kubectl edit helmrequest -n cpaas-system uat-cluster-aks-alb

The add node button is grayed out after importing the cluster. How to add nodes?

Adding nodes through the platform interface is not supported. Please contact the cluster provider to add nodes.

What certificates are supported by the certificate management feature for imported clusters?

Kubernetes Certificates: All imported clusters only support viewing APIServer certificate information in the platform certificate management interface. Other Kubernetes certificates cannot be viewed and automatic rotation is not supported.
Platform Component Certificates: All imported clusters can view platform component certificate information in the platform certificate management interface and support automatic rotation.

What other features are not supported for imported AKS clusters?

Audit data retrieval is not supported.
ETCD, Scheduler, and Controller Manager related monitoring information is not supported. APIServer partial monitoring charts are supported.
Cluster certificate-related information other than Kubernetes APIServer certificates cannot be retrieved.

Node Management

Managed Clusters

Import Clusters

Public Cloud Cluster Initialization

Network Initialization

Storage Initialization

How to

How to

Backup Management

Recovery Management

Architecture

Concepts

Guides

How To

Trouble Shooting

Concepts

Guides

How To

Troubleshooting

Install

Concepts

Guides

How To

Disaster Recovery

Concepts

Guides

How To

Guides

Compliance

Install

API Refiner

User

Guides

Group

Guides

Role

Guides

IDP

Guides

Troubleshooting

User Policy

Guides

Overview

Images

Guides

How To

Virtual Machine

Guides

How To

Troubleshooting

Network

Guides

How To

Storage

Guides

Backup and Recovery

Guides

Concepts

Concepts

Guides

Namespaces

Pre-Application-Creation Preparation

Creating Applications

Post-Application-Creation Configuration

Operation and Maintenance

Application Observability

Workloads

Pod

Container

How To

Install

How To

Install

Guides

How To

Concepts

Guides

Argo CD Concept

Alauda Container Platform GitOps Concepts

Creating GitOps Application