Import Azure AKS Cluster

Import an existing Azure AKS cluster into the platform for unified management.


Prerequisites

Prepare the Operating Environment

To comply with Azure AKS security standards, the following steps must be performed using Cloud Shell.

  1. Ensure network connectivity with Azure Console.

  2. Open the Kubernetes Services page, locate the cluster you want to import, and click to enter the cluster overview page.

  3. Click the Connect button, which will open a floating window titled Connect to <import cluster name>. Follow the instructions to open Cloud Shell and configure the operating environment.

Obtain Cluster Information

Obtain Import Clusters Token

The KubeConfig file of public cloud clusters cannot be directly used for cluster import.

Please refer to the FAQ How to obtain cluster information? to obtain the import cluster token.

Import Cluster

  1. In the left navigation bar, click Cluster Management > Clusters.

  2. Click Import Cluster.

  3. Configure the relevant parameters according to the following instructions.

    Parameter: Image Registry
    Description: The registry that stores the platform component images required by the cluster.
      - Platform Default: The image registry configured when deploying the global cluster.
      - Private Registry: A pre-built registry that stores platform-required component images. You need to enter the Private Image Registry Address, Port, Username, and Password for accessing the image registry.
      - Public Registry: Use a public image registry service on the internet. Before use, you must first refer to Update Public Image Registry Cloud Credentials to obtain registry authentication permissions.

    Parameter: Cluster Information
    Description: Tip: Please upload a KubeConfig file, and the platform will automatically parse and fill in the information.
      - Cluster Address: The access address of the API Server exposed by the import cluster, used by the platform to access the import cluster's API Server.
      - CA Certificate: The CA certificate of the import cluster.
      - Authentication Method: The authentication method of the import cluster, which requires using a Token with cluster management permissions created in the previous step for authentication.
  4. Click Check Connectivity to verify network connectivity with the import cluster and automatically identify the import cluster type. The cluster type will be displayed as a badge in the upper right corner of the form.

  5. After connectivity check passes, click Import and confirm.

    TIP
    • Click the Details icon on the right side of a cluster in Importing status to view the cluster's execution progress (status.conditions) in the popup Execution Progress dialog.
    • After the cluster is successfully imported, you can view the cluster's key information in the cluster list. The cluster status will show as normal, and you can perform cluster-related operations.
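As an added example (not part of this page or the platform's own code), the script below does what the form's KubeConfig parsing does: it pulls the Cluster Address, CA Certificate and Token out of the current context, and rejects the cases the import cannot use (a non-HTTPS address, TLS verification disabled, or a cloud-issued kubeconfig that authenticates with an exec plugin or client certificate instead of a static token). All cluster names, addresses and token values are constructed placeholders, and the sample is written as JSON (valid YAML) so it runs without PyYAML; use yaml.safe_load for a real file.

```python
import base64
import json

# Constructed placeholder CA (not a real certificate); only the PEM framing matters here.
PLACEHOLDER_CA_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"


def sample_kubeconfig(user_entry: dict, insecure: bool = False) -> str:
    """Build a constructed kubeconfig document with a single context (placeholder values)."""
    cluster = {
        "server": "https://example-aks-placeholder.hcp.eastus.azmk8s.io:443",
        "certificate-authority-data": base64.b64encode(PLACEHOLDER_CA_PEM.encode()).decode(),
    }
    if insecure:
        cluster["insecure-skip-tls-verify"] = True
    return json.dumps({
        "apiVersion": "v1", "kind": "Config", "current-context": "aks-import",
        "clusters": [{"name": "aks-import", "cluster": cluster}],
        "contexts": [{"name": "aks-import", "context": {"cluster": "aks-import", "user": "importer"}}],
        "users": [{"name": "importer", "user": user_entry}],
    })


def extract_import_fields(kubeconfig_text: str) -> dict:
    """Return the three Cluster Information fields the import form needs, or raise ValueError."""
    cfg = json.loads(kubeconfig_text)  # yaml.safe_load for a real kubeconfig file
    ctx = next(c["context"] for c in cfg["contexts"] if c["name"] == cfg["current-context"])
    cluster = next(c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])

    server = cluster["server"]
    if not server.startswith("https://"):
        raise ValueError("cluster address must be an https:// API server URL")
    if cluster.get("insecure-skip-tls-verify"):
        raise ValueError("refusing a kubeconfig that disables TLS verification")
    ca_pem = base64.b64decode(cluster["certificate-authority-data"]).decode()
    if "-----BEGIN CERTIFICATE-----" not in ca_pem:
        raise ValueError("certificate-authority-data is not a PEM certificate")
    # The platform authenticates with a bearer token; the exec plugin or client
    # certificate found in a cloud-issued kubeconfig cannot be used for import.
    token = user.get("token")
    if not token:
        raise ValueError("no static token in user entry; create the import token first")
    return {"cluster_address": server, "ca_certificate": ca_pem, "token": token}


def is_importable(kubeconfig_text: str) -> bool:
    """True when the kubeconfig yields usable Cluster Address, CA Certificate and Token."""
    try:
        extract_import_fields(kubeconfig_text)
        return True
    except (ValueError, KeyError):
        return False
```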

Network Configuration

Ensure the global cluster and the imported cluster have network connectivity. See Network Configuration for Imported Clusters.

Post-Import Operations

Ingress (Inbound Rules) and Storage Initialization

After importing the cluster, if you need to use Ingress (inbound rules) and storage-related features, please refer to Azure AKS Cluster Ingress Initialization Configuration and Azure AKS Cluster Storage Initialization Configuration.

Frequently Asked Questions

How to configure AKS node external IP security group rules

Nodes only have internal IPs by default. The external IP is configured on a frontend load balancer (LB), which by default is used for outbound traffic. This LB is controlled by the AKS principal, so modifying its configuration manually may cause issues. To allow traffic, go to Kubernetes > Properties > Infrastructure Resource Group > Network Security Group and add the required Outbound/Inbound rules.

How to access AKS node

To view logs of system components such as the kubelet, the CNI, and the kernel, you first need shell access to the node. It is recommended to use the kubectl-node-shell plugin (or kubectl debug, below) instead of assigning a public IP address to each node.

Option 1: Using kubectl node-shell

Official Link

Option 2: Using debug

Official Link

NOTE

This example requires kubectl version 1.25 or later, which includes the GA kubectl debug command.

kubectl debug node/aks-newadd-41368356-vmss000002 -it --image=mcr.microsoft.com/dotnet/runtime-deps:6.0
chroot /host

Azure ALB using internal load balancer

Refer to Official Link

apiVersion: v1
kind: Service
metadata:
  name: internal-app
  namespace: cpaas-system
  annotations:
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  ports:
  - name: http-port
    port: 80
    protocol: TCP
  - name: https-port
    port: 443
    protocol: TCP
  selector:
    service.cpaas.io/name: deployment-aks-alb
    service_name: alb2-aks-alb

Azure ALB using external load balancer

Deploy a highly available ALB with the access address configured as the external LB.

apiVersion: v1
kind: Service
metadata:
  name: azure-alb
  namespace: cpaas-system
spec:
  type: LoadBalancer
  ports:
  - name: http-port
    port: 80
    protocol: TCP
  - name: https-port
    port: 443
    protocol: TCP
  - name: prom-port
    port: 11780
    protocol: TCP
  - name: prom2-port
    port: 11781
    protocol: TCP
  - name: prom3-port
    port: 15012
    protocol: TCP
  selector:
    service_name: alb2-cpaas-system

If the ALB has already been deployed, you can modify its HelmRequest with the following command.

kubectl edit helmrequest -n cpaas-system uat-cluster-aks-alb

The add node button is grayed out after importing the cluster. How to add nodes?

Adding nodes through the platform interface is not supported. Please contact the cluster provider to add nodes.

What certificates are supported by the certificate management feature for imported clusters?

  1. Kubernetes Certificates: All imported clusters only support viewing APIServer certificate information in the platform certificate management interface. Other Kubernetes certificates cannot be viewed and automatic rotation is not supported.

  2. Platform Component Certificates: All imported clusters can view platform component certificate information in the platform certificate management interface and support automatic rotation.

What other features are not supported for imported AKS clusters?

  • Audit data retrieval is not supported.

  • ETCD, Scheduler, and Controller Manager related monitoring information is not supported. APIServer partial monitoring charts are supported.

  • Cluster certificate-related information other than Kubernetes APIServer certificates cannot be retrieved.