Microsoft quite recently announced private AKS clusters. A private AKS cluster basicly means that the API server is not exposed to public internet but rather has an internal IP. This is quite a good thing from a security perspective as it substantially decreases your clusters attack surface.
Setting up a cluster like that is very easy but unfortunately, if you are like me and already have existing clusters – you have to re-create them from scratch to make them private. At least at the time of writing this article.
The first thing you need to do then is to actually deploy your private cluster, it is as simple as this. Basicly your regular way of creating the AKS but remember to provide the switch
--enable-private-cluster You can get the credentials for your fresh cluster the regular way by simply running
az aks get-credentials but remember that the cluster is now exactly that, private so in order to access it you need to be on the internal network. Time to hit that VPN.
The other thing is the resolution of your private address. If you look in the resource group containing the nodes of your AKS cluster there is a resource there, private DNS zone. To access the cluster you need to add the IP address of the A record on it together with the DNS into your host -file.
After confirming that you’re on the internal network and that you’re able to resolve the private dns zone you can hit the API server as with any cluster. If you need to utilize a DNS server on your internal network you need to specify the forwarding through CoreDNS configuration. For example like so (where x.x.x.x is your internal DNS’s IP):
Start by creating a new agent pool on Azure DevOps. Then you need a PAT (Personal Access Token) that has at least Read & Manage on the Agent Pools. After that you need to create a Kubernetes secret from the PAT and your organization name;
kubectl create secret generic devops --from-literal=VSTS_TOKEN=<PAT> --from-literal=VSTS_ACCOUNT=<Organization name>
And then you can create a deployment from the agent images like so (remember to replace your-pool with the name of the pool you created):