Merge pull request #178474 from shashankbarsin/shasb/arc-k8s-update-4

Arc-enabled K8s - portal browse

Author: ttorble

articles/azure-arc/kubernetes/cluster-connect.md

@@ -2,7 +2,7 @@
 title: "Use Cluster Connect to connect to Azure Arc-enabled Kubernetes clusters"
 services: azure-arc
 ms.service: azure-arc
-ms.date: 04/05/2021
+ms.date: 10/31/2021
 ms.topic: article
 author: shashankbarsin
 ms.author: shasb
@@ -17,94 +17,89 @@ With Cluster Connect, you can securely connect to Azure Arc-enabled Kubernetes c
 
 A conceptual overview of this feature is available in [Cluster connect - Azure Arc-enabled Kubernetes](conceptual-cluster-connect.md) article.
 
-[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
-
 ## Prerequisites   
 
 - [Install or upgrade Azure CLI](/cli/azure/install-azure-cli) to version >= 2.16.0
 
 - Install the `connectedk8s` Azure CLI extension of version >= 1.1.0:
 
-    ```azurecli
+    ```console
     az extension add --name connectedk8s
     ```
   
     If you've already installed the `connectedk8s` extension, update the extension to the latest version:
     
-    ```azurecli
+    ```console
     az extension update --name connectedk8s
     ```
 
 - An existing Azure Arc-enabled Kubernetes connected cluster.
     - If you haven't connected a cluster yet, use our [quickstart](quickstart-connect-cluster.md).
     - [Upgrade your agents](agent-upgrade.md#manually-upgrade-agents) to version >= 1.1.0.
 
-- Enable the Cluster Connect on any Azure Arc-enabled Kubernetes cluster by running the following command on a machine where the `kubeconfig` file is pointed to the cluster of concern:
-
-    ```azurecli
-    az connectedk8s enable-features --features cluster-connect -n <clusterName> -g <resourceGroupName>
-    ```
-
 - Enable the below endpoints for outbound access in addition to the ones mentioned under [connecting a Kubernetes cluster to Azure Arc](quickstart-connect-cluster.md#meet-network-requirements):
 
     | Endpoint | Port |
     |----------------|-------|
     |`*.servicebus.windows.net` | 443 |
     |`guestnotificationservice.azure.com`, `*.guestnotificationservice.azure.com` | 443 |
 
-## Usage
+- Replace the placeholders and run the below command to set the environment variables used in this document:
 
-Two authentication options are supported with the Cluster Connect feature: 
-* Azure Active Directory (Azure AD) 
-* Service account token
+    ```console
+    CLUSTER_NAME=<cluster-name>
+    RESOURCE_GROUP=<resource-group-name>
+    ARM_ID_CLUSTER=$(az connectedk8s show -n $CLUSTER_NAME -g $RESOURCE_GROUP --query id -o tsv)
+    ```
 
-### Option 1: Azure Active Directory
 
-1. With the `kubeconfig` file pointing to the `apiserver` of your Kubernetes cluster, create a ClusterRoleBinding or RoleBinding to the Azure AD entity (service principal or user) requiring access:
+## Enable Cluster Connect feature
 
-    **For user:**
-    
-    ```console
-    kubectl create clusterrolebinding admin-user-binding --clusterrole cluster-admin --user=<testuser>@<mytenant.onmicrosoft.com>
-    ```
+You can enable the Cluster Connect on any Azure Arc-enabled Kubernetes cluster by running the following command on a machine where the `kubeconfig` file is pointed to the cluster of concern:
 
-    **For Azure AD application:**
+```console
+az connectedk8s enable-features --features cluster-connect -n $CLUSTER_NAME -g $RESOURCE_GROUP
+```
 
-    1. Get the `objectId` associated with your Azure AD application:
+## Azure Active Directory authentication option
 
-        ```azurecli
-        az ad sp show --id <id> --query objectId -o tsv
-        ```
+1. Get the `objectId` associated with your Azure AD entity:
+
+    - For Azure AD user account:
 
-    1. Create a ClusterRoleBinding or RoleBinding to the Azure AD entity (service principal or user) that needs to access this cluster:
-       
         ```console
-        kubectl create clusterrolebinding admin-user-binding --clusterrole cluster-admin --user=<objectId>
+        AAD_ENTITY_OBJECT_ID=$(az ad signed-in-user show --query objectId -o tsv)
         ```
 
-1. After logging into Azure CLI using the Azure AD entity of interest, get the Cluster Connect `kubeconfig` needed to communicate with the cluster from anywhere (from even outside the firewall surrounding the cluster):
+    - For Azure AD application:
 
-    ```azurecli
-    az connectedk8s proxy -n <cluster-name> -g <resource-group-name>
-    ```
+        ```console
+        AAD_ENTITY_OBJECT_ID=$(az ad sp show --id <id> --query objectId -o tsv)
+        ```
 
-1. Use `kubectl` to send requests to the cluster:
+1. Authorize the AAD entity with appropriate permissions:
 
-    ```console
-    kubectl get pods
-    ```
+    - If you are using Kubernetes native ClusterRoleBinding or RoleBinding for authorization checks on the cluster, with the `kubeconfig` file pointing to the `apiserver` of your cluster for direct access, you can create one mapped to the Azure AD entity (service principal or user) that needs to access this cluster. Example:
     
-    You should now see a response from the cluster containing the list of all pods under the `default` namespace.
+        ```console
+        kubectl create clusterrolebinding admin-user-binding --clusterrole cluster-admin --user=$AAD_ENTITY_OBJECT_ID
+        ```
 
-### Option 2: Service Account Bearer Token
+    - If you are using Azure RBAC for authorization checks on the cluster, you can create an Azure role assignment mapped to the Azure AD entity. Example:
+
+        ```console
+        az role assignment create --role "Azure Arc Kubernetes Viewer" --assignee $AAD_ENTITY_OBJECT_ID --scope $ARM_ID_CLUSTER
+        ```
+
+## Service account token authentication option
 
 1. With the `kubeconfig` file pointing to the `apiserver` of your Kubernetes cluster, create a service account in any namespace (following command creates it in the default namespace):
 
     ```console
     kubectl create serviceaccount admin-user
     ```
 
-1. Create ClusterRoleBinding or RoleBinding to grant this [service account the appropriate permissions on the cluster](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-rolebinding):
+1. Create ClusterRoleBinding or RoleBinding to grant this [service account the appropriate permissions on the cluster](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#kubectl-create-rolebinding). Example:
 
     ```console
     kubectl create clusterrolebinding admin-user-binding --clusterrole cluster-admin --serviceaccount default:admin-user
@@ -120,18 +115,28 @@ Two authentication options are supported with the Cluster Connect feature:
     TOKEN=$(kubectl get secret ${SECRET_NAME} -o jsonpath='{$.data.token}' | base64 -d | sed $'s/$/\\\n/g')
     ```
 
-1. Get the Cluster Connect `kubeconfig` needed to communicate with the cluster from anywhere (from even outside the firewall surrounding the cluster):
+## Access your cluster
 
-    ```azurecli
-    az connectedk8s proxy -n <cluster-name> -g <resource-group-name> --token $TOKEN
-    ```
+1. Set up the Cluster Connect based kubeconfig needed to access your cluster based on the authentication option used:
+
+    - If using Azure Active Directory authentication option, after logging into Azure CLI using the Azure AD entity of interest, get the Cluster Connect `kubeconfig` needed to communicate with the cluster from anywhere (from even outside the firewall surrounding the cluster):
+
+        ```console
+        az connectedk8s proxy -n $CLUSTER_NAME -g $RESOURCE_GROUP
+        ```
+
+    - If using the service account authentication option, get the Cluster Connect `kubeconfig` needed to communicate with the cluster from anywhere:
+
+        ```console
+        az connectedk8s proxy -n $CLUSTER_NAME -g $RESOURCE_GROUP --token $TOKEN
+        ```
 
 1. Use `kubectl` to send requests to the cluster:
 
     ```console
     kubectl get pods
     ```
-
+    
     You should now see a response from the cluster containing the list of all pods under the `default` namespace.
 
 ## Known limitations

articles/azure-arc/kubernetes/kubernetes-resource-view.md

@@ -0,0 +1,51 @@
+---
+title: Access Kubernetes resources from Azure portal
+services: azure-arc
+ms.service: azure-arc
+ms.date: 10/31/2021
+ms.topic: article
+author: shashankbarsin
+ms.author: shasb
+description: Learn how to interact with Kubernetes resources to manage an Azure Arc-enabled Kubernetes cluster from the Azure portal.
+---
+
+# Access Kubernetes resources from Azure portal
+
+The Azure portal includes a Kubernetes resource view for easy access to the Kubernetes resources in your Azure Arc-enabled Kubernetes cluster. Viewing Kubernetes resources from the Azure portal reduces context switching between the Azure portal and the `kubectl` command-line tool, streamlining the experience for viewing and editing your Kubernetes resources. The resource viewer currently includes multiple resource types, such as deployments, pods, and replica sets.
+
+[!INCLUDE [preview features note](./includes/preview/preview-callout.md)]
+
+## Prerequisites
+
+- An existing Kubernetes cluster [connected](quickstart-connect-cluster.md) to Azure as an Azure Arc-enabled Kubernetes resource.
+
+- [Cluster Connect feature has to be enabled](cluster-connect.md#enable-cluster-connect-feature) on the Azure Arc-enabled Kubernetes cluster.
+
+- [Service account token](cluster-connect.md#service-account-token-authentication-option) for authentication to the cluster.
+
+## View Kubernetes resources
+
+To see the Kubernetes resources, navigate to your AKS cluster in the Azure portal. The navigation pane on the left is used to access your resources. The resources include:
+
+- **Namespaces** displays the namespaces of your cluster. The filter at the top of the namespace list provides a quick way to filter and display your namespace resources.
+- **Workloads** shows information about deployments, pods, replica sets, stateful sets, daemon sets, jobs, and cron jobs deployed to your cluster.
+- **Services and ingresses** shows all of your cluster's service and ingress resources.
+- **Storage** shows your Azure storage classes and persistent volume information.
+- **Configuration** shows your cluster's config maps and secrets.
+
+[ ![Kubernetes workloads information displayed in the Azure portal](media/kubernetes-resource-view/workloads.png) ](media/kubernetes-resource-view/workloads.png#lightbox)
+
+## Edit YAML
+
+The Kubernetes resource view also includes a YAML editor. A built-in YAML editor means you can update Kubernetes objects from within the portal and apply changes immediately.
+
+After editing the YAML, changes are applied by selecting **Review + save**, confirming the changes, and then saving again.
+
+[ ![YAML editor for Kubernetes objects displayed in the Azure portal](media/kubernetes-resource-view/yaml-editor.png) ](media/kubernetes-resource-view/yaml-editor.png#lightbox)
+
+>[!WARNING]
+> Performing direct production changes via UI or CLI is not recommended and you should consider using [Configurations (GitOps)](tutorial-use-gitops-connected-cluster.md) for production environments. The Azure portal Kubernetes management capabilities and the YAML editor are built for learning and flighting new deployments in a development and testing setting.
+
+## Next steps
+
+Azure Monitor for containers provides more in-depth information about nodes and containers of the cluster when compared to the logical view of the Kubernetes resources available with Kubernetes resources view described in this article. Learn how to [deploy Azure Monitor for containers](../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json) on your cluster.

articles/azure-arc/kubernetes/media/kubernetes-resource-view/workloads.png

@@ -58,12 +58,14 @@
       href: ../../azure-monitor/containers/container-insights-enable-arc-enabled-clusters.md?toc=/azure/azure-arc/kubernetes/toc.json
     - name: Enforce threat protection using Azure Defender
       href: ../../security-center/defender-for-kubernetes-azure-arc.md?toc=/azure/azure-arc/kubernetes/toc.json
-    - name: Admission control policy definitions using Azure Policy
+    - name: In-cluster policy enforcements using Azure Policy
       href: ../../governance/policy/concepts/policy-for-kubernetes.md?toc=/azure/azure-arc/kubernetes/toc.json
     - name: Deploy Azure Arc-enabled Open Service Mesh
       href: tutorial-arc-enabled-open-service-mesh.md
     - name: Securely connect to cluster from anywhere
       href: cluster-connect.md
+    - name: Azure portal Kubernetes resource view
+      href: kubernetes-resource-view.md
     - name: Use Azure AD RBAC for authorization checks
       href: azure-rbac.md
     - name: Create custom locations