Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into fixPriceLink

Author: roygara

articles/azure-arc/kubernetes/azure-rbac.md

@@ -40,49 +40,147 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
 
 ## Set up Azure AD applications
 
-### Create a server application
 
+### [AzureCLI >= v2.37](#tab/AzureCLI)
+#### Create a server application
 1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `serverApplicationId`.
 
     ```azurecli
     CLUSTER_NAME="<clusterName>"
     TENANT_ID="<tenant>"
-    SERVER_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/ClientAnyUniqueSuffix" --query appId -o tsv)
+    SERVER_UNIQUE_SUFFIX="<identifier_suffix>"
+    SERVER_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/${SERVER_UNIQUE_SUFFIX}" --query appId -o tsv)
     echo $SERVER_APP_ID
     ```
 
-1. Update the application's group membership claims:
+1. To grant "Sign in and read user profile" API permissions to the server application. Copy this JSON and save it in a file called oauth2-permissions.json: 
 
-    ```azurecli
-    az ad app update --id "${SERVER_APP_ID}" --set groupMembershipClaims=All
+    ```json
+    {
+        "oauth2PermissionScopes": [
+            {
+                "adminConsentDescription": "Sign in and read user profile",
+                "adminConsentDisplayName": "Sign in and read user profile",
+                "id": "<unique_guid>",
+                "isEnabled": true,
+                "type": "User",
+                "userConsentDescription": "Sign in and read user profile",
+                "userConsentDisplayName": "Sign in and read user profile",
+                "value": "User.Read"
+            }
+        ]
+    }
+    ```
+
+1.  Update the application's group membership claims. Run the commands in the same directory as `oauth2-permissions.json` file. RBAC for Azure Arc-enabled Kubernetes requires [`signInAudience` to be set to **AzureADMyOrg**](/azure/active-directory/develop/supported-accounts-validation):
+    
+    ```azurecli 
+        az ad app update --id "${SERVER_APP_ID}" --set groupMembershipClaims=All
+        az ad app update --id ${SERVER_APP_ID} --set  [email protected]
+        az ad app update --id ${SERVER_APP_ID} --set  signInAudience=AzureADMyOrg
+        SERVER_OBJECT_ID=$(az ad app show --id "${SERVER_APP_ID}" --query "id" -o tsv)
+        az rest --method PATCH --headers "Content-Type=application/json" --uri https://graph.microsoft.com/v1.0/applications/${SERVER_OBJECT_ID}/ --body '{"api":{"requestedAccessTokenVersion": 1}}'
     ```
 
+
 1. Create a service principal and get its `password` field value. This value is required later as `serverApplicationSecret` when you're enabling this feature on the cluster. Please note that this secret is valid for 1 year by default and will need to be [rotated after that](./azure-rbac.md#refresh-the-secret-of-the-server-application). Please refer to [this](/cli/azure/ad/sp/credential?view=azure-cli-latest&preserve-view=true#az-ad-sp-credential-reset) to set a custom expiry duration.
 
     ```azurecli
-    az ad sp create --id "${SERVER_APP_ID}"
-    SERVER_APP_SECRET=$(az ad sp credential reset --name "${SERVER_APP_ID}" --credential-description "ArcSecret" --query password -o tsv)
+        az ad sp create --id "${SERVER_APP_ID}"
+        SERVER_APP_SECRET=$(az ad sp credential reset --id "${SERVER_APP_ID}"  --query password -o tsv) 
     ```
 
-1. Grant "Sign in and read user profile" API permissions to the application:
+1. Grant "Sign in and read user profile" API permissions to the application. [Additional information](/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add-examples):
 
     ```azurecli
-    az ad app permission add --id "${SERVER_APP_ID}" --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
-    az ad app permission grant --id "${SERVER_APP_ID}" --api 00000003-0000-0000-c000-000000000000
+        az ad app permission add --id "${SERVER_APP_ID}" --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
+        az ad app permission grant --id "${SERVER_APP_ID}" --api 00000003-0000-0000-c000-000000000000 --scope User.Read
+    ```
+
+    > [!NOTE]
+    > An Azure tenant administrator has to run this step.
+    > 
+    > For usage of this feature in production, we recommend that you  create a different server application for every cluster.  
+
+#### Create a client application
+
+1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `clientApplicationId`.
+
+    ```azurecli
+        CLIENT_UNIQUE_SUFFIX="<identifier_suffix>" 
+        CLIENT_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Client" --is-fallback-public-client --public-client-redirect-uris "api://${TENANT_ID}/${CLIENT_UNIQUE_SUFFIX}" --query appId -o tsv)
+        echo $CLIENT_APP_ID 
+    ```
+
+
+2. Create a service principal for this client application:
+
+    ```azurecli
+    az ad sp create --id "${CLIENT_APP_ID}"
+    ```
+
+3. Get the `oAuthPermissionId` value for the server application:
+
+    ```azurecli
+        az ad app show --id "${SERVER_APP_ID}" --query "api.oauth2PermissionScopes[0].id" -o tsv
+    ```
+
+4. Grant the required permissions for the client application. RBAC for Azure Arc-enabled Kubernetes requires [`signInAudience` to be set to **AzureADMyOrg**](/azure/active-directory/develop/supported-accounts-validation):
+
+    ```azurecli
+        az ad app permission add --id "${CLIENT_APP_ID}" --api "${SERVER_APP_ID}" --api-permissions <oAuthPermissionId>=Scope
+        RESOURCE_APP_ID=$(az ad app show --id "${CLIENT_APP_ID}"  --query "requiredResourceAccess[0].resourceAppId" -o tsv)
+        az ad app permission grant --id "${CLIENT_APP_ID}" --api "${RESOURCE_APP_ID}" --scope User.Read
+        az ad app update --id ${CLIENT_APP_ID} --set  signInAudience=AzureADMyOrg
+        CLIENT_OBJECT_ID=$(az ad app show --id "${CLIENT_APP_ID}" --query "id" -o tsv)
+        az rest --method PATCH --headers "Content-Type=application/json" --uri https://graph.microsoft.com/v1.0/applications/${CLIENT_OBJECT_ID}/ --body '{"api":{"requestedAccessTokenVersion": 1}}'
+    ```
+
+
+### [AzureCLI < v2.37](#tab/AzureCLI236)
+#### Create a server application
+1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `serverApplicationId`.
+
+    ```azurecli
+    CLUSTER_NAME="<clusterName>"
+    TENANT_ID="<tenant>"
+    SERVER_UNIQUE_SUFFIX="<identifier_suffix>"
+    SERVER_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Server" --identifier-uris "api://${TENANT_ID}/${SERVER_UNIQUE_SUFFIX}" --query appId -o tsv)
+    echo $SERVER_APP_ID
+    ```
+
+1.  Update the application's group membership claims:
+    ```azurecli 
+        az ad app update --id "${SERVER_APP_ID}" --set groupMembershipClaims=All
+    ``` 
+
+1. Create a service principal and get its `password` field value. This value is required later as `serverApplicationSecret` when you're enabling this feature on the cluster. This secret is valid for one year by default and will need to be [rotated after that](./azure-rbac.md#refresh-the-secret-of-the-server-application). You can also [set a custom expiration duration](/cli/azure/ad/sp/credential?view=azure-cli-latest&preserve-view=true#az-ad-sp-credential-reset).
+
+    ```azurecli
+        az ad sp create --id "${SERVER_APP_ID}"
+        SERVER_APP_SECRET=$(az ad sp credential reset --name "${SERVER_APP_ID}" --credential-description "ArcSecret" --query password -o tsv)
+    ```
+
+1. Grant "Sign in and read user profile" API permissions to the application. [Additional information](/cli/azure/ad/app/permission?view=azure-cli-latest#az-ad-app-permission-add-examples):
+
+    ```azurecli     
+        az ad app permission add --id "${SERVER_APP_ID}" --api 00000003-0000-0000-c000-000000000000 --api-permissions e1fe6dd8-ba31-4d61-89e7-88639da4683d=Scope
+        az ad app permission grant --id "${SERVER_APP_ID}" --api 00000003-0000-0000-c000-000000000000 
     ```
 
     > [!NOTE]
     > An Azure tenant administrator has to run this step.
     > 
     > For usage of this feature in production, we recommend that you  create a different server application for every cluster.
 
-### Create a client application
+#### Create a client application
 
 1. Create a new Azure AD application and get its `appId` value. This value is used in later steps as `clientApplicationId`.
 
     ```azurecli
-    CLIENT_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Client" --native-app --reply-urls "api://${TENANT_ID}/ServerAnyUniqueSuffix" --query appId -o tsv)
-    echo $CLIENT_APP_ID
+        CLIENT_UNIQUE_SUFFIX="<identifier_suffix>" 
+        CLIENT_APP_ID=$(az ad app create --display-name "${CLUSTER_NAME}Client" --native-app --reply-urls "api://${TENANT_ID}/${CLIENT_UNIQUE_SUFFIX}" --query appId -o tsv)
+        echo $CLIENT_APP_ID
     ```
 
 2. Create a service principal for this client application:
@@ -94,15 +192,16 @@ A conceptual overview of this feature is available in the [Azure RBAC on Azure A
 3. Get the `oAuthPermissionId` value for the server application:
 
     ```azurecli
-    az ad app show --id "${SERVER_APP_ID}" --query "oauth2Permissions[0].id" -o tsv
+        az ad app show --id "${SERVER_APP_ID}" --query "oauth2Permissions[0].id" -o tsv
     ```
 
 4. Grant the required permissions for the client application:
 
     ```azurecli
-    az ad app permission add --id "${CLIENT_APP_ID}" --api "${SERVER_APP_ID}" --api-permissions <oAuthPermissionId>=Scope
-    az ad app permission grant --id "${CLIENT_APP_ID}" --api "${SERVER_APP_ID}"
+        az ad app permission add --id "${CLIENT_APP_ID}" --api "${SERVER_APP_ID}" --api-permissions <oAuthPermissionId>=Scope
+        az ad app permission grant --id "${CLIENT_APP_ID}" --api "${SERVER_APP_ID}"
     ```
+---
 
 ## Create a role assignment for the server application
 
@@ -160,6 +259,12 @@ az connectedk8s enable-features -n <clusterName> -g <resourceGroupName> --featur
 
     1. The `azure-arc-guard-manifests` secret in the `kube-system` namespace contains two files `guard-authn-webhook.yaml` and `guard-authz-webhook.yaml`. Copy these files to the `/etc/guard` directory of the node.
 
+        ```console
+        sudo mkdir -p /etc/guard
+        kubectl get secrets azure-arc-guard-manifests -n kube-system -o json | jq '.data."guard-authn-webhook.yaml"' | base64 -d > /etc/guard/guard-authn-webhook.yaml
+        kubectl get secrets azure-arc-guard-manifests -n kube-system -o json | jq '.data."guard-authz-webhook.yaml"' | base64 -d > /etc/guard/guard-authz-webhook.yaml
+        ```
+
     1. Open the `apiserver` manifest in edit mode:
         
         ```console

articles/azure-arc/kubernetes/diagnose-connection-issues.md

@@ -0,0 +1,135 @@
+---
+title: "Diagnose connection issues for Azure Arc-enabled Kubernetes clusters"
+ms.date: 11/04/2022
+ms.topic: how-to
+description: "Learn how to resolve common issues when connecting Kubernetes clusters to Azure Arc."
+
+---
+
+# Diagnose connection issues for Azure Arc-enabled Kubernetes clusters
+
+If you are experiencing issues connecting a cluster to Azure Arc, it's probably due to one of the issues listed here. We provide two flowcharts with guided help: one if you're [not using a proxy server](#connections-without-a-proxy), and one that applies if your network connection [uses a proxy server](#connections-with-a-proxy-server).
+
+> [!TIP]
+> The steps in this flowchart apply whether you're using Azure CLI or Azure PowerShell to [connect your cluster](quickstart-connect-cluster.md). However, some of the steps require the use of Azure CLI. If you haven't already [installed Azure CLI](/cli/azure/install-azure-cli), be sure to do so before you begin.
+
+## Connections without a proxy
+
+Review this flowchart in order to diagnose your issue when attempting to connect a cluster to Azure Arc without a proxy server. More details about each step are provided below.
+
+:::image type="content" source="media/diagnose-connection-issues/no-proxy-flowchart.png" alt-text="Flowchart showing a visual representation of checking for connection issues when not using a proxy.":::
+
+### Does the Azure identity have sufficient permissions?
+
+Review the [prerequisites for connecting a cluster](quickstart-connect-cluster.md?tabs=azure-cli#prerequisites) and make sure that the identity you're using to connect the cluster has the necessary permissions.
+
+### Is Azure CLI version above 2.30.0?
+
+Make sure you [have the latest version installed](/cli/azure/install-azure-cli).
+
+If you connected your cluster by using Azure PowerShell, make sure you are running [Azure PowerShell version 6.6.0 or later](/powershell/azure/install-az-ps).
+
+### Is the `connectedk8s` extension the latest version?
+
+Update the Azure CLI `connectedk8s` extension to the latest version by running this command:
+
+```azurecli
+az extension update --name connectedk8s
+```
+
+If you haven't installed the extension yet, you can do so by running the following command:
+
+```azurecli
+az extension add --name connectedk8s
+```
+
+### Is kubeconfig pointing to the right cluster?
+
+Run `kubectl config get-contexts` to confirm the target context name. Then set the default context to the right cluster by running `kubectl config use-context <target-cluster-name>`.
+
+
+### Are all required resource providers registered?
+
+Be sure that the Microsoft.Kubernetes, Microsoft.KubernetesConfiguration, and Microsoft.ExtendedLocation resource providers are [registered](quickstart-connect-cluster.md#register-providers-for-azure-arc-enabled-kubernetes).
+
+### Are all network requirements met?
+
+Review the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) and ensure that no required endpoints are blocked.
+
+### Are all pods in the `azure-arc` namespace running?
+
+If everything is working correctly, your pods should all be in the `Running` state. Run `kubectl get pods -n azure-arc` to confirm whether any pod's state is not `Running`.
+
+### Still having problems?
+
+The steps above will resolve many common connection issues, but if you're still unable to connect successfully, generate a troubleshooting log file and then [open a support request](/azure/azure-portal/supportability/how-to-create-azure-support-request) so we can investigate the problem further.
+
+To generate the troubleshooting log file, run the following command:
+
+```azurecli
+az connectedk8s troubleshoot -g <myResourceGroup> -n <myK8sCluster>
+```
+
+When you [create your support request](/azure/azure-portal/supportability/how-to-create-azure-support-request), in the **Additional details** section, use the **File upload** option to upload the generated log file.
+
+## Connections with a proxy server
+
+If you are using a proxy server on at least one machine, complete the first five steps of the non-proxy flowchart (through resource provider registration) for basic troubleshooting steps. Then, if you are still encountering issues, review the next flowchart for additional troubleshooting steps. More details about each step are provided below.
+
+:::image type="content" source="media/diagnose-connection-issues/proxy-flowchart.png" alt-text="Flowchart showing a visual representation of checking for connection issues when using a proxy." :::
+
+### Is the machine executing commands behind a proxy server?
+
+Be sure you have set all of the necessary environment variables. For more information, see [Connect using an outbound proxy server](quickstart-connect-cluster.md#connect-using-an-outbound-proxy-server).
+
+### Does the proxy server only accept trusted certificates?
+
+Be sure to include the certificate file path by including `--proxy-cert <path-to-cert-file>` when running the `az connectedk8s connect` command.
+
+```azurecli
+az connectedk8s connect --name <cluster-name> --resource-group <resource-group> --proxy-cert <path-to-cert-file>
+```
+
+### Is the proxy server able to reach required network endpoints?
+
+Review the [network requirements](quickstart-connect-cluster.md#meet-network-requirements) and ensure that no required endpoints are blocked.
+
+### Is the proxy server only using HTTP?
+
+If your proxy server only uses HTTP, you can use `proxy-http` for both parameters.
+
+If your proxy server is set up with both HTTP and HTTPS, run the `az connectedk8s connect` command with the `--proxy-https` and `--proxy-http` parameters specified. Be sure you are using `--proxy-http` for the HTTP proxy and `--proxy-https` for the HTTPS proxy.
+
+```azurecli
+az connectedk8s connect --name <cluster-name> --resource-group <resource-group> --proxy-https https://<proxy-server-ip-address>:<port> --proxy-http http://<proxy-server-ip-address>:<port>  
+```
+
+### Does the proxy server require skip ranges for service-to-service communication?
+
+If you require skip ranges, use `--proxy-skip-range <excludedIP>,<excludedCIDR>` in your `az connectedk8s connect` command.
+
+```azurecli
+az connectedk8s connect --name <cluster-name> --resource-group <resource-group> --proxy-https https://<proxy-server-ip-address>:<port> --proxy-http http://<proxy-server-ip-address>:<port> --proxy-skip-range <excludedIP>,<excludedCIDR>
+```
+
+### Are all pods in the `azure-arc` namespace running?
+
+If everything is working correctly, your pods should all be in the `Running` state. Run `kubectl get pods -n azure-arc` to confirm whether any pod's state is not `Running`.
+
+### Still having problems?
+
+The steps above will resolve many common connection issues, but if you're still unable to connect successfully, generate a troubleshooting log file and then [open a support request](/azure/azure-portal/supportability/how-to-create-azure-support-request) so we can investigate the problem further.
+
+To generate the troubleshooting log file, run the following command:
+
+```azurecli
+az connectedk8s troubleshoot -g <myResourceGroup> -n <myK8sCluster>
+```
+
+When you [create your support request](/azure/azure-portal/supportability/how-to-create-azure-support-request), in the **Additional details** section, use the **File upload** option to upload the generated log file.
+
+
+## Next steps
+
+- View more [troubleshooting tips for using Azure Arc-enabled Kubernetes](troubleshooting.md).
+- Review the process to [connect an existing Kubernetes cluster to Azure Arc](quickstart-connect-cluster.md).

articles/azure-arc/kubernetes/media/diagnose-connection-issues/no-proxy-flowchart.png

@@ -2,7 +2,7 @@
 title: "Quickstart: Connect an existing Kubernetes cluster to Azure Arc"
 description: In this quickstart, you learn how to connect an Azure Arc-enabled Kubernetes cluster.
 ms.topic: quickstart
-ms.date: 10/12/2022
+ms.date: 11/04/2022
 ms.custom: template-quickstart, mode-other, devx-track-azurecli, devx-track-azurepowershell
 ms.devlang: azurecli
 ---
@@ -362,6 +362,9 @@ eastus   AzureArcTest1 microsoft.kubernetes/connectedclusters
 > [!NOTE]
 > After onboarding the cluster, it takes around 5 to 10 minutes for the cluster metadata (cluster version, agent version, number of nodes, etc.) to surface on the overview page of the Azure Arc-enabled Kubernetes resource in Azure portal.
 
+> [!TIP]
+> For help troubleshooting problems while connecting your cluster, see [Diagnose connection issues for Azure Arc-enabled Kubernetes clusters](diagnose-connection-issues.md).
+
 ## View Azure Arc agents for Kubernetes
 
 Azure Arc-enabled Kubernetes deploys a few agents into the `azure-arc` namespace.

articles/azure-arc/kubernetes/media/diagnose-connection-issues/proxy-flowchart.png

@@ -113,6 +113,8 @@
         href: ../../machine-learning/how-to-attach-kubernetes-anywhere.md?toc=/azure/azure-arc/kubernetes/toc.json&bc=/azure/azure-arc/kubernetes/breadcrumb/toc.json
   - name: Move between regions
     href: move-regions.md
+  - name: Diagnose connection issues
+    href: diagnose-connection-issues.md
   - name: Troubleshooting
     href: troubleshooting.md
 - name: Reference