Posture Control (ZPC)

Onboarding an Azure Kubernetes Service Cluster with Local Authentication

Microsoft Azure Kubernetes Service (AKS) clusters support multiple authentication and authorization methods for requests to the Kubernetes API, including integration with Azure Active Directory (AD).

If you have enabled Azure AD authentication with Kubernetes RBAC or Azure RBAC, you can onboard those AKS clusters on ZPC using a bash script. To learn more, see Onboarding an Azure Kubernetes Service Cluster.

If you have not enabled Azure AD integration for an AKS cluster, ZPC can use a certificate and a secret key to authenticate to the AKS cluster and collect configuration metadata. When you select clusters to onboard, ZPC generates a bash script and a secret key. You run the bash script against your Kubernetes clusters and enter the secret key while the script is running. The script:

  1. Creates a cluster role and role binding for the service principal used to onboard the Microsoft Azure account.
  2. Allowlists the ZPC IP addresses if your Kubernetes cluster has authorized IP ranges enabled.
  3. Sends a verification certificate to ZPC.
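Because step 1 grants the onboarding service principal cluster-wide RBAC, a practitioner will want to confirm after the script runs that the role bound to that principal only permits the read access needed for metadata collection. The following audit is an added example, not ZPC's script or role definitions: it takes the JSON that `kubectl get clusterrolebindings,clusterroles -o json` returns, finds the roles bound to a given subject, and lists every verb beyond get/list/watch. The role names and the principal identifier in the sample are constructed placeholders.

```python
"""Audit the ClusterRole(s) bound to an onboarding principal (added example, not ZPC code)."""
import json

READ_ONLY = {"get", "list", "watch"}

# Constructed sample in the shape of `kubectl get clusterrolebindings,clusterroles -o json`.
# Names and the subject ID are placeholders, not the values ZPC's script creates.
SAMPLE_RBAC = json.dumps({"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "zpc-collector-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "zpc-collector"},
     "subjects": [{"kind": "User", "name": "<service-principal-object-id>"}]},
    {"kind": "ClusterRole", "metadata": {"name": "zpc-collector"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "nodes", "configmaps"],
                "verbs": ["get", "list", "watch"]},
               # Deliberately over-broad rule so the audit has something to flag.
               {"apiGroups": ["rbac.authorization.k8s.io"],
                "resources": ["clusterroles"], "verbs": ["get", "list", "update"]}]},
]})


def audit_principal(rbac_json: str, principal: str) -> dict:
    """Return the ClusterRoles bound to `principal` and each (role, resource, verb)
    that is not read-only. A wildcard verb "*" is reported like any other write verb."""
    items = json.loads(rbac_json)["items"]
    roles = {i["metadata"]["name"]: i for i in items if i["kind"] == "ClusterRole"}
    bound, excess = [], []
    for binding in items:
        if binding["kind"] != "ClusterRoleBinding":
            continue
        if not any(s.get("name") == principal for s in binding.get("subjects", [])):
            continue
        role_name = binding["roleRef"]["name"]
        bound.append(role_name)
        for rule in roles.get(role_name, {}).get("rules", []):
            for verb in rule.get("verbs", []):
                if verb in READ_ONLY:
                    continue
                for resource in rule.get("resources", []):
                    excess.append((role_name, resource, verb))
    return {"roles": bound, "non_read_verbs": excess}


if __name__ == "__main__":
    # Replace SAMPLE_RBAC with the real kubectl output and the principal with your SP's ID.
    print(audit_principal(SAMPLE_RBAC, "<service-principal-object-id>"))
```

An empty `non_read_verbs` list means the principal holds only read access; anything listed is a permission to question before leaving the binding in place.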

To onboard an AKS cluster with local authentication:

  1. In the ZPC Admin Portal, go to Administration > Cloud Accounts.
  2. Click the Accounts tab.
  3. Click the Actions icon, then select the Add Kubernetes Cluster option for a Microsoft Azure account.
  4. On the Cluster Selection page, you can view and search for the following AKS cluster details available in the selected Microsoft Azure account:
    • Cluster Name: Name of the AKS cluster.
    • Region: Region of the AKS cluster.
    • Kubernetes Version: Current Kubernetes version running on the cluster.
    • Status: Onboarding status of the cluster (Success, Pending, or Failure).
    • Private Cluster: Whether the cluster is public or private.
    • Kubelet Collection: Use the toggle to control whether Kubelet configuration metadata is collected.
  5. Select the clusters you want to onboard, then click Next.
  6. On the Cluster Access page, click Download the bash script.
  7. Click Regenerate to update the Zscaler secret key, then click Copy.

Make sure you copy and save the secret key. You need to submit this secret key when onboarding subsequent AKS clusters. Regenerating a key has no impact on already onboarded clusters.

  8. Click Log in to AZURE cloud console, then run the bash script and enter the secret key.
  9. After the script is deployed, in the ZPC Admin Portal, click Finish.
Related Articles

  • Onboarding a Microsoft Azure Account
  • Onboarding an Azure Kubernetes Service Cluster
  • Onboarding an Azure Kubernetes Service Cluster with Local Authentication