C1 provides identity governance for Azure Kubernetes Service. Integrate your Azure Kubernetes Service instance with C1 to run user access reviews (UARs) and enable just-in-time access requests.
Configuring the connector requires you to pass in credentials generated in Azure Kubernetes Service. Gather these credentials before you move on.
To create a Service Principal in Azure Kubernetes Service the user must have the following permissions:
Application.ReadWrite.All
Directory.ReadWrite.All
Roles that grant these permissions include:
Azure AD Administrator
Application Administrator
Cloud Application Administrator
To assign a role to the Service Principal, the user must have Azure resource-level permissions, typically at the subscription, resource group, or AKS resource level:
If desired, you can use an existing Service Principal. Follow these steps if you want to create a new one.
1
In Entra admin center, navigate to App registrations.
2
Click + New registration.
3
Give the application a name, such as “C1”.
4
Select the supported account type appropriate for your organization. For most internal automation, “Accounts in this organizational directory only (Single tenant)” is sufficient.
5
You do not need to set a redirect URI.
6
Click Register.
7
The new app is created. Carefully copy and save the Application (client) ID and the Directory (tenant) ID shown on the application summary page.
8
Next, we’ll generate a client secret for this app. Click Certificates & secrets.
9
Click + New client secret.
10
Give the client secret a description and set its expiration.
11
Click Add.
12
The client secret is generated. Carefully copy and save the Secret Value.
Assign Azure RBAC permissions to the Service Principal
Next, grant this Service Principal the Reader role at the subscription level so it can discover and read all your AKS cluster information.
1
In the Azure portal’s search bar, type “Subscriptions” and select the relevant Azure subscription.
2
In the left-hand menu of your Subscription, select Access control (IAM).
3
Click + Add > Add role assignment.
4
On the Role tab, search for and select the Reader role.
5
Click Next.
6
On the Members tab, ensure User, group, or service principal is selected for Assign access to.
7
Click + Select members.
8
In the Select members pane, search for and select the name of your App Registration.
9
Click Select at the bottom of the pane.
10
Click Review + assign at the bottom.
Allow time for the new role to propagate. Azure role assignments can take several minutes (typically five to 15, sometimes up to 30) to fully propagate.
Make sure your Service Principal has cluster access
The Service Principal must have access to the cluster in Azure and the proper permissions defined in the cluster.
1
In Azure, navigate to the cluster’s admin page and click Access control (IAM).
2
Locate Role assignments add a new assignment for your Service Principal. Commonly used roles are “Azure Kubernetes Service Cluster User Role” and “Azure Kubernetes Service Cluster Admin Role”.
Be aware that propagation of this assignment may take some time (up to multiple hours) depending on the size and complexity of your cluster.Done. Next, move on to the connector configuration instructions.
The Connector Administrator or Super Administrator role in C1
Access to the set of Azure Kubernetes Service credentials generated by following the instructions above
Cloud-hosted
Self-hosted
Follow these instructions to use a built-in, no-code connector hosted by C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for Azure Kubernetes Service and click Add.
3
Choose how to set up the new Azure Kubernetes Service connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Enter the Azure Kubernetes Service credentials into the relevant fields.
8
Click Save.
9
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
Done. Your Azure Kubernetes Service connector is now pulling access data into C1.
Follow these instructions to use the Azure Kubernetes Service connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
Step 1: Set up a new Azure Kubernetes Service connector
1
In C1, navigate to Integrations > Connectors > Add connector.
2
Search for Baton and click Add.
3
Choose how to set up the new Azure Kubernetes Service connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.
If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
In the Settings area of the page, click Edit.
7
Click Rotate to generate a new Client ID and Secret.
Carefully copy and save these credentials. We’ll use them in Step 2.
# baton-aks-secrets.yamlapiVersion: v1kind: Secretmetadata: name: baton-aks-secretstype: OpaquestringData: # C1 credentials BATON_CLIENT_ID: <C1 client ID> BATON_CLIENT_SECRET: <C1 client secret> # Azure Kubernetes Service credentials BATON_SUBSCRIPTION_ID: <Azure subscription ID> BATON_RESOURCE_GROUP: <Resource group name of the cluster> BATON_CLUSTER_NAME: <Name of the cluster to sync> BATON_TENANT_ID: <The directory (tenant) ID where your service principal is registered> BATON_SP_CLIENT_ID: <The Application (client) ID of your service principal> BATON_SP_CLIENT_SECRET: <The client (Service Principal) secret>
See the connector’s README or run --help to see all available configuration flags and environment variables.
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In C1, click Apps. On the Managed apps tab, locate and click the name of the application you added the Azure Kubernetes Service connector to. Azure Kubernetes Service data should be found on the Entitlements and Accounts tabs.
Done. Your Azure Kubernetes Service connector is now pulling access data into C1.
