Install Veirox Connect on Azure Kubernetes Service (AKS)

Applies to: AKS with managed identities, AKS with Azure RBAC, AKS Automatic.
Kubernetes: 1.26+.


Prerequisites

  • AKS cluster reachable: az aks get-credentials -g <rg> -n <cluster>.
  • helm 3.9+.
  • If pulling from a private Azure Container Registry (ACR): the
    AKS cluster's kubelet identity needs AcrPull on the registry
    (az aks update --attach-acr <acr>).

Install

kubectl create namespace veirox

kubectl -n veirox create secret generic veirox-connector-token \
  --from-literal=token=veirox_enr_...

helm install veirox-connector \
  oci://ghcr.io/msrashed2018/charts/veirox-connector \
  --namespace veirox \
  --set backendUrl=https://www.veirox.com \
  --set rbacPreset=readOnly

Workload Identity

Replaces AAD Pod Identity (deprecated in 2024). Don't wire up
the old one.

If the -cloud image tier is used and you need az CLI to authenticate
as an Azure AD managed identity (e.g., to read a Key Vault secret):

1. Enable Workload Identity on the cluster

RG=my-rg
CLUSTER=my-aks

az aks update -g "$RG" -n "$CLUSTER" \
  --enable-oidc-issuer --enable-workload-identity

OIDC_ISSUER=$(az aks show -g "$RG" -n "$CLUSTER" --query "oidcIssuerProfile.issuerUrl" -o tsv)

2. Create a user-assigned managed identity

az identity create -g "$RG" -n veirox-connector-aks
CLIENT_ID=$(az identity show -g "$RG" -n veirox-connector-aks --query clientId -o tsv)

3. Federate the identity to the k8s SA

az identity federated-credential create \
  --name veirox-connector-federation \
  --identity-name veirox-connector-aks \
  --resource-group "$RG" \
  --issuer "$OIDC_ISSUER" \
  --subject system:serviceaccount:veirox:veirox-connector \
  --audiences api://AzureADTokenExchange

4. Grant the identity the Azure RBAC roles you need

az role assignment create --assignee "$CLIENT_ID" \
  --role "Reader" \
  --scope "/subscriptions/<SUB_ID>/resourceGroups/<RG>"

5. Annotate the Helm-created SA

# my-values.yaml
image:
  tag: 0.2.0-cloud
serviceAccount:
  create: true
  annotations:
    azure.workload.identity/client-id: <CLIENT_ID>
podLabels:
  azure.workload.identity/use: "true"

The chart doesn't currently expose podLabels as a top-level value
— if you hit that, use --set-json 'podLabels={"azure.workload.identity/use":"true"}'
or fork the chart to add the label in _helpers.tpl.

helm upgrade veirox-connector oci://ghcr.io/msrashed2018/charts/veirox-connector \
  -n veirox -f my-values.yaml

Verify:

kubectl -n veirox exec deploy/veirox-connector -- az account show

Pulling from ACR

If you mirror the Veirox image into ACR (required in airgapped or
regulated environments):

az aks update -g "$RG" -n "$CLUSTER" --attach-acr <ACR_NAME>

Then point the chart at your ACR:

helm install veirox-connector oci://ghcr.io/msrashed2018/charts/veirox-connector \
  -n veirox \
  --set image.repository=<ACR_NAME>.azurecr.io/msrashed/veirox-connector \
  ...

Option B — Per-pod imagePullSecret

kubectl -n veirox create secret docker-registry acr-pull \
  --docker-server=<ACR>.azurecr.io \
  --docker-username=$(az acr credential show -n <ACR> --query username -o tsv) \
  --docker-password=$(az acr credential show -n <ACR> --query passwords[0].value -o tsv)

# my-values.yaml
# image:
#   pullSecrets: [acr-pull]

Azure Policy exemptions

If the AKS cluster has Azure Policy / OPA Gatekeeper enforcing the
Azure Kubernetes Service cluster pod security restricted standards
initiative, the Veirox chart satisfies it. If you see admission
denials:

  1. Identify the failing policy:
    bash kubectl get events -n veirox --field-selector type=Warning --sort-by='.lastTimestamp'
  2. If the constraint is azurepolicy-k8s-readonly-root-filesystem,
    azurepolicy-k8s-run-as-non-root, or similar — the chart already
    complies. The denial means a webhook upstream is mutating the spec.
  3. As a last resort, exempt the veirox namespace from the
    initiative via Azure Portal → Policy → Assignments → (pick) →
    Exclusions.

Same as EKS: cluster API privacy has zero impact on the agent (it
dials outbound, not inbound). What matters is pod egress to
veirox.com
:

  • Via Azure Firewall with an application rule for
    veirox.com:443, or
  • Via Private Link (only viable if your Veirox backend offers a
    Private Link service endpoint).

Verify the install

  1. Pod Ready=true in veirox namespace.
  2. Connector row appears at <veirox>/console/settings/connectors with
    type=k8s_pod, online=true.
  3. Run the verification checklist.

Uninstall

helm uninstall veirox-connector -n veirox
kubectl delete namespace veirox
kubectl get clusterrole,clusterrolebinding | grep veirox || echo "clean"

# Optional: delete identity + federation
az identity federated-credential delete \
  --name veirox-connector-federation \
  --identity-name veirox-connector-aks \
  --resource-group "$RG" --yes
az identity delete -g "$RG" -n veirox-connector-aks