Install Veirox Connect on Azure Kubernetes Service (AKS)
Applies to: AKS with managed identities, AKS with Azure RBAC, AKS Automatic.
Kubernetes: 1.26+.
Prerequisites
- AKS cluster reachable:
az aks get-credentials -g <rg> -n <cluster>. helm3.9+.- If pulling from a private Azure Container Registry (ACR): the
AKS cluster's kubelet identity needsAcrPullon the registry
(az aks update --attach-acr <acr>).
Install
kubectl create namespace veirox kubectl -n veirox create secret generic veirox-connector-token \ --from-literal=token=veirox_enr_... helm install veirox-connector \ oci://ghcr.io/msrashed2018/charts/veirox-connector \ --namespace veirox \ --set backendUrl=https://www.veirox.com \ --set rbacPreset=readOnly
Workload Identity
Replaces AAD Pod Identity (deprecated in 2024). Don't wire up
the old one.
If the -cloud image tier is used and you need az CLI to authenticate
as an Azure AD managed identity (e.g., to read a Key Vault secret):
1. Enable Workload Identity on the cluster
RG=my-rg CLUSTER=my-aks az aks update -g "$RG" -n "$CLUSTER" \ --enable-oidc-issuer --enable-workload-identity OIDC_ISSUER=$(az aks show -g "$RG" -n "$CLUSTER" --query "oidcIssuerProfile.issuerUrl" -o tsv)
2. Create a user-assigned managed identity
az identity create -g "$RG" -n veirox-connector-aks CLIENT_ID=$(az identity show -g "$RG" -n veirox-connector-aks --query clientId -o tsv)
3. Federate the identity to the k8s SA
az identity federated-credential create \ --name veirox-connector-federation \ --identity-name veirox-connector-aks \ --resource-group "$RG" \ --issuer "$OIDC_ISSUER" \ --subject system:serviceaccount:veirox:veirox-connector \ --audiences api://AzureADTokenExchange
4. Grant the identity the Azure RBAC roles you need
az role assignment create --assignee "$CLIENT_ID" \ --role "Reader" \ --scope "/subscriptions/<SUB_ID>/resourceGroups/<RG>"
5. Annotate the Helm-created SA
# my-values.yaml
image:
tag: 0.2.0-cloud
serviceAccount:
create: true
annotations:
azure.workload.identity/client-id: <CLIENT_ID>
podLabels:
azure.workload.identity/use: "true"
The chart doesn't currently expose
podLabelsas a top-level value
— if you hit that, use--set-json 'podLabels={"azure.workload.identity/use":"true"}'
or fork the chart to add the label in_helpers.tpl.
helm upgrade veirox-connector oci://ghcr.io/msrashed2018/charts/veirox-connector \ -n veirox -f my-values.yaml
Verify:
kubectl -n veirox exec deploy/veirox-connector -- az account show
Pulling from ACR
If you mirror the Veirox image into ACR (required in airgapped or
regulated environments):
Option A — AKS attaches the ACR (recommended)
az aks update -g "$RG" -n "$CLUSTER" --attach-acr <ACR_NAME>
Then point the chart at your ACR:
helm install veirox-connector oci://ghcr.io/msrashed2018/charts/veirox-connector \ -n veirox \ --set image.repository=<ACR_NAME>.azurecr.io/msrashed/veirox-connector \ ...
Option B — Per-pod imagePullSecret
kubectl -n veirox create secret docker-registry acr-pull \ --docker-server=<ACR>.azurecr.io \ --docker-username=$(az acr credential show -n <ACR> --query username -o tsv) \ --docker-password=$(az acr credential show -n <ACR> --query passwords[0].value -o tsv) # my-values.yaml # image: # pullSecrets: [acr-pull]
Azure Policy exemptions
If the AKS cluster has Azure Policy / OPA Gatekeeper enforcing the
Azure Kubernetes Service cluster pod security restricted standards
initiative, the Veirox chart satisfies it. If you see admission
denials:
- Identify the failing policy:
bash kubectl get events -n veirox --field-selector type=Warning --sort-by='.lastTimestamp' - If the constraint is
azurepolicy-k8s-readonly-root-filesystem,
azurepolicy-k8s-run-as-non-root, or similar — the chart already
complies. The denial means a webhook upstream is mutating the spec. - As a last resort, exempt the
veiroxnamespace from the
initiative via Azure Portal → Policy → Assignments → (pick) →
Exclusions.
Private cluster (private API + Private Link)
Same as EKS: cluster API privacy has zero impact on the agent (it
dials outbound, not inbound). What matters is pod egress to
veirox.com:
- Via Azure Firewall with an application rule for
veirox.com:443, or - Via Private Link (only viable if your Veirox backend offers a
Private Link service endpoint).
Verify the install
- Pod
Ready=trueinveiroxnamespace. - Connector row appears at
<veirox>/console/settings/connectorswith
type=k8s_pod,online=true. - Run the verification checklist.
Uninstall
helm uninstall veirox-connector -n veirox kubectl delete namespace veirox kubectl get clusterrole,clusterrolebinding | grep veirox || echo "clean" # Optional: delete identity + federation az identity federated-credential delete \ --name veirox-connector-federation \ --identity-name veirox-connector-aks \ --resource-group "$RG" --yes az identity delete -g "$RG" -n veirox-connector-aks