# Azure Kubernetes Services (AKS) Deployment Example

This how-to guide is an example Azure Kubernetes deployment. This is not the only way to deploy a Kubernetes cluster.

Security: Follow your organization's security requirements for Kubernetes clusters.

Application Administrator: Ensure the Azure tenant has a User with the Application Administrator role on the tenant and the Owner role on the subscription that the Model Scanner will be deployed to.

## Setup Summary

The following Azure resources are used in this example deployment.

- Azure Blob Storage
- Service Principal
- Azure Managed Kubernetes Service (AKS)

## Azure Blob Storage

1. Authenticate the Azure CLI to your Azure tenant.

   ```
   az login
   ```

   You may need to log in with an Azure tenant ID. Running `az login` may result in a message with a list of available tenants. In that case, use the following command: `az login --tenant %TENANT_ID%`. Replace `%TENANT_ID%` with the ID of the tenant you want to use.

2. A web browser opens, and you need to verify your login. After logging in, you may need to select a subscription to use.

3. Configure the Azure CLI to use the Subscription ID that the Model Scanner will be deployed to. The subscription ID can be found in the output of the `az login` command. Replace `<SUBSCRIPTION_ID>` with the Subscription ID you want to use.

   ```
   az account set --subscription <SUBSCRIPTION_ID>
   ```

   Record the Subscription ID used here as it will be used later.

4. Find the Azure Resource Group. Note: This should be the resource group the Model Scanner will be deployed to; you will provide the group name in the next step.

   ```
   az group list
   ```

5. Create an Azure Storage Account. Replace `hlmodelscannerstorage` with a name for the Storage Account. Replace `<RESOURCE_GROUP>` with the name of the Resource Group you want to use.
   ```
   az storage account create --name hlmodelscannerstorage --resource-group <RESOURCE_GROUP> --location eastus --sku Standard_LRS

   # Usage example:
   az storage account create --name hlmodelscannerstorage --resource-group hl-modelscanner-rg --location eastus --sku Standard_LRS
   ```

   The Azure Storage Account name must be unique across Azure, not just your organization. The name must be between 3 and 24 characters in length, using numbers and lower-case letters only.

6. Create an Azure Container. Use the Storage Account name from the previous step.

   ```
   az storage container create --account-name hlmodelscannerstorage --name hl-modelscanner-artifacts
   ```

7. (Optional) Create a Virtual Network. If you have an existing virtual network that you would like to use, you can skip this step. Replace `<RESOURCE_GROUP>` with the name of your Resource Group, and `<VNET_ADDRESS_PREFIX>` and `<SUBNET_ADDRESS_PREFIX>` with the address ranges you want to use.

   ```
   az network vnet create --resource-group <RESOURCE_GROUP> --name hl-modelscanner-net --address-prefixes <VNET_ADDRESS_PREFIX>
   az network vnet subnet create --resource-group <RESOURCE_GROUP> --vnet-name hl-modelscanner-net --name hl-modelscanner-subnet --address-prefix <SUBNET_ADDRESS_PREFIX>
   ```

## Service Principal

1. Create a Service Principal (SP).

   ```
   az ad sp create-for-rbac --skip-assignment --name hl-modelscanner-sp
   ```

   This command will output JSON containing the appId, password, and tenant. You will need this information to populate environment variables when you install the Model Scanner.

2. Assign the following roles to the Service Principal: Storage Blob Data Owner, Azure Storage Data Contributor, Azure Storage Blob Data Reader. See Azure built-in roles for more information. Replace `<APP_ID>` with the appId from the previous step. Replace `<SUBSCRIPTION_ID>` with your Azure Subscription ID.

   ```
   az role assignment create --assignee <APP_ID> --role "Storage Blob Data Contributor" --scope "/subscriptions/<SUBSCRIPTION_ID>"
   ```

3. If you are using an AKS Cluster with RBAC AAD, run the following command. See Azure built-in RBAC role for more information. Replace `<APP_ID>` with the appId from the previous step. Replace `<CLUSTER_ID>` with the cluster ID.
   ```
   az role assignment create --assignee <APP_ID> --role "Azure Kubernetes Service RBAC Contributor" --scope <CLUSTER_ID>
   ```

   You need an AKS Cluster ID to perform this step. If necessary, create an AKS Cluster, then return to this step.

## Azure Managed Kubernetes Service (AKS)

1. Create an AKS Cluster, if one doesn’t exist. Replace `<RESOURCE_GROUP>` with the name of the Resource Group you want to use.

   ```
   az aks create --resource-group <RESOURCE_GROUP> --name hl-modelscanner --node-count 2 --generate-ssh-keys
   ```

2. Fetch the kubeconfig for the AKS cluster. Replace `<RESOURCE_GROUP>` with the name of the Resource Group used to create the cluster, and `<CLUSTER_NAME>` with the name of the cluster (`hl-modelscanner` if you created it in the previous step).

   ```
   az aks get-credentials --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME>
   ```

   This command updates your kubeconfig file to work with the AKS Cluster.
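
The role assignment in the Service Principal section is scoped to the whole subscription. The following is an added example, not part of the original guide or the vendor's tooling: it builds a container-level scope for the same role and labels how broad each of the Service Principal's existing assignments is. It assumes the Model Scanner only needs the `hl-modelscanner-artifacts` container; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide). Function names are hypothetical.
# Assumption: the Service Principal only needs the one container the guide creates.

# Naming rule stated in the guide: 3-24 characters, lower-case letters and digits only.
valid_storage_account_name() (
  LC_ALL=C   # keep the a-z range ASCII-only regardless of the caller's locale
  case "$1" in
    ''|*[!a-z0-9]*) exit 1 ;;
  esac
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 24 ]
)

# Print the ARM resource ID of one blob container.
# Args: subscription-id resource-group storage-account container
container_scope() {
  valid_storage_account_name "$3" || { echo "invalid storage account name: $3" >&2; return 1; }
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s/blobServices/default/containers/%s\n' \
    "$1" "$2" "$3" "$4"
}

# Classify how broad a role-assignment scope is.
scope_level() {
  case "$1" in
    /subscriptions/*/resourceGroups/*/providers/*) echo resource ;;
    /subscriptions/*/resourceGroups/*)             echo resource-group ;;
    /subscriptions/*)                              echo subscription ;;
    *)                                             echo unknown ;;
  esac
}

# Assign the guide's role on the container only.
# Args: app-id subscription-id resource-group storage-account container
assign_container_role() {
  scope="$(container_scope "$2" "$3" "$4" "$5")" || return 1
  az role assignment create --assignee "$1" \
    --role "Storage Blob Data Contributor" --scope "$scope"
}

# Print "<level> <role> <scope>" for every assignment the Service Principal holds,
# so subscription-wide grants stand out. Arg: app-id
audit_sp_scopes() {
  az role assignment list --assignee "$1" --all \
    --query '[].[roleDefinitionName, scope]' -o tsv |
  while IFS="$(printf '\t')" read -r role scope; do
    printf '%s\t%s\t%s\n' "$(scope_level "$scope")" "$role" "$scope"
  done
}
```

Source the file and call `assign_container_role` with the appId, Subscription ID, Resource Group, Storage Account and container names recorded earlier; `audit_sp_scopes` needs only the appId.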