Feature Overview

Kubernetes Cluster Onboarding for Azure is an agent-based capability within CoreStack's FinOps module that connects your Azure Kubernetes Service (AKS) cluster to CoreStack, enabling workload-level cost visibility and governance. It is most relevant when your organisation runs containerised workloads on AKS and needs accurate, namespace- and pod-level cost breakdowns without manual data extraction.

This feature is most valuable to Cloud Administrators and FinOps Practitioners who need to bring AKS spend into the same governance framework as the rest of their Azure estate. It does not provide real-time cluster monitoring or infrastructure alerting — its purpose is cost ingestion and FinOps reporting.

📘
Note: The CoreStack Kubernetes Agent must be deployed inside your AKS cluster by the CoreStack Technical Support Team. Download the YAML file during onboarding and raise a support request to complete the deployment before proceeding to the final step.

How It Works

When you onboard an AKS cluster, a CoreStack Kubernetes Agent is deployed inside the cluster using a YAML file downloaded from the CoreStack platform and applied with kubectl. The agent connects to Prometheus — which must already be running in your environment — to retrieve node, pod, and container utilisation metrics. At regular intervals, the agent uploads these metrics to an Azure Blob Storage container (either CoreStack's shared S3 bucket or your own), where CoreStack retrieves and processes the data. The processed data is surfaced as cost and utilisation insights on the CoreStack FinOps Dashboard. Cost data reflects completed ingestion cycles and is not real-time.

Prerequisites

Before you begin, ensure the following are in place:

Prerequisite	Requirement
Role	You have the appropriate role, with access to the Azure subscription associated with the AKS cluster.
Azure subscription onboarded	The Azure subscription associated with the cluster must be onboarded in CoreStack before AKS cluster onboarding can proceed. Complete cloud account onboarding first if not already done.
Azure AKS cluster	A functioning AKS cluster is available and accessible within the onboarded subscription.
Prometheus	Prometheus v2.x or higher is running in the cluster. Only one instance per cluster is required. The endpoint must be reachable from within the cluster.
kube-state-metrics	Version v2.9.0 or later (v2.10.x preferred) is deployed in the cluster.
cAdvisor	No separate installation required — bundled with the Kubelet on Kubernetes v1.20 or higher.
Network access	Outbound connectivity from the AKS cluster to storage endpoints is enabled. The CoreStack agent cluster and Prometheus endpoint are mutually whitelisted.
Storage decision	Decide whether to use Platform Managed Storage (CoreStack's shared S3 bucket) or User Specific Storage (your own Azure Blob Storage). If using User Specific Storage, have credentials ready for your chosen authentication method.
Temporary disk space	The /tmp directory is writable and has sufficient free space. Logs are automatically purged above 500 MB.
Cluster details	Have the Cluster ID, Cluster Type, Cloud Provider (Azure), and Region available.
Cost weightage (optional)	Define CPU, Memory, and GPU weightage percentages — total must equal 100%.

Onboarding an Azure AKS Cluster

Navigate to Governance > Account Governance > Container Services.

The Container Services page lists all clusters currently connected to CoreStack. Follow the steps below to onboard a new Azure AKS cluster.

Step 1 - Initiate Cluster Onboarding

Click Onboard Cluster in the top-right corner of the Container Services page.

On the screen that appears, click Onboard to enter the onboarding wizard and select Azure AKS as the cluster type.

👍
Tip: Alternatively, on the Container Platform Accounts page, locate a cluster with a pending onboarding status and click Onboard in the Onboarding Status column for that cluster.

Step 2 - Select Cloud Account and Cluster

In the Cloud Account drop-down list, select your Azure subscription and click Ok.

📘
Note: If your Azure subscription has not yet been onboarded to CoreStack, the following message appears: "Your Azure subscription is not onboarded with the product. Please onboard your cloud account first to continue." Complete cloud account onboarding before proceeding.

In the Cluster list, select the AKS cluster to onboard and click Ok.

The Cluster ID and Cluster Type fields populate automatically. Review these to confirm the correct cluster is selected.

Click Next.

Step 3 - Activate FinOps

In the Select and Manage Products step, confirm that FinOps is listed under Active Product(s) and that the drop-down to the left of FinOps is set to Active.

Click Next.

Step 4 - Configure Storage Access

In the Storage Access step, select a storage type from the Select Storage Access Type field. Choose one of the three twooptions below and follow the corresponding instructions.

Option 1: Platform Managed Storage

Select Platform managed storage to store metrics in CoreStack's shared S3 bucket. CoreStack automatically handles storage provisioning, data retrieval, and processing — no Azure storage resources or credentials are required on your end. Choose this option if you do not have specific data residency requirements and want the simplest setup.

Click Next to proceed.

Option 2: User Specific Storage — Cloud Account Onboarded with Product

Select User specific storage. Choose this option if you need metrics stored in your own Azure Blob Storage container — for example, to meet data residency or compliance requirements, or to retain direct access to the raw metrics data. You will need your Azure storage account details and appropriate permissions ready before proceeding. Depending on whether the Azure account that owns the storage is onboarded in CoreStack, use one of the following methods:

Option 2a: Cloud Account Onboarded with Product

Use this option if the Azure subscription that owns the storage is already onboarded in CoreStack.

Select the Cloud Account Onboarded with Product checkbox

Enter the following details:

Select Cloud Account: Select the Azure subscription from the drop-down list.
Storage Account: Enter or select the Azure Storage Account name.
Container Name: Enter the name of the Blob Storage container where metrics will be stored.
File/Blob Path: Enter the file path within the container.

Click Save & Validate. A confirmation message indicates successful validation. Click Next to proceed.

Option2b: Azure Application

Use this option if the Azure subscription that owns the storage is** not **onboarded in CoreStack. In the Select Authentication Protocol field, select Azure Application.

Enter the following details:

Tenant ID: Enter the Tenant ID.
Application ID: Enter the Application ID.
Application Secret: Enter the Application Secret.
Storage Account: Enter the Storage Account name.
Blob Container Name: Enter the name of the Azure Blob container (lowercase, alphanumeric and hyphens, 3–63 characters).
File Path: Enter the file path.

❗️
Warning: The service principal must have the Storage Blob Data Owner role assigned at the data plane level on the container in the Azure portal. Subscription-level owner permissions, even if inherited, are not sufficient. Ensure this permission is explicitly set on the container before clicking Save & Validate.

Click Save & Validate. A confirmation message indicates successful validation. Click Next to proceed.

Step 5 - Configure Basic Settings and Deploy the Agent

In the Prometheus Endpoint field, enter the full URL of the Prometheus endpoint running in the AKS cluster. The endpoint must be accessible from within the cluster by the K8s agent.

If Prometheus certification is required, select the Prometheus certification is required for accessing Prometheus endpoint checkbox and enter the values in the Certificate Path and Certificate fields that appear.

The Deployment Method is set to Kubernetes Deployment by default and does not need to be changed.

In the Install Kubernetes Agent section, click Download YAML to download the agent configuration file specific to this AKS cluster.

📘
Note: Share the downloaded YAML file with the CoreStack Technical Support Team to complete the agent deployment. The agent is deployed using:
kubectl create -f kube-agent-<cluster-id>.yaml
The agent cannot be self-deployed.

After the agent has been deployed by the Technical Support Team, select the I have installed the Kubernetes Agent checkbox.

Click Next.

Step 6 - Configure Advance Settings

In the Advance Settings step, enter the following:

Cluster Description: Enter a description for the cluster.
Cost Resolution Frequency: Select how frequently cost data is calculated. Options: 15 Min, 30 Min (default), or 1 Hour.

In the Cost Weightage section, enter percentage values for CPU Weight (%) (default 60%), Memory Weight (%) (default 20%), and GPU Weight (%) (default 20%). The total must equal 100%.

Step 7 - Complete Onboarding

Click Finish to complete the onboarding of your Azure AKS cluster.

The newly onboarded cluster appears on the Container Platform Accounts page with its onboarding status updated.

Managing Onboarded AKS Clusters

After onboarding, all clusters are listed on the Container Platform Accounts page. The summary cards at the top show counts for Active and Governed, Not Onboarded, Deactivated, and Invalid Credential accounts. To take action on a cluster, click the ⋯ (ellipsis) under the Actions column

Edit Configuration

Click the ⋯ and select Edit Configuration. The edit wizard opens with the same steps as the onboarding wizard. All fields The Cluster Details section is read-only and cannot be modified. All other sections are editable: you can update the FinOps product settings, reconfigure storage access and re-validate credentials, re-download the agent YAML if required, and adjust advance settings. Click Next through each step, then click Finish to save.

View Configuration

Click the ⋯ and select View Configuration. The Details tab opens, showing the cluster's Basic Details, Storage Access, Deployment, and Advance Settings — all read-only. Select the FinOps tab to review cost processing details.

Deactivate

Click the ⋯ and select Deactivate. In the confirmation dialog, click Yes to suspend the cluster without deleting it. The cluster remains visible with a status of Deactivated and can be reactivated at any time.

Delete

Click the ⋯ and select Delete. In the confirmation dialog, click Yes to permanently remove the cluster from CoreStack

❗️
Warning: Deleting a cluster removes it and all associated configuration from CoreStack. This action cannot be undone.

Frequently Asked Questions

Q: My Azure subscription is not appearing in the Cloud Account drop-down. What should I do?

The Azure subscription must be onboarded to CoreStack before AKS clusters within it become available for onboarding. Navigate to cloud account management in CoreStack and complete Azure subscription onboarding first, then return to Container Services to onboard your AKS cluster.

Q: Which User Specific Storage authentication method is recommended for Azure?

Service Principal is recommended for production environments as it provides granular, identity-based access control aligned with Azure RBAC and avoids the use of long-lived storage account keys. Use Cloud Account Onboarded with Product if the Azure subscription is already onboarded with the relevant product in CoreStack.

Q: Can I change the storage type or authentication method after onboarding?

Yes. Click the ⋯ under Actions for the cluster and select Edit Configuration. Navigate to the Storage Access step, update your settings, and click Save & Validate before proceeding to Finish.

Q: The Cluster drop-down is empty — why can't I see my AKS cluster?

The Azure subscription associated with the cluster must be onboarded to CoreStack before the cluster appears in the drop-down. Verify the subscription is onboarded and that you have selected the correct account in the Cloud Account drop-down.

Q: How long does it take for cost data to appear in the FinOps Dashboard?

Cost data appears after the first successful ingestion cycle. The frequency depends on the Cost Resolution Frequency set in Advance Settings. The initial data load may take longer than subsequent cycles.

Q: Can I onboard multiple AKS clusters from the same Azure subscription?

Yes. Each cluster is onboarded independently and receives its own agent deployment and service account. Repeat the onboarding process for each cluster.

Troubleshooting

No cost data appears in the FinOps Dashboard after onboarding

Cause:

The Kubernetes Agent has not completed a successful ingestion cycle. Most commonly caused by network connectivity issues between the agent and Prometheus, or between the agent and the Azure Blob Storage endpoint.

Solution:

Confirm the Prometheus endpoint entered during onboarding is correct and reachable from within the cluster.
Confirm outbound connectivity from the cluster to the Azure Blob Storage endpoint is not blocked by a Network Security Group (NSG), Azure Firewall rule, or Private Endpoint policy.
Verify the /tmp directory is writable and has available disk space.
Check the Agent Status column on the Container Platform Accounts page. If not Active, raise a request with the CoreStack Technical Support Team to inspect agent logs.

📘
Note: If the issue persists, contact CoreStack support with: Cluster ID, Azure Region, Agent Status, and any error messages from the agent logs in /tmp.

Storage validation fails with User Specific Storage

Cause:

Credentials do not have sufficient permissions to access the specified Azure Blob Storage container, or the container or account details are incorrect.

Solution:

Confirm the Azure Blob Storage container exists in the correct storage account.
For Service Principal: verify Tenant ID, Client ID, and Client Secret are correct. Confirm the service principal has the Storage Blob Data Owner role assigned at the data plane level on the container in the Azure portal — subscription-level permissions, even if inherited, are not sufficient.
Confirm the Container Name and File/Blob Path are correct.
Click Save & Validate again after correcting the details.

📘
Note: if validation continues to fail, contact CoreStack support with: Cluster ID, storage type, authentication method, and the exact error message displayed.

Agent Status shows as inactive after deployment

Cause:

The agent cannot communicate with the CoreStack management endpoint or the Prometheus endpoint, or the YAML configuration values are incorrect.

Solution:

Confirm the agent YAML was downloaded after completing the onboarding wizard — YAML files generated before saving may contain outdated values.
Verify the Prometheus endpoint is reachable from the namespace where the agent is deployed.
Confirm the kubectl create -f kube-agent-<cluster-id>.yaml command completed without errors.
Contact the CoreStack Technical Support Team with the Cluster ID, agent pod logs, and a description of the network configuration.