Integrate Azure Active Directory with Azure Kubernetes Service

Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (Azure AD) for user authentication. In this configuration, you can sign in to an AKS cluster by using your Azure AD authentication token.

Cluster administrators can configure Kubernetes role-based access control (RBAC) based on a user's identity or directory group membership.

This article explains how to:

  • Deploy the prerequisites for AKS and Azure AD.
  • Deploy an Azure AD-enabled cluster.
  • Create a basic RBAC role in the AKS cluster by using the Azure portal.

You can also complete these steps by using the Azure CLI.

Note

Azure AD can only be enabled when you create a new RBAC-enabled cluster. You can't enable Azure AD on an existing AKS cluster.

Authentication details

Azure AD authentication is provided to AKS clusters through OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol.

For more information about OpenID Connect, see Authorize access to web applications using OpenID Connect and Azure AD.

Inside a Kubernetes cluster, webhook token authentication is used to validate authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster.

For more information about webhook token authentication, see the Webhook Token Authentication section in the Kubernetes documentation.

To provide Azure AD authentication for an AKS cluster, two Azure AD applications are created. The first application is a server component that provides user authentication. The second application is a client component that's used when the CLI prompts you for authentication. The client application uses the server application to actually authenticate the credentials that the client provides.
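To make the validation step concrete, here is an added example (not part of the original article and not AKS's own code) of what a webhook token authenticator does with a bearer token: it receives a Kubernetes TokenReview, pins the signing algorithm, checks the signature, issuer, audience (the server application ID) and expiry, and returns the user name and the group object IDs that RBAC bindings later match on. Every value in it is constructed: the tenant ID, the server application ID, the HS256 demo key and the claims. A real AKS cluster verifies Azure AD's RS256 signatures against the tenant's published signing keys; the HMAC key stands in for that here so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed values (constructed for this example): the server application ID is the
# audience the token must carry, and the tenant ID forms the expected issuer.
SERVER_APP_ID = "00000000-0000-0000-0000-00000000aaaa"
TENANT_ID = "00000000-0000-0000-0000-00000000bbbb"
EXPECTED_ISSUER = "https://sts.windows.net/" + TENANT_ID + "/"

# Constructed demo key. Azure AD signs tokens with RS256 and publishes the public
# keys (JWKS); a real webhook verifies against those, never a shared HMAC secret.
DEMO_HS256_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict) -> str:
    """Build a compact JWT signed with the demo key (stands in for the Azure AD token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = (header + "." + payload).encode("ascii")
    sig = hmac.new(DEMO_HS256_KEY, signing_input, hashlib.sha256).digest()
    return header + "." + payload + "." + b64url_encode(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims when algorithm, signature, issuer, audience and expiry all pass; else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm before trusting the signature (rejects alg-confusion tokens).
        if header.get("alg") != "HS256":
            return None
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        expected = hmac.new(DEMO_HS256_KEY, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None  # malformed token: wrong part count, bad base64, bad JSON
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != SERVER_APP_ID:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims


def token_review(request: dict, now: Optional[float] = None) -> dict:
    """Answer a Kubernetes TokenReview by mapping Azure AD claims to a user and groups."""
    token = request.get("spec", {}).get("token", "")
    claims = verify_token(token, now)
    if claims is None:
        status = {"authenticated": False}
    else:
        status = {
            "authenticated": True,
            "user": {
                # UPN names same-tenant users; oid (object ID) names users from another
                # tenant. Group membership arrives as object IDs, which is what the
                # Group subjects in RBAC bindings are matched against.
                "username": claims.get("upn") or claims.get("oid"),
                "uid": claims.get("oid"),
                "groups": list(claims.get("groups", [])),
            },
        }
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "status": status}


if __name__ == "__main__":
    demo_claims = {  # constructed claims
        "iss": EXPECTED_ISSUER, "aud": SERVER_APP_ID,
        "upn": "user@contoso.com", "oid": "00000000-0000-0000-0000-00000000cccc",
        "groups": ["894656e1-39f8-4bfe-b16a-510f61af6f41"],
        "exp": int(time.time()) + 3600,
    }
    print(json.dumps(token_review({"spec": {"token": mint_demo_token(demo_claims)}}), indent=2))
```

A token with the wrong audience, an expired token or a tampered signature all come back as authenticated: false, which is what the API server then reports to kubectl as Unauthorized.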

Note

When you configure Azure AD for AKS authentication, two Azure AD applications are configured. The steps to delegate permissions for each application must be completed by an Azure tenant administrator.

Create the server application

The first Azure AD application is used to get a user's Azure AD group membership. To create this application in the Azure portal:

  1. Select Azure Active Directory > App registrations > New registration.

    a. Give the application a name, such as AKSAzureADServer.

    b. For Supported account types, select Accounts in this organizational directory only.

    c. Choose Web for the Redirect URI type, and then enter any URI-formatted value, such as https://aksazureadserver.

    d. Select Register when you're finished.

  2. Select Manifest, and then edit the groupMembershipClaims: value to All. When you're finished with the updates, select Save.

    [Screenshot: Update group membership claims to All]

  3. In the left pane of the Azure AD application, select Certificates & secrets.

    a. Select + New client secret.

    b. Add a key description, such as AKS Azure AD server. Choose an expiration time, and then select Add.

    c. Note the key value, which is displayed only at this time. When you deploy an Azure AD-enabled AKS cluster, this value is called the server application secret.

  4. In the left pane of the Azure AD application, select API permissions, and then select + Add a permission.

    a. Under Microsoft APIs, select Microsoft Graph.

    b. Select Delegated permissions, and then select the check box next to Directory > Directory.Read.All (Read directory data).

    c. If a default delegated permission for User > User.Read (Sign in and read user profile) doesn't exist, select the check box next to it.

    d. Select Application permissions, and then select the check box next to Directory > Directory.Read.All (Read directory data).

    [Screenshot: Set Graph permissions]

    e. Select Add permissions to save the updates.

    f. Under Grant consent, select Grant admin consent. This button isn't available if the current account isn't listed as a tenant admin.

    When permissions are successfully granted, the following notification is displayed in the portal:

    [Screenshot: Notification of successfully granted permissions]

  5. In the left pane of the Azure AD application, select Expose an API, and then select + Add a scope.

    a. Enter a Scope name, an Admin consent display name, and an Admin consent description, such as AKSAzureADServer.

    b. Make sure State is set to Enabled.

    [Screenshot: Expose the server app as an API for use with other services]

    c. Select Add scope.

  6. Return to the application Overview page and note the Application (client) ID. When you deploy an Azure AD-enabled AKS cluster, this value is called the server application ID.

    [Screenshot: Get the application ID]

Create the client application

The second Azure AD application is used when you sign in with the Kubernetes CLI (kubectl).

  1. Select Azure Active Directory > App registrations > New registration.

    a. Give the application a name, such as AKSAzureADClient.

    b. For Supported account types, select Accounts in this organizational directory only.

    c. Select Web for the Redirect URI type, and then enter any URI-formatted value, such as https://aksazureadclient.

    Note

    If you are creating a new RBAC-enabled cluster to support Azure Monitor for containers, add the following two additional redirect URLs to this list as Web application types. The first base URL value should be https://afd.hosting.azureportal.chinacloudapi.cn/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html and the second base URL value should be https://monitoring.hosting.azureportal.chinacloudapi.cn/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html.

    d. Select Register when you're finished.

  2. In the left pane of the Azure AD application, select API permissions, and then select + Add a permission.

    a. Select My APIs, and then choose the Azure AD server application you created in the previous step, such as AKSAzureADServer.

    b. Select Delegated permissions, and then select the check box next to your Azure AD server app.

    [Screenshot: Configure application permissions]

    c. Select Add permissions.

    d. Under Grant consent, select Grant admin consent. This button isn't available if the current account isn't a tenant admin. When permissions are granted, the following notification is displayed in the portal:

    [Screenshot: Notification of successfully granted permissions]

  3. In the left pane of the Azure AD application, select Authentication.

    • Under Default client type, select Yes for Treat the client as a public client.

  4. In the left pane of the Azure AD application, note the application ID. When you deploy an Azure AD-enabled AKS cluster, this value is called the client application ID.

    [Screenshot: Get the application ID]

Get the tenant ID

Next, get the ID of your Azure tenant. This value is used when you create the AKS cluster.

From the Azure portal, select Azure Active Directory > Properties and note the Directory ID. When you create an Azure AD-enabled AKS cluster, this value is called the tenant ID.

[Screenshot: Get the Azure tenant ID]

Deploy the AKS cluster

Use the az group create command to create a resource group for the AKS cluster.

az group create --name myResourceGroup --location chinaeast2

Use the az aks create command to deploy the AKS cluster. Replace the values in the following sample command with the server app ID, app secret, client app ID, and tenant ID that you collected when you created the Azure AD applications.

az aks create \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --generate-ssh-keys \
  --aad-server-app-id b1536b67-29ab-4b63-b60f-9444d0c15df1 \
  --aad-server-app-secret wHYomLe2i1mHR2B3/d4sFrooHwADZccKwfoQwK2QHg= \
  --aad-client-app-id 8aaf8bd5-1bdd-4822-99ad-02bfaa63eea7 \
  --aad-tenant-id 72f988bf-0000-0000-0000-2d7cd011db47

An AKS cluster takes a few minutes to create.

Create an RBAC binding

Note

The cluster role binding name is case sensitive.

Before you use an Azure Active Directory account with an AKS cluster, you must create a role binding or cluster role binding. Roles define the permissions to grant, and bindings apply them to the desired users. These assignments can be applied to a given namespace or across the entire cluster. For more information, see Using RBAC authorization.

First, use the az aks get-credentials command with the --admin argument to sign in to the cluster with admin access.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin

Next, create a ClusterRoleBinding for the Azure AD account that you want to grant access to the AKS cluster. The following example gives the account full access to all namespaces in the cluster:

  • If the user you grant the RBAC binding for is in the same Azure AD tenant, assign permissions based on the user principal name (UPN). Move on to the step that creates the YAML manifest for the ClusterRoleBinding.

  • If the user is in a different Azure AD tenant, query for and use the objectId property instead. If needed, get the objectId of the required user account by using the az ad user show command, providing the user principal name (UPN) of the required account:

    az ad user show --upn-or-object-id user@contoso.com --query objectId -o tsv

Create a file, such as rbac-aad-user.yaml, and then paste the following contents. On the last line, replace userPrincipalName_or_objectId with the UPN or the object ID; which one you use depends on whether the user is in the same Azure AD tenant.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contoso-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userPrincipalName_or_objectId

Apply the binding by using the kubectl apply command, as shown in the following example:

kubectl apply -f rbac-aad-user.yaml

A role binding can also be created for all members of an Azure AD group. Azure AD groups are specified by using the group object ID, as shown in the following example.

Create a file, such as rbac-aad-group.yaml, and then paste the following contents. Update the group object ID with one from your Azure AD tenant:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contoso-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "894656e1-39f8-4bfe-b16a-510f61af6f41"

Apply the binding by using the kubectl apply command, as shown in the following example:

kubectl apply -f rbac-aad-group.yaml
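As an added example (not from the article), the helper below renders the user and group manifests shown above from their inputs and enforces the subject rules the article gives: same-tenant users by UPN, users from another tenant by object ID, groups always by object ID. It goes one step beyond the article by letting you scope the grant to a single namespace with a RoleBinding and by defaulting to the built-in view ClusterRole rather than cluster-admin, which is the least-privilege shape most day-to-day access should take. The binding names, namespace and identifiers in the demo are constructed.

```python
import re
from typing import Optional

# Constructed patterns: Azure AD object IDs are GUIDs, UPNs look like e-mail
# addresses, and Kubernetes metadata.name must be a lowercase RFC 1123 subdomain.
# Bindings are matched on the exact name string, hence the case-sensitivity note.
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
DNS1123_RE = re.compile(r"^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$")

# Kubernetes' built-in ClusterRoles, least privileged first. cluster-admin is what
# the article's manifests grant; prefer the smallest one that covers the job.
BUILTIN_ROLES = ("view", "edit", "admin", "cluster-admin")


def subject_name(kind: str, identifier: str, same_tenant: bool) -> str:
    """Validate the subject the way the article picks it: UPN for same-tenant users,
    object ID for users from another tenant, and always the object ID for groups."""
    if kind == "Group":
        if not GUID_RE.match(identifier):
            raise ValueError("groups are bound by their Azure AD object ID (GUID)")
        return identifier
    if kind != "User":
        raise ValueError("kind must be User or Group")
    if same_tenant:
        if not UPN_RE.match(identifier):
            raise ValueError("same-tenant users are bound by user principal name (UPN)")
        return identifier
    if not GUID_RE.match(identifier):
        raise ValueError("users from another tenant are bound by object ID (GUID)")
    return identifier


def build_binding(name: str, kind: str, identifier: str, same_tenant: bool,
                  role: str = "view", namespace: Optional[str] = None) -> str:
    """Render a ClusterRoleBinding (namespace=None) or a namespace-scoped RoleBinding
    that grants a ClusterRole to one Azure AD user or group, as YAML text."""
    if not DNS1123_RE.match(name):
        raise ValueError("binding name must be a lowercase RFC 1123 subdomain")
    if namespace is not None and not DNS1123_RE.match(namespace):
        raise ValueError("namespace must be a lowercase RFC 1123 subdomain")
    if not role or any(c.isspace() for c in role):
        raise ValueError("role must be a non-empty ClusterRole name")
    subject = subject_name(kind, identifier, same_tenant)
    lines = [
        "apiVersion: rbac.authorization.k8s.io/v1",
        "kind: " + ("ClusterRoleBinding" if namespace is None else "RoleBinding"),
        "metadata:",
        "  name: " + name,
    ]
    if namespace is not None:
        lines.append("  namespace: " + namespace)
    lines += [
        "roleRef:",
        "  apiGroup: rbac.authorization.k8s.io",
        "  kind: ClusterRole",
        "  name: " + role,
        "subjects:",
        "- apiGroup: rbac.authorization.k8s.io",
        "  kind: " + kind,
        '  name: "' + subject + '"',
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # The article's cluster-wide grant for a same-tenant user (constructed UPN).
    print(build_binding("contoso-cluster-admins", "User", "user@contoso.com",
                        same_tenant=True, role="cluster-admin"))
    # A tighter alternative: edit rights for a group, limited to one namespace.
    print(build_binding("dev-editors", "Group", "894656e1-39f8-4bfe-b16a-510f61af6f41",
                        same_tenant=True, role="edit", namespace="dev"))
```

Pipe the output into kubectl apply -f - once you are signed in with --admin credentials; a ValueError from the helper means the subject or name would not have matched what the webhook returns, which is the usual cause of the Unauthorized error described later in this article.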

For more information on securing a Kubernetes cluster with RBAC, see Using RBAC Authorization.

Access the cluster with Azure AD

Pull the context for the non-admin user by using the az aks get-credentials command.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

After you run a kubectl command, you'll be prompted to authenticate by using Azure. Follow the on-screen instructions to finish the process, as shown in the following example:

$ kubectl get nodes

To sign in, use a web browser to open https://aka.ms/deviceloginchina. Next, enter the code BUJHWDGNL to authenticate.

NAME                       STATUS    ROLES     AGE       VERSION
aks-nodepool1-79590246-0   Ready     agent     1h        v1.13.5
aks-nodepool1-79590246-1   Ready     agent     1h        v1.13.5
aks-nodepool1-79590246-2   Ready     agent     1h        v1.13.5

When the process is finished, the authentication token is cached. You're only prompted to sign in again when the token expires or the Kubernetes config file is re-created.

If you see the following authorization error message after you successfully sign in, check these criteria:

error: You must be logged in to the server (Unauthorized)

  • You defined the appropriate object ID or UPN, depending on whether the user account is in the same Azure AD tenant.
  • The user isn't a member of more than 200 groups.
  • The secret defined in the server application registration matches the value configured with --aad-server-app-secret.

Next steps

To use Azure AD users and groups to control access to cluster resources, see Control access to cluster resources using role-based access control and Azure AD identities in AKS.

For more information about how to secure Kubernetes clusters, see Access and identity options for AKS.

To learn more about identity and resource control, see Best practices for authentication and authorization in AKS.