Authenticate with Azure Container Registry from Azure Kubernetes Service

When you're using Azure Container Registry (ACR) with Azure Kubernetes Service (AKS), an authentication mechanism needs to be established. This operation is implemented as part of the CLI and Portal experience by granting the required permissions to your ACR. This article provides examples for configuring authentication between these two Azure services.

You can set up the AKS to ACR integration in a few simple commands with the Azure CLI. This integration assigns the AcrPull role to the service principal associated with the AKS cluster.

Before you begin

These examples require:

  • Owner or Azure account administrator role on the Azure subscription
  • Azure CLI version 2.7.0 or later

To avoid needing an Owner or Azure account administrator role, you can configure a service principal manually or use an existing service principal to authenticate ACR from AKS. For more information, see ACR authentication with service principals or Authenticate from Kubernetes with a pull secret.

Create a new AKS cluster with ACR integration

You can set up AKS and ACR integration during the initial creation of your AKS cluster. To allow an AKS cluster to interact with ACR, an Azure Active Directory service principal is used. The following CLI command allows you to authorize an existing ACR in your subscription and configures the appropriate AcrPull role for the service principal. Supply valid values for your parameters below.

Note

Before you can use Azure CLI 2.0 in Azure China, please run az cloud set -n AzureChinaCloud first to change the cloud environment. If you want to switch back to Global Azure, run az cloud set -n AzureCloud again.

# set this to the name of your Azure Container Registry.  It must be globally unique
MYACR=myContainerRegistry

# Run the following line to create an Azure Container Registry if you do not already have one
az acr create -n $MYACR -g myContainerRegistryResourceGroup --sku basic

# Create an AKS cluster with ACR integration
az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr $MYACR

Alternatively, you can specify the ACR name using an ACR resource ID, which has the following format:

/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.ContainerRegistry/registries/<name>

Note

If you are using an ACR that is located in a different subscription from your AKS cluster, use the ACR resource ID when attaching or detaching from an AKS cluster.

az aks create -n myAKSCluster -g myResourceGroup --generate-ssh-keys --attach-acr /subscriptions/<subscription-id>/resourceGroups/myContainerRegistryResourceGroup/providers/Microsoft.ContainerRegistry/registries/myContainerRegistry

This step may take several minutes to complete.

Configure ACR integration for existing AKS clusters

Integrate an existing ACR with existing AKS clusters by supplying valid values for acr-name or acr-resource-id as below.

az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

or,

az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-resource-id>

You can also remove the integration between an ACR and an AKS cluster with the following:

az aks update -n myAKSCluster -g myResourceGroup --detach-acr <acr-name>

or

az aks update -n myAKSCluster -g myResourceGroup --detach-acr <acr-resource-id>
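Both the --attach-acr form at cluster creation and the az aks update form above result in an AcrPull role assignment for the cluster's service principal on the registry. The following added example (not from the original article) audits that outcome offline: it takes the JSON that az role assignment list --scope <acr-resource-id> --include-inherited prints, embedded here as a constructed sample with placeholder IDs, and reports whether the cluster identity holds AcrPull directly on the registry and whether it also holds any broader role (Owner, Contributor, AcrPush, AcrDelete) at or above that scope. The principal ID of the cluster identity is assumed to be known to the reader.

```python
import json

# Constructed sample values (placeholder IDs, not real resources).
ACR_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
          "/resourceGroups/myContainerRegistryResourceGroup"
          "/providers/Microsoft.ContainerRegistry/registries/myContainerRegistry")
AKS_PRINCIPAL_ID = "11111111-1111-1111-1111-111111111111"   # cluster service principal
DEV_PRINCIPAL_ID = "22222222-2222-2222-2222-222222222222"   # some other identity
RG_SCOPE = ACR_ID.split("/providers/")[0]                   # parent resource group

# Roles on a registry that grant more than image pull; flag them on the AKS identity.
BROAD_ROLES = {"Owner", "Contributor", "AcrPush", "AcrDelete"}

# Constructed stand-in for the output of:
#   az role assignment list --scope "$ACR_ID" --include-inherited
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalId": AKS_PRINCIPAL_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPull", "scope": ACR_ID},
    {"principalId": AKS_PRINCIPAL_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": RG_SCOPE},
    {"principalId": DEV_PRINCIPAL_ID, "principalType": "ServicePrincipal",
     "roleDefinitionName": "AcrPush", "scope": ACR_ID},
])


def audit_acr_pull(assignments_json, principal_id, acr_id):
    """Summarise what one identity holds on the registry.

    has_acr_pull: AcrPull assigned directly on the registry scope
                  (what --attach-acr grants)
    broad_roles:  roles held at or above the registry that exceed pull
    """
    assignments = json.loads(assignments_json)
    mine = [a for a in assignments if a.get("principalId") == principal_id]
    has_pull = any(a["roleDefinitionName"] == "AcrPull"
                   and a["scope"].lower() == acr_id.lower() for a in mine)
    broad = sorted({a["roleDefinitionName"] for a in mine
                    if a["roleDefinitionName"] in BROAD_ROLES})
    return {"has_acr_pull": has_pull, "broad_roles": broad}


if __name__ == "__main__":
    # For the sample cluster identity: AcrPull present, but Contributor
    # inherited from the resource group exceeds what image pulls need.
    print(audit_acr_pull(SAMPLE_ASSIGNMENTS, AKS_PRINCIPAL_ID, ACR_ID))
```

Replace SAMPLE_ASSIGNMENTS with the real command output to run this against your own registry; an empty broad_roles list with has_acr_pull true is the expected least-privilege result after attaching.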

Working with ACR & AKS

Import an image into your ACR

Import an image from Docker Hub into your ACR by running the following:

az acr import  -n <acr-name> --source dockerhub.azk8s.cn/library/nginx:latest --image nginx:v1

Deploy the sample image from ACR to AKS

Ensure you have the proper AKS credentials:

az aks get-credentials -g myResourceGroup -n myAKSCluster

Create a file called acr-nginx.yaml that contains the following. Substitute the resource name of your registry for acr-name. Example: myContainerRegistry.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx0-deployment
  labels:
    app: nginx0-deployment
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx0
  template:
    metadata:
      labels:
        app: nginx0
    spec:
      containers:
      - name: nginx
        image: <acr-name>.azurecr.cn/nginx:v1
        ports:
        - containerPort: 80

Next, run this deployment in your AKS cluster:

kubectl apply -f acr-nginx.yaml

You can monitor the deployment by running:

kubectl get pods

You should have two running pods.

NAME                                 READY   STATUS    RESTARTS   AGE
nginx0-deployment-669dfc4d4b-x74kr   1/1     Running   0          20s
nginx0-deployment-669dfc4d4b-xdpd6   1/1     Running   0          20s

Troubleshooting