Azure Kubernetes 服务 (AKS) 的访问和标识选项Access and identity options for Azure Kubernetes Service (AKS)

可通过不同的方式来对 Kubernetes 群集进行身份验证、控制访问权限/授权和实施保护。There are different ways to authenticate, control access/authorize and secure Kubernetes clusters. 使用 Kubernetes 基于角色的访问控制 (RBAC),可以仅向用户、组和服务帐户授予对所需资源的访问权限。Using Kubernetes role-based access control (RBAC), you can grant users, groups, and service accounts access to only the resources they need. 借助 Azure Kubernetes 服务 (AKS),可以通过使用 Azure Active Directory 和 Azure RBAC 进一步增强安全性和权限结构。With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure by using Azure Active Directory and Azure RBAC. 这些方法有助于保护群集访问,并仅向开发者和操作员提供所需的最低权限。These approaches help you secure your cluster access and provide only the minimum required permissions to developers and operators.

本文介绍了可帮助在 AKS 中进行身份验证和分配权限的核心概念:This article introduces the core concepts that help you authenticate and assign permissions in AKS:

Kubernetes 基于角色的访问控制 (RBAC)Kubernetes role-based access control (RBAC)

为了精确地筛选用户可执行的操作,Kubernetes 采用基于角色的访问控制 (RBAC)。To provide granular filtering of the actions that users can do, Kubernetes uses role-based access control (RBAC). 使用此控制机制,可以向用户或用户组分配执行各种操作的权限,例如创建或修改资源,或者查看正在运行的应用程序工作负载的日志。This control mechanism lets you assign users, or groups of users, permission to do things like create or modify resources, or view logs from running application workloads. 可将这些权限的范围限制为单个命名空间,也可以授予面向整个 AKS 群集的权限。These permissions can be scoped to a single namespace, or granted across the entire AKS cluster. 使用 Kubernetes RBAC,可通过创建“角色”来定义权限,然后通过“角色绑定”将这些角色分配给用户 。With Kubernetes RBAC, you create roles to define permissions, and then assign those roles to users with role bindings.

有关详细信息,请参阅使用 RBAC 授权For more information, see Using RBAC authorization.

角色和 ClusterRoleRoles and ClusterRoles

使用 Kubernetes RBAC 向用户分配权限之前,请先将这些权限定义为“角色”。Before you assign permissions to users with Kubernetes RBAC, you first define those permissions as a Role. Kubernetes 角色可“授予”权限。Kubernetes roles grant permissions. 不存在“拒绝”权限的概念。There's no concept of a deny permission.

角色用于授予命名空间内的权限。Roles are used to grant permissions within a namespace. 若需要针对整个群集或给定命名空间外的群集资源来授予权限,可以改用“ClusterRole”。If you need to grant permissions across the entire cluster, or to cluster resources outside a given namespace, you can instead use ClusterRoles.

ClusterRole 的工作原理与授予对资源的权限相同,但前者可应用于整个群集而非特定命名空间中的资源。A ClusterRole works in the same way to grant permissions to resources, but can be applied to resources across the entire cluster, not a specific namespace.

RoleBinding 和 ClusterRoleBindingRoleBindings and ClusterRoleBindings

定义了角色来授予针对资源的权限后,可通过 RoleBinding 来分配这些 Kubernetes RBAC 权限。Once roles are defined to grant permissions to resources, you assign those Kubernetes RBAC permissions with a RoleBinding. 若 AKS 群集与 Azure Active Directory 集成,向 Azure AD 用户授予在群集中执行操作的权限的过程就称为“绑定”,请参阅如何使用基于角色的访问控制和 Azure Active Directory 标识来控制对群集资源的访问If your AKS cluster integrates with Azure Active Directory, bindings are how those Azure AD users are granted permissions to perform actions within the cluster, see how in Control access to cluster resources using role-based access control and Azure Active Directory identities.

角色绑定用于针对给定命名空间分配角色。Role bindings are used to assign roles for a given namespace. 此方法可以从逻辑上分离各 AKS 群集,使用户只能访问向其分配的命名空间中的应用程序资源。This approach lets you logically segregate a single AKS cluster, with users only able to access the application resources in their assigned namespace. 若需要针对整个群集或给定命名空间外的群集资源来绑定角色,可以改用“ClusterRoleBinding”。If you need to bind roles across the entire cluster, or to cluster resources outside a given namespace, you can instead use ClusterRoleBindings.

ClusterRoleBinding 的工作原理与向用户绑定角色相同,但前者可应用于整个群集而非特定命名空间中的资源。A ClusterRoleBinding works in the same way to bind roles to users, but can be applied to resources across the entire cluster, not a specific namespace. 使用此方法,可向管理员或支持工程师授予对 AKS 群集中所有资源的访问权限。This approach lets you grant administrators or support engineers access to all resources in the AKS cluster.

备注

Microsoft/AKS 所执行的任何群集操作都是经用户同意,在内置 Kubernetes 角色 aks-service 和内置角色绑定 aks-service-rolebinding 下执行的。Any cluster actions taken by Microsoft/AKS are made with user consent under a built-in Kubernetes role aks-service and built-in role binding aks-service-rolebinding. 此角色允许 AKS 对群集问题进行故障排除和诊断,但不能修改权限,也不能创建角色或角色绑定,或者执行其他高特权操作。This role enables AKS to troubleshoot and diagnose cluster issues, but can't modify permissions nor create roles or role bindings, or other high privilege actions. 仅在具有实时 (JIT) 访问权限的活动支持票证下启用角色访问。Role access is only enabled under active support tickets with just-in-time (JIT) access. 阅读并详细了解 AKS 支持策略Read more about AKS support policies.

Kubernetes 服务帐户Kubernetes service accounts

Kubernetes 中的一个主要用户类型是“服务帐户”。One of the primary user types in Kubernetes is a service account. 服务帐户存在于 Kubernetes API 中并由 Kubernetes API 进行管理。A service account exists in, and is managed by, the Kubernetes API. 服务帐户的凭据存储为 Kubernetes 机密,可供得到授权的 Pod 用于与 API 服务器进行通信。The credentials for service accounts are stored as Kubernetes secrets, which allows them to be used by authorized pods to communicate with the API Server. 大多数 API 请求都会提供服务帐户或普通用户帐户的身份验证令牌。Most API requests provide an authentication token for a service account or a normal user account.

普通用户帐户允许人工管理员或开发人员进行更为传统的访问,而不仅仅是服务和进程。Normal user accounts allow more traditional access for human administrators or developers, not just services, and processes. Kubernetes 本身不提供存储常规用户帐户和密码的标识管理解决方案。Kubernetes itself doesn't provide an identity management solution where regular user accounts and passwords are stored. 而是将外部标识解决方案集成到 Kubernetes 中。Instead, external identity solutions can be integrated into Kubernetes. 对于 AKS 群集,此集成标识解决方案就是 Azure Active Directory。For AKS clusters, this integrated identity solution is Azure Active Directory.

若要详细了解 Kubernetes 中的标识选项,请参阅 Kubernetes 身份验证For more information on the identity options in Kubernetes, see Kubernetes authentication.

Azure Active Directory 集成Azure Active Directory integration

可通过集成 Azure Active Directory (AD) 增强 AKS 群集的安全性。The security of AKS clusters can be enhanced with the integration of Azure Active Directory (AD). Azure AD 是基于数十年的企业标识管理经验推出的基于云的多租户目录,也是一种将核心目录服务、应用程序访问管理和标识保护相结合的标识管理服务。Built on decades of enterprise identity management, Azure AD is a multi-tenant, cloud-based directory, and identity management service that combines core directory services, application access management, and identity protection. 借助 Azure AD,可以将本地标识集成到 AKS 群集中,提供帐户管理和安全性的单一源。With Azure AD, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security.

Azure Active Directory 与 AKS 群集集成

借助集成了 Azure AD 的 AKS 群集,可授权用户或组访问一个命名空间或多个群集内的 Kubernetes 资源。With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster. 若要获取 kubectl 配置上下文,用户可以运行 az aks get-credentials 命令。To obtain a kubectl configuration context, a user can run the az aks get-credentials command. 随后在用户使用 kubectl 与 AKS 群集进行交互时,系统会提示他们使用自己的 Azure AD 凭据登录。When a user then interacts with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD credentials. 此方法提供用户帐户管理和密码凭据的单一源。This approach provides a single source for user account management and password credentials. 用户只能访问由群集管理员定义的资源。The user can only access the resources as defined by the cluster administrator.

使用 OpenID Connect 向 AKS 群集提供 Azure AD 身份验证。Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect 是构建在 OAuth 2.0 协议顶层的标识层。OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. 有关 OpenID Connect 的详细信息,请参阅 Open ID Connect 文档For more information on OpenID Connect, see the Open ID connect documentation. 在 Kubernetes 群集内部,使用 Webhook 令牌身份验证来验证身份验证令牌。From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify authentication tokens. Webhook 令牌身份验证作为 AKS 群集的一部分进行配置和管理。Webhook token authentication is configured and managed as part of the AKS cluster.

Webhook 和 API 服务器Webhook and API server

Webhook 和 API 服务器身份验证流

如上图所示,API 服务器调用 AKS Webhook 服务器并执行以下步骤:As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:

  1. Kubectl 使用 Azure AD 客户端应用程序,通过 OAuth 2.0 设备授权授予流来登录用户。The Azure AD client application is used by kubectl to sign in users with OAuth 2.0 device authorization grant flow.
  2. Azure AD 提供 access_token、id_token 和 refresh_token。Azure AD provides an access_token, id_token, and a refresh_token.
  3. 用户使用 kubeconfig 中的 access_token 来向 kubectl 发出请求。The user makes a request to kubectl with an access_token from kubeconfig.
  4. Kubectl 将 access_token 发送到 APIServer。Kubectl sends the access_token to APIServer.
  5. API 服务器配置身份验证 WebHook 服务器来执行验证。The API Server is configured with the Auth WebHook Server to perform validation.
  6. 身份验证 Webhook 服务器将检查 Azure AD 公共签名密钥,以确认 JSON Web 令牌签名有效。The authentication webhook server confirms the JSON Web Token signature is valid by checking the Azure AD public signing key.
  7. 服务器应用程序使用用户提供的凭据从 MS Graph API 查询已登录用户的组成员身份。The server application uses user-provided credentials to query group memberships of the logged-in user from the MS Graph API.
  8. 响应将随用户信息(例如访问令牌的用户主体名称 (UPN) 声明以及基于对象 ID 的用户组成员身份)一起发送到 APIServer。A response is sent to the APIServer with user information such as the user principal name (UPN) claim of the access token, and the group membership of the user based on the object ID.
  9. API 基于 Kubernetes Role/RoleBinding 执行授权决策。The API performs an authorization decision based on the Kubernetes Role/RoleBinding.
  10. 授权后,API 服务器会将响应返回到 kubectl。Once authorized, the API server returns a response to kubectl.
  11. Kubectl 向用户提供反馈。Kubectl provides feedback to the user.

Azure 基于角色的访问控制 (Azure RBAC)Azure role-based access control (Azure RBAC)

Azure RBAC 是在 Azure 资源管理器基础上构建的授权系统,针对 Azure 资源提供精细的访问权限管理。Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

Azure RBAC 用于 Azure 订阅中的资源,而 Kubernetes RBAC 用于 AKS 群集中的 Kubernetes 资源。Azure RBAC is designed to work on resources within your Azure subscription while Kubernetes RBAC is designed to work on Kubernetes resources within your AKS cluster.

使用 Azure RBAC,可创建“角色定义”,描述要应用的权限。With Azure RBAC, you create a role definition that outlines the permissions to be applied. 随后可通过角色分配在特定范围内向用户或组分配此角色定义,该范围可以是单个资源、资源组或整个订阅 。A user or group is then assigned this role definition via a role assignment for a particular scope, which could be an individual resource, a resource group, or across the subscription.

有关详细信息,请参阅什么是 Azure 基于角色的访问控制 (Azure RBAC)?For more information, see What is Azure role-based access control (Azure RBAC)?

完全操作 AKS 群集需要两个级别的访问权限:There are two levels of access needed to fully operate an AKS cluster:

  1. 访问 Azure 订阅中的 AKS 资源Access the AKS resource in your Azure subscription. 借助此过程,可以使用 AKS API 来控制群集缩放或升级,还可以拉取 kubeconfig。This process allows you to control things scaling or upgrading your cluster using the AKS APIs as well as pull your kubeconfig.

  2. 访问 Kubernetes API。Access to the Kubernetes API. 此访问权限由 Kubernetes RBAC 控制(传统上)。This access is controlled either by Kubernetes RBAC (traditionally).

使用 Azure RBAC 授予对 AKS 资源的访问权限Azure RBAC to authorize access to the AKS resource

使用 Azure RBAC,可为用户(或标识)提供对一个或多个订阅中的 AKS 资源的精细访问权限。With Azure RBAC, you can provide your users (or identities) with granular access to AKS resources across one or more subscriptions. 例如,你可拥有 Azure Kubernetes 服务参与者角色,以便执行缩放和升级群集等操作。For example, you could have the Azure Kubernetes Service Contributor role that allows you to do actions like scale and upgrade your cluster. 而其他用户可能拥有 Azure Kubernetes 服务群集管理员角色,该角色只授予拉取管理员 kubeconfig 的权限。While another user could have the Azure Kubernetes Service Cluster Admin role that only gives permission to pull the Admin kubeconfig.

此外,可为用户提供常规参与者角色,该角色包含上述权限以及可能对 AKS 资源进行的所有操作(管理权限本身除外)。Alternatively you could give your user the general Contributor role, which would encompass the above permissions and every action possible on the AKS resource with the exception of managing permissions itself.

此处详细了解如何使用 Azure RBAC 来保护对 kubeconfig 文件的访问,该文件可提供对 Kubernetes API 的访问权限。See more how to use Azure RBAC to secure the access to the kubeconfig file that gives access to the Kubernetes API here.

内置角色Built-in roles

AKS 提供以下四个内置角色。AKS provides the following four built-in roles. 它们类似于 Kubernetes 内置角色,但有一些不同之处,例如支持 CRD。They are similar to the Kubernetes built-in roles but with a few differences like supporting CRDs. 有关每个内置角色允许的操作的完整列表,请参阅此处For the full list of actions allowed by each built in role please see here.

角色Role 描述Description
Azure Kubernetes 服务 RBAC 查看者Azure Kubernetes Service RBAC Viewer 允许进行只读访问并查看命名空间中的大多数对象。Allows read-only access to see most objects in a namespace. 不允许查看角色或角色绑定。It doesn't allow viewing roles or role bindings. 此角色不允许查看 Secrets,因为通过读取机密内容可以访问命名空间中的 ServiceAccount 凭据,这样就会允许以命名空间中任何 ServiceAccount 的身份进行 API 访问(一种特权提升形式)This role doesn't allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation)
Azure Kubernetes 服务 RBAC 写入者Azure Kubernetes Service RBAC Writer 允许对命名空间中的大多数对象进行读/写访问。Allows read/write access to most objects in a namespace. 此角色不允许查看或修改角色或角色绑定。This role doesn't allow viewing or modifying roles or role bindings. 但是,此角色允许以命名空间中任何 ServiceAccount 的身份访问 Secrets 和运行 Pod,因此可用于获取命名空间中任何 ServiceAccount 的 API 访问级别。However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.
Azure Kubernetes 服务 RBAC 管理员Azure Kubernetes Service RBAC Admin 允许要在命名空间内授予的管理员访问权限。Allows admin access, intended to be granted within a namespace. 允许对命名空间(或群集范围)中的大多数资源进行读/写访问,包括在命名空间内创建角色和角色绑定。Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace. 此角色不允许对资源配额或命名空间本身进行写入访问。This role doesn't allow write access to resource quota or to the namespace itself.
Azure Kubernetes 服务 RBAC 群集管理员Azure Kubernetes Service RBAC Cluster Admin 允许超级用户访问权限(对任何资源执行任何操作)。Allows super-user access to perform any action on any resource. 它提供对群集中每个资源和所有命名空间的完全控制。It gives full control over every resource in the cluster and in all namespaces.

后续步骤Next steps

有关核心 Kubernetes 和 AKS 概念的详细信息,请参阅以下文章:For more information on core Kubernetes and AKS concepts, see the following articles: