Access and identity options for Azure Kubernetes Service (AKS)

There are different ways to authenticate to, authorize access to, and secure Kubernetes clusters. Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups, and service accounts access to only the resources they need. With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure by using Azure Active Directory and Azure RBAC. These approaches help you secure your cluster access and provide only the minimum required permissions to developers and operators.

This article introduces the core concepts that help you authenticate and assign permissions in AKS.

AKS service permissions

When creating a cluster, AKS creates or modifies the resources it needs to create and run the cluster, such as VMs and NICs, on behalf of the user creating the cluster. This identity is distinct from the cluster identity, which is created during cluster creation.

Permissions for the identity creating and operating the cluster

The following permissions are needed by the identity creating and operating the cluster.

| Permission | Reason |
|---|---|
| Microsoft.Compute/diskEncryptionSets/read | Required to read the disk encryption set ID. |
| Microsoft.Compute/proximityPlacementGroups/write | Required for updating proximity placement groups. |
| Microsoft.Network/applicationGateways/read<br>Microsoft.Network/applicationGateways/write<br>Microsoft.Network/virtualNetworks/subnets/join/action | Required to configure application gateways and join the subnet. |
| Microsoft.Network/virtualNetworks/subnets/join/action | Required to configure the Network Security Group for the subnet when using a custom VNET. |
| Microsoft.Network/publicIPAddresses/join/action<br>Microsoft.Network/publicIPPrefixes/join/action | Required to configure the outbound public IPs on the Standard Load Balancer. |
| Microsoft.OperationalInsights/workspaces/sharedkeys/read<br>Microsoft.OperationalInsights/workspaces/read<br>Microsoft.OperationsManagement/solutions/write<br>Microsoft.OperationsManagement/solutions/read<br>Microsoft.ManagedIdentity/userAssignedIdentities/assign/action | Required to create and update Log Analytics workspaces and Azure monitoring for containers. |

AKS cluster identity permissions

The following permissions are used by the AKS cluster identity, which is created and associated with the AKS cluster when the cluster is created. Each permission is used for the reasons below:

| Permission | Reason |
|---|---|
| Microsoft.Network/loadBalancers/delete<br>Microsoft.Network/loadBalancers/read<br>Microsoft.Network/loadBalancers/write | Required to configure the load balancer for a LoadBalancer service. |
| Microsoft.Network/publicIPAddresses/delete<br>Microsoft.Network/publicIPAddresses/read<br>Microsoft.Network/publicIPAddresses/write | Required to find and configure public IPs for a LoadBalancer service. |
| Microsoft.Network/publicIPAddresses/join/action | Required for configuring public IPs for a LoadBalancer service. |
| Microsoft.Network/networkSecurityGroups/read<br>Microsoft.Network/networkSecurityGroups/write | Required to create or delete security rules for a LoadBalancer service. |
| Microsoft.Compute/disks/delete<br>Microsoft.Compute/disks/read<br>Microsoft.Compute/disks/write<br>Microsoft.Compute/locations/DiskOperations/read | Required to configure AzureDisks. |
| Microsoft.Storage/storageAccounts/delete<br>Microsoft.Storage/storageAccounts/listKeys/action<br>Microsoft.Storage/storageAccounts/read<br>Microsoft.Storage/storageAccounts/write<br>Microsoft.Storage/operations/read | Required to configure storage accounts for AzureFile or AzureDisk. |
| Microsoft.Network/routeTables/read<br>Microsoft.Network/routeTables/routes/delete<br>Microsoft.Network/routeTables/routes/read<br>Microsoft.Network/routeTables/routes/write<br>Microsoft.Network/routeTables/write | Required to configure route tables and routes for nodes. |
| Microsoft.Compute/virtualMachines/read | Required to find information for virtual machines in a VMAS, such as zones, fault domain, size, and data disks. |
| Microsoft.Compute/virtualMachines/write | Required to attach AzureDisks to a virtual machine in a VMAS. |
| Microsoft.Compute/virtualMachineScaleSets/read<br>Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read<br>Microsoft.Compute/virtualMachineScaleSets/virtualmachines/instanceView/read | Required to find information for virtual machines in a virtual machine scale set, such as zones, fault domain, size, and data disks. |
| Microsoft.Network/networkInterfaces/write | Required to add a virtual machine in a VMAS to a load balancer backend address pool. |
| Microsoft.Compute/virtualMachineScaleSets/write | Required to add a virtual machine scale set to load balancer backend address pools and to scale out nodes in a virtual machine scale set. |
| Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write | Required to attach AzureDisks and to add a virtual machine from a virtual machine scale set to the load balancer. |
| Microsoft.Network/networkInterfaces/read | Required to search internal IPs and load balancer backend address pools for virtual machines in a VMAS. |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read | Required to search internal IPs and load balancer backend address pools for a virtual machine in a virtual machine scale set. |
| Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read | Required to find public IPs for a virtual machine in a virtual machine scale set. |
| Microsoft.Network/virtualNetworks/read<br>Microsoft.Network/virtualNetworks/subnets/read | Required to verify whether a subnet exists for the internal load balancer in another resource group. |
| Microsoft.Compute/snapshots/delete<br>Microsoft.Compute/snapshots/read<br>Microsoft.Compute/snapshots/write | Required to configure snapshots for AzureDisk. |
| Microsoft.Compute/locations/vmSizes/read<br>Microsoft.Compute/locations/operations/read | Required to find virtual machine sizes in order to determine AzureDisk volume limits. |

Additional cluster identity permissions

The following additional permissions are needed by the cluster identity when creating a cluster with specific attributes. These permissions are not assigned automatically, so you must add them to the cluster identity after it's created.

| Permission | Reason |
|---|---|
| Microsoft.Network/networkSecurityGroups/write<br>Microsoft.Network/networkSecurityGroups/read | Required if using a network security group in another resource group. Required to configure security rules for a LoadBalancer service. |
| Microsoft.Network/virtualNetworks/subnets/read<br>Microsoft.Network/virtualNetworks/subnets/join/action | Required if using a subnet in another resource group, such as a custom VNET. |
| Microsoft.Network/routeTables/routes/read<br>Microsoft.Network/routeTables/routes/write | Required if using a subnet associated with a route table in another resource group, such as a custom VNET with a custom route table. Required to verify whether a subnet already exists for the subnet in the other resource group. |
| Microsoft.Network/virtualNetworks/subnets/read | Required if using an internal load balancer in another resource group. Required to verify whether a subnet already exists for the internal load balancer in that resource group. |

Kubernetes role-based access control (Kubernetes RBAC)

To provide granular filtering of the actions that users can perform, Kubernetes uses Kubernetes role-based access control (Kubernetes RBAC). This control mechanism lets you assign users, or groups of users, permission to do things like create or modify resources, or view logs from running application workloads. These permissions can be scoped to a single namespace, or granted across the entire AKS cluster. With Kubernetes RBAC, you create roles to define permissions, and then assign those roles to users with role bindings.

For more information, see Using Kubernetes RBAC authorization.

Roles and ClusterRoles

Before you assign permissions to users with Kubernetes RBAC, you first define those permissions as a Role. Kubernetes roles grant permissions. There's no concept of a deny permission.

Roles are used to grant permissions within a namespace. If you need to grant permissions across the entire cluster, or to cluster resources outside a given namespace, you can instead use ClusterRoles.

A ClusterRole works in the same way to grant permissions to resources, but can be applied to resources across the entire cluster, not a specific namespace.

RoleBindings and ClusterRoleBindings

Once roles are defined to grant permissions to resources, you assign those Kubernetes RBAC permissions with a RoleBinding. If your AKS cluster integrates with Azure Active Directory (Azure AD), bindings are how those Azure AD users are granted permissions to perform actions within the cluster; see how in Control access to cluster resources using Kubernetes role-based access control and Azure Active Directory identities.

Role bindings are used to assign roles for a given namespace. This approach lets you logically segregate a single AKS cluster, with users only able to access the application resources in their assigned namespace. If you need to bind roles across the entire cluster, or to cluster resources outside a given namespace, you can instead use ClusterRoleBindings.

A ClusterRoleBinding works in the same way to bind roles to users, but can be applied to resources across the entire cluster, not a specific namespace. This approach lets you grant administrators or support engineers access to all resources in the AKS cluster.
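The following Python model is added here as an illustration; it is not code from the AKS documentation or from Kubernetes itself. It evaluates requests against Role, ClusterRole, RoleBinding and ClusterRoleBinding objects shaped like the YAML manifests (rules, subjects, roleRef), using constructed namespaces, subject names and role names. It shows the three points above in working form: roles only grant, a RoleBinding (even one that references a ClusterRole) grants only inside its own namespace, and only a ClusterRoleBinding reaches cluster-scoped resources such as nodes.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed example: a toy evaluator for Kubernetes RBAC semantics, not AKS or Kubernetes code.
# Roles are keyed by (kind, namespace, name); a ClusterRole has no namespace.
# Each rule mirrors the manifest fields "resources" and "verbs" (apiGroups omitted for brevity).
ROLES: Dict[Tuple[str, Optional[str], str], List[dict]] = {
    ("Role", "dev", "pod-reader"): [
        {"resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    ],
    ("ClusterRole", None, "deployment-editor"): [
        {"resources": ["deployments"], "verbs": ["*"]},
    ],
    ("ClusterRole", None, "node-viewer"): [
        {"resources": ["nodes"], "verbs": ["get", "list"]},
    ],
}

# Bindings mirror "subjects" and "roleRef". Subject names are constructed; with Azure AD
# integration the Group name would be the Azure AD group object ID.
BINDINGS: List[dict] = [
    {"kind": "RoleBinding", "namespace": "dev",
     "subjects": [("Group", "aad-dev-team")], "roleRef": ("Role", "pod-reader")},
    {"kind": "RoleBinding", "namespace": "dev",
     "subjects": [("User", "alice@contoso.example")], "roleRef": ("ClusterRole", "deployment-editor")},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "subjects": [("Group", "aad-sre")], "roleRef": ("ClusterRole", "node-viewer")},
]


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    verb: str
    resource: str
    namespace: Optional[str]  # None for cluster-scoped resources such as nodes


def rule_matches(rule: dict, verb: str, resource: str) -> bool:
    """A rule grants when both the verb and the resource match ('*' is a wildcard)."""
    return ("*" in rule["verbs"] or verb in rule["verbs"]) and (
        "*" in rule["resources"] or resource in rule["resources"])


def subject_matches(subjects: List[Tuple[str, str]], req: Request) -> bool:
    """Bindings name User or Group subjects; groups come from the authenticator (Azure AD here)."""
    return any((kind == "User" and name == req.user) or (kind == "Group" and name in req.groups)
               for kind, name in subjects)


def rules_for(binding: dict) -> List[dict]:
    """A roleRef to a Role can only point at a Role in the binding's own namespace."""
    kind, name = binding["roleRef"]
    namespace = binding["namespace"] if kind == "Role" else None
    return ROLES.get((kind, namespace, name), [])


def authorize(req: Request) -> bool:
    """Allow iff at least one binding grants the request; there is no deny rule to override a grant."""
    for binding in BINDINGS:
        if not subject_matches(binding["subjects"], req):
            continue
        if binding["kind"] == "RoleBinding":
            # A RoleBinding only grants inside its own namespace, even when it references a
            # ClusterRole, so it never reaches another namespace or a cluster-scoped resource.
            if req.namespace is None or req.namespace != binding["namespace"]:
                continue
        if any(rule_matches(rule, req.verb, req.resource) for rule in rules_for(binding)):
            return True
    return False


if __name__ == "__main__":
    dev = frozenset({"aad-dev-team"})
    print(authorize(Request("bob@contoso.example", dev, "get", "pods", "dev")))     # True
    print(authorize(Request("bob@contoso.example", dev, "get", "pods", "prod")))    # False
    print(authorize(Request("bob@contoso.example", dev, "delete", "pods", "dev")))  # False
```

The evaluator stops at the first binding that grants the request, which is exactly why a mistaken grant cannot be compensated for by another object: with no deny rule, the only remedy is to narrow or remove the binding or the role.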

Note

Any cluster actions taken by Microsoft/AKS are made with user consent under a built-in Kubernetes role, aks-service, and a built-in role binding, aks-service-rolebinding. This role enables AKS to troubleshoot and diagnose cluster issues, but it can't modify permissions, create roles or role bindings, or perform other high-privilege actions. Role access is only enabled under active support tickets with just-in-time (JIT) access. Read more about AKS support policies.

Kubernetes service accounts

One of the primary user types in Kubernetes is a service account. A service account exists in, and is managed by, the Kubernetes API. The credentials for service accounts are stored as Kubernetes secrets, which allows them to be used by authorized pods to communicate with the API server. Most API requests provide an authentication token for a service account or a normal user account.

Normal user accounts allow more traditional access for human administrators or developers, not just services and processes. Kubernetes itself doesn't provide an identity management solution where regular user accounts and passwords are stored. Instead, external identity solutions can be integrated into Kubernetes. For AKS clusters, this integrated identity solution is Azure Active Directory.

For more information on the identity options in Kubernetes, see Kubernetes authentication.

Azure Active Directory integration

The security of AKS clusters can be enhanced with the integration of Azure Active Directory (AD). Built on decades of enterprise identity management, Azure AD is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. With Azure AD, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security.

[Figure: Azure Active Directory integration with AKS clusters]

With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster. To obtain a kubectl configuration context, a user can run the az aks get-credentials command. When a user then interacts with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD credentials. This approach provides a single source for user account management and password credentials. The user can only access the resources defined by the cluster administrator.

Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the OpenID Connect documentation. From inside the Kubernetes cluster, Webhook Token Authentication is used to verify authentication tokens. Webhook token authentication is configured and managed as part of the AKS cluster.

Webhook and API server

[Figure: Webhook and API server authentication flow]

As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:

  1. The Azure AD client application is used by kubectl to sign in users with the OAuth 2.0 device authorization grant flow.
  2. Azure AD provides an access_token, an id_token, and a refresh_token.
  3. The user makes a request to kubectl with the access_token from kubeconfig.
  4. Kubectl sends the access_token to the API server.
  5. The API server is configured with the auth webhook server to perform validation.
  6. The authentication webhook server confirms that the JSON Web Token signature is valid by checking the Azure AD public signing key.
  7. The server application uses user-provided credentials to query the group memberships of the logged-in user from the MS Graph API.
  8. A response is sent to the API server with user information such as the user principal name (UPN) claim of the access token, and the group membership of the user based on the object ID.
  9. The API server performs an authorization decision based on the Kubernetes Role/RoleBinding.
  10. Once authorized, the API server returns a response to kubectl.
  11. Kubectl provides feedback to the user.

Learn how to integrate AKS with AAD here.

Azure role-based access control (Azure RBAC)

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

Azure RBAC is designed to work on resources within your Azure subscription, while Kubernetes RBAC is designed to work on Kubernetes resources within your AKS cluster.

With Azure RBAC, you create a role definition that outlines the permissions to be applied. A user or group is then assigned this role definition via a role assignment for a particular scope, which can be an individual resource, a resource group, or the whole subscription.

For more information, see What is Azure role-based access control (Azure RBAC)?

There are two levels of access needed to fully operate an AKS cluster:

  1. Access to the AKS resource in your Azure subscription. This access lets you control things like scaling or upgrading your cluster using the AKS APIs, as well as pull your kubeconfig.
  2. Access to the Kubernetes API. This access is controlled either by Kubernetes RBAC (traditionally) or by integrating Azure RBAC with AKS for Kubernetes authorization.

Azure RBAC to authorize access to the AKS resource

With Azure RBAC, you can provide your users (or identities) with granular access to AKS resources across one or more subscriptions. For example, you could have the Azure Kubernetes Service Contributor role, which allows you to perform actions like scaling and upgrading your cluster, while another user could have the Azure Kubernetes Service Cluster Admin role, which only gives permission to pull the admin kubeconfig.

Alternatively, you could give your user the general Contributor role, which encompasses the above permissions and every action possible on the AKS resource, with the exception of managing permissions itself.

See here for more on how to use Azure RBAC to secure access to the kubeconfig file that gives access to the Kubernetes API.

Azure RBAC for Kubernetes Authorization (Preview)

With the Azure RBAC integration, AKS uses a Kubernetes authorization webhook server to let you manage permissions and assignments for Azure AD-integrated Kubernetes cluster resources using Azure role definitions and role assignments.

[Figure: Kubernetes authorization flow with Azure RBAC]

As shown in the diagram above, when using the Azure RBAC integration, all requests to the Kubernetes API follow the same authentication flow explained in the Azure Active Directory integration section.

After that, instead of relying solely on Kubernetes RBAC for authorization, the request is authorized by Azure, as long as the identity that made the request exists in AAD. If the identity doesn't exist in AAD, for example a Kubernetes service account, Azure RBAC doesn't apply and normal Kubernetes RBAC is used.

In this scenario you can give users one of the four built-in roles, or create custom roles as you would with Kubernetes roles, but in this case using the Azure RBAC mechanisms and APIs.

This feature allows you, for example, not only to give users permissions to the AKS resource across subscriptions, but also to set up and grant the roles and permissions they will have inside each of those clusters, which control access to the Kubernetes API. For example, you can grant the Azure Kubernetes Service RBAC Viewer role at the subscription scope, and its recipient will be able to list and get all Kubernetes objects from all clusters, but not modify them.
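As an added example, not AKS code, the Python model below captures the authorization decision described in this section together with the scope hierarchy from the Azure RBAC section above: an Azure AD identity is authorized from Azure role assignments whose scope (subscription, resource group, cluster, or a namespace inside the cluster) covers the request, while a non-AAD identity such as a Kubernetes service account is left to Kubernetes RBAC. The subscription ID, resource names, principal IDs and group IDs are constructed placeholders. The role definitions are an illustrative subset: the action strings follow the Microsoft.ContainerService/managedClusters/... pattern of the built-in AKS RBAC roles, but they are not the full definitions, and the Allow/False/None outcomes model the page's description rather than the exact response codes of the real webhook.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Set

# Constructed example: a toy model of the Azure RBAC for Kubernetes authorization decision.
# Not AKS code. The subscription ID, resource names and principal IDs are placeholders.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = SUBSCRIPTION + "/resourceGroups/rg-aks"
CLUSTER = RESOURCE_GROUP + "/providers/Microsoft.ContainerService/managedClusters/aks-demo"

# Illustrative subset of role definitions, patterned on the built-in AKS RBAC roles:
# dataActions grant; notDataActions carve exceptions out of a wildcard grant.
ROLE_DEFINITIONS = {
    "Azure Kubernetes Service RBAC Viewer": {
        "dataActions": ["Microsoft.ContainerService/managedClusters/*/read"],
        "notDataActions": ["Microsoft.ContainerService/managedClusters/secrets/read",
                           "Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/*"],
    },
    "Azure Kubernetes Service RBAC Writer": {
        "dataActions": ["Microsoft.ContainerService/managedClusters/*"],
        "notDataActions": ["Microsoft.ContainerService/managedClusters/rbac.authorization.k8s.io/*"],
    },
}

# Role assignments: principal + role definition + scope. A scope may be a subscription,
# a resource group, a cluster, or a namespace inside a cluster (constructed values).
ROLE_ASSIGNMENTS: List[dict] = [
    {"principal": "aad:user:alice-oid", "role": "Azure Kubernetes Service RBAC Viewer",
     "scope": SUBSCRIPTION},
    {"principal": "aad:group:dev-team-oid", "role": "Azure Kubernetes Service RBAC Writer",
     "scope": CLUSTER + "/namespaces/dev"},
]


@dataclass(frozen=True)
class Decision:
    authorizer: str           # "AzureRBAC" or "KubernetesRBAC"
    allowed: Optional[bool]   # None: Azure RBAC has no say; Kubernetes RBAC decides


def scope_covers(assignment_scope: str, request_scope: str) -> bool:
    """An assignment at a parent scope covers every child scope beneath it."""
    return request_scope == assignment_scope or request_scope.startswith(assignment_scope + "/")


def role_permits(role_name: str, data_action: str) -> bool:
    """Granted by a dataActions pattern and not excluded by a notDataActions pattern."""
    definition = ROLE_DEFINITIONS[role_name]
    granted = any(fnmatchcase(data_action, p) for p in definition["dataActions"])
    excluded = any(fnmatchcase(data_action, p) for p in definition["notDataActions"])
    return granted and not excluded


def authorize(identity: str, principals: Set[str], namespace: Optional[str], data_action: str) -> Decision:
    """identity: the authenticated caller. principals: its own ID plus the Azure AD groups
    returned by the Graph lookup in the authentication flow (constructed values here)."""
    if not identity.startswith("aad:"):
        # e.g. "system:serviceaccount:kube-system:default": not in Azure AD, so Azure RBAC
        # does not apply and the request is left to Kubernetes RBAC.
        return Decision("KubernetesRBAC", None)
    request_scope = CLUSTER + (f"/namespaces/{namespace}" if namespace else "")
    for assignment in ROLE_ASSIGNMENTS:
        if (assignment["principal"] in principals
                and scope_covers(assignment["scope"], request_scope)
                and role_permits(assignment["role"], data_action)):
            return Decision("AzureRBAC", True)
    return Decision("AzureRBAC", False)


if __name__ == "__main__":
    alice = {"aad:user:alice-oid"}
    print(authorize("aad:user:alice-oid", alice, "dev",
                    "Microsoft.ContainerService/managedClusters/pods/read"))   # AzureRBAC, True
    print(authorize("system:serviceaccount:kube-system:default", set(), "kube-system",
                    "Microsoft.ContainerService/managedClusters/pods/read"))   # KubernetesRBAC, None
```

The model makes the two properties worth checking in a real deployment visible: the Viewer assignment at subscription scope reaches every cluster and namespace under it, yet still cannot read Secrets because the notDataActions exclusion wins over the wildcard grant, and a Writer assignment scoped to the dev namespace grants nothing in prod.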

Built-in roles

AKS provides the following four built-in roles. They are similar to the Kubernetes built-in roles, with a few differences such as support for CRDs. For the full list of actions allowed by each built-in role, see here.

| Role | Description |
|---|---|
| Azure Kubernetes Service RBAC Viewer | Allows read-only access to see most objects in a namespace. It doesn't allow viewing roles or role bindings. This role doesn't allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). |
| Azure Kubernetes Service RBAC Writer | Allows read/write access to most objects in a namespace. This role doesn't allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. |
| Azure Kubernetes Service RBAC Admin | Allows admin access, intended to be granted within a namespace. Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace. This role doesn't allow write access to resource quota or to the namespace itself. |
| Azure Kubernetes Service RBAC Cluster Admin | Allows super-user access to perform any action on any resource. It gives full control over every resource in the cluster and in all namespaces. |

Summary

This table summarizes the ways users can authenticate to Kubernetes when Azure AD integration is enabled. In all cases, the user's sequence of commands is:

  1. Run az cloud set -n AzureChinaClou and az login to authenticate to Azure.
  2. Run az aks get-credentials to download credentials for the cluster into .kube/config.
  3. Run kubectl commands (the first of which may trigger browser-based authentication to authenticate to the cluster, as described in the following table).

The role grant referred to in the second column is the Azure RBAC role grant shown on the Access Control tab in the Azure portal. The cluster admin Azure AD group is shown on the Configuration tab in the portal (or set with the --aad-admin-group-object-ids parameter in the Azure CLI).

| Description | Role grant required | Cluster admin Azure AD group(s) | When to use |
|---|---|---|---|
| Legacy admin login using client certificate | Azure Kubernetes Admin Role. This role allows az aks get-credentials to be used with the --admin flag, which downloads a legacy (non-Azure AD) cluster admin certificate into the user's .kube/config. This is the only purpose of "Azure Kubernetes Admin Role". | n/a | If you're permanently blocked by not having access to a valid Azure AD group with access to your cluster. |
| Azure AD with manual (Cluster)RoleBindings | Azure Kubernetes User Role. The "User" role allows az aks get-credentials to be used without the --admin flag. (This is the only purpose of "Azure Kubernetes User Role".) The result, on an Azure AD-enabled cluster, is the download of an empty entry into .kube/config, which triggers browser-based authentication when it's first used by kubectl. | User is not in any of these groups. Because the user is not in any cluster admin groups, their rights are controlled entirely by the RoleBindings or ClusterRoleBindings set up by cluster admins. The (Cluster)RoleBindings nominate Azure AD users or Azure AD groups as their subjects. If no such bindings have been set up, the user will not be able to execute any kubectl commands. | If you want fine-grained access control, and you're not using Azure RBAC for Kubernetes Authorization. Note that the user who sets up the bindings must log in by one of the other methods listed in this table. |
| Azure AD by member of admin group | Same as above | User is a member of one of the groups listed here. AKS automatically generates a ClusterRoleBinding that binds all of the listed groups to the cluster-admin Kubernetes role. So users in these groups can run all kubectl commands as cluster-admin. | If you want to conveniently grant users full admin rights, and are not using Azure RBAC for Kubernetes authorization. |
| Azure AD with Azure RBAC for Kubernetes Authorization | Two roles: first, Azure Kubernetes User Role (as above); second, one of the "Azure Kubernetes Service RBAC..." roles listed above, or your own custom alternative. | The admin roles field on the Configuration tab is irrelevant when Azure RBAC for Kubernetes Authorization is enabled. | You are using Azure RBAC for Kubernetes authorization. This approach gives you fine-grained control, without the need to set up RoleBindings or ClusterRoleBindings. |

Next steps

For more information on core Kubernetes and AKS concepts, see the following articles: