Azure Kubernetes 服务 (AKS) 的访问和标识选项Access and identity options for Azure Kubernetes Service (AKS)

可通过多种方式对 Kubernetes 群集进行身份验证、授权、保护和控制访问。You can authenticate, authorize, secure, and control access to Kubernetes clusters in a variety of ways.

  • 使用 Kubernetes 基于角色的访问控制 (Kubernetes RBAC),可以仅向用户、组和服务帐户授予对所需资源的访问权限。Using Kubernetes role-based access control (Kubernetes RBAC), you can grant users, groups, and service accounts access to only the resources they need.
  • 借助 Azure Kubernetes 服务 (AKS),可通过 Azure Active Directory 和 Azure RBAC 进一步增强安全性和权限结构。With Azure Kubernetes Service (AKS), you can further enhance the security and permissions structure via Azure Active Directory and Azure RBAC.

Kubernetes RBAC 和 AKS 有助于保护群集访问,并仅向开发人员和操作员提供所需的最低权限。Kubernetes RBAC and AKS help you secure your cluster access and provide only the minimum required permissions to developers and operators.

本文介绍了有助于在 AKS 中进行身份验证和分配权限的核心概念。This article introduces the core concepts that help you authenticate and assign permissions in AKS.

AKS 服务权限AKS service permissions

创建群集时,AKS 会代表用户生成或修改在创建和运行群集时所需的资源,例如 VM 和 NIC。When creating a cluster, AKS generates or modifies resources it needs (like VMs and NICs) to create and run the cluster on behalf of the user. 此标识与群集的标识权限不同,后者是在群集创建过程中创建的。This identity is distinct from the cluster's identity permission, which is created during cluster creation.

创建和操作群集的标识的权限Identity creating and operating the cluster permissions

创建和操作群集的标识需要以下权限。The following permissions are needed by the identity creating and operating the cluster.

权限Permission 原因Reason
Microsoft.Compute/diskEncryptionSets/read 读取磁盘加密集 ID 时必需。Required to read disk encryption set ID.
Microsoft.Compute/proximityPlacementGroups/write 更新邻近放置组时必需。Required for updating proximity placement groups.
配置应用程序网关和加入子网时必需。Required to configure application gateways and join the subnet.
Microsoft.Network/virtualNetworks/subnets/join/action 使用自定义 VNET 为子网配置网络安全组时必需。Required to configure the Network Security Group for the subnet when using a custom VNET.
在标准负载均衡器上配置出站公共 IP 时必需。Required to configure the outbound public IPs on the Standard Load Balancer.
为容器创建和更新 Log Analytics 工作区和 Azure 监视时必需。Required to create and update Log Analytics workspaces and Azure monitoring for containers.

AKS 群集标识权限AKS cluster identity permissions

以下权限由 AKS 群集标识使用,该标识随 AKS 群集创建并与该群集相关联。The following permissions are used by the AKS cluster identity, which is created and associated with the AKS cluster. 使用每个权限的原因如下:Each permission is used for the reasons below:

权限Permission 原因Reason
创建用户和运行群集时必需Required for creating users and operating the cluster
为 LoadBalancer 服务配置负载均衡器时必需。Required to configure the load balancer for a LoadBalancer service.
为 LoadBalancer 服务查找和配置公共 IP 时必需。Required to find and configure public IPs for a LoadBalancer service.
Microsoft.Network/publicIPAddresses/join/action 为 LoadBalancer 服务配置公共 IP 时必需。Required for configuring public IPs for a LoadBalancer service.
为 LoadBalancer 服务创建或删除安全规则时必需。Required to create or delete security rules for a LoadBalancer service.
配置 AzureDisk 时必需。Required to configure AzureDisks.
为 AzureFile 或 AzureDisk 配置存储帐户时必需。Required to configure storage accounts for AzureFile or AzureDisk.
为节点配置路由表和路由时必需。Required to configure route tables and routes for nodes.
Microsoft.Compute/virtualMachines/read 查找 VMAS 中的虚拟机的信息(例如区域、容错域、大小和数据磁盘)时必需。Required to find information for virtual machines in a VMAS, such as zones, fault domain, size, and data disks.
Microsoft.Compute/virtualMachines/write 将 AzureDisk 附加到 VMAS 中的虚拟机时必需。Required to attach AzureDisks to a virtual machine in a VMAS.
查找虚拟机规模集中的虚拟机的信息(例如区域、容错域、大小和数据磁盘)时必需。Required to find information for virtual machines in a virtual machine scale set, such as zones, fault domain, size, and data disks.
Microsoft.Network/networkInterfaces/write 将 VMAS 中的虚拟机添加到负载均衡器后端地址池时必需。Required to add a virtual machine in a VMAS to a load balancer backend address pool.
Microsoft.Compute/virtualMachineScaleSets/write 将虚拟机规模集添加到负载均衡器后端地址池以及在虚拟机规模集中横向扩展节点时必需。Required to add a virtual machine scale set to a load balancer backend address pools and scale out nodes in a virtual machine scale set.
Microsoft.Compute/virtualMachineScaleSets/virtualmachines/write 附加 AzureDisk 以及将虚拟机规模集中的虚拟机添加到负载均衡器时必需。Required to attach AzureDisks and add a virtual machine from a virtual machine scale set to the load balancer.
Microsoft.Network/networkInterfaces/read 搜索 VMAS 中的虚拟机的内部 IP 和负载均衡器后端地址池时必需。Required to search internal IPs and load balancer backend address pools for virtual machines in a VMAS.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/read 搜索虚拟机规模集中的虚拟机的内部 IP 和负载均衡器后端地址池时必需。Required to search internal IPs and load balancer backend address pools for a virtual machine in a virtual machine scale set.
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/networkInterfaces/ipconfigurations/publicipaddresses/read 查找虚拟机规模集中的虚拟机的公共 IP 时必需。Required to find public IPs for a virtual machine in a virtual machine scale set.
验证另一个资源组中是否存在内部负载均衡器的子网时必需。Required to verify if a subnet exists for the internal load balancer in another resource group.
配置 AzureDisk 的快照时必需。Required to configure snapshots for AzureDisk.
查找虚拟机大小以查找 AzureDisk 卷限制时必需。Required to find virtual machine sizes for finding AzureDisk volume limits.

其他群集标识权限Additional cluster identity permissions

使用特定属性创建群集时,你将需要群集标识以下额外权限。When creating a cluster with specific attributes, you will need the following additional permissions for the cluster identity. 不会自动分配这些权限,因此必须在创建群集标识之后将这些权限添加到该标识。Since these permissions are not automatically assigned, you must add them to the cluster identity after it's created.

权限Permission 原因Reason
使用另一资源组中的网络安全组时必需。Required if using a network security group in another resource group. 为 LoadBalancer 服务配置安全规则时必需。Required to configure security rules for a LoadBalancer service.
使用另一资源组(例如自定义 VNET)中的子网时必需。Required if using a subnet in another resource group such as a custom VNET.
如果使用的子网与另一资源组(例如采用自定义路由表的自定义 VNET)中的路由表相关联,则需要此权限。Required if using a subnet associated with a route table in another resource group such as a custom VNET with a custom route table. 若要验证是否已存在一个对应于另一资源组中的子网的子网,则需要此权限。Required to verify if a subnet already exists for the subnet in the other resource group.
Microsoft.Network/virtualNetworks/subnets/read 如果使用另一资源组中的内部负载均衡器,则需要此权限。Required if using an internal load balancer in another resource group. 验证资源组中是否已存在内部负载均衡器的子网时必需。Required to verify if a subnet already exists for the internal load balancer in the resource group.
Microsoft.Network/privatednszones/* 使用另一资源组(例如自定义 privateDNSZone)中的专用 DNS 区域时必需。Required if using a private DNS zone in another resource group such as a custom privateDNSZone.

Kubernetes RBACKubernetes RBAC

Kubernetes RBAC 提供对用户操作的精细筛选。Kubernetes RBAC provides granular filtering of user actions. 借助此控制机制:With this control mechanism:

  • 可向用户或用户组分配权限来创建和修改资源,或者查看正在运行的应用程序工作负载的日志。You assign users or user groups permission to create and modify resources or view logs from running application workloads.
  • 可将这些权限的范围限制为单个命名空间,也可面向整个 AKS 群集。You can scope permissions to a single namespace or across the entire AKS cluster.
  • 可创建角色来定义权限,然后通过角色绑定将这些角色分配给用户 。You create roles to define permissions, and then assign those roles to users with role bindings.

有关详细信息,请参阅使用 Kubernetes RBAC 授权For more information, see Using Kubernetes RBAC authorization.

角色和 ClusterRoleRoles and ClusterRoles


使用 Kubernetes RBAC 向用户分配权限之前,请先将用户权限定义为“角色”。Before assigning permissions to users with Kubernetes RBAC, you'll define user permissions as a Role. 使用角色授予命名空间内的权限。Grant permissions within a namespace using roles.


Kubernetes 角色可授予权限,它们不会拒绝权限 。Kubernetes roles grant permissions; they don't deny permissions.

若要针对整个群集或给定命名空间外的群集资源授予权限,可改用“ClusterRole”。To grant permissions across the entire cluster or to cluster resources outside a given namespace, you can instead use ClusterRoles.


ClusterRole 可授予权限并将权限应用于整个群集中的资源,而不是特定命名空间。A ClusterRole grants and applies permissions to resources across the entire cluster, not a specific namespace.

RoleBinding 和 ClusterRoleBindingRoleBindings and ClusterRoleBindings

定义角色来授予针对资源的权限后,可通过 RoleBinding 来分配这些 Kubernetes RBAC 权限。Once you've defined roles to grant permissions to resources, you assign those Kubernetes RBAC permissions with a RoleBinding. 如果 AKS 群集与 Azure Active Directory (Azure AD) 集成,RoleBinding 会向 Azure AD 用户授予权限来在群集中执行操作。If your AKS cluster integrates with Azure Active Directory (Azure AD), RoleBindings grant permissions to Azure AD users to perform actions within the cluster. 请查看使用 Kubernetes 基于角色的访问控制和 Azure Active Directory 标识来控制对群集资源的访问,了解操作方法。See how in Control access to cluster resources using Kubernetes role-based access control and Azure Active Directory identities.


针对给定命名空间,使用 RoleBinding 向用户分配角色。Assign roles to users for a given namespace using RoleBindings. 借助 RoleBinding,可从逻辑上分离各 AKS 群集,使用户只能访问向其分配的命名空间中的应用程序资源。With RoleBindings, you can logically segregate a single AKS cluster, only enabling users to access the application resources in their assigned namespace.

若要针对整个群集或给定命名空间外的群集资源绑定角色,可改用“ClusterRoleBinding”。To bind roles across the entire cluster, or to cluster resources outside a given namespace, you instead use ClusterRoleBindings.


通过 ClusterRoleBinding,可将角色绑定到用户,并应用于整个群集中的资源,而不是特定命名空间。With a ClusterRoleBinding, you bind roles to users and apply to resources across the entire cluster, not a specific namespace. 使用此方法,可向管理员或支持工程师授予对 AKS 群集中所有资源的访问权限。This approach lets you grant administrators or support engineers access to all resources in the AKS cluster.


Microsoft/AKS 在内置 Kubernetes 角色 aks-service 和内置角色绑定 aks-service-rolebinding 下经用户同意后执行任何群集操作。Microsoft/AKS performs any cluster actions with user consent under a built-in Kubernetes role aks-service and built-in role binding aks-service-rolebinding.

此角色允许 AKS 对群集问题进行故障排除和诊断,但不能修改权限,也不能创建角色或角色绑定,或者执行其他高特权操作。This role enables AKS to troubleshoot and diagnose cluster issues, but can't modify permissions nor create roles or role bindings, or other high privilege actions. 仅在具有实时 (JIT) 访问权限的活动支持票证下启用角色访问。Role access is only enabled under active support tickets with just-in-time (JIT) access. 阅读并详细了解 AKS 支持策略Read more about AKS support policies.

Kubernetes 服务帐户Kubernetes service accounts

服务帐户是 Kubernetes 中的主要用户类型之一。Service accounts are one of the primary user types in Kubernetes. Kubernetes API 保存和管理服务帐户。The Kubernetes API holds and manages service accounts. 服务帐户凭据存储为 Kubernetes 机密,可供已获获权的 Pod 用于与 API 服务器通信。Service account credentials are stored as Kubernetes secrets, allowing them to be used by authorized pods to communicate with the API Server. 大多数 API 请求都会提供服务帐户或普通用户帐户的身份验证令牌。Most API requests provide an authentication token for a service account or a normal user account.

普通用户帐户允许人工管理员或开发人员进行更为传统的访问,而不仅仅是服务和进程。Normal user accounts allow more traditional access for human administrators or developers, not just services and processes. 尽管 Kubernetes 没有提供用于存储常规用户帐户和密码的标识管理解决方案,但你可将外部标识解决方案集成到 Kubernetes 中。While Kubernetes doesn't provide an identity management solution to store regular user accounts and passwords, you can integrate external identity solutions into Kubernetes. 对于 AKS 群集,这种集成的标识解决方案就是 Azure AD。For AKS clusters, this integrated identity solution is Azure AD.

若要详细了解 Kubernetes 中的标识选项,请参阅 Kubernetes 身份验证For more information on the identity options in Kubernetes, see Kubernetes authentication.

Azure AD 集成Azure AD integration

通过 Azure AD 集成增强 AKS 群集安全性。Enhance your AKS cluster security with Azure AD integration. Azure AD 基于数十年的企业标识管理经验,它是一种基于云的多租户目录,也是一种将核心目录服务、应用程序访问管理和标识保护相结合的标识管理服务。Built on decades of enterprise identity management, Azure AD is a multi-tenant, cloud-based directory and identity management service that combines core directory services, application access management, and identity protection. 借助 Azure AD,可以将本地标识集成到 AKS 群集中,提供帐户管理和安全性的单一源。With Azure AD, you can integrate on-premises identities into AKS clusters to provide a single source for account management and security.

Azure Active Directory 与 AKS 群集集成

借助集成了 Azure AD 的 AKS 群集,可授权用户或组访问一个命名空间或多个群集内的 Kubernetes 资源。With Azure AD-integrated AKS clusters, you can grant users or groups access to Kubernetes resources within a namespace or across the cluster.

  1. 若要获取 kubectl 配置上下文,用户可运行 az aks get-credentials 命令。To obtain a kubectl configuration context, a user runs the az aks get-credentials command.
  2. 在用户使用 kubectl 与 AKS 群集交互时,系统会提示他们使用自己的 Azure AD 凭据登录。When a user interacts with the AKS cluster with kubectl, they're prompted to sign in with their Azure AD credentials.

此方法提供用户帐户管理和密码凭据的单一源。This approach provides a single source for user account management and password credentials. 用户只能访问由群集管理员定义的资源。The user can only access the resources as defined by the cluster administrator.

使用 OpenID Connect 向 AKS 群集提供 Azure AD 身份验证。Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect 是构建在 OAuth 2.0 协议顶层的标识层。OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. 有关 OpenID Connect 的详细信息,请参阅 Open ID Connect 文档For more information on OpenID Connect, see the Open ID connect documentation. 在 Kubernetes 群集内部,使用 Webhook 令牌身份验证来验证身份验证令牌。From inside of the Kubernetes cluster, Webhook Token Authentication is used to verify authentication tokens. Webhook 令牌身份验证作为 AKS 群集的一部分进行配置和管理。Webhook token authentication is configured and managed as part of the AKS cluster.

Webhook 和 API 服务器Webhook and API server

Webhook 和 API 服务器身份验证流

如上图所示,API 服务器调用 AKS Webhook 服务器并执行以下步骤:As shown in the graphic above, the API server calls the AKS webhook server and performs the following steps:

  1. kubectl 使用 Azure AD 客户端应用程序,通过 OAuth 2.0 设备授权授予流来登录用户。kubectl uses the Azure AD client application to sign in users with OAuth 2.0 device authorization grant flow.
  2. Azure AD 提供 access_token、id_token 和 refresh_token。Azure AD provides an access_token, id_token, and a refresh_token.
  3. 用户使用 kubeconfig 中的 access_token 来向 kubectl 发出请求。The user makes a request to kubectl with an access_token from kubeconfig.
  4. kubectl 将 access_token 发送到 API 服务器。kubectl sends the access_token to API Server.
  5. API 服务器配置身份验证 WebHook 服务器来执行验证。The API Server is configured with the Auth WebHook Server to perform validation.
  6. 身份验证 Webhook 服务器将检查 Azure AD 公共签名密钥,以确认 JSON Web 令牌签名有效。The authentication webhook server confirms the JSON Web Token signature is valid by checking the Azure AD public signing key.
  7. 服务器应用程序使用用户提供的凭据从 MS Graph API 查询已登录用户的组成员身份。The server application uses user-provided credentials to query group memberships of the logged-in user from the MS Graph API.
  8. 将向 API 服务器发送一个响应,其中包含用户信息,例如访问令牌的用户主体名称 (UPN) 声明,以及基于对象 ID 的用户的组成员身份。A response is sent to the API Server with user information such as the user principal name (UPN) claim of the access token, and the group membership of the user based on the object ID.
  9. API 基于 Kubernetes Role/RoleBinding 执行授权决策。The API performs an authorization decision based on the Kubernetes Role/RoleBinding.
  10. 授权后,API 服务器会将响应返回到 kubectlOnce authorized, the API server returns a response to kubectl.
  11. kubectl 向用户提供反馈。kubectl provides feedback to the user.

通过我们的 AKS 托管的 Azure AD 集成操作指南,了解如何将 AKS 与 Azure AD 进行集成。Learn how to integrate AKS with Azure AD with our AKS-managed Azure AD integration how-to guide.

Azure 基于角色的访问控制Azure role-based access control

Azure 基于角色的访问控制 (RBAC) 是在 Azure 资源管理器基础上构建的一种授权系统,它针对 Azure 资源提供精细的访问权限管理。Azure role-based access control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.

RBAC 系统RBAC system 说明Description
Kubernetes RBACKubernetes RBAC 旨在处理 AKS 群集中的 Kubernetes 资源。Designed to work on Kubernetes resources within your AKS cluster.
Azure RBACAzure RBAC 旨在处理 Azure 订阅中的资源。Designed to work on resources within your Azure subscription.

使用 Azure RBAC,可创建“角色定义”,描述要应用的权限。With Azure RBAC, you create a role definition that outlines the permissions to be applied. 然后,可通过特定范围的角色分配为用户或组分配此角色定义 。You then assign a user or group this role definition via a role assignment for a particular scope. 范围可以是单个资源、资源组或整个订阅。The scope can be an individual resource, a resource group, or across the subscription.

有关详细信息,请参阅什么是 Azure 基于角色的访问控制 (Azure RBAC)?For more information, see What is Azure role-based access control (Azure RBAC)?

完全操作 AKS 群集需要两个级别的访问权限:There are two levels of access needed to fully operate an AKS cluster:

使用 Azure RBAC 授予对 AKS 资源的访问权限Azure RBAC to authorize access to the AKS resource

使用 Azure RBAC,可为用户(或标识)提供对一个或多个订阅中的 AKS 资源的精细访问权限。With Azure RBAC, you can provide your users (or identities) with granular access to AKS resources across one or more subscriptions. 例如,你可使用 Azure Kubernetes 服务参与者角色来缩放和升级群集。For example, you could use the Azure Kubernetes Service Contributor role to scale and upgrade your cluster. 与此同时,另一位拥有 Azure Kubernetes 服务群集管理员角色的用户只有拉取管理员 kubeconfig 的权限。Meanwhile, another user with the Azure Kubernetes Service Cluster Admin role only has permission to pull the Admin kubeconfig.

或者,你可向用户授予常规的参与者角色。Alternatively, you could give your user the general Contributor role. 有了常规的参与者角色,用户可对 AKS 资源执行上述权限和每个可能的操作(管理权限除外)。With the general Contributor role, users can perform the above permissions and every action possible on the AKS resource, except managing permissions.

使用 Azure RBAC 来定义对 AKS 中的 Kubernetes 配置文件的访问Use Azure RBAC to define access to the Kubernetes configuration file in AKS.

内置角色Built-in roles

AKS 提供以下四个内置角色。AKS provides the following four built-in roles. 它们与 Kubernetes 内置角色很相似,但有一些不同之处,例如支持 CRD。They are similar to the Kubernetes built-in roles with a few differences, like supporting CRDs. 请查看每个 Azure内置角色允许的操作的完整列表。See the full list of actions allowed by each Azure built-in role.

角色Role 描述Description
Azure Kubernetes 服务 RBAC 查看者Azure Kubernetes Service RBAC Viewer 允许进行只读访问并查看命名空间中的大多数对象。Allows read-only access to see most objects in a namespace.
不允许查看角色或角色绑定。Doesn't allow viewing roles or role bindings.
不允许查看 SecretsDoesn't allow viewing Secrets. 读取 Secrets 内容可访问命名空间中的 ServiceAccount 凭据,这样就会允许以命名空间中任何 ServiceAccount 的身份进行 API 访问(一种特权提升形式)。Reading the Secrets contents enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).
Azure Kubernetes 服务 RBAC 写入者Azure Kubernetes Service RBAC Writer 允许对命名空间中的大多数对象进行读/写访问。Allows read/write access to most objects in a namespace.
不允许查看或修改角色或角色绑定。Doesn't allow viewing or modifying roles, or role bindings.
允许以命名空间中任何 ServiceAccount 的身份访问 Secrets 和运行 Pod,因此可用于获取命名空间中任何 ServiceAccount 的 API 访问级别。Allows accessing Secrets and running pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace.
Azure Kubernetes 服务 RBAC 管理员Azure Kubernetes Service RBAC Admin 允许要在命名空间内授予的管理员访问权限。Allows admin access, intended to be granted within a namespace.
允许对命名空间(或群集范围)中的大多数资源进行读/写访问,包括在命名空间内创建角色和角色绑定。Allows read/write access to most resources in a namespace (or cluster scope), including the ability to create roles and role bindings within the namespace.
不允许对资源配额或命名空间本身进行写入访问。Doesn't allow write access to resource quota or to the namespace itself.
Azure Kubernetes 服务 RBAC 群集管理员Azure Kubernetes Service RBAC Cluster Admin 允许超级用户访问权限(对任何资源执行任何操作)。Allows super-user access to perform any action on any resource.
提供对群集中每个资源和所有命名空间的完全控制。Gives full control over every resource in the cluster and in all namespaces.


请查看快速摘要表格,了解在启用 Azure AD 集成后用户可如何向 Kubernetes 进行身份验证。View the table for a quick summary of how users can authenticate to Kubernetes when Azure AD integration is enabled. 在所有情况下,用户的命令序列都是:In all cases, the user's sequence of commands is:

  1. 运行 az cloud set -n AzureChinaClouaz login 向 Azure 进行身份验证。Run az cloud set -n AzureChinaClou and az login to authenticate to Azure.
  2. 运行 az aks get-credentials 将群集的凭据下载到 .kube/config 中。Run az aks get-credentials to download credentials for the cluster into .kube/config.
  3. 运行 kubectl 命令。Run kubectl commands.
    • 第一个命令可能会触发基于浏览器的身份验证来向群集进行身份验证,如下表所述。The first command may trigger browser-based authentication to authenticate to the cluster, as described in the following table.

可在 Azure 门户中找到:In the Azure portal, you can find:

  • 第二列中提到的“角色授予”(Azure RBAC 角色授予)显示在“访问控制”选项卡上。The Role Grant (Azure RBAC role grant) referred to in the second column is shown on the Access Control tab.
  • 群集管理员 Azure AD 组显示在“配置”选项卡上。The Cluster Admin Azure AD Group is shown on the Configuration tab.
    • 还可在 Azure CLI 中通过参数名称 --aad-admin-group-object-ids 找到。Also found with parameter name --aad-admin-group-object-ids in the Azure CLI.
说明Description 需要的角色授予Role grant required 群集管理员 Azure AD 组Cluster admin Azure AD group(s) 何时使用When to use
使用客户端证书的旧管理员登录名Legacy admin login using client certificate Azure Kubernetes 管理员角色。Azure Kubernetes Admin Role. 此角色允许在使用 --admin 标志的情况下使用 az aks get-credentials,以便将旧的(非 Azure AD)群集管理证书下载到用户的 .kube/config 中。This role allows az aks get-credentials to be used with the --admin flag, which downloads a legacy (non-Azure AD) cluster admin certificate into the user's .kube/config. 这是“Azure Kubernetes 管理员角色”的唯一用途。This is the only purpose of "Azure Kubernetes Admin Role". 不适用n/a 如果你被永久阻止,不能访问对你的群集具有访问权限的有效 Azure AD 组。If you're permanently blocked by not having access to a valid Azure AD group with access to your cluster.
具有手动 (Cluster)RoleBinding 的 Azure ADAzure AD with manual (Cluster)RoleBindings Azure Kubernetes 用户角色。Azure Kubernetes User Role. “用户”角色允许在不使用 --admin 标志的情况下使用 az aks get-credentialsThe "User" role allows az aks get-credentials to be used without the --admin flag. (这是“Azure Kubernetes 用户角色”的唯一用途。)因此,在启用了 Azure AD 的群集上,一个空条目会下载到 .kube/config 中,在首次被 kubectl 使用时会触发基于浏览器的身份验证。(This is the only purpose of "Azure Kubernetes User Role".) The result, on an Azure AD-enabled cluster, is the download of an empty entry into .kube/config, which triggers browser-based authentication when it's first used by kubectl. 用户不在这些组的任何一个中。User is not in any of these groups. 因为用户不在任何群集管理员组中,所以其权限将完全由群集管理员已设置的任何 RoleBinding 或 ClusterRoleBinding 控制。Because the user is not in any Cluster Admin groups, their rights will be controlled entirely by any RoleBindings or ClusterRoleBindings that have been set up by cluster admins. (Cluster)RoleBinding 指定 Azure AD 用户或 Azure AD 组作为其 subjectsThe (Cluster)RoleBindings nominate Azure AD users or Azure AD groups as their subjects. 如果未设置此类绑定,则用户将无法执行任何 kubectl 命令。If no such bindings have been set up, the user will not be able to excute any kubectl commands. 如果你想要进行精细的访问控制,并且不使用 Azure RBAC 进行 Kubernetes 授权。If you want fine-grained access control, and you're not using Azure RBAC for Kubernetes Authorization. 请注意,设置绑定的用户必须通过此表中列出的其他方法之一进行登录。Note that the user who sets up the bindings must log in by one of the other methods listed in this table.
由管理员组成员使用的 Azure ADAzure AD by member of admin group 同上Same as above 用户是此处列出的其中一个组的成员。User is a member of one of the groups listed here. AKS 会自动生成一个 ClusterRoleBinding,后者将所有列出的组绑定到 cluster-admin Kubernetes 角色。AKS automatically generates a ClusterRoleBinding that binds all of the listed groups to the cluster-admin Kubernetes role. 因此,这些组中的用户可以作为 cluster-admin 运行所有 kubectl 命令。So users in these groups can run all kubectl commands as cluster-admin. 如果你希望方便地向用户授予完全的管理员权限,并且不使用 Azure RBAC 进行 Kubernetes 授权。If you want to conveniently grant users full admin rights, and are not using Azure RBAC for Kubernetes authorization.
将 Azure AD 与 Azure RBAC 配合使用进行 Kubernetes 授权Azure AD with Azure RBAC for Kubernetes Authorization 两个角色:Two roles:
第一个为 Azure Kubernetes 用户角色(如上所述)。First, Azure Kubernetes User Role (as above).
第二个为上面列出的“Azure Kubernetes 服务 RBAC...”角色之一,或你自己的自定义替代项。Second, one of the "Azure Kubernetes Service RBAC..." roles listed above, or your own custom alternative.
启用了“使用 Azure RBAC 进行 Kubernetes 授权”时,“配置”选项卡上的管理员角色字段不相关。The admin roles field on the Configuration tab is irrelevant when Azure RBAC for Kubernetes Authorization is enabled. 你使用 Azure RBAC 进行 Kubernetes 授权。You are using Azure RBAC for Kubernetes authorization. 此方法提供了精细的控制,无需设置 RoleBinding 或 ClusterRoleBinding。This approach gives you fine-grained control, without the need to set up RoleBindings or ClusterRoleBindings.

后续步骤Next steps

有关核心 Kubernetes 和 AKS 概念的详细信息,请参阅以下文章:For more information on core Kubernetes and AKS concepts, see the following articles: