Use Azure role-based access control to define access to the Kubernetes configuration file in Azure Kubernetes Service (AKS)

You can interact with Kubernetes clusters using the kubectl tool. The Azure CLI provides an easy way to get the access credentials and configuration information to connect to your AKS clusters using kubectl. To limit who can get that Kubernetes configuration (kubeconfig) information, and to limit the permissions they then have, you can use Azure role-based access control (Azure RBAC).

This article shows you how to assign RBAC roles that limit who can get the configuration information for an AKS cluster.

Before you begin

This article assumes that you have an existing AKS cluster. If you need an AKS cluster, see the AKS quickstart using the Azure CLI or using the Azure portal.

This article also requires that you are running the Azure CLI version 2.0.65 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Available cluster role permissions

When you interact with an AKS cluster using the kubectl tool, a configuration file is used that defines cluster connection information. This configuration file is typically stored in ~/.kube/config. Multiple clusters can be defined in this kubeconfig file. You switch between clusters using the kubectl config use-context command.

The az aks get-credentials command lets you get the access credentials for an AKS cluster and merges them into the kubeconfig file. You can use Azure role-based access control (Azure RBAC) to control access to these credentials. These Azure roles let you define who can retrieve the kubeconfig file, and what permissions they then have within the cluster.

The two built-in roles are:

  • Azure Kubernetes Service Cluster Admin Role
    • Allows access to the Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action API call. This API call lists the cluster admin credentials.
    • Downloads kubeconfig for the clusterAdmin role.
  • Azure Kubernetes Service Cluster User Role
    • Allows access to the Microsoft.ContainerService/managedClusters/listClusterUserCredential/action API call. This API call lists the cluster user credentials.
    • Downloads kubeconfig for the clusterUser role.

These RBAC roles can be applied to an Azure Active Directory (AD) user or group.

Note

On clusters that use Azure AD, users with the clusterUser role receive an empty kubeconfig file that prompts for a login. Once logged in, users have access based on their Azure AD user or group settings. Users with the clusterAdmin role have admin access.

Clusters that do not use Azure AD only use the clusterAdmin role.

Assign role permissions to a user or group

To assign one of the available roles, you need to get the resource ID of the AKS cluster and the ID of the Azure AD user account or group. The following example commands:

The following example assigns the Azure Kubernetes Service Cluster Admin Role to an individual user account:

# Get the resource ID of your AKS cluster
AKS_CLUSTER=$(az aks show --resource-group myResourceGroup --name myAKSCluster --query id -o tsv)

# Get the account credentials for the logged in user
ACCOUNT_UPN=$(az account show --query user.name -o tsv)
ACCOUNT_ID=$(az ad user show --id $ACCOUNT_UPN --query objectId -o tsv)

# Assign the 'Cluster Admin' role to the user
az role assignment create \
    --assignee $ACCOUNT_ID \
    --scope $AKS_CLUSTER \
    --role "Azure Kubernetes Service Cluster Admin Role"

Tip

If you want to assign permissions to an Azure AD group, update the --assignee parameter shown in the previous example with the object ID for the group rather than a user. To obtain the object ID for a group, use the az ad group show command. The following example gets the object ID for the Azure AD group named appdev:

az ad group show --group appdev --query objectId -o tsv

You can change the previous assignment to the Cluster User Role as needed.

The following example output shows that the role assignment has been successfully created:

{
  "canDelegate": null,
  "id": "/subscriptions/<guid>/resourcegroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/myAKSCluster/providers/Microsoft.Authorization/roleAssignments/b2712174-5a41-4ecb-82c5-12b8ad43d4fb",
  "name": "b2712174-5a41-4ecb-82c5-12b8ad43d4fb",
  "principalId": "946016dd-9362-4183-b17d-4c416d1f8f61",
  "resourceGroup": "myResourceGroup",
  "roleDefinitionId": "/subscriptions/<guid>/providers/Microsoft.Authorization/roleDefinitions/0ab01a8-8aac-4efd-b8c2-3ee1fb270be8",
  "scope": "/subscriptions/<guid>/resourcegroups/myResourceGroup/providers/Microsoft.ContainerService/managedClusters/myAKSCluster",
  "type": "Microsoft.Authorization/roleAssignments"
}
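Once assignments exist, the question a reviewer asks is "who can actually fetch the clusterAdmin kubeconfig for this cluster, and from which scope?" The following added example (not code from the Azure documentation page or the Azure CLI) answers that by parsing the JSON that az role assignment list --scope "$AKS_CLUSTER" --include-inherited -o json prints, matching on the two built-in role names described above, and flagging Cluster Admin assignments inherited from a resource-group or subscription scope, since those grant the static admin credential for every AKS cluster underneath. The cluster ID, GUIDs and principal names in the sample are constructed placeholders.

```python
"""Audit who can download an AKS cluster's kubeconfig via Azure RBAC.

Added example; not code from the Azure documentation page. It parses the
JSON produced by:

    az role assignment list --scope "$AKS_CLUSTER" --include-inherited -o json

and reports which principals hold the Cluster Admin and Cluster User roles,
flagging admin assignments inherited from a broader scope. The sample below
is constructed: GUIDs, cluster ID and principal names are placeholders.
"""
import json

CLUSTER_ADMIN_ROLE = "Azure Kubernetes Service Cluster Admin Role"
CLUSTER_USER_ROLE = "Azure Kubernetes Service Cluster User Role"

# Constructed cluster resource ID (same shape as `az aks show --query id`).
SAMPLE_CLUSTER_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourcegroups/myResourceGroup/providers"
    "/Microsoft.ContainerService/managedClusters/myAKSCluster"
)

# Constructed `az role assignment list` output, trimmed to the fields used.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": CLUSTER_ADMIN_ROLE, "scope": SAMPLE_CLUSTER_ID},
    {"principalName": "platform-team", "principalType": "Group",
     "roleDefinitionName": CLUSTER_ADMIN_ROLE,
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
    {"principalName": "appdev", "principalType": "Group",
     "roleDefinitionName": CLUSTER_USER_ROLE, "scope": SAMPLE_CLUSTER_ID},
    {"principalName": "auditor", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"
              "/resourceGroups/myResourceGroup"},
])


def classify_scope(assignment_scope, cluster_id):
    """Say at which level an assignment applies relative to the cluster.

    Azure resource IDs are case-insensitive, so everything is lower-cased.
    """
    scope = assignment_scope.lower().rstrip("/")
    cluster = cluster_id.lower()
    if scope == cluster:
        return "cluster"
    if cluster.startswith(scope + "/"):
        return "resource-group" if "/resourcegroups/" in scope else "subscription"
    return "unrelated"


def audit(assignments_json, cluster_id):
    """Return admins, users and least-privilege findings for one cluster."""
    admins, users, findings = [], [], []
    for a in json.loads(assignments_json):
        role = a.get("roleDefinitionName")
        # Only the two built-in AKS roles are examined. Roles with wildcard
        # actions (Owner, Contributor) also permit the credential calls and
        # would need a role-definition lookup to be caught here.
        if role not in (CLUSTER_ADMIN_ROLE, CLUSTER_USER_ROLE):
            continue
        where = classify_scope(a.get("scope", ""), cluster_id)
        if where == "unrelated":
            continue
        entry = {"principal": a.get("principalName"),
                 "type": a.get("principalType"), "scope": where}
        if role == CLUSTER_ADMIN_ROLE:
            admins.append(entry)
            if where != "cluster":
                findings.append(
                    f"{entry['principal']} holds Cluster Admin via {where} scope "
                    "and can fetch the static clusterAdmin kubeconfig for every "
                    "AKS cluster under it; assign per cluster, or prefer Cluster "
                    "User Role with Azure AD")
        else:
            users.append(entry)
    return {"admins": admins, "users": users, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_ASSIGNMENTS, SAMPLE_CLUSTER_ID)
    for key in ("admins", "users"):
        print(key + ":")
        for e in report[key]:
            print(f"  {e['principal']} ({e['type']}) at {e['scope']} scope")
    for f in report["findings"]:
        print("FINDING:", f)
```

Pipe real output in with something like az role assignment list ... -o json | python3 audit.py after replacing the constructed sample with sys.stdin.read(); the scope classification is the part that matters, because an inherited Cluster Admin assignment does not show up in the cluster's own role assignment blade unless you ask for inherited entries.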

Get and verify the configuration information

With RBAC roles assigned, use the az aks get-credentials command to get the kubeconfig definition for your AKS cluster. The following example gets the --admin credentials, which work correctly if the user has been granted the Cluster Admin Role:

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin

You can then use the kubectl config view command to verify that the context for the cluster shows that the admin configuration information has been applied:

$ kubectl config view

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://myaksclust-myresourcegroup-19da35-4839be06.hcp.chinaeast2.cx.prod.service.azk8s.cn:443
  name: myAKSCluster
contexts:
- context:
    cluster: myAKSCluster
    user: clusterAdmin_myResourceGroup_myAKSCluster
  name: myAKSCluster-admin
current-context: myAKSCluster-admin
kind: Config
preferences: {}
users:
- name: clusterAdmin_myResourceGroup_myAKSCluster
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
    token: e9f2f819a4496538b02cefff94e61d35
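The output above shows the admin context is backed by a client certificate and a token embedded in the file, not by an Azure AD sign-in. The following added example (not code from the Azure documentation page or from kubectl) inspects the JSON form of a kubeconfig, as printed by kubectl config view -o json (with --raw if you need the actual credential data rather than REDACTED placeholders), and reports for every context which user entry it uses, how that user authenticates, and whether it is a clusterAdmin context carrying static credentials. The sample kubeconfig is constructed to mirror the output above plus a clusterUser context that uses the kubelogin exec plugin; the server address is a placeholder, and the clusterAdmin_<rg>_<cluster> / clusterUser_<rg>_<cluster> naming follows the pattern az aks get-credentials uses.

```python
"""Inspect a kubeconfig for AKS admin contexts and static credentials.

Added example; not code from the Azure documentation page or from kubectl.
Input is the JSON form of the file (`kubectl config view -o json`, add
--raw to see real certificate/token data). The sample below is constructed:
the server address is a placeholder and credential data is redacted.
"""
import json

SAMPLE_KUBECONFIG = json.dumps({
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "myAKSCluster", "cluster": {
        "server": "https://example-aks.invalid:443",
        "certificate-authority-data": "REDACTED"}}],
    "contexts": [
        {"name": "myAKSCluster-admin", "context": {
            "cluster": "myAKSCluster",
            "user": "clusterAdmin_myResourceGroup_myAKSCluster"}},
        {"name": "myAKSCluster", "context": {
            "cluster": "myAKSCluster",
            "user": "clusterUser_myResourceGroup_myAKSCluster"}},
    ],
    "current-context": "myAKSCluster-admin",
    "users": [
        {"name": "clusterAdmin_myResourceGroup_myAKSCluster", "user": {
            "client-certificate-data": "REDACTED",
            "client-key-data": "REDACTED",
            "token": "REDACTED"}},
        {"name": "clusterUser_myResourceGroup_myAKSCluster", "user": {
            "exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                     "command": "kubelogin", "args": ["get-token"]}}},
    ],
})


def auth_method(user_spec):
    """Classify how a kubeconfig user entry authenticates."""
    if "exec" in user_spec:
        return "exec-plugin"          # token obtained at use time (e.g. kubelogin)
    if "auth-provider" in user_spec:
        return "auth-provider"        # legacy in-tree provider (e.g. azure)
    if "client-certificate-data" in user_spec or "client-certificate" in user_spec:
        return "client-certificate"   # static credential stored in the file
    if "token" in user_spec or "tokenFile" in user_spec:
        return "static-token"         # static credential stored in the file
    return "none"


def inspect_kubeconfig(config_json):
    """Return one record per context plus findings worth acting on."""
    cfg = json.loads(config_json)
    users = {u["name"]: u.get("user", {}) for u in cfg.get("users", [])}
    current = cfg.get("current-context")
    records, findings = [], []
    for ctx in cfg.get("contexts", []):
        spec = ctx.get("context", {})
        user_name = spec.get("user", "")
        method = auth_method(users.get(user_name, {}))
        # az aks get-credentials --admin names the user clusterAdmin_<rg>_<cluster>
        is_admin = user_name.startswith("clusterAdmin_")
        rec = {"context": ctx["name"], "cluster": spec.get("cluster"),
               "user": user_name, "method": method, "admin": is_admin,
               "current": ctx["name"] == current}
        records.append(rec)
        if is_admin and method in ("client-certificate", "static-token"):
            findings.append(
                f"context {ctx['name']}: clusterAdmin credential is a static "
                f"{method} not tied to an Azure AD sign-in; limit who holds the "
                "Cluster Admin Role and keep this file off shared machines")
    return {"contexts": records, "findings": findings}


if __name__ == "__main__":
    result = inspect_kubeconfig(SAMPLE_KUBECONFIG)
    for rec in result["contexts"]:
        marker = "*" if rec["current"] else " "
        print(f"{marker} {rec['context']}: user={rec['user']} "
              f"auth={rec['method']} admin={rec['admin']}")
    for f in result["findings"]:
        print("FINDING:", f)
```

The same check is useful on a Cluster User kubeconfig from an Azure AD cluster: its user entry should classify as exec-plugin or auth-provider, with no client-certificate-data or token at all, which is exactly the "empty kubeconfig that prompts for a login" described in the note above.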

Remove role permissions

To remove role assignments, use the az role assignment delete command. Specify the account ID and cluster resource ID, as obtained in the previous commands. If you assigned the role to a group rather than a user, specify the appropriate group object ID rather than the account object ID for the --assignee parameter:

az role assignment delete --assignee $ACCOUNT_ID --scope $AKS_CLUSTER

Next steps

For enhanced security on access to AKS clusters, integrate Azure Active Directory authentication.