Frequently asked questions about Azure Kubernetes Service (AKS)

This article addresses frequent questions about Azure Kubernetes Service (AKS).

Which Azure regions currently provide AKS?

For a complete list of available regions, see AKS regions and availability.

Can I spread an AKS cluster across regions?

No. AKS clusters are regional resources and cannot span regions. See best practices for business continuity and disaster recovery for guidance on how to create an architecture that includes multiple regions.

Can I limit who has access to the Kubernetes API server?

Yes. There is one option for limiting access to the API server:

Can I have different VM sizes in a single cluster?

Yes, you can use different virtual machine sizes in your AKS cluster by creating multiple node pools.

Are security updates applied to AKS agent nodes?

Azure automatically applies security patches to the Linux nodes in your cluster on a nightly schedule. However, you are responsible for ensuring that those Linux nodes are rebooted as required. You have several options for rebooting nodes:

  • Manually, through the Azure portal or the Azure CLI.
  • By upgrading your AKS cluster. The cluster upgrade cordons and drains nodes automatically and then brings new nodes online with the latest Ubuntu image and a new patch version or minor Kubernetes version. For more information, see Upgrade an AKS cluster.
  • By using Kured, an open-source reboot daemon for Kubernetes. Kured runs as a DaemonSet and monitors each node for the presence of a file that indicates that a reboot is required. Across the cluster, OS reboots are managed by the same cordon and drain process as a cluster upgrade.

For more information about using Kured, see Apply security and kernel updates to nodes in AKS.

Windows Server nodes

For Windows Server nodes, Windows Update does not automatically run and apply the latest updates. On a regular schedule around the Windows Update release cycle and your own validation process, you should perform an upgrade on the cluster and the Windows Server node pool(s) in your AKS cluster. This upgrade process creates nodes that run the latest Windows Server image and patches, then removes the older nodes. For more information on this process, see Upgrade a node pool in AKS.

Why are two resource groups created with AKS?

AKS builds upon a number of Azure infrastructure resources, including virtual machine scale sets, virtual networks, and managed disks. This enables you to use many of the core capabilities of the Azure platform within the managed Kubernetes environment provided by AKS.

To enable this architecture, each AKS deployment spans two resource groups:

  1. You create the first resource group. This group contains only the Kubernetes service resource. The AKS resource provider automatically creates the second resource group during deployment. An example of the second resource group is MC_myResourceGroup_myAKSCluster_chinaeast2. For information on how to specify the name of this second resource group, see the next section.

  2. The second resource group, known as the node resource group, contains all of the infrastructure resources associated with the cluster. These resources include the Kubernetes node VMs, virtual networking, and storage. By default, the node resource group has a name like MC_myResourceGroup_myAKSCluster_chinaeast2. AKS automatically deletes the node resource group whenever the cluster is deleted, so it should only be used for resources that share the cluster's lifecycle.

Can I provide my own name for the AKS node resource group?

Yes. By default, AKS names the node resource group MC_resourcegroupname_clustername_location, but you can also provide your own name.

To specify your own resource group name, install the aks-preview Azure CLI extension version 0.3.2 or later. When you create an AKS cluster by using the az aks create command, use the --node-resource-group parameter and specify a name for the resource group. If you use an Azure Resource Manager template to deploy an AKS cluster, you can define the resource group name by using the nodeResourceGroup property.

  • The secondary resource group is automatically created by the Azure resource provider in your own subscription.
  • You can specify a custom resource group name only when you're creating the cluster.

As you work with the node resource group, keep in mind that you cannot:

  • Specify an existing resource group for the node resource group.
  • Specify a different subscription for the node resource group.
  • Change the node resource group name after the cluster has been created.
  • Specify names for the managed resources within the node resource group.
  • Modify or delete Azure-created tags of managed resources within the node resource group. (See additional information in the next section.)

Can I modify tags and other properties of the AKS resources in the node resource group?

If you modify or delete Azure-created tags and other resource properties in the node resource group, you could get unexpected results such as scaling and upgrading errors. AKS allows you to create and modify custom tags created by end users. You might want to create or modify custom tags, for example, to assign a business unit or cost center. This can be achieved by creating Azure Policies with a scope on the managed resource group.

However, modifying any Azure-created tags on resources under the node resource group in the AKS cluster is an unsupported action which breaks the service-level objective (SLO).

What Kubernetes admission controllers does AKS support? Can admission controllers be added or removed?

AKS supports the following admission controllers:

  • NamespaceLifecycle
  • LimitRanger
  • ServiceAccount
  • DefaultStorageClass
  • DefaultTolerationSeconds
  • MutatingAdmissionWebhook
  • ValidatingAdmissionWebhook
  • ResourceQuota

Currently, you can't modify the list of admission controllers in AKS.

Can I use admission controller webhooks on AKS?

Yes, you may use admission controller webhooks on AKS. It is recommended that you exclude the internal AKS namespaces, which are marked with the control-plane label, for example by adding the following to the webhook configuration:

namespaceSelector:
    matchExpressions:
    - key: control-plane
      operator: DoesNotExist

Can admission controller webhooks impact kube-system and internal AKS namespaces?

To protect the stability of the system and prevent custom admission controllers from impacting internal services in the kube-system namespace, AKS has an Admissions Enforcer, which automatically excludes kube-system and AKS internal namespaces. This service ensures the custom admission controllers don't affect the services running in kube-system.

If you have a critical use case for having something deployed on kube-system (not recommended) which you require to be covered by your custom admission webhook, you may add the below label or annotation so that Admissions Enforcer ignores it.

Label: "admissions.enforcer/disabled": "true" or Annotation: "admissions.enforcer/disabled": true
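The two answers above describe two separate filters that decide whether a custom webhook is called for a namespace: the webhook's own namespaceSelector, and the AKS Admissions Enforcer with its admissions.enforcer/disabled opt-out. The following is an added example, not code from the AKS documentation or from AKS itself. It implements the standard Kubernetes matchExpressions semantics (In, NotIn, Exists, DoesNotExist) and a simplified model of the Enforcer, so you can see which of your namespaces a webhook would actually cover. The Enforcer's real list of internal namespaces is not given on the page, so INTERNAL_NAMESPACES is an assumption, as is placing the opt-out label/annotation on the webhook configuration's metadata; the namespaces and webhook objects are constructed sample data.

```python
"""Which namespaces will a custom admission webhook actually be called for on AKS?

Added example (not AKS code). Models (1) namespaceSelector.matchExpressions and
(2) the AKS Admissions Enforcer, which shields kube-system / internal namespaces
unless the webhook carries the admissions.enforcer/disabled opt-out.
"""
from typing import Any, Dict, List

Labels = Dict[str, str]


def selector_matches(match_expressions: List[Dict[str, Any]], labels: Labels) -> bool:
    """Evaluate a matchExpressions list against a namespace's labels.

    Kubernetes ANDs the requirements; an empty list matches every namespace.
    Operators are the four defined for LabelSelectorRequirement.
    """
    for expr in match_expressions:
        key, op = expr["key"], expr["operator"]
        values = set(expr.get("values", []))
        present = key in labels
        if op == "Exists":
            ok = present
        elif op == "DoesNotExist":
            ok = not present
        elif op == "In":
            ok = present and labels[key] in values
        elif op == "NotIn":
            ok = (not present) or labels[key] not in values
        else:
            raise ValueError(f"unknown selector operator: {op}")
        if not ok:
            return False
    return True


# Assumption: the Enforcer protects kube-system plus any namespace carrying the
# control-plane label. The page names only kube-system and "AKS internal namespaces".
INTERNAL_NAMESPACES = {"kube-system"}


def enforcer_opt_out(webhook_metadata: Dict[str, Any]) -> bool:
    """True if the webhook carries the opt-out label or annotation from the page."""
    labels = webhook_metadata.get("labels", {})
    annotations = webhook_metadata.get("annotations", {})
    return (labels.get("admissions.enforcer/disabled") == "true"
            or annotations.get("admissions.enforcer/disabled") in ("true", True))


def enforcer_excludes(ns_name: str, ns_labels: Labels, webhook_metadata: Dict[str, Any]) -> bool:
    """Simplified Admissions Enforcer: skip internal namespaces unless opted out."""
    if enforcer_opt_out(webhook_metadata):
        return False
    return ns_name in INTERNAL_NAMESPACES or "control-plane" in ns_labels


def webhook_invoked(webhook: Dict[str, Any], ns_name: str, ns_labels: Labels) -> bool:
    """Both filters must pass for the API server to call the webhook."""
    selector = webhook.get("namespaceSelector", {}).get("matchExpressions", [])
    if not selector_matches(selector, ns_labels):
        return False
    return not enforcer_excludes(ns_name, ns_labels, webhook.get("metadata", {}))


# Constructed sample data (not from a real cluster).
CONTROL_PLANE_SELECTOR = [{"key": "control-plane", "operator": "DoesNotExist"}]
NAMESPACES: Dict[str, Labels] = {
    "kube-system": {"control-plane": "true"},   # internal, labelled as the page describes
    "payments": {"team": "payments"},           # ordinary workload namespace
}
RECOMMENDED_WEBHOOK = {   # the selector the page recommends
    "metadata": {"name": "policy-check"},
    "namespaceSelector": {"matchExpressions": CONTROL_PLANE_SELECTOR},
}
UNSCOPED_WEBHOOK = {"metadata": {"name": "unscoped"}}   # no selector at all
OPTED_OUT_WEBHOOK = {     # explicitly asks the Enforcer to ignore it
    "metadata": {"name": "kube-system-covered",
                 "labels": {"admissions.enforcer/disabled": "true"}},
}


def coverage(webhook: Dict[str, Any]) -> Dict[str, bool]:
    """Map each sample namespace to whether this webhook would be invoked for it."""
    return {ns: webhook_invoked(webhook, ns, labels) for ns, labels in NAMESPACES.items()}


if __name__ == "__main__":
    for wh in (RECOMMENDED_WEBHOOK, UNSCOPED_WEBHOOK, OPTED_OUT_WEBHOOK):
        print(wh["metadata"]["name"], coverage(wh))
```

The point the output makes: without the recommended selector, the only thing keeping an unscoped webhook away from kube-system is the Enforcer, and the opt-out label removes that protection too, so a failing or slow webhook then sits in the admission path of the cluster's own system pods.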

Is Azure Key Vault integrated with AKS?

AKS isn't currently natively integrated with Azure Key Vault. However, the Azure Key Vault provider for CSI Secrets Store enables direct integration from Kubernetes pods to Key Vault secrets.

Can I run Windows Server containers on AKS?

Yes, Windows Server containers are available on AKS. To run Windows Server containers in AKS, you create a node pool that runs Windows Server as the guest OS. Windows Server containers can use only Windows Server 2019. To get started, see Create an AKS cluster with a Windows Server node pool.

Windows Server support for node pools has some limitations that come from the upstream Windows Server in Kubernetes project. For more information on these limitations, see Windows Server containers in AKS limitations.

Can I move/migrate my cluster between Azure tenants?

The az aks update-credentials command can be used to move an AKS cluster between Azure tenants. Follow the instructions in Choose to update or create a service principal, and then update the AKS cluster with new credentials.

Can I move/migrate my cluster between subscriptions?

Movement of clusters between subscriptions is currently unsupported.

Can I move my AKS clusters from the current Azure subscription to another?

Moving your AKS cluster and its associated resources between Azure subscriptions is not supported.

Why is my cluster delete taking so long?

Most clusters are deleted upon user request; in some cases, especially where customers are bringing their own resource group or doing cross-RG tasks, deletion can take additional time or fail. If you have an issue with deletes, double-check that you do not have locks on the RG, that any resources outside of the RG are disassociated from the RG, and so on.

If I have pods / deployments in state 'NodeLost' or 'Unknown', can I still upgrade my cluster?

You can, but AKS does not recommend this. Upgrades should ideally be performed when the state of the cluster is known and healthy.

If I have a cluster with one or more nodes in an Unhealthy state or shut down, can I perform an upgrade?

No, please delete/remove any nodes in a failed state or otherwise removed from the cluster prior to upgrading.

I ran a cluster delete, but see the error [Errno 11001] getaddrinfo failed

Most commonly, this is caused by users having one or more Network Security Groups (NSGs) still in use and associated with the cluster. Please remove them and attempt the delete again.

I ran an upgrade, but now my pods are in crash loops, and readiness probes fail

Please confirm your service principal has not expired. Please see: AKS service principal and AKS update credentials.

My cluster was working, but suddenly cannot provision LoadBalancers, mount PVCs, etc.

Please confirm your service principal has not expired. Please see: AKS service principal and AKS update credentials.
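Both of the preceding answers come down to the same check: has the cluster's service principal credential expired? The following is an added example, not code from the AKS documentation. It takes the JSON that `az ad sp credential list --id <appId>` prints, classifies each credential as expired, expiring, or ok against a configurable warning window, and reports whether any usable credential remains. The credential list below is constructed sample data; the endDateTime / keyId / displayName field names follow current Azure CLI output, and the older endDate spelling is accepted as a fallback (an assumption about older CLI versions).

```python
"""Flag expired or soon-to-expire AKS service principal credentials.

Added example (not AKS or Azure CLI code). Feed it the output of
`az ad sp credential list --id <appId>`; it never contacts Azure itself.
"""
import json
import sys
from datetime import datetime, timezone
from typing import Any, Dict, List

# Constructed sample of `az ad sp credential list` output; keyIds are placeholders.
SAMPLE_CREDENTIAL_LIST = json.dumps([
    {"keyId": "11111111-aaaa-4aaa-8aaa-111111111111", "displayName": "aks-2023",
     "startDateTime": "2023-05-01T00:00:00Z", "endDateTime": "2024-05-01T00:00:00Z"},
    {"keyId": "22222222-bbbb-4bbb-8bbb-222222222222", "displayName": "aks-rotated",
     "startDateTime": "2023-06-15T00:00:00Z", "endDateTime": "2024-06-15T00:00:00Z"},
    {"keyId": "33333333-cccc-4ccc-8ccc-333333333333", "displayName": "aks-next",
     "startDateTime": "2024-06-01T00:00:00Z", "endDateTime": "2025-06-01T00:00:00Z"},
])
# Fixed "current time" used for the sample so results are reproducible.
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_end(cred: Dict[str, Any]) -> datetime:
    """Return the credential's end time as an aware UTC datetime."""
    raw = cred.get("endDateTime") or cred.get("endDate")   # endDate: older CLI (assumption)
    if raw is None:
        raise ValueError(f"credential {cred.get('keyId')} has no end date")
    # Azure prints UTC with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(raw.replace("Z", "+00:00")).astimezone(timezone.utc)


def classify_credentials(credential_list_json: str, now: datetime,
                         warn_days: int = 30) -> List[Dict[str, Any]]:
    """Classify each credential as expired / expiring / ok relative to `now`."""
    report = []
    for cred in json.loads(credential_list_json):
        end = parse_end(cred)
        days_left = (end - now).days
        if end <= now:
            status = "expired"
        elif days_left < warn_days:
            status = "expiring"
        else:
            status = "ok"
        report.append({
            "keyId": cred.get("keyId"),
            "displayName": cred.get("displayName"),
            "endDateTime": end.isoformat(),
            "daysLeft": days_left,
            "status": status,
        })
    return report


def has_usable_credential(report: List[Dict[str, Any]]) -> bool:
    """True if at least one credential has not yet expired."""
    return any(entry["status"] != "expired" for entry in report)


def sample_report() -> List[Dict[str, Any]]:
    """Run the classifier over the constructed sample at the fixed sample time."""
    return classify_credentials(SAMPLE_CREDENTIAL_LIST, SAMPLE_NOW)


if __name__ == "__main__":
    # Read real CLI output from stdin when piped; otherwise use the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CREDENTIAL_LIST
    now = datetime.now(timezone.utc) if raw is not SAMPLE_CREDENTIAL_LIST else SAMPLE_NOW
    report = classify_credentials(raw, now)
    for entry in report:
        print(f"{entry['status']:9} {entry['daysLeft']:>5}d  {entry['keyId']}  {entry['displayName']}")
    # Non-zero exit when nothing usable remains, so this can gate a pipeline.
    sys.exit(0 if has_usable_credential(report) else 1)
```

To point it at a cluster, pass the client id that `az aks show` reports, for example `az ad sp credential list --id "$(az aks show -g <rg> -n <cluster> --query servicePrincipalProfile.clientId -o tsv)" | python3 sp_expiry.py` (file name assumed). An "expired" result for every entry is the condition the two answers above describe, and `az aks update-credentials` is the remedy they point to.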

Can I use the virtual machine scale set APIs to scale manually?

No, scale operations by using the virtual machine scale set APIs aren't supported. Use the AKS APIs (az aks scale).

Can I use virtual machine scale sets to manually scale to 0 nodes?

No, scale operations by using the virtual machine scale set APIs aren't supported.

Can I stop or de-allocate all my VMs?

While AKS has resilience mechanisms to withstand such a configuration and recover from it, this is not a recommended configuration.

Can I use custom VM extensions?

No. AKS is a managed service, and manipulation of the IaaS resources is not supported. To install custom components, use the Kubernetes APIs and mechanisms. For example, use DaemonSets to install required components.