AKS-managed Azure Active Directory integration

AKS-managed Azure AD integration is designed to simplify the Azure AD integration experience. Previously, users had to create a client app and a server app, and the Azure AD tenant had to grant Directory Read permissions. In the new version, the AKS resource provider manages the client and server apps for you.

Azure AD authentication overview

Cluster administrators can configure Kubernetes role-based access control (Kubernetes RBAC) based on a user's identity or directory group membership. Azure AD authentication is provided to AKS clusters with OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol. For more information on OpenID Connect, see the OpenID Connect documentation.

Learn more about the Azure AD integration flow in the Azure Active Directory integration concepts documentation.

Limitations

  • AKS-managed Azure AD integration can't be disabled
  • Clusters without Kubernetes RBAC enabled aren't supported for AKS-managed Azure AD integration
  • Changing the Azure AD tenant associated with AKS-managed Azure AD integration isn't supported

Prerequisites

  • The Azure CLI version 2.11.0 or later
  • kubectl with a minimum version of 1.18.1, or kubelogin
  • If you are using Helm, a minimum version of Helm 3.3

Important

You must use kubectl with a minimum version of 1.18.1, or kubelogin. If you don't use the correct version, you will run into authentication issues.

To install kubectl and kubelogin, use the following commands:

sudo az aks install-cli
kubectl version --client
kubelogin --version

Use these instructions for other operating systems.

Before you begin

For your cluster, you need an Azure AD group. This group is used as the admin group for the cluster and is granted cluster admin permissions. You can use an existing Azure AD group, or create a new one. Record the object ID of your Azure AD group.

# List existing groups in the directory
az ad group list --filter "displayname eq '<group-name>'" -o table

To create a new Azure AD group for your cluster administrators, use the following command:

# Create an Azure AD group
az ad group create --display-name myAKSAdminGroup --mail-nickname myAKSAdminGroup

Create an AKS cluster with Azure AD enabled

Create an AKS cluster by using the following CLI commands.

Create an Azure resource group:

# Create an Azure resource group
az group create --name myResourceGroup --location chinaeast2

Create an AKS cluster, and enable administration access for your Azure AD group:

# Create an AKS-managed Azure AD cluster
az aks create -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id> [--aad-tenant-id <id>]

A successful creation of an AKS-managed Azure AD cluster has the following section in the response body:

"AADProfile": {
  "adminGroupObjectIds": [
    "5d24****-****-****-****-****afa27aed"
  ],
  "clientAppId": null,
  "managed": true,
  "serverAppId": null,
  "serverAppSecret": null,
  "tenantId": "72f9****-****-****-****-****d011db47"
}

Once the cluster is created, you can start accessing it.

Access an Azure AD enabled cluster

You'll need the Azure Kubernetes Service Cluster User built-in role to do the following steps.

Get the user credentials to access the cluster:

az aks get-credentials --resource-group myResourceGroup --name myManagedCluster

Follow the instructions to sign in.

Use the kubectl get nodes command to view the nodes in the cluster:

kubectl get nodes

NAME                       STATUS   ROLES   AGE    VERSION
aks-nodepool1-15306047-0   Ready    agent   102m   v1.15.10
aks-nodepool1-15306047-1   Ready    agent   102m   v1.15.10
aks-nodepool1-15306047-2   Ready    agent   102m   v1.15.10

Configure Azure role-based access control (Azure RBAC) to set up additional security groups for your clusters.

Troubleshooting access issues with Azure AD

Important

The steps described below bypass the normal Azure AD group authentication. Use them only in an emergency.

If you're permanently blocked because you don't have access to a valid Azure AD group with access to your cluster, you can still obtain the admin credentials to access the cluster directly.

To do these steps, you'll need access to the Azure Kubernetes Service Cluster Admin built-in role.

az aks get-credentials --resource-group myResourceGroup --name myManagedCluster --admin

Enable AKS-managed Azure AD integration on your existing cluster

You can enable AKS-managed Azure AD integration on your existing Kubernetes RBAC-enabled cluster. Make sure you set your admin group so that you keep access to your cluster.

az aks update -g MyResourceGroup -n MyManagedCluster --enable-aad --aad-admin-group-object-ids <id-1> [--aad-tenant-id <id>]

A successful activation of an AKS-managed Azure AD cluster has the following section in the response body:

"AADProfile": {
  "adminGroupObjectIds": [
    "5d24****-****-****-****-****afa27aed"
  ],
  "clientAppId": null,
  "managed": true,
  "serverAppId": null,
  "serverAppSecret": null,
  "tenantId": "72f9****-****-****-****-****d011db47"
}

To access your cluster, download the user credentials again by following the steps here.

Upgrading to AKS-managed Azure AD integration

If your cluster uses legacy Azure AD integration, you can upgrade to AKS-managed Azure AD integration.

az aks update -g myResourceGroup -n myManagedCluster --enable-aad --aad-admin-group-object-ids <id> [--aad-tenant-id <id>]

A successful migration of an AKS-managed Azure AD cluster has the following section in the response body:

"AADProfile": {
  "adminGroupObjectIds": [
    "5d24****-****-****-****-****afa27aed"
  ],
  "clientAppId": null,
  "managed": true,
  "serverAppId": null,
  "serverAppSecret": null,
  "tenantId": "72f9****-****-****-****-****d011db47"
}

If you want to access the cluster, follow the steps here.
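The AADProfile section returned after creating, enabling, and upgrading the cluster is what tells you whether the managed integration actually took effect. The following Python script, added here as an example and not part of the Azure documentation or the Azure CLI, audits that section against an expected tenant and admin group set: it flags a profile that is still legacy (managed not true, or client/server app fields populated), an empty admin group list, unexpected or missing admin groups, and a tenant mismatch. The sample response and the IDs in it are constructed placeholders; the camelCased "aadProfile" key is the form emitted by `az aks show`.

```python
import json

# Constructed sample of the response body (placeholder IDs, not a real tenant or group).
SAMPLE_RESPONSE = """
{
  "name": "myManagedCluster",
  "aadProfile": {
    "adminGroupObjectIds": ["5d24aaaa-bbbb-cccc-dddd-eeeeafa27aed"],
    "clientAppId": null,
    "managed": true,
    "serverAppId": null,
    "serverAppSecret": null,
    "tenantId": "72f9aaaa-bbbb-cccc-dddd-eeeed011db47"
  }
}
"""
EXPECTED_TENANT = "72f9aaaa-bbbb-cccc-dddd-eeeed011db47"
EXPECTED_ADMIN_GROUPS = {"5d24aaaa-bbbb-cccc-dddd-eeeeafa27aed"}


def audit_aad_profile(response_json, expected_tenant, expected_admin_groups):
    """Return a list of findings; an empty list means the profile matches policy."""
    doc = json.loads(response_json)
    # The page shows the key as "AADProfile"; `az aks show` emits it as "aadProfile".
    profile = doc.get("aadProfile") or doc.get("AADProfile")
    if profile is None:
        return ["no AAD profile: Azure AD integration is not enabled on this cluster"]
    findings = []
    if profile.get("managed") is not True:
        findings.append("managed != true: cluster still uses legacy Azure AD integration")
    for legacy_key in ("clientAppId", "serverAppId", "serverAppSecret"):
        if profile.get(legacy_key) is not None:
            findings.append(f"{legacy_key} is set: legacy client/server app still referenced")
    groups = set(profile.get("adminGroupObjectIds") or [])
    if not groups:
        findings.append("adminGroupObjectIds is empty: no Azure AD group holds cluster admin")
    if groups - set(expected_admin_groups):
        findings.append(f"unexpected admin groups: {sorted(groups - set(expected_admin_groups))}")
    if set(expected_admin_groups) - groups:
        findings.append(f"expected admin groups missing: {sorted(set(expected_admin_groups) - groups)}")
    if profile.get("tenantId") != expected_tenant:
        findings.append(f"tenantId {profile.get('tenantId')!r} does not match the expected tenant")
    return findings


if __name__ == "__main__":
    for line in audit_aad_profile(SAMPLE_RESPONSE, EXPECTED_TENANT, EXPECTED_ADMIN_GROUPS) or ["OK"]:
        print(line)
```

Feed it the output of `az aks show -g <group> -n <cluster> -o json` to re-check the profile after any `az aks update`.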

Non-interactive sign-in with kubelogin

Some non-interactive scenarios, such as continuous integration pipelines, aren't currently available with kubectl. You can use kubelogin to access the cluster with a non-interactive service principal sign-in.

Next steps