有关 Azure Kubernetes 服务 (AKS) 中的身份验证和授权的最佳做法Best practices for authentication and authorization in Azure Kubernetes Service (AKS)

在 Azure Kubernetes 服务 (AKS) 中部署和维护群集时,实现相应的方法来管理对资源和服务的访问。As you deploy and maintain clusters in Azure Kubernetes Service (AKS), you implement ways to manage access to resources and services. 没有这些控件:Without these controls:

  • 帐户可以访问不必要的资源和服务。Accounts could have access to unnecessary resources and services.
  • 可能难以跟踪用于做出更改的凭据集。Tracking which set of credentials were used to make changes could be difficult.

本最佳做法文章重点介绍群集操作员如何管理 AKS 群集的访问和标识。This best practices article focuses on how a cluster operator can manage access and identity for AKS clusters. 在本文中,学习如何:In this article, you learn how to:

  • 使用 Azure Active Directory 对 AKS 群集用户进行身份验证。Authenticate AKS cluster users with Azure Active Directory.
  • 使用 Kubernetes 基于角色的访问控制 (Kubernetes RBAC) 控制对资源的访问权限。Control access to resources with Kubernetes role-based access control (Kubernetes RBAC).
  • 使用 Azure RBAC 可以精细地控制对 AKS 资源、大规模 Kubernetes API 和 kubeconfig 的访问权限。Use Azure RBAC to granularly control access to the AKS resource, the Kubernetes API at scale, and the kubeconfig.
  • 使用托管标识在其他服务中对 Pod 本身进行身份验证。Use a managed identity to authenticate pods themselves with other services.

使用 Azure Active Directory (Azure AD)Use Azure Active Directory (Azure AD)

最佳实践指南Best practice guidance

使用 Azure AD 集成部署 AKS 群集。Deploy AKS clusters with Azure AD integration. 使用 Azure AD 可以集中化标识管理组件。Using Azure AD centralizes the identity management component. 访问 AKS 群集时,用户帐户或组状态的任何更改会自动更新。Any change in user account or group status is automatically updated in access to the AKS cluster. 使用角色、群集角色或绑定将用户或组的范围限制为最小权限。Scope users or groups to the minimum permissions amount using Roles, ClusterRoles, or Bindings.

Kubernetes 群集开发人员和应用程序所有者需要访问不同的资源。Your Kubernetes cluster developers and application owners need access to different resources. Kubernetes 缺少用于控制用户可与之交互的资源的标识管理解决方案。Kubernetes lacks an identity management solution for you to control the resources with which users can interact. 通常,你会将群集与现有的标识解决方案相集成。Instead, you typically integrate your cluster with an existing identity solution. 输入 Azure AD:与 AKS 群集集成的企业就绪标识管理解决方案。Enter Azure AD: an enterprise-ready identity management solution that integrates with AKS clusters.

使用 AKS 中与 Azure AD 集成的群集,创建用于定义对资源的访问权限的角色或群集角色 。With Azure AD-integrated clusters in AKS, you create Roles or ClusterRoles defining access permissions to resources. 然后,从 Azure AD 将角色绑定到用户或组。You then bind the roles to users or groups from Azure AD. 下一部分中详细了解这些 Kubernetes RBAC。Learn more about these Kubernetes RBAC in the next section. 下图显示了 Azure AD 集成以及如何控制对资源的访问:Azure AD integration and how you control access to resources can be seen in the following diagram:

与 AKS 集成的 Azure Active Directory 的群集级身份验证

  1. 开发人员在 Azure AD 中进行验证身份。Developer authenticates with Azure AD.
  2. Azure AD 令牌颁发终结点颁发访问令牌。The Azure AD token issuance endpoint issues the access token.
  3. 开发人员使用 Azure AD 令牌执行操作,例如 kubectl create podThe developer performs an action using the Azure AD token, such as kubectl create pod.
  4. Kubernetes 使用 Azure AD 验证令牌,并提取开发人员的组成员身份。Kubernetes validates the token with Azure AD and fetches the developer's group memberships.
  5. Kubernetes RBAC 和群集策略已应用。Kubernetes RBAC and cluster policies are applied.
  6. 开发人员的请求成功基于前面的 Azure AD 组成员身份和 Kubernetes RBAC 验证以及策略。Developer's request is successful based on previous validation of Azure AD group membership and Kubernetes RBAC and policies.

若要创建使用 Azure AD 的 AKS 群集,请参阅将 Azure Active Directory 与 AKS 集成To create an AKS cluster that uses Azure AD, see Integrate Azure Active Directory with AKS.

使用 Kubernetes 基于角色的访问控制 (Kubernetes RBAC)Use Kubernetes role-based access control (Kubernetes RBAC)

最佳实践指南Best practice guidance

使用 Kubernetes RBAC 定义群集资源的用户或组权限。Define user or group permissions to cluster resources with Kubernetes RBAC. 创建角色和绑定,用于分配所需的最少量权限。Create roles and bindings that assign the least amount of permissions required. 与 Azure AD 集成以自动更新任何用户状态或组成员身份更改,并保持对当前群集资源的访问。Integrate with Azure AD to automatically update any user status or group membership change and keep access to cluster resources current.

在 Kubernetes 中,提供对群集资源的精细访问控制。In Kubernetes, you provide granular access control to cluster resources. 可以在群集级别或特定命名空间定义权限。You define permissions at the cluster level, or to specific namespaces. 确定可以管理的资源和具有的权限。You determine what resources can be managed and with what permissions. 然后,通过绑定将这些角色应用于用户或组。You then apply these roles to users or groups with a binding. 有关角色、群集角色和绑定的详细信息,请参阅 Azure Kubernetes 服务 (AKS) 的访问和标识选项For more information about Roles, ClusterRoles, and Bindings, see Access and identity options for Azure Kubernetes Service (AKS).

例如,创建一个角色并为其授予对名为 finance-app 的命名空间中的资源的完全访问权限,如以下示例 YAML 清单中所示:As an example, you create a role with full access to resources in the namespace named finance-app, as shown in the following example YAML manifest:

kind: Role
apiVersion: rbac.authorization.k8s.io/v1
  name: finance-app-full-access-role
  namespace: finance-app
- apiGroups: [""]
  resources: ["*"]
  verbs: ["*"]

然后,创建 RoleBinding 并将 Azure AD 用户 developer1 @ contoso.com 绑定到 RoleBinding,如以下 YAML 清单所示:You then create a RoleBinding and bind the Azure AD user developer1@contoso.com to the RoleBinding, as shown in the following YAML manifest:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
  name: finance-app-full-access-role-binding
  namespace: finance-app
- kind: User
  name: developer1@contoso.com
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: finance-app-full-access-role
  apiGroup: rbac.authorization.k8s.io

developer1@contoso.com 通过 AKS 群集进行身份验证后,便对 finance-app 命名空间中的资源拥有了完全权限。When developer1@contoso.com is authenticated against the AKS cluster, they have full permissions to resources in the finance-app namespace. 这样,即可以逻辑方式隔离和控制对资源的访问权限。In this way, you logically separate and control access to resources. 结合使用 Kubernetes RBAC 和 Azure AD 集成。Use Kubernetes RBAC in conjunction with Azure AD-integration.

若要了解如何使用 Azure AD 组通过 Kubernetes RBAC 来控制对 Kubernetes 资源的访问,请参阅在 AKS 中使用基于角色的访问控制和 Azure Active Directory 标识来控制对群集资源的访问To see how to use Azure AD groups to control access to Kubernetes resources using Kubernetes RBAC, see Control access to cluster resources using role-based access control and Azure Active Directory identities in AKS.

使用 Azure RBACUse Azure RBAC

最佳实践指南Best practice guidance

使用 Azure RBAC 定义一个或多个订阅中对 AKS 资源的最低要求用户和组权限。Use Azure RBAC to define the minimum required user and group permissions to AKS resources in one or more subscriptions.

完全操作 AKS 群集需要两个级别的访问权限:There are two levels of access needed to fully operate an AKS cluster:

  1. 访问 Azure 订阅上的 AKS 资源。Access the AKS resource on your Azure subscription.

    此访问级别允许:This access level allows you to:

    • 使用 AKS API 控制缩放或升级群集Control scaling or upgrading your cluster using the AKS APIs
    • 请求 kubeconfigPull your kubeconfig.

    要了解如何控制对 AKS 资源和 kubeconfig 的访问权限,请参阅限制对群集配置文件的访问To see how to control access to the AKS resource and the kubeconfig, see Limit access to cluster configuration file.

  2. 访问 Kubernetes API。Access to the Kubernetes API.

    此访问级别由以下任一方式控制:This access level is controlled either by:

后续步骤Next steps

本最佳做法文章重点介绍了群集和资源的身份验证与授权。This best practices article focused on authentication and authorization for your cluster and resources. 若要实施其中的某些最佳做法,请参阅以下文章:To implement some of these best practices, see the following articles:

有关 AKS 中的群集操作的详细信息,请参阅以下最佳做法:For more information about cluster operations in AKS, see the following best practices: