Connect with RDP to Azure Kubernetes Service (AKS) cluster Windows Server nodes for maintenance or troubleshooting

Throughout the lifecycle of your Azure Kubernetes Service (AKS) cluster, you may need to access an AKS Windows Server node for maintenance, log collection, or other troubleshooting operations. You can access the AKS Windows Server nodes using RDP. Alternatively, if you want to use SSH to access the AKS Windows Server nodes and you have access to the same key pair that was used during cluster creation, you can follow the steps in SSH into Azure Kubernetes Service (AKS) cluster nodes. For security purposes, the AKS nodes are not exposed to the internet.

This article shows you how to create an RDP connection to an AKS node using its private IP address.

Before you begin

This article assumes that you have an existing AKS cluster with a Windows Server node. If you need an AKS cluster, see the article on creating an AKS cluster with a Windows container using the Azure CLI. You need the Windows administrator username and password for the Windows Server node you want to troubleshoot. You also need an RDP client such as Microsoft Remote Desktop.

You also need the Azure CLI version 2.0.61 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Deploy a virtual machine to the same subnet as your cluster

The Windows Server nodes of your AKS cluster don't have externally accessible IP addresses. To make an RDP connection, you can deploy a virtual machine with a publicly accessible IP address into the same subnet as your Windows Server nodes and use it as a jump host.

The following example creates a virtual machine named myVM in the myResourceGroup resource group.

First, get the subnet used by your Windows Server node pool. To get the subnet ID, you need the name of the subnet; to get the name of the subnet, you need the name of the VNet; and to get the VNet name, you query the cluster's node resource group for its list of networks. You can get all of these by running the following commands in the Azure CLI:

CLUSTER_RG=$(az aks show -g myResourceGroup -n myAKSCluster --query nodeResourceGroup -o tsv)
VNET_NAME=$(az network vnet list -g "$CLUSTER_RG" --query '[0].name' -o tsv)
SUBNET_NAME=$(az network vnet subnet list -g "$CLUSTER_RG" --vnet-name "$VNET_NAME" --query '[0].name' -o tsv)
SUBNET_ID=$(az network vnet subnet show -g "$CLUSTER_RG" --vnet-name "$VNET_NAME" --name "$SUBNET_NAME" --query id -o tsv)

Now that you have the SUBNET_ID, run the following command in the same Azure CLI console to create the VM. Replace the placeholder password with a strong one of your own, and note that by default az vm create also creates a network security group for the VM with a rule that allows RDP (TCP 3389) to its public IP address from any source:

az vm create \
    --resource-group myResourceGroup \
    --name myVM \
    --image win2019datacenter \
    --admin-username azureuser \
    --admin-password myP@ssw0rd12 \
    --subnet $SUBNET_ID \
    --query publicIpAddress -o tsv

The following example output shows that the VM has been created successfully and displays its public IP address.

13.62.204.18

Record the public IP address of the virtual machine. You will use this address in a later step. Because this address accepts password-based RDP logons from the internet, keep the VM's lifetime short and, where possible, restrict the source of its RDP rule to your own IP address.

Allow access to the virtual machine

AKS node pool subnets are protected with NSGs (network security groups) by default. To RDP from the virtual machine to the nodes, you have to allow that traffic in the NSG.

Note

The NSGs are controlled by the AKS service. Any change you make to the NSG can be overwritten at any time by the control plane, so do not rely on this rule persisting: re-create it if it disappears, and remove it yourself when you are done.

First, get the resource group and the name of the NSG to add the rule to:

CLUSTER_RG=$(az aks show -g myResourceGroup -n myAKSCluster --query nodeResourceGroup -o tsv)
NSG_NAME=$(az network nsg list -g "$CLUSTER_RG" --query '[].name' -o tsv)

Then, create the NSG rule. The rule below does not set --source-address-prefixes, so it allows TCP 3389 into the subnet from any source address; because the nodes have no public IP this is only reachable from the VNet and networks routed into it, but you can tighten it by adding --source-address-prefixes with the virtual machine's private IP address:

az network nsg rule create --name tempRDPAccess --resource-group "$CLUSTER_RG" --nsg-name "$NSG_NAME" --priority 100 --destination-port-range 3389 --protocol Tcp --description "Temporary RDP access to Windows nodes"

Get the node address

To manage a Kubernetes cluster, you use kubectl, the Kubernetes command-line client. To install kubectl locally, use the az aks install-cli command:

az aks install-cli

To configure kubectl to connect to your Kubernetes cluster, use the az aks get-credentials command. This command downloads credentials and configures the Kubernetes CLI to use them.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

List the internal IP addresses of the Windows Server nodes using the kubectl get command:

kubectl get nodes -o wide

The following example output shows the internal IP addresses of all the nodes in the cluster, including the Windows Server nodes.

$ kubectl get nodes -o wide
NAME                                STATUS   ROLES   AGE   VERSION   INTERNAL-IP   EXTERNAL-IP   OS-IMAGE                    KERNEL-VERSION      CONTAINER-RUNTIME
aks-nodepool1-42485177-vmss000000   Ready    agent   18h   v1.12.7   10.240.0.4    <none>        Ubuntu 16.04.6 LTS          4.15.0-1040-azure   docker://3.0.4
aksnpwin000000                      Ready    agent   13h   v1.12.7   10.240.0.67   <none>        Windows Server Datacenter   10.0.17763.437

Record the internal IP address of the Windows Server node you wish to troubleshoot. You will use this address in a later step.

Connect to the virtual machine and node

Connect to the public IP address of the virtual machine you created earlier using an RDP client such as Microsoft Remote Desktop.

Image of using an RDP client to connect to the virtual machine

After you've connected to your virtual machine, use an RDP client from within the virtual machine to connect to the internal IP address of the Windows Server node you want to troubleshoot.

Image of using an RDP client to connect to the Windows Server node

You are now connected to your Windows Server node.

Image of the cmd window in the Windows Server node

You can now run any troubleshooting commands in the cmd window. Since Windows Server nodes use Windows Server Core, there is no full GUI or other GUI tooling when you connect to a Windows Server node over RDP.

Remove RDP access

When done, exit the RDP connection to the Windows Server node, then exit the RDP session to the virtual machine. After you exit both RDP sessions, delete the virtual machine with the az vm delete command. Note that az vm delete removes only the VM itself; the NIC, public IP address, NSG and OS disk that az vm create made for it remain in the resource group and must be deleted separately:

az vm delete --resource-group myResourceGroup --name myVM

And the NSG rule:

CLUSTER_RG=$(az aks show -g myResourceGroup -n myAKSCluster --query nodeResourceGroup -o tsv)
NSG_NAME=$(az network nsg list -g "$CLUSTER_RG" --query '[].name' -o tsv)
az network nsg rule delete --resource-group "$CLUSTER_RG" --nsg-name "$NSG_NAME" --name tempRDPAccess
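The following script is an added example and is not part of the Azure documentation or the AKS tooling. It runs the whole procedure above (find the node subnet, create the jump VM, open the node-subnet NSG, fetch the Windows node addresses, and tear everything down) with two hardening changes: the node-subnet rule is pinned with --source-address-prefixes to the jump VM's private address and is only created after that address passes an RFC 1918 check, so the script can never push a rule whose source is "*", "Internet" or a public range; and the jump VM is created with --nsg-rule NONE and then opened to a single workstation address instead of the whole internet. The resource names (myResourceGroup, myAKSCluster, myVM, tempRDPAccess), the default VM NSG name myVMNSG, and the environment variables MY_IP and VM_ADMIN_PASSWORD are assumptions. The Azure CLI calls only run when RDP_RUN=1; the two helper functions and the constructed kubectl sample run offline.

```shell
#!/bin/sh
# Added example (not from the AKS documentation): jump-box RDP access to AKS
# Windows nodes with a source-restricted NSG rule and scripted cleanup.
# Assumed names: myResourceGroup, myAKSCluster, myVM, myVMNSG, tempRDPAccess.
# Usage:  RDP_RUN=1 MY_IP=<your public IP> VM_ADMIN_PASSWORD=... sh rdp-jump.sh
#         RDP_RUN=1 sh rdp-jump.sh cleanup
set -eu

RG="${RG:-myResourceGroup}"
CLUSTER="${CLUSTER:-myAKSCluster}"
VM_NAME="${VM_NAME:-myVM}"
RULE_NAME="tempRDPAccess"

# True only for a single RFC 1918 host address. "*", "Internet", CIDR ranges
# and public addresses are rejected, so the node-subnet rule can never be
# created wide open by mistake.
is_rfc1918_host() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    [ "$1" -eq 10 ] && return 0
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 0
    return 1
}

# Print the INTERNAL-IP (column 6) of every node whose OS-IMAGE (column 8)
# starts with "Windows", reading `kubectl get nodes -o wide` output on stdin.
windows_node_ips() {
    awk '$8 == "Windows" { print $6 }'
}

# Constructed sample of `kubectl get nodes -o wide` output for offline testing.
SAMPLE_NODES='NAME STATUS ROLES AGE VERSION INTERNAL-IP EXTERNAL-IP OS-IMAGE KERNEL-VERSION CONTAINER-RUNTIME
aks-nodepool1-42485177-vmss000000 Ready agent 18h v1.12.7 10.240.0.4 <none> Ubuntu 16.04.6 LTS 4.15.0-1040-azure docker://3.0.4
aksnpwin000000 Ready agent 13h v1.12.7 10.240.0.67 <none> Windows Server Datacenter 10.0.17763.437'

# Allow TCP/3389 into the node subnet from exactly one source address.
create_node_rule() {
    az network nsg rule create --resource-group "$1" --nsg-name "$2" \
        --name "$RULE_NAME" --priority 100 --direction Inbound --access Allow \
        --protocol Tcp --destination-port-ranges 3389 \
        --source-address-prefixes "$3" \
        --description "Temporary RDP access to Windows nodes from the jump VM"
}

main() {
    : "${MY_IP:?set MY_IP to the public address you will RDP from}"
    : "${VM_ADMIN_PASSWORD:?export VM_ADMIN_PASSWORD instead of typing it on the command line}"
    cluster_rg=$(az aks show -g "$RG" -n "$CLUSTER" --query nodeResourceGroup -o tsv)
    vnet=$(az network vnet list -g "$cluster_rg" --query '[0].name' -o tsv)
    subnet_id=$(az network vnet subnet list -g "$cluster_rg" --vnet-name "$vnet" --query '[0].id' -o tsv)
    nsg=$(az network nsg list -g "$cluster_rg" --query '[0].name' -o tsv)

    # --nsg-rule NONE stops az from opening 3389 to the whole internet on the
    # VM's own NSG (named <vm>NSG by default; assumed here). Open it to MY_IP only.
    public_ip=$(az vm create -g "$RG" -n "$VM_NAME" --image win2019datacenter \
        --admin-username azureuser --admin-password "$VM_ADMIN_PASSWORD" \
        --subnet "$subnet_id" --nsg-rule NONE --query publicIpAddress -o tsv)
    az network nsg rule create -g "$RG" --nsg-name "${VM_NAME}NSG" --name allowMyRdp \
        --priority 100 --direction Inbound --access Allow --protocol Tcp \
        --destination-port-ranges 3389 --source-address-prefixes "$MY_IP" >/dev/null

    private_ip=$(az vm show -d -g "$RG" -n "$VM_NAME" --query privateIps -o tsv)
    is_rfc1918_host "$private_ip" || { echo "refusing to use source '$private_ip'" >&2; exit 1; }
    create_node_rule "$cluster_rg" "$nsg" "$private_ip" >/dev/null

    az aks get-credentials -g "$RG" -n "$CLUSTER" --overwrite-existing
    echo "RDP to the jump VM at $public_ip, then from it to a Windows node at:"
    kubectl get nodes -o wide | windows_node_ips
}

# Remove the node-subnet rule and the VM. az vm delete leaves the NIC, public
# IP, the VM's NSG and the OS disk behind; delete those from the portal or CLI.
cleanup() {
    cluster_rg=$(az aks show -g "$RG" -n "$CLUSTER" --query nodeResourceGroup -o tsv)
    nsg=$(az network nsg list -g "$cluster_rg" --query '[0].name' -o tsv)
    az network nsg rule delete -g "$cluster_rg" --nsg-name "$nsg" --name "$RULE_NAME"
    az vm delete -g "$RG" -n "$VM_NAME" --yes
}

if [ "${RDP_RUN:-0}" = 1 ]; then
    if [ "${1:-}" = cleanup ]; then cleanup; else main; fi
fi
```

The check in is_rfc1918_host is deliberately strict: it accepts one host address and nothing else, because the node-subnet NSG is shared by every node and a permissive source on this rule would expose RDP on all of them to anything that can route into the VNet. Remember that AKS may overwrite the node-subnet NSG at any time, so treat the rule as temporary and run the cleanup as soon as the session is over.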

Next steps

If you need additional troubleshooting data, you can view the Kubernetes master node logs or Azure Monitor.