Tutorial: Deploy an Azure Kubernetes Service (AKS) cluster

Kubernetes provides a distributed platform for containerized applications. With AKS, you can quickly create a production-ready Kubernetes cluster. In this tutorial, part three of seven, a Kubernetes cluster is deployed in AKS. You learn how to:

  • Deploy a Kubernetes AKS cluster that can authenticate to an Azure container registry
  • Install the Kubernetes CLI (kubectl)
  • Configure kubectl to connect to your AKS cluster

In additional tutorials, the Azure Vote application is deployed to the cluster, scaled, and updated.

Before you begin

In previous tutorials, a container image was created and uploaded to an Azure Container Registry instance. If you haven't done these steps, and would like to follow along, start at Tutorial 1 - Create container images.

This tutorial requires that you're running the Azure CLI version 2.0.53 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Create a Kubernetes cluster

AKS clusters can use Kubernetes role-based access control (RBAC). These controls let you define access to resources based on roles assigned to users. Permissions are combined if a user is assigned multiple roles, and permissions can be scoped to either a single namespace or across the whole cluster. By default, the Azure CLI automatically enables RBAC when you create an AKS cluster.
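The namespace scoping described above, as an added example that is not part of the original tutorial: a Role and RoleBinding that give one user read-only access to pods in a single namespace, followed by impersonation checks with kubectl auth can-i. The namespace dev, the user dev-reader@example.com and the function names are assumptions.

```shell
# Added example: namespace-scoped, read-only access for one user.
# Assumed names (not from the tutorial): namespace "dev", user "dev-reader@example.com".

render_pod_reader() {
    # Usage: render_pod_reader <namespace> <user>
    # Emits a Role (what is allowed) and a RoleBinding (who gets it).
    # Both objects are namespaced, so nothing is granted outside <namespace>.
    local ns="$1" user="$2"
    cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${ns}
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${ns}
  name: pod-reader-binding
subjects:
- kind: User
  name: ${user}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

check_scope() {
    # Impersonate the user to see where the grant stops. Needs a live cluster.
    local ns="$1" user="$2"
    kubectl auth can-i list pods   --namespace "$ns"   --as "$user"  # read verb in the Role
    kubectl auth can-i delete pods --namespace "$ns"   --as "$user"  # write verb, not in the Role
    kubectl auth can-i list pods   --namespace default --as "$user"  # other namespace, no binding
    kubectl auth can-i list nodes  --as "$user"                      # cluster-scoped resource
}

# With a kubectl context that may create RBAC objects:
#   render_pod_reader dev dev-reader@example.com | kubectl apply -f -
#   check_scope dev dev-reader@example.com
```

Because permissions are additive, a second binding for the same user (for example a ClusterRoleBinding) would widen these results, so run the checks again after any binding change.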

Create an AKS cluster using az aks create. The following example creates a cluster named myAKSCluster in the resource group named myResourceGroup. This resource group was created in the previous tutorial in the chinaeast2 region. The following example does not specify a region, so the AKS cluster is also created in the chinaeast2 region. See Quotas, virtual machine size restrictions, and region availability in Azure Kubernetes Service (AKS) for more information about resource limits and region availability for AKS.

To allow an AKS cluster to interact with other Azure resources, an Azure Active Directory service principal is automatically created, since you did not specify one. Here, this service principal is granted the right to pull images from the Azure Container Registry (ACR) instance you created in the previous tutorial.

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --node-count 2 \
    --generate-ssh-keys \
    --attach-acr <acrName>

You can also manually configure a service principal to pull images from ACR. For more information, see ACR authentication with service principals or Authenticate from Kubernetes with a pull secret.

After a few minutes, the deployment completes, and returns JSON-formatted information about the AKS deployment.

Note

To ensure your cluster operates reliably, you should run at least 2 (two) nodes.

Install the Kubernetes CLI

To connect to the Kubernetes cluster from your local computer, you use kubectl, the Kubernetes command-line client.

If you use the Azure local Shell, you can also install it locally using the az aks install-cli command:

az aks install-cli --install-location <kubectl-download-path>

Note

The original az aks install-cli command does not work on Azure China; follow the detailed steps here.

  • There is a PR, add "az aks install-cli" support for Azure China, to fix this issue. The following command starts a containerized azure-cli (dockerhub.azk8s.cn/andyzhangx/azure-cli:v2.0.60-china) to download the latest kubectl version to /usr/local/bin/ on Linux:

    # docker run -v ${HOME}:/root -v /usr/local/bin/:/kube -it dockerhub.azk8s.cn/andyzhangx/azure-cli:v2.0.60-china
    root@09feb993f352:/# az cloud set --name AzureChinaCloud
    root@09feb993f352:/# az aks install-cli --install-location /kube/kubectl
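
Because the kubectl binary above is written to /usr/local/bin by a container image pulled from a mirror, compare it with a digest obtained independently before using it. The following is an added example, not part of the original tutorial; the function names are hypothetical, and the expected digest is assumed to come from the kubectl.sha256 file published with the matching Kubernetes release.

```shell
# Added example: integrity checks for a kubectl binary written by a container.
# The expected digest must come from a source independent of the mirror
# (assumption: the kubectl.sha256 file published with the Kubernetes release).

sha256_of() {
    # Print the lowercase hex SHA-256 of a file using whichever tool exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_kubectl() {
    # Usage: verify_kubectl <path-to-kubectl> <expected-sha256-hex>
    # Returns 0 = match, 1 = digest mismatch or unsafe mode, 2 = bad input.
    local file expected actual
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    case "$expected" in
        *[!0-9a-f]*|"") echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest is not 64 hex chars" >&2; return 2; }

    # A binary on PATH must not be writable by group or others (GNU find syntax).
    if [ -n "$(find "$file" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
        echo "refusing $file: group/world-writable" >&2; return 1
    fi

    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2; return 1
    fi
    echo "OK $file $actual"
}

# Stand-alone use: ./verify-kubectl.sh /usr/local/bin/kubectl <expected-digest>
if [ "$#" -eq 2 ]; then
    verify_kubectl "$1" "$2"
fi
```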
    

Connect to cluster using kubectl

To configure kubectl to connect to your Kubernetes cluster, use the az aks get-credentials command. The following example gets credentials for the AKS cluster named myAKSCluster in the myResourceGroup resource group:

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

To verify the connection to your cluster, run the kubectl get nodes command to return a list of the cluster nodes:

$ kubectl get nodes

NAME                       STATUS   ROLES   AGE   VERSION
aks-nodepool1-12345678-0   Ready    agent   32m   v1.14.8

Next steps

In this tutorial, a Kubernetes cluster was deployed in AKS, and you configured kubectl to connect to it. You learned how to:

  • Deploy a Kubernetes AKS cluster that can authenticate to an Azure container registry
  • Install the Kubernetes CLI (kubectl)
  • Configure kubectl to connect to your AKS cluster

Advance to the next tutorial to learn how to deploy an application to the cluster.