Update or rotate the credentials for Azure Kubernetes Service (AKS)

By default, AKS clusters are created with a service principal that has a one-year expiration time. As you near the expiration date, you can reset the credentials to extend the service principal for an additional period of time. You may also want to update, or rotate, the credentials as part of a defined security policy. This article details how to update these credentials for an AKS cluster.

You may also have integrated your AKS cluster with Azure Active Directory and use it as an authentication provider for your cluster. In that case, two more identities exist for your cluster, the AAD Server App and the AAD Client App, and you may also reset those credentials.

Alternatively, you can use a managed identity for permissions instead of a service principal. Managed identities are easier to manage than service principals and do not require updates or rotations. For more information, see Use managed identities.

Before you begin

You need the Azure CLI version 2.0.65 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Update or create a new service principal for your AKS cluster

When you want to update the credentials for an AKS cluster, you can choose to either:

  • Update the credentials for the existing service principal.
  • Create a new service principal and update the cluster to use these new credentials.

Warning: If you choose to create a new service principal, updating a large AKS cluster to use these credentials may take a long time to complete.

Check the expiration date of your service principal

To check the expiration date of your service principal, use the az ad sp credential list command. The following example gets the service principal ID for the cluster named myAKSCluster in the myResourceGroup resource group using the az aks show command. The service principal ID is set as a variable named SP_ID for use with the az ad sp credential list command. A service principal can carry more than one password credential, so the command may print several end dates; the soonest one is the date to plan around.

SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster \
    --query servicePrincipalProfile.clientId -o tsv)
az ad sp credential list --id $SP_ID --query "[].endDate" -o tsv

Reset the existing service principal credential

To update the credentials for the existing service principal, get the service principal ID of your cluster using the az aks show command. The following example gets the ID for the cluster named myAKSCluster in the myResourceGroup resource group. The service principal ID is set as a variable named SP_ID for use in the following commands. These commands use Bash syntax.

SP_ID=$(az aks show --resource-group myResourceGroup --name myAKSCluster \
    --query servicePrincipalProfile.clientId -o tsv)

With a variable set that contains the service principal ID, now reset the credentials using az ad sp credential reset. The following example lets the Azure platform generate a new secret for the service principal. This new secret is also stored as a variable rather than printed, which keeps it out of your terminal scrollback.

SP_SECRET=$(az ad sp credential reset --name $SP_ID --query password -o tsv)

Now continue on to Update AKS cluster with new service principal credentials. This step is necessary for the service principal changes to take effect on the AKS cluster: the reset replaces the old secret, so until the cluster has been updated it still holds a secret that is no longer valid.

Create a new service principal

If you chose to update the existing service principal credentials in the previous section, skip this step. Continue to Update AKS cluster with new service principal credentials.

To create a service principal and then update the AKS cluster to use these new credentials, use the az ad sp create-for-rbac command. In the following example, the --skip-assignment parameter prevents the default role assignment from being created for the new service principal. The new service principal therefore starts with no permissions of its own; grant it the role assignments the cluster's previous service principal held (for example on a container registry or virtual network the cluster uses) before switching the cluster to it:

az ad sp create-for-rbac --skip-assignment

The output is similar to the following example. Make a note of your own appId and password. These values are used in the next step.

{
  "appId": "7d837646-b1f3-443d-874c-fd83c7c739c5",
  "name": "7d837646-b1f3-443d-874c-fd83c7c739c",
  "password": "a5ce83c9-9186-426d-9183-614597c7f2f7",
  "tenant": "a4342dc8-cd0e-4742-a467-3129c469d0e5"
}

Now define variables for the service principal ID and client secret using the output from your own az ad sp create-for-rbac command, as shown in the following example. The SP_ID is your appId, and the SP_SECRET is your password:

SP_ID=7d837646-b1f3-443d-874c-fd83c7c739c5
SP_SECRET=a5ce83c9-9186-426d-9183-614597c7f2f7

Now continue on to Update AKS cluster with new service principal credentials. This step is necessary for the service principal changes to take effect on the AKS cluster.

Update AKS cluster with new service principal credentials

Important

For large clusters, updating the AKS cluster with a new service principal may take a long time to complete.

Regardless of whether you chose to update the credentials for the existing service principal or to create a new service principal, you now update the AKS cluster with the new credentials using the az aks update-credentials command. The SP_ID and SP_SECRET variables supply the --service-principal and --client-secret parameters:

az aks update-credentials \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --reset-service-principal \
    --service-principal $SP_ID \
    --client-secret "$SP_SECRET"

For small and medium size clusters, it takes a few moments for the service principal credentials to be updated in AKS.
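The steps above (check the end date, reset or create the service principal, push the new secret to the cluster) are easy to run by hand but also easy to leave half done. The following script, added here as an example and not part of the Azure documentation or the Azure CLI, ties them together: it computes how many days remain on each credential, rotates only when one is within a threshold, and performs either the reset path or the new-service-principal path from this page. The helper names (days_until, needs_rotation, rotate_sp), the ROTATE_BEFORE_DAYS threshold and the reliance on GNU date -d are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Azure docs page or the Azure CLI project:
# decide whether an AKS service principal credential is due for rotation and,
# if so, run the reset-and-update sequence described on this page.
# Assumptions: GNU coreutils `date -d`, and the helper names and
# ROTATE_BEFORE_DAYS threshold below are this example's own.
set -eu

# Rotate when any credential expires within this many days (assumed default).
ROTATE_BEFORE_DAYS="${ROTATE_BEFORE_DAYS:-30}"

# days_until END [TODAY]: whole days from TODAY (YYYY-MM-DD, default: the
# current UTC date) until the date part of END. END is an endDate value as
# printed by `az ad sp credential list`, e.g. 2021-05-26T17:48:46.091000+00:00.
# Only the YYYY-MM-DD part is parsed, which sidesteps fractional-second and
# time-zone parsing differences between coreutils releases. A negative result
# means the credential has already expired.
days_until() {
  end_day="${1%%T*}"
  today="${2:-$(date -u +%Y-%m-%d)}"
  end_s=$(date -u -d "$end_day" +%s)
  today_s=$(date -u -d "$today" +%s)
  printf '%s\n' $(( (end_s - today_s) / 86400 ))
}

# needs_rotation END_DATES [TODAY]: succeed (exit 0) when at least one of the
# whitespace-separated END_DATES is within ROTATE_BEFORE_DAYS of TODAY or is
# already past; fail (exit 1) otherwise. A service principal can carry several
# password credentials, so the soonest-expiring one is what counts.
needs_rotation() {
  dates="$1"
  ref="${2:-}"
  due=1
  for d in $dates; do            # unquoted on purpose: split on whitespace
    if [ "$(days_until "$d" "$ref")" -le "$ROTATE_BEFORE_DAYS" ]; then
      due=0
    fi
  done
  return $due
}

# rotate_sp RG CLUSTER [MODE]: the procedure from this page. MODE "reset"
# (default) resets the secret of the SP the cluster already uses; MODE "new"
# creates a fresh SP. This function calls az, so it only runs when invoked.
rotate_sp() {
  rg="$1"; cluster="$2"; mode="${3:-reset}"
  case "$mode" in
    reset)
      sp_id=$(az aks show --resource-group "$rg" --name "$cluster" \
        --query servicePrincipalProfile.clientId -o tsv)
      # The reset replaces the old secret, so the update below must follow
      # promptly; until then the cluster holds a secret that no longer works.
      sp_secret=$(az ad sp credential reset --name "$sp_id" --query password -o tsv)
      ;;
    new)
      # No default role assignment: re-grant whatever roles the old SP held
      # (container registry, virtual network, ...) before relying on this SP.
      set -- $(az ad sp create-for-rbac --skip-assignment \
        --query "[appId,password]" -o tsv)
      sp_id="$1"; sp_secret="$2"
      ;;
    *)
      echo "unknown mode: $mode (use reset or new)" >&2
      return 2
      ;;
  esac
  az aks update-credentials --resource-group "$rg" --name "$cluster" \
    --reset-service-principal --service-principal "$sp_id" \
    --client-secret "$sp_secret"
}

# Usage: ./rotate-aks-sp.sh myResourceGroup myAKSCluster [reset|new]
main() {
  rg="$1"; cluster="$2"; mode="${3:-reset}"
  sp_id=$(az aks show --resource-group "$rg" --name "$cluster" \
    --query servicePrincipalProfile.clientId -o tsv)
  end_dates=$(az ad sp credential list --id "$sp_id" --query "[].endDate" -o tsv)
  if needs_rotation "$end_dates"; then
    rotate_sp "$rg" "$cluster" "$mode"
  else
    echo "no credential on $sp_id expires within $ROTATE_BEFORE_DAYS days"
  fi
}

# Only act when a resource group and cluster name were given, so sourcing the
# file for its helper functions has no side effects.
if [ $# -ge 2 ]; then
  main "$@"
fi
```

The date arithmetic deliberately ignores the time of day and rounds toward zero, so a credential expiring later today reports 0 days and is treated as due. The secret never touches the terminal or a file: it lives only in a shell variable for the few seconds between the reset and the az aks update-credentials call.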

Update AKS cluster with new AAD application credentials

You may create new AAD server and client applications by following the AAD integration steps, or reset your existing AAD applications using the same method as for the service principal reset. After that, update the cluster's AAD application credentials with the same az aks update-credentials command, this time with the --reset-aad parameter:

az aks update-credentials \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --reset-aad \
    --aad-server-app-id <SERVER APPLICATION ID> \
    --aad-server-app-secret <SERVER APPLICATION SECRET> \
    --aad-client-app-id <CLIENT APPLICATION ID>

Next steps

In this article, the service principal for the AKS cluster itself and the AAD integration applications were updated. For more information on how to manage identity for workloads within a cluster, see Best practices for authentication and authorization in AKS.