Use managed identities in Azure Kubernetes Service

Currently, an Azure Kubernetes Service (AKS) cluster (specifically, the Kubernetes cloud provider) requires an identity to create additional resources such as load balancers and managed disks in Azure. This identity can be either a managed identity or a service principal. If you use a service principal, you must either provide one or let AKS create one on your behalf. If you use a managed identity, AKS creates it for you automatically. Clusters that use service principals eventually reach a state in which the service principal must be renewed to keep the cluster working. Managing service principals adds complexity, which is why managed identities are easier to use instead. The same permission requirements apply to both service principals and managed identities.

Managed identities are essentially a wrapper around service principals that makes their management simpler. Credential rotation for a managed identity happens automatically every 46 days, according to the Azure Active Directory default. AKS uses both system-assigned and user-assigned managed identity types. These identities are currently immutable. To learn more, read about managed identities for Azure resources.

Before you begin

You must have the following resource installed:

  • The Azure CLI, version 2.15.1 or later

Limitations

  • AKS clusters with managed identities can be enabled only during creation of the cluster on Azure China Cloud.

  • During cluster upgrade operations, the managed identity is temporarily unavailable.

  • Moving or migrating a managed-identity-enabled cluster between tenants isn't supported.

  • If the cluster has aad-pod-identity enabled, Node Managed Identity (NMI) pods modify the nodes' iptables to intercept calls to the Azure Instance Metadata endpoint. This configuration means any request made to the Metadata endpoint is intercepted by NMI, even if the pod doesn't use aad-pod-identity. The AzurePodIdentityException CRD can be configured to inform aad-pod-identity that any requests to the Metadata endpoint originating from a pod that matches the labels defined in the CRD should be proxied without any processing in NMI. The system pods with the kubernetes.azure.com/managedby: aks label in the kube-system namespace should be excluded in aad-pod-identity by configuring the AzurePodIdentityException CRD. For more information, see Disable aad-pod-identity for a specific pod or application. To configure an exception, install the mic-exception YAML.
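
The exception described in the last limitation above, as an added example that is not part of the original page or of the aad-pod-identity project: a POSIX shell snippet that lists which kube-system pods carry the kubernetes.azure.com/managedby=aks label (and therefore must be covered by the exception) from a constructed `kubectl get pods --show-labels` listing, and emits the matching AzurePodIdentityException manifest. The pod names, the listing itself and the exception object's name are constructed assumptions; the apiVersion and kind are those of the aad-pod-identity CRD.

```shell
# Constructed sample of `kubectl get pods -n kube-system --show-labels --no-headers`
# (not real cluster output): name, ready, status, restarts, age, labels.
SAMPLE_PODS='coredns-abc        1/1  Running  0  5d  k8s-app=kube-dns,kubernetes.azure.com/managedby=aks
metrics-server-def 1/1  Running  0  5d  k8s-app=metrics-server,kubernetes.azure.com/managedby=aks
my-app-xyz         1/1  Running  0  1d  app=my-app
busybox-nolabel    1/1  Running  0  1h  <none>'

# Print the names of pods carrying the AKS system label. These are the pods whose
# metadata-endpoint traffic must bypass NMI, so the exception has to cover them.
# The labels column is the last field; wrapping it in commas gives exact matching.
aks_managed_pods() {
  printf '%s\n' "$1" | awk 'index("," $NF ",", ",kubernetes.azure.com/managedby=aks,") > 0 { print $1 }'
}

# Number of pods that the exception will cover.
aks_managed_pod_count() {
  aks_managed_pods "$1" | wc -l | tr -d ' '
}

# Emit the AzurePodIdentityException manifest that tells aad-pod-identity to proxy
# metadata requests from pods with this label without NMI processing.
# The object name (first argument, defaulted) is an assumption.
mic_exception_manifest() {
  cat <<EOF
apiVersion: aadpodidentity.k8s.io/v1
kind: AzurePodIdentityException
metadata:
  name: ${1:-aks-system-pods-exception}
  namespace: kube-system
spec:
  podLabels:
    kubernetes.azure.com/managedby: aks
EOF
}

# Offline usage: show the covered pods, then review the manifest before applying it.
echo "Pods covered by the exception:"
aks_managed_pods "$SAMPLE_PODS"
mic_exception_manifest
# On a real cluster: mic_exception_manifest | kubectl apply -f -
```

Before applying the manifest, compare the listed pods with the `kubectl get pods -n kube-system --show-labels` output of the real cluster; any AKS system pod that is missing the label is not covered and will still have its metadata requests intercepted by NMI.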

Summary of managed identities

AKS uses several managed identities for built-in services and add-ons.

| Identity | Name | Use case | Default permissions |
| --- | --- | --- | --- |
| Control plane | not visible | Used by AKS control plane components to manage cluster resources, including ingress load balancers and AKS-managed public IPs, and Cluster Autoscaler operations | Contributor role for the node resource group |
| Kubelet | AKS Cluster Name-agentpool | Authentication with Azure Container Registry (ACR) | NA (for Kubernetes v1.15+) |
| Add-on | AzureNPM | No identity required | NA |
| Add-on | AzureCNI network monitoring | No identity required | NA |
| Add-on | azurepolicy (gatekeeper) | No identity required | NA |
| Add-on | azurepolicy | No identity required | NA |
| Add-on | Calico | No identity required | NA |
| Add-on | Dashboard | No identity required | NA |
| Add-on | HTTPApplicationRouting | Manages required network resources | Reader role for the node resource group, Contributor role for the DNS zone |
| Add-on | Ingress application gateway | Manages required network resources | Contributor role for the node resource group |
| Add-on | omsagent | Used to send AKS metrics to Azure Monitor | Monitoring Metrics Publisher role |
| Add-on | Virtual-Node (ACIConnector) | Manages required network resources for Azure Container Instances (ACI) | Contributor role for the node resource group |
| OSS project | aad-pod-identity | Enables applications to access cloud resources securely with Azure Active Directory (AAD) | NA |

Create an AKS cluster with managed identities

You can now create an AKS cluster with managed identities by using the following CLI commands.

First, create an Azure resource group:

# Create an Azure resource group
az group create --name myResourceGroup --location chinaeast2

Then, create an AKS cluster:

az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity

A successful cluster creation using managed identities contains this service principal profile information:

"servicePrincipalProfile": {
  "clientId": "msi"
}

Use the following command to query the objectId of your control plane managed identity:

az aks show -g myResourceGroup -n myManagedCluster --query "identity"

The result should look like:

{
  "principalId": "<object_id>",
  "tenantId": "<tenant_id>",
  "type": "SystemAssigned"
}

Once the cluster is created, you can deploy your application workloads to the new cluster and interact with it just as you've done with service-principal-based AKS clusters.

Note

To create and use your own VNet, static IP address, or attached Azure disk where the resources are outside of the worker node resource group, use the PrincipalID of the cluster's system-assigned managed identity to perform a role assignment. For more information on role assignment, see Delegate access to other Azure resources.

Permission grants to the cluster managed identity used by the Azure cloud provider may take up to 60 minutes to populate.

Finally, get credentials to access the cluster:

az aks get-credentials --resource-group myResourceGroup --name myManagedCluster
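
The procedure above, from verifying that the cluster was created with a managed identity through the role assignment mentioned in the note, as an added example that is not part of the original page or of the Azure CLI: a POSIX shell snippet that reads the principalId and identity type from the `az aks show --query "identity"` output, confirms that `servicePrincipalProfile.clientId` is `msi`, and builds the `az role assignment create` command for a resource outside the node resource group. Both JSON samples are constructed with placeholder IDs, the subnet scope is a placeholder, and the choice of the "Network Contributor" role for a VNet subnet is an assumption that the page does not prescribe; `--assignee-object-id`, `--assignee-principal-type`, `--role` and `--scope` are existing Azure CLI parameters.

```shell
# Constructed sample of `az aks show -g <rg> -n <cluster> --query "identity"` output
# (not real output); the IDs are placeholders.
SAMPLE_IDENTITY='{
  "principalId": "11111111-2222-3333-4444-555555555555",
  "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "type": "SystemAssigned"
}'

# Constructed sample of the servicePrincipalProfile block from `az aks create` output.
SAMPLE_SP_PROFILE='"servicePrincipalProfile": {
    "clientId": "msi"
  }'

# Read one string field from a small, one-field-per-line JSON object (no jq needed).
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# True when the cluster reports a system-assigned managed identity.
is_system_assigned() {
  [ "$(json_field type "$1")" = "SystemAssigned" ]
}

# True when the cluster was created with a managed identity rather than a service principal.
is_msi_cluster() {
  [ "$(json_field clientId "$1")" = "msi" ]
}

# The object ID (principalId) that role assignments must target.
principal_id() {
  json_field principalId "$1"
}

# Build the role assignment that grants the cluster identity access to a resource
# outside the node resource group. Arguments: principalId, scope (full resource ID),
# role name. The role is left as a parameter because the page does not prescribe one.
role_assignment_cmd() {
  printf 'az role assignment create --assignee-object-id %s --assignee-principal-type ServicePrincipal --role "%s" --scope "%s"\n' "$1" "$3" "$2"
}

# Offline usage: validate the constructed samples, then print the command to run.
if is_msi_cluster "$SAMPLE_SP_PROFILE" && is_system_assigned "$SAMPLE_IDENTITY"; then
  role_assignment_cmd "$(principal_id "$SAMPLE_IDENTITY")" \
    "/subscriptions/<sub_id>/resourceGroups/<vnet_rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>" \
    "Network Contributor"
else
  echo "cluster is not using a system-assigned managed identity; check the identity block" >&2
fi
```

Run the printed command only after replacing the placeholder scope with the real resource ID, and scope it to the specific subnet, IP or disk rather than the whole subscription; as the note says, allow up to 60 minutes for the grant to take effect before treating a failed load balancer or disk operation as a permissions problem.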