Use managed identities in Azure Kubernetes Service

Currently, an Azure Kubernetes Service (AKS) cluster (specifically, the Kubernetes cloud provider) requires an identity to create additional Azure resources, such as load balancers and managed disks. This identity can be either a managed identity or a service principal. If you use a service principal, you must either provide one or let AKS create one on your behalf. If you use a managed identity, AKS creates it for you automatically. Clusters that use a service principal eventually reach a state in which the service principal's credentials must be renewed to keep the cluster working. Managing service principals adds complexity, which is why managed identities are easier to use. The same permission requirements apply to both service principals and managed identities.

Managed identities are essentially a wrapper around service principals that makes them simpler to manage. By default, Azure Active Directory rotates a managed identity's credentials automatically every 46 days. AKS uses both system-assigned and user-assigned managed identity types. These identities are currently immutable. To learn more, read about managed identities for Azure resources.

Before you begin

You must have the following installed:

  • Azure CLI version 2.8.0 or later

Limitations

  • Managed identities can be enabled only when the cluster is created.
  • Existing AKS clusters can't be migrated to managed identities.
  • During cluster upgrade operations, the managed identity is temporarily unavailable.
  • Moving or migrating a managed-identity-enabled cluster to another tenant isn't supported.

Summary of managed identities

AKS uses several managed identities for built-in services and add-ons.

| Identity | Name | Use case | Default permissions |
|---|---|---|---|
| Control plane | not visible | Used by AKS for managed networking resources, including ingress load balancers and AKS-managed public IPs | Contributor role on the node resource group |
| Kubelet | `<AKS cluster name>-agentpool` | Authentication with Azure Container Registry (ACR) | Reader role on the node resource group |
| Add-on | AzureNPM | No identity required | N/A |
| Add-on | AzureCNI network monitoring | No identity required | N/A |
| Add-on | azurepolicy (gatekeeper) | No identity required | N/A |
| Add-on | azurepolicy | No identity required | N/A |
| Add-on | Calico | No identity required | N/A |
| Add-on | Dashboard | No identity required | N/A |
| Add-on | HTTPApplicationRouting | Manages required network resources | Reader role on the node resource group, Contributor role on the DNS zone |
| Add-on | Ingress application gateway | Manages required network resources | Contributor role on the node resource group |
| Add-on | omsagent | Used to send AKS metrics to Azure Monitor | Monitoring Metrics Publisher role |
| Add-on | Virtual-Node (ACIConnector) | Manages required network resources for Azure Container Instances (ACI) | Contributor role on the node resource group |

Create an AKS cluster with managed identities

You can create an AKS cluster with managed identities by using the following CLI commands.

First, create an Azure resource group:

# Create an Azure resource group
az group create --name myResourceGroup --location chinaeast2

Then, create the AKS cluster:

az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity

When the cluster is created successfully with managed identities, the output contains the following service principal profile. The clientId is the literal value "msi" rather than an application ID, which tells you a managed identity is in use instead of a service principal:

"servicePrincipalProfile": {
  "clientId": "msi"
}

Use the following command to query the principal ID (object ID) of the control-plane managed identity:

az aks show -g myResourceGroup -n myManagedCluster --query "identity"

The result should look like this:

{
  "principalId": "<object_id>",
  "tenantId": "<tenant_id>",
  "type": "SystemAssigned"
}

Once the cluster is created, you can deploy your application workloads to it and interact with it just as you would with a service-principal-based AKS cluster.

Note

To create and use your own VNet, static IP address, or attached Azure disk whose resources live outside the node resource group, use the principalId of the cluster's system-assigned managed identity to perform a role assignment on those resources. For more information on role assignments, see Delegate access to other Azure resources.

Permissions granted to the cluster managed identity used by the Azure cloud provider may take up to 60 minutes to propagate.

Finally, get the credentials to access the cluster:

az aks get-credentials --resource-group myResourceGroup --name myManagedCluster
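The procedure above leaves the control-plane identity with only its default rights on the node resource group, and the note says that resources you bring yourself (a VNet, a static IP, a disk) need an explicit role assignment to that identity. The following script is an added example, not code from the original page or from AKS itself. It ties the steps together: it parses the identity JSON that `az aks show --query identity` returns, checks that the identity is system-assigned, grants it Network Contributor scoped to a single subnet instead of Contributor on the whole resource group, and then polls for the assignment because of the propagation delay the note warns about. The resource names (myResourceGroup, myManagedCluster, myVnet, myAksSubnet), the sample identity JSON, and the choice of Network Contributor on the subnet are assumptions made for illustration; confirm the exact role your networking scenario requires against the AKS networking documentation. The Azure calls run only when AKS_APPLY=1 is set, so the parsing helpers can be exercised without a subscription.

```shell
#!/bin/sh
# Added example (not from the original page): grant the control-plane managed
# identity of an AKS cluster least-privilege access to a subnet you own, then
# wait for the assignment to become visible.
# Assumed names: myResourceGroup, myManagedCluster, myVnet, myAksSubnet.
set -eu

# Extract the "principalId" field from the JSON that
# `az aks show --query identity` prints (same shape as shown on this page).
extract_principal_id() {
    sed -n 's/.*"principalId": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Succeed only if the identity JSON describes a system-assigned identity,
# which is the type the `az aks create --enable-managed-identity` flow creates.
identity_is_system_assigned() {
    grep -q '"type": *"SystemAssigned"'
}

# Build the ARM resource ID of a subnet: the narrowest scope at which the
# cloud provider can be allowed to attach load balancers to your own VNet.
subnet_scope() {
    # $1 subscription ID, $2 resource group, $3 VNet name, $4 subnet name
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Network/virtualNetworks/%s/subnets/%s' \
        "$1" "$2" "$3" "$4"
}

# Poll until the role assignment is visible. The page warns propagation can
# take up to 60 minutes, so retry instead of assuming the grant is live.
wait_for_assignment() {
    # $1 principal ID, $2 role name, $3 scope, $4 max attempts, $5 seconds between attempts
    attempt=1
    while [ "$attempt" -le "$4" ]; do
        if az role assignment list --assignee "$1" --role "$2" --scope "$3" \
               -o tsv --query '[].id' | grep -q .; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$5"
    done
    return 1
}

# Constructed sample of the `az aks show -g myResourceGroup -n myManagedCluster
# --query identity` output; the GUIDs are placeholders, not real identities.
SAMPLE_IDENTITY='{
  "principalId": "11111111-2222-3333-4444-555555555555",
  "tenantId": "66666666-7777-8888-9999-000000000000",
  "type": "SystemAssigned"
}'

# Only talk to Azure when explicitly asked, so the helpers above can be
# exercised offline.
if [ "${AKS_APPLY:-0}" = "1" ]; then
    SUBSCRIPTION_ID=$(az account show --query id -o tsv)
    IDENTITY_JSON=$(az aks show -g myResourceGroup -n myManagedCluster --query identity -o json)
    printf '%s\n' "$IDENTITY_JSON" | identity_is_system_assigned \
        || { echo "cluster identity is not SystemAssigned; refusing to continue" >&2; exit 1; }
    PRINCIPAL_ID=$(printf '%s\n' "$IDENTITY_JSON" | extract_principal_id)
    SCOPE=$(subnet_scope "$SUBSCRIPTION_ID" myResourceGroup myVnet myAksSubnet)
    # Network Contributor on the subnet, not Contributor on the resource group:
    # the identity already holds Contributor on the node resource group and
    # needs no wider grant for its own VNet than the subnet it uses.
    az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
        --assignee-principal-type ServicePrincipal \
        --role "Network Contributor" --scope "$SCOPE"
    wait_for_assignment "$PRINCIPAL_ID" "Network Contributor" "$SCOPE" 60 60 \
        || { echo "role assignment not visible after 60 minutes" >&2; exit 1; }
fi
```

Run it after `az login` as `AKS_APPLY=1 sh grant-subnet-access.sh`. The script refuses to proceed if the identity type is not SystemAssigned, because a cluster that was created with a service principal or a user-assigned identity has a different principal to target, and assigning the role to the wrong one silently leaves the cloud provider without access.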