How to set up the Live Data (preview) feature

To view Live Data (preview) with Azure Monitor for containers from Azure Kubernetes Service (AKS) clusters, you need to configure authentication to grant permission to access your Kubernetes data. This security configuration allows real-time access to your data through the Kubernetes API directly in the Azure portal.

This feature supports the following methods to control access to the logs, events, and metrics:

  • AKS without Kubernetes RBAC authorization enabled
  • AKS enabled with Kubernetes RBAC authorization
  • AKS enabled with Azure Active Directory (AD) SAML-based single sign-on

These instructions require administrative access to your Kubernetes cluster and, if you are configuring Azure Active Directory (AD) for user authentication, administrative access to Azure AD.

This article explains how to configure authentication to control access to the Live Data (preview) feature from the cluster:

  • Role-based access control (RBAC) enabled AKS cluster
  • Azure Active Directory integrated AKS cluster

Note

AKS clusters enabled as private clusters are not supported with this feature. This feature relies on directly accessing the Kubernetes API through a proxy server from your browser. Enabling network security that blocks the Kubernetes API from this proxy will block this traffic.

Authentication model

The Live Data (preview) feature uses the Kubernetes API, identical to the kubectl command-line tool. The Kubernetes API endpoints use a self-signed certificate, which your browser is unable to validate. This feature uses an internal proxy to validate the certificate with the AKS service, ensuring the traffic is trusted.

The Azure portal prompts you to validate your login credentials for an Azure Active Directory cluster, and redirects you to the client registration set up during cluster creation (and reconfigured in this article). This behavior is similar to the authentication process required by kubectl.

Note

Authorization to your cluster is managed by Kubernetes and the security model it is configured with. Users accessing this feature require permission to download the Kubernetes configuration (kubeconfig), similar to running az aks get-credentials -n {your cluster name} -g {your resource group}. For Azure RBAC-enabled clusters and for AKS clusters without Kubernetes RBAC authorization enabled, this configuration file contains the authorization and authentication token for the Azure Kubernetes Service Cluster User Role. When AKS is enabled with Azure Active Directory (AD) SAML-based single sign-on, it contains information about Azure AD and the client registration details.

Important

Users of this feature require the Azure Kubernetes Cluster User Role on the cluster in order to download the kubeconfig and use this feature. Users do not require Contributor access to the cluster to use this feature.

Using clusterMonitoringUser with RBAC-enabled clusters

To eliminate the need to apply additional configuration changes to allow the Kubernetes user role binding clusterUser access to the Live Data (preview) feature after enabling RBAC authorization, AKS has added a new Kubernetes cluster role binding called clusterMonitoringUser. This cluster role binding has all the necessary permissions out of the box to access the Kubernetes API and the endpoints for using the Live Data (preview) feature.

In order to use the Live Data (preview) feature with this new user, you need to be a member of the Contributor role on the AKS cluster resource. Azure Monitor for containers, when enabled, is configured to authenticate using this user by default. If the clusterMonitoringUser role binding does not exist on a cluster, clusterUser is used for authentication instead.

AKS released this new role binding in January 2020, so clusters created before January 2020 do not have it. If you have a cluster that was created before January 2020, the new clusterMonitoringUser can be added to the existing cluster by performing a PUT operation on the cluster, or by performing any other operation that results in a PUT operation on the cluster, such as updating the cluster version.

Kubernetes cluster without RBAC enabled

If you have a Kubernetes cluster that is not configured with Kubernetes RBAC authorization or integrated with Azure AD single sign-on, you do not need to follow these steps. This is because you have administrative permissions by default in a non-RBAC configuration.

Configure Kubernetes RBAC authorization

When you enable Kubernetes RBAC authorization, two users, clusterUser and clusterAdmin, are used to access the Kubernetes API. This is similar to running az aks get-credentials -n {cluster_name} -g {rg_name} without the administrative option. This means the clusterUser needs to be granted access to the endpoints in the Kubernetes API.

The following example steps demonstrate how to configure the cluster role binding from this yaml configuration template.

  1. Copy and paste the yaml file and save it as LogReaderRBAC.yaml.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: containerHealth-log-reader
    rules:
      - apiGroups: ["", "metrics.k8s.io", "extensions", "apps"]
        resources:
          - "pods/log"
          - "events"
          - "nodes"
          - "pods"
          - "deployments"
          - "replicasets"
        verbs: ["get", "list"]
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: containerHealth-read-logs-global
    roleRef:
      kind: ClusterRole
      name: containerHealth-log-reader
      apiGroup: rbac.authorization.k8s.io
    subjects:
      - kind: User
        name: clusterUser
        apiGroup: rbac.authorization.k8s.io

  2. To update your configuration, run the following command: kubectl apply -f LogReaderRBAC.yaml.

Note

If you have applied a previous version of the LogReaderRBAC.yaml file to your cluster, update it by copying and pasting the new code shown in step 1 above, and then run the command shown in step 2 to apply it to your cluster.
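The following is an added example, not part of the original article or AKS itself: it re-implements the Kubernetes RBAC rule-matching logic for the single ClusterRole above, so you can confirm offline that clusterUser receives read access to exactly the endpoints the Live Data feature needs and no write access or secrets access. On a live cluster the same questions are answered by `kubectl auth can-i <verb> <resource> --as clusterUser`; the rule list below is copied from LogReaderRBAC.yaml, and the "forbidden" probes are constructed for the check.

```python
# Rules copied from the containerHealth-log-reader ClusterRole in LogReaderRBAC.yaml.
LOG_READER_RULES = [
    {
        "apiGroups": ["", "metrics.k8s.io", "extensions", "apps"],
        "resources": ["pods/log", "events", "nodes", "pods", "deployments", "replicasets"],
        "verbs": ["get", "list"],
    }
]


def _matches(allowed, wanted):
    # Kubernetes treats "*" in apiGroups, resources and verbs as a wildcard.
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants `verb` on `resource` in `api_group`.

    `api_group` is "" for the core group (pods, events, nodes, pods/log).
    A subresource such as pods/log must be listed explicitly; a bare "pods"
    entry does not cover it, which is why the role names it separately.
    """
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(rules, api_group, resource, verb):
    """RBAC is purely additive: any single matching rule grants the request."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def least_privilege_report(rules):
    """Check the role grants the Live Data reads and none of the constructed
    'must not be allowed' probes (write verbs, secrets)."""
    needed = [("", "pods/log", "get"), ("", "events", "list"),
              ("", "nodes", "list"), ("apps", "deployments", "list")]
    forbidden = [("", "secrets", "get"), ("", "pods", "delete"),
                 ("apps", "deployments", "create")]
    return {
        "granted": all(can_i(rules, g, r, v) for g, r, v in needed),
        "over_privileged": [f"{v} {r}" for g, r, v in forbidden if can_i(rules, g, r, v)],
    }


if __name__ == "__main__":
    print(least_privilege_report(LOG_READER_RULES))
```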

Configure AD-integrated authentication

An AKS cluster configured to use Azure Active Directory (AD) for user authentication uses the login credentials of the person accessing this feature. In this configuration, you can sign in to an AKS cluster by using your Azure AD authentication token.

The Azure AD client registration must be reconfigured to allow the Azure portal to redirect authorization pages to a trusted redirect URL. Users from Azure AD are then granted access directly to the same Kubernetes API endpoints through ClusterRoles and ClusterRoleBindings.

For more information on advanced security setup in Kubernetes, review the Kubernetes documentation.

Note

If you are creating a new RBAC-enabled cluster, see Integrate Azure Active Directory with Azure Kubernetes Service and follow the steps to configure Azure AD authentication. During the steps to create the client application, a note in that section highlights the two redirect URLs you need to create for Azure Monitor for containers, matching those specified in step 3 below.

Client registration reconfiguration

  1. Locate the client registration for your Kubernetes cluster in Azure AD under Azure Active Directory > App registrations in the Azure portal.

  2. Select Authentication from the left-hand pane.

  3. Add two redirect URLs to this list as Web application types. The first base URL value should be https://afd.hosting.portal.chinacloudapi.cn/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html and the second base URL value should be https://monitoring.hosting.portal.chinacloudapi.cn/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html.

    Note

    If you're using this feature in Azure China, the first base URL value should be https://afd.hosting.azureportal.chinaloudapi.cn/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html and the second base URL value should be https://monitoring.hosting.azureportal.chinaloudapi.cn/monitoring/Content/iframe/infrainsights.app/web/base-libs/auth/auth.html.

  4. After registering the redirect URLs, under Implicit grant, select the options Access tokens and ID tokens, and then save your changes.

Note

Configuring authentication with Azure Active Directory for single sign-on can only be accomplished during initial deployment of a new AKS cluster. You cannot configure single sign-on for an AKS cluster that is already deployed.

Important

If you reconfigured Azure AD for user authentication using the updated URI, clear your browser's cache to ensure the updated authentication token is downloaded and applied.

Grant permission

Each Azure AD account must be granted permission to the appropriate APIs in Kubernetes in order to access the Live Data (preview) feature. The steps to grant the Azure Active Directory account permission are similar to the steps described in the Kubernetes RBAC authentication section. Before applying the yaml configuration template to your cluster, replace clusterUser under ClusterRoleBinding with the desired user.

Important

If the user you grant the RBAC binding for is in the same Azure AD tenant, assign permissions based on the userPrincipalName. If the user is in a different Azure AD tenant, query for and use the objectId property.

For additional help configuring your AKS cluster ClusterRoleBinding, see Create RBAC binding.
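As an added example (not from the article or from AKS), the helper below builds the ClusterRoleBinding from the Grant permission section for a list of Azure AD users, applying the rule in the note above: the subject name is the userPrincipalName for users in the cluster's own tenant and the objectId for users from another tenant. The tenant id, user records and GUID check are constructed assumptions; the role and binding names are the ones from LogReaderRBAC.yaml.

```python
import json
import re

# Constructed sample tenant id of the cluster's Azure AD tenant; replace with yours.
CLUSTER_TENANT = "11111111-1111-1111-1111-111111111111"
# Azure AD objectIds are GUIDs; reject anything else so a display name is never bound.
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)


def subject_name(user, cluster_tenant=CLUSTER_TENANT):
    """Pick the RBAC subject name for an Azure AD user as the article instructs:
    userPrincipalName in the cluster's tenant, objectId for a foreign tenant."""
    if user["tenantId"] == cluster_tenant:
        if "@" not in user["userPrincipalName"]:
            raise ValueError("userPrincipalName must be a UPN such as name@domain")
        return user["userPrincipalName"]
    if not GUID_RE.match(user["objectId"]):
        raise ValueError("objectId must be a GUID for a user from another tenant")
    return user["objectId"]


def live_data_binding(users, cluster_tenant=CLUSTER_TENANT):
    """ClusterRoleBinding to the article's containerHealth-log-reader role with
    the clusterUser subject replaced by the given Azure AD users."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "containerHealth-read-logs-global"},
        "roleRef": {"kind": "ClusterRole", "name": "containerHealth-log-reader",
                    "apiGroup": "rbac.authorization.k8s.io"},
        "subjects": [{"kind": "User", "name": subject_name(u, cluster_tenant),
                      "apiGroup": "rbac.authorization.k8s.io"} for u in users],
    }


if __name__ == "__main__":
    # Constructed users: one from the cluster tenant, one guest from another tenant.
    sample = [
        {"tenantId": CLUSTER_TENANT, "userPrincipalName": "alice@contoso.example",
         "objectId": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"},
        {"tenantId": "22222222-2222-2222-2222-222222222222",
         "userPrincipalName": "bob@fabrikam.example",
         "objectId": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"},
    ]
    print(json.dumps(live_data_binding(sample), indent=2))
```

kubectl apply accepts JSON as well as YAML, so the printed manifest can be saved and applied directly.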

Next steps

Now that you have set up authentication, you can view metrics, deployments, events, and logs in real time from your cluster.