如何解决使用 ARM 模板将用户分配的身份用于 AKS 群集
我想使用用户分配的身份部署 AKS 集群。我在创建集群之前创建了用户分配的托管标识,并将其作为参数传递。但是,当我在 ARM 模板中使用相同的代码时,观察结果如下:
- 如果“Identity”为“SystemAssigned” -> 部署将成功
- 如果“Identity 为“UserAssigned”并提供 UserAssignedIdentity 的资源 ID,则部署将失败,告知未提供“servicePrincipalProfile”。
- 如果“Identity 是“UserAssigned”并且提供了“servicePrincipalProfile” ->部署成功,但是当我查询集群的身份时,UserAssignedIdentity 详细信息为空白。
我正在更新的模板部分:
"identity": {
"principalId": null,"tenantId": null,"type": "UserAssigned","userAssignedIdentities": {
"[parameters('userAssignedIdentitiesResourceID')]": {
"clientId": "[parameters('userAssignedIdentitiesClientID')]","principalId": "[parameters('userAssignedIdentitiesPrincipalID')]"
}
}
}
更新: 在创建 AKS 集群(使用 SystemAssignedIdentity)后,我尝试通过 REST API 设置用户 MSI,但是,它没有得到更新。我仍然可以看到集群标识为“SystemAssignedIdentity”。
(注意,'Invoke-CoeRestMethod' 是一个自定义的包装函数,它调用 Invoke-RestMethod。包装函数用于缓存承载令牌等,)
$Body = @"
{"location": "west europe","identity": {
"principalId": null,"userAssignedIdentities": {
"/subscriptions/7e7f55d3-f30a-4bfd-a6be-1c59594b8592/resourcegroups/ITQIG-eu-rsv-manjug-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/manjugtestmsi": {}
}
}
}
"@
$Uri = ("https://management.azure.com/subscriptions/7e7f55d3-f30a-4bfd-a6be-1c59594b8592/resourceGroups/ITQIG-eu-rsv-manjug-dev/providers/Microsoft.ContainerService/managedClusters/ITQIG-eu-manjug-aks-dev?api-version=2020-09-01")
Invoke-CoeRestMethod -Method Put -Uri $Uri -Body $Body
用于 AKS 部署的模板:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion": "1.0.0.1","variables": {
"copy": [
{
"name": "create-mi-dict","count": 1,"input": {
"[resourceId('7e7f55d3-f30a-4bf-a6be-1c594b8592','ITQIG-eu-rsv-manjug-dev','Microsoft.ManagedIdentity/userAssignedIdentities','manjugtestmsi')]": {}
}
}
]
},"parameters": {
"clusterName": {
"type": "string","defaultValue": "aks101cluster","metadata": {
"description": "The name of the Managed Cluster resource."
}
},"location": {
"type": "string","defaultValue": "[resourceGroup().location]","metadata": {
"description": "The location of the Managed Cluster resource."
}
},"userAssignedIdentitiesResourceID": {
"type": "string","metadata": {
"description": "Resource ID of the User Assigned Identity."
}
},"userAssignedIdentitiesClientID": {
"type": "string","metadata": {
"description": "Client ID of the User Assigned Identity."
}
},"userAssignedIdentitiesPrincipalID": {
"type": "string","metadata": {
"description": "Principal ID of the User Assigned Identity."
}
},"dnsPrefix": {
"type": "string","defaultValue": "aks-coe-eu-manjug-dev-dns","metadata": {
"description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
}
},"osDiskSizeGB": {
"type": "int","defaultValue": 0,"minValue": 0,"maxValue": 1023,"metadata": {
"description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
}
},"agentCount": {
"type": "int","defaultValue": 1,"minValue": 1,"maxValue": 50,"metadata": {
"description": "The number of nodes for the cluster."
}
},"agentVMSize": {
"type": "string","defaultValue": "Standard_DS2_v2","metadata": {
"description": "The size of the Virtual Machine."
}
},"linuxAdminUsername": {
"type": "string","metadata": {
"description": "User name for the Linux Virtual Machines."
}
},"sshRSAPublicKey": {
"type": "string","metadata": {
"description": "Configure all linux machines with the SSH RSA public key string. Your key should include three parts,for example 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'"
}
},"osType": {
"type": "string","defaultValue": "Linux","allowedValues": [
"Linux"
],"metadata": {
"description": "The type of operating system."
}
}
},"resources": [
{
"type": "Microsoft.ContainerService/managedClusters","apiVersion": "2020-03-01","name": "[parameters('clusterName')]","location": "[parameters('location')]","properties": {
"dnsPrefix": "[parameters('dnsPrefix')]","agentPoolProfiles": [
{
"name": "agentpool","maxPods": 110,"osDiskSizeGB": "[parameters('osDiskSizeGB')]","type": "VirtualMachineScaleSets","mode": "System","count": "[parameters('agentCount')]","vmSize": "[parameters('agentVMSize')]","osType": "[parameters('osType')]","storageProfile": "ManagedDisks","availabilityZones": [
"1","2","3"
]
}
],"networkProfile": {
"networkPlugin": "kubenet","loadBalancerSku": "Standard"
},"addonProfiles": {
"KubeDashboard": {
"enabled": false
},"azurepolicy": {
"enabled": true,"config": {
"version": "v2"
}
},"httpApplicationRouting": {
"enabled": true
}
},"linuxProfile": {
"adminUsername": "[parameters('linuxAdminUsername')]","ssh": {
"publicKeys": [
{
"keyData": "[parameters('sshRSAPublicKey')]"
}
]
}
},"enableRBAC": true,"aadProfile": {
"managed": true,"enableAzureRBAC": true,"adminGroupObjectIDs": [
"1f2a3b42-d409-4e5a-a530-cb899f033293"
]
},"apiServerAccessProfile": {
"enablePrivateCluster": false
}
},"identity": {
"type": "UserAssigned","userAssignedIdentities": "[first(variables('create-mi-dict'))]"
}
}
]
}
解决方法
据我所知这是正确的(几乎),但是您不能在 arm 模板中使用属性名称的参数,因此您必须预先渲染模板。
"identity": {
"type": "UserAssigned","userAssignedIdentities": {
"/subscriptions/xxx/resourcegroups/yyyy/providers/Microsoft.ManagedIdentity/userAssignedIdentities/zzz": {}
}
}
现在我考虑了一下,你可能会逃脱复制功能的攻击。我认为没有其他办法可以解决这个问题。
示例:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#","contentVersion": "1.0.0.0","variables": {
"copy": [
{
"name": "create-mi-dict","count": 1,"input": {
"[resourceId('58aac3e3-e3c7-41e4-8539-5fd1893c46e9','rg-name','Microsoft.ManagedIdentity/userAssignedIdentities','mi-name')]": {}
}
}
]
},"resources": [],"outputs": {
"output1": {
"type": "object","value": "[first(variables('create-mi-dict'))]"
}
}
}
编辑:您可以像这样使用它:
"identity": {
"type": "UserAssigned","userAssignedIdentities": "[first(variables('create-mi-dict'))]"
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。