使用 ARM 模板将用户分配的标识用于 AKS 群集
Use User assigned identity to AKS cluster using ARM template
我想部署具有用户分配标识的 AKS 群集。我在集群创建之前创建了用户分配的托管身份并将其作为参数传递。但是,当我在 ARM 模板中使用相同的模板时,观察结果如下:
- 如果“Identity”是'SystemAssigned' -> 部署会成功
- 如果身份是 'UserAssigned' 并为 UserAssignedIdentity 提供资源 ID,则部署失败表明未提供 'servicePrincipalProfile'。
- 如果'Identity is 'UserAssigned' and 'servicePrincipalProfile' is provided ->部署成功,但是当我查询集群的Identity时,UserAssignedIdentity的详细信息是空白的。
我正在更新的模板部分:
"identity": {
"principalId": null,
"tenantId": null,
"type": "UserAssigned",
"userAssignedIdentities": {
"[parameters('userAssignedIdentitiesResourceID')]": {
"clientId": "[parameters('userAssignedIdentitiesClientID')]",
"principalId": "[parameters('userAssignedIdentitiesPrincipalID')]"
}
}
}
更新:
在创建 AKS 集群(使用 SystemAssignedIdentity)后,我尝试通过 REST API 设置用户 MSI,但它没有得到更新。我仍然可以看到集群标识为 'SystemAssignedIdentity'.
(注意,'Invoke-CoeRestMethod' 是调用 Invoke-RestMethod 的自定义包装函数。包装函数用于缓存不记名令牌等,)
$Body = @"
{"location": "west europe",
"identity": {
"principalId": null,
"tenantId": null,
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/7e7f55d3-f30a-4bfd-a6be-1c59594b8592/resourcegroups/ITQIG-eu-rsv-manjug-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/manjugtestmsi": {}
}
}
}
"@
$Uri = ("https://management.azure.com/subscriptions/7e7f55d3-f30a-4bfd-a6be-1c59594b8592/resourceGroups/ITQIG-eu-rsv-manjug-dev/providers/Microsoft.ContainerService/managedClusters/ITQIG-eu-manjug-aks-dev?api-version=2020-09-01")
Invoke-CoeRestMethod -Method Put -Uri $Uri -Body $Body
用于 AKS 部署的模板:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"variables": {
"copy": [
{
"name": "create-mi-dict",
"count": 1,
"input": {
"[resourceId('7e7f55d3-f30a-4bf-a6be-1c594b8592', 'ITQIG-eu-rsv-manjug-dev','Microsoft.ManagedIdentity/userAssignedIdentities', 'manjugtestmsi')]": {}
}
}
]
},
"parameters": {
"clusterName": {
"type": "string",
"defaultValue": "aks101cluster",
"metadata": {
"description": "The name of the Managed Cluster resource."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location of the Managed Cluster resource."
}
},
"userAssignedIdentitiesResourceID": {
"type": "string",
"metadata": {
"description": "Resource ID of the User Assigned Identity."
}
},
"userAssignedIdentitiesClientID": {
"type": "string",
"metadata": {
"description": "Client ID of the User Assigned Identity."
}
},
"userAssignedIdentitiesPrincipalID": {
"type": "string",
"metadata": {
"description": "Principal ID of the User Assigned Identity."
}
},
"dnsPrefix": {
"type": "string",
"defaultValue": "aks-coe-eu-manjug-dev-dns",
"metadata": {
"description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
}
},
"osDiskSizeGB": {
"type": "int",
"defaultValue": 0,
"minValue": 0,
"maxValue": 1023,
"metadata": {
"description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
}
},
"agentCount": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"maxValue": 50,
"metadata": {
"description": "The number of nodes for the cluster."
}
},
"agentVMSize": {
"type": "string",
"defaultValue": "Standard_DS2_v2",
"metadata": {
"description": "The size of the Virtual Machine."
}
},
"linuxAdminUsername": {
"type": "string",
"metadata": {
"description": "User name for the Linux Virtual Machines."
}
},
"sshRSAPublicKey": {
"type": "string",
"metadata": {
"description": "Configure all linux machines with the SSH RSA public key string. Your key should include three parts, for example 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'"
}
},
"osType": {
"type": "string",
"defaultValue": "Linux",
"allowedValues": [
"Linux"
],
"metadata": {
"description": "The type of operating system."
}
}
},
"resources": [
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2020-03-01",
"name": "[parameters('clusterName')]",
"location": "[parameters('location')]",
"properties": {
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": [
{
"name": "agentpool",
"maxPods": 110,
"osDiskSizeGB": "[parameters('osDiskSizeGB')]",
"type": "VirtualMachineScaleSets",
"mode": "System",
"count": "[parameters('agentCount')]",
"vmSize": "[parameters('agentVMSize')]",
"osType": "[parameters('osType')]",
"storageProfile": "ManagedDisks",
"availabilityZones": [
"1",
"2",
"3"
]
}
],
"networkProfile": {
"networkPlugin": "kubenet",
"loadBalancerSku": "Standard"
},
"addonProfiles": {
"KubeDashboard": {
"enabled": false
},
"azurepolicy": {
"enabled": true,
"config": {
"version": "v2"
}
},
"httpApplicationRouting": {
"enabled": true
}
},
"linuxProfile": {
"adminUsername": "[parameters('linuxAdminUsername')]",
"ssh": {
"publicKeys": [
{
"keyData": "[parameters('sshRSAPublicKey')]"
}
]
}
},
"enableRBAC": true,
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": [
"1f2a3b42-d409-4e5a-a530-cb899f033293"
]
},
"apiServerAccessProfile": {
"enablePrivateCluster": false
}
},
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": "[first(variables('create-mi-dict'))]"
}
}
]
}
编辑:
自 2021 年 7 月 12 日起,可以“正常”执行此操作:
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx'))]": {}
}
}
}
据我所知这是正确的(几乎),但是您不能在 arm 模板中使用 属性 名称的参数,因此您必须预渲染模板。
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/xxx/resourcegroups/yyyy/providers/Microsoft.ManagedIdentity/userAssignedIdentities/zzz": {}
}
}
既然我想到了,你可能会逃避复制功能黑客攻击。我认为没有其他解决方法。
示例:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"copy": [
{
"name": "create-mi-dict",
"count": 1,
"input": {
"[resourceId('58aac3e3-e3c7-41e4-8539-5fd1893c46e9', 'rg-name','Microsoft.ManagedIdentity/userAssignedIdentities', 'mi-name')]": {}
}
}
]
},
"resources": [],
"outputs": {
"output1": {
"type": "object",
"value": "[first(variables('create-mi-dict'))]"
}
}
}
编辑:你可以这样使用它:
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": "[first(variables('create-mi-dict'))]"
}
我想部署具有用户分配标识的 AKS 群集。我在集群创建之前创建了用户分配的托管身份并将其作为参数传递。但是,当我在 ARM 模板中使用相同的模板时,观察结果如下:
- 如果“Identity”是'SystemAssigned' -> 部署会成功
- 如果身份是 'UserAssigned' 并为 UserAssignedIdentity 提供资源 ID,则部署失败表明未提供 'servicePrincipalProfile'。
- 如果'Identity is 'UserAssigned' and 'servicePrincipalProfile' is provided ->部署成功,但是当我查询集群的Identity时,UserAssignedIdentity的详细信息是空白的。
我正在更新的模板部分:
"identity": {
"principalId": null,
"tenantId": null,
"type": "UserAssigned",
"userAssignedIdentities": {
"[parameters('userAssignedIdentitiesResourceID')]": {
"clientId": "[parameters('userAssignedIdentitiesClientID')]",
"principalId": "[parameters('userAssignedIdentitiesPrincipalID')]"
}
}
}
更新: 在创建 AKS 集群(使用 SystemAssignedIdentity)后,我尝试通过 REST API 设置用户 MSI,但它没有得到更新。我仍然可以看到集群标识为 'SystemAssignedIdentity'.
(注意,'Invoke-CoeRestMethod' 是调用 Invoke-RestMethod 的自定义包装函数。包装函数用于缓存不记名令牌等,)
$Body = @"
{"location": "west europe",
"identity": {
"principalId": null,
"tenantId": null,
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/7e7f55d3-f30a-4bfd-a6be-1c59594b8592/resourcegroups/ITQIG-eu-rsv-manjug-dev/providers/Microsoft.ManagedIdentity/userAssignedIdentities/manjugtestmsi": {}
}
}
}
"@
$Uri = ("https://management.azure.com/subscriptions/7e7f55d3-f30a-4bfd-a6be-1c59594b8592/resourceGroups/ITQIG-eu-rsv-manjug-dev/providers/Microsoft.ContainerService/managedClusters/ITQIG-eu-manjug-aks-dev?api-version=2020-09-01")
Invoke-CoeRestMethod -Method Put -Uri $Uri -Body $Body
用于 AKS 部署的模板:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.1",
"variables": {
"copy": [
{
"name": "create-mi-dict",
"count": 1,
"input": {
"[resourceId('7e7f55d3-f30a-4bf-a6be-1c594b8592', 'ITQIG-eu-rsv-manjug-dev','Microsoft.ManagedIdentity/userAssignedIdentities', 'manjugtestmsi')]": {}
}
}
]
},
"parameters": {
"clusterName": {
"type": "string",
"defaultValue": "aks101cluster",
"metadata": {
"description": "The name of the Managed Cluster resource."
}
},
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The location of the Managed Cluster resource."
}
},
"userAssignedIdentitiesResourceID": {
"type": "string",
"metadata": {
"description": "Resource ID of the User Assigned Identity."
}
},
"userAssignedIdentitiesClientID": {
"type": "string",
"metadata": {
"description": "Client ID of the User Assigned Identity."
}
},
"userAssignedIdentitiesPrincipalID": {
"type": "string",
"metadata": {
"description": "Principal ID of the User Assigned Identity."
}
},
"dnsPrefix": {
"type": "string",
"defaultValue": "aks-coe-eu-manjug-dev-dns",
"metadata": {
"description": "Optional DNS prefix to use with hosted Kubernetes API server FQDN."
}
},
"osDiskSizeGB": {
"type": "int",
"defaultValue": 0,
"minValue": 0,
"maxValue": 1023,
"metadata": {
"description": "Disk size (in GB) to provision for each of the agent pool nodes. This value ranges from 0 to 1023. Specifying 0 will apply the default disk size for that agentVMSize."
}
},
"agentCount": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"maxValue": 50,
"metadata": {
"description": "The number of nodes for the cluster."
}
},
"agentVMSize": {
"type": "string",
"defaultValue": "Standard_DS2_v2",
"metadata": {
"description": "The size of the Virtual Machine."
}
},
"linuxAdminUsername": {
"type": "string",
"metadata": {
"description": "User name for the Linux Virtual Machines."
}
},
"sshRSAPublicKey": {
"type": "string",
"metadata": {
"description": "Configure all linux machines with the SSH RSA public key string. Your key should include three parts, for example 'ssh-rsa AAAAB...snip...UcyupgH azureuser@linuxvm'"
}
},
"osType": {
"type": "string",
"defaultValue": "Linux",
"allowedValues": [
"Linux"
],
"metadata": {
"description": "The type of operating system."
}
}
},
"resources": [
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2020-03-01",
"name": "[parameters('clusterName')]",
"location": "[parameters('location')]",
"properties": {
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": [
{
"name": "agentpool",
"maxPods": 110,
"osDiskSizeGB": "[parameters('osDiskSizeGB')]",
"type": "VirtualMachineScaleSets",
"mode": "System",
"count": "[parameters('agentCount')]",
"vmSize": "[parameters('agentVMSize')]",
"osType": "[parameters('osType')]",
"storageProfile": "ManagedDisks",
"availabilityZones": [
"1",
"2",
"3"
]
}
],
"networkProfile": {
"networkPlugin": "kubenet",
"loadBalancerSku": "Standard"
},
"addonProfiles": {
"KubeDashboard": {
"enabled": false
},
"azurepolicy": {
"enabled": true,
"config": {
"version": "v2"
}
},
"httpApplicationRouting": {
"enabled": true
}
},
"linuxProfile": {
"adminUsername": "[parameters('linuxAdminUsername')]",
"ssh": {
"publicKeys": [
{
"keyData": "[parameters('sshRSAPublicKey')]"
}
]
}
},
"enableRBAC": true,
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": [
"1f2a3b42-d409-4e5a-a530-cb899f033293"
]
},
"apiServerAccessProfile": {
"enablePrivateCluster": false
}
},
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": "[first(variables('create-mi-dict'))]"
}
}
]
}
编辑:
自 2021 年 7 月 12 日起,可以“正常”执行此操作:
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'xxx'))]": {}
}
}
}
据我所知这是正确的(几乎),但是您不能在 arm 模板中使用 属性 名称的参数,因此您必须预渲染模板。
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"/subscriptions/xxx/resourcegroups/yyyy/providers/Microsoft.ManagedIdentity/userAssignedIdentities/zzz": {}
}
}
既然我想到了,你可能会逃避复制功能黑客攻击。我认为没有其他解决方法。
示例:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"variables": {
"copy": [
{
"name": "create-mi-dict",
"count": 1,
"input": {
"[resourceId('58aac3e3-e3c7-41e4-8539-5fd1893c46e9', 'rg-name','Microsoft.ManagedIdentity/userAssignedIdentities', 'mi-name')]": {}
}
}
]
},
"resources": [],
"outputs": {
"output1": {
"type": "object",
"value": "[first(variables('create-mi-dict'))]"
}
}
}
编辑:你可以这样使用它:
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": "[first(variables('create-mi-dict'))]"
}