Terraform Azure AKS - how to set a UAMI as the kubelet_identity for an AKS cluster

vnjpjtjt  posted on 2023-05-01  in  Other
Follow (0) | Answers (3) | Views (166)

Looking at the terraform documentation, I'm having trouble working out how to assign a UAMI as the kubelet_identity for an AKS cluster.
The identity { ... } block described here, which sets the control plane UAMI, is not what I'm looking for.
The question is: is there a Terraform way to assign an additional UAMI, besides the one in the identity {..} block, and use it to access ACR?
I'd like to set up a separate UAMI as the kubelet identity, as described here.

jogvjijk

jogvjijk1#

Is there a Terraform way to assign an additional UAMI, besides the one in the identity {..} block, and use it to access ACR?
Based on the details you provided, you can create an additional UAMI, associate it with the AKS cluster's kubelet identity, and then assign roles to that UAMI. Sample code:

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  # Argument names use underscores (client_id / object_id), not hyphens.
  kubelet_identity {
    client_id                 = azurerm_user_assigned_identity.kubelet.client_id
    object_id                 = azurerm_user_assigned_identity.kubelet.principal_id
    user_assigned_identity_id = azurerm_user_assigned_identity.kubelet.id
  }
  ...
}

# A role assignment takes the identity's object (principal) id, not its client id.
resource "azurerm_role_assignment" "acr_for_kubelet" {
  principal_id         = azurerm_user_assigned_identity.kubelet.principal_id
  scope                = azurerm_container_registry.container_registry.id
  role_definition_name = "AcrPull"
}

Update:

Actually, when you create AKS with a system-assigned managed identity enabled, it creates two user-assigned identities for the AKS cluster: one for accessing other resources, and one for managing the AKS cluster itself, which is the kubelet identity.
It doesn't make sense to grant the kubelet identity permission to access ACR. What you need to do is grant the AKS identity permission to access ACR. Alternatively, use secrets and service accounts inside Kubernetes to access ACR.

f87krz0w

f87krz0w2#

You need something like this:

resource "azurerm_kubernetes_cluster" "kube_cluster" {
  name                = local.cluster_name
  dns_prefix          = local.cluster_name
  location            = var.location
  resource_group_name = local.resource_group

  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_DS2_v2"
  }

  # Control plane identity: an existing UAMI looked up via a data source.
  identity {
    type                      = "UserAssigned"
    user_assigned_identity_id = data.azurerm_user_assigned_identity.managed_identity.id
  }
}

# Grant AcrPull to the kubelet identity the cluster exposes after creation.
resource "azurerm_role_assignment" "acr_role_assignment" {
  principal_id         = azurerm_kubernetes_cluster.kube_cluster.kubelet_identity[0].object_id
  scope                = data.azurerm_container_registry.container_registry.id
  role_definition_name = "AcrPull"
}

You can see the whole **script** here.

yzuktlbb

yzuktlbb3#

There does seem to be an option in Terraform to assign a UAMI as the kubelet identity.
Example:

  # Both blocks sit inside the azurerm_kubernetes_cluster resource.
  identity {
    type         = "UserAssigned"
    identity_ids = var.control_plane_user_assigned_managed_identity_ids
  }

  kubelet_identity {
    client_id                 = var.kubelet_identity_client_id
    object_id                 = var.kubelet_identity_object_id
    user_assigned_identity_id = var.kubelet_identity_user_assigned_identity_id
  }

As mentioned above, you need to grant the kubelet identity access to ACR as per the doc (this can be done with a Terraform azurerm_role_assignment):
https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#add-role-assignment

Use a pre-created kubelet managed identity
A Kubelet identity enables access granted to the existing identity prior to cluster creation. This feature enables scenarios such as connection to ACR with a pre-created managed identity.
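The pre-created kubelet identity flow above, written out end to end as an added example (not code from any of the answers). It uses azurerm 3.x syntax (identity_ids), assumes an existing azurerm_resource_group.example and azurerm_container_registry.example, and uses placeholder identity names. The two role assignments are the part the answers leave implicit: the control plane identity needs Managed Identity Operator on the kubelet identity, and the kubelet identity itself gets only AcrPull.

```hcl
# Two separate user-assigned identities: one for the control plane, one for kubelet.
resource "azurerm_user_assigned_identity" "control_plane" {
  name                = "aks-control-plane-identity" # placeholder name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_user_assigned_identity" "kubelet" {
  name                = "aks-kubelet-identity" # placeholder name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

# The control plane must be allowed to hand the kubelet identity to the node pool.
resource "azurerm_role_assignment" "control_plane_operates_kubelet" {
  scope                = azurerm_user_assigned_identity.kubelet.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = azurerm_user_assigned_identity.control_plane.principal_id
}

# Least privilege: the kubelet identity only needs to pull images from ACR.
resource "azurerm_role_assignment" "kubelet_acr_pull" {
  scope                = azurerm_container_registry.example.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_user_assigned_identity.kubelet.principal_id # object id, not client_id
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks"
  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }
  # A user-assigned control plane identity holding Managed Identity Operator on the
  # kubelet identity is what the Azure docs require for a pre-created kubelet identity.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.control_plane.id]
  }
  kubelet_identity {
    client_id                 = azurerm_user_assigned_identity.kubelet.client_id
    object_id                 = azurerm_user_assigned_identity.kubelet.principal_id
    user_assigned_identity_id = azurerm_user_assigned_identity.kubelet.id
  }
  depends_on = [azurerm_role_assignment.control_plane_operates_kubelet] # role must exist before cluster create
}
```

Because the Managed Identity Operator assignment is not an implicit dependency of the cluster, the depends_on keeps apply from creating the cluster before the control plane identity is allowed to use the kubelet identity.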
