What is the best way to use the managed identities feature for an AKS cluster?
While testing some of the new features of AKS clusters, I want to enable the managed identity feature for my Azure k8s cluster. Can anyone tell me in simple terms what the main benefits of using it are? Do I need an external DNS zone for that?
Currently, an Azure Kubernetes Service (AKS) cluster (specifically, the Kubernetes cloud provider) requires a service principal to create additional resources like load balancers and managed disks in Azure. Either you must provide a service principal or AKS creates one on your behalf. Service principals typically have an expiration date. Clusters eventually reach a state in which the service principal must be renewed to keep the cluster working. Managing service principals adds complexity.

Managed identities are essentially a wrapper around service principals, and make their management simpler. To learn more, read about managed identities for Azure resources.

AKS creates two managed identities:

System-assigned managed identity: The identity that the Kubernetes cloud provider uses to create Azure resources on behalf of the user. The life cycle of the system-assigned identity is tied to that of the cluster. The identity is deleted when the cluster is deleted.

User-assigned managed identity: The identity that's used for authorization in the cluster. For example, the user-assigned identity is used to authorize AKS to use Azure Container Registries (ACRs), or to authorize the kubelet to get metadata from Azure. Add-ons also authenticate using a managed identity. For each add-on, a managed identity is created by AKS and lasts for the life of the add-on. For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the MC_* resource group, use the PrincipalID of the cluster to perform a role assignment. For more information on role assignment, see Delegate access to other Azure resources.
In short: easier to manage.
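The role assignment step the answer describes (using the cluster's PrincipalID for resources outside the MC_* resource group, plus ACR access for the kubelet identity), as an added example that is not part of the original answer. It assumes a logged-in Azure CLI (az) and an existing cluster created with a managed identity; resource group, cluster and resource IDs are placeholder arguments.

```shell
#!/usr/bin/env sh
# Added example: grant the two AKS managed identities the roles they need on
# resources that live outside the MC_* resource group. Assumes `az` is
# installed and logged in; all names below are placeholders.

# Object ID (PrincipalID) of the control-plane, system-assigned identity:
# the one the cloud provider uses to create load balancers, disks, etc.
cluster_principal_id() {
  az aks show --resource-group "$1" --name "$2" \
    --query identity.principalId --output tsv
}

# Object ID of the kubelet (user-assigned) identity: the one the nodes use,
# for example to pull images from ACR.
kubelet_object_id() {
  az aks show --resource-group "$1" --name "$2" \
    --query identityProfile.kubeletidentity.objectId --output tsv
}

# Grant a built-in role to a principal on exactly one resource scope.
# Scoping to the subnet / registry keeps it least privilege: no
# subscription-wide Contributor for the cluster identity.
grant_role() {
  principal="$1"; role="$2"; scope="$3"
  az role assignment create --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$scope" --output none
}

# Usage: assign_aks_roles <rg> <cluster> <subnet-resource-id> <acr-resource-id>
# Prints "<control-plane-object-id> <kubelet-object-id>" on success.
assign_aks_roles() {
  rg="$1"; cluster="$2"; subnet_id="$3"; acr_id="$4"
  cp=$(cluster_principal_id "$rg" "$cluster") || return 1
  kubelet=$(kubelet_object_id "$rg" "$cluster") || return 1
  # Own VNet outside MC_*: the control plane must manage the node subnet.
  grant_role "$cp" "Network Contributor" "$subnet_id" || return 1
  # Nodes only need to pull images, so AcrPull and nothing broader.
  grant_role "$kubelet" "AcrPull" "$acr_id" || return 1
  echo "$cp $kubelet"
}
```

Run `assign_aks_roles` once after cluster creation; re-running is safe because an existing identical role assignment is reported rather than duplicated.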