aks:尝试创建负载均衡器时出现未经授权的错误
aks: getting unauthorize error while trying to create load balancer
我在 AKS 中尝试创建负载均衡器时出现以下错误,
{"error":{"code":"AuthorizationFailed","message":"The client
'85e23f21-xxxxxxxxxxx' with object id
'85e23f21-xxxxxxxxxxx' does not have authorization to perform
action 'Microsoft.Network/virtualNetworks/subnets/read' over scope
'/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/my-vnet/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/my-subnet'
or the scope is invalid. If access was recently granted, please refresh your
credentials."}}
此处的客户端和对象 ID 相同,这是托管标识的 principalId,因为我的 AKS 群集启用了托管标识。
❯ az aks show -g my-rg -n my-aks --query "identity"
{
"principalId": "85e23f21-xxxxxxxxxxx",
"tenantId": "xxxxxxxxxxxxxxxxxxxx",
"type": "SystemAssigned",
"userAssignedIdentities": null
}
我还为我的 aks 集群启用了 azure RBAC
az aks update -g myResourceGroup -n myAKSCluster --enable-azure-rbac
这里少了什么,怎么给权限?请帮忙。
这可能是因为您的 VNet 不在工作节点资源组中,因此系统分配的标识默认只能管理该资源组内的资源。您需要对集群系统分配的托管标识的主体 ID 执行角色分配,以授予其访问该资源组之外的托管资源的权限。来自 Azure documentation :
Note
For creating and using your own VNet, static IP address, or attached
Azure disk where the resources are outside of the worker node resource
group, use the PrincipalID of the cluster System Assigned Managed
Identity to perform a role assignment.
我在 AKS 中尝试创建负载均衡器时出现以下错误,
{"error":{"code":"AuthorizationFailed","message":"The client '85e23f21-xxxxxxxxxxx' with object id '85e23f21-xxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/read' over scope '/subscriptions/xxxx-xxxx-xxxx-xxxx-xxxx/resourceGroups/my-vnet/providers/Microsoft.Network/virtualNetworks/my-vnet/subnets/my-subnet' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
此处的客户端和对象 ID 相同,这是托管标识的 principalId,因为我的 AKS 群集启用了托管标识。
❯ az aks show -g my-rg -n my-aks --query "identity" { "principalId": "85e23f21-xxxxxxxxxxx", "tenantId": "xxxxxxxxxxxxxxxxxxxx", "type": "SystemAssigned", "userAssignedIdentities": null }
我还为我的 aks 集群启用了 azure RBAC
az aks update -g myResourceGroup -n myAKSCluster --enable-azure-rbac
这里少了什么,怎么给权限?请帮忙。
这可能是因为您的 VNet 不在工作节点资源组中,因此系统分配的标识默认只能管理该资源组内的资源。您需要对集群系统分配的托管标识的主体 ID 执行角色分配,以授予其访问该资源组之外的托管资源的权限。来自 Azure documentation :
Note
For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the worker node resource group, use the PrincipalID of the cluster System Assigned Managed Identity to perform a role assignment.