Pod identity on AKS cluster creation
Currently it is not possible to assign a user-assigned identity at cluster creation time in an ARM template (or in Terraform). I have tried many things, and updating the cluster after creation works fine when I insert the identity manually:
az aks pod-identity add --cluster-name my-aks-cn --resource-group myrg --namespace myns --name example-pod-identity --identity-resource-id /subscriptions/......
However, I want this done in one go by the deployment, so I need the pod user-assigned identity inserted into the cluster automatically. I also tried running the command with DeploymentScripts, but deployment scripts are not yet ready to use the preview aks extension.
My configuration looks like this:
{
  "type": "Microsoft.ContainerService/managedClusters",
  "apiVersion": "2021-02-01",
  "name": "[variables('cluster_name')]",
  "location": "[variables('location')]",
  "dependsOn": [
    "[resourceId('Microsoft.Network/virtualNetworks', variables('vnet_name'))]"
  ],
  "properties": {
    ....
    "podIdentityProfile": {
      "allowNetworkPluginKubenet": null,
      "enabled": true,
      "userAssignedIdentities": [
        {
          "identity": {
            "clientId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managed-indentity'), '2018-11-30').clientId]",
            "objectId": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managed-indentity'), '2018-11-30').principalId]",
            "resourceId": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'managed-indentity')]"
          },
          "name": "managed-indentity",
          "namespace": "myns"
        }
      ],
      "userAssignedIdentityExceptions": null
    },
    ....
  },
  "identity": {
    "type": "SystemAssigned"
  }
},
I always run into the same problem:
"statusMessage": "{\"error\":{\"code\":\"InvalidTemplateDeployment\",\"message\":\"The template deployment 'deployment_test' is not valid according to the validation procedure. The tracking id is '.....'. See inner errors for details.\",\"details\":[{\"code\":\"PodIdentityAddonUserAssignedIdentitiesNotAllowedInCreation\",\"message\":\"Provisioning of resource(s) for container service cluster-12344 in resource group myrc failed. Message: {\n \\"code\\": \\"PodIdentityAddonUserAssignedIdentitiesNotAllowedInCreation\\",\n \\"message\\": \\"PodIdentity addon does not support assigning pod identities on creation.\\"\n }. Details: \"}]}}",
The product team has shared the answer here: https://github.com/Azure/aad-pod-identity/issues/1123
It says:
This is a known limitation in the existing configuration. We will fix this in the V2 implementation.
Anyone else hitting the same problem, please refer to the GitHub issue above.
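Since the addon rejects `podIdentityProfile.userAssignedIdentities` at creation time but accepts them afterwards, the practical workaround is to deploy the cluster with the addon enabled and no identities, then bind each identity with `az aks pod-identity add` once the deployment has finished. The script below is an added example (not code from the question, the answer, or the linked GitHub issue) that automates that split: it strips the pod identities from every managedClusters resource in an ARM template, keeps `enabled: true`, and renders the post-creation `az` commands from what it removed. The sample template, cluster name, resource group and identity resource ID are constructed placeholders; if your template uses ARM expressions such as `[variables('cluster_name')]` or `[resourceId(...)]` for those values, resolve them to literals before running the rendered commands.

```python
"""
Split an ARM template into a creation-safe version (no pod identities) plus
the `az aks pod-identity add` commands to run after the cluster exists.

Added example for the workaround discussed above; not part of the original
post. All names and IDs below are constructed placeholders.
"""
import copy
import json
import shlex

AKS_TYPE = "Microsoft.ContainerService/managedClusters"

# Constructed sample template mirroring the shape of the one in the question.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {
            "type": AKS_TYPE,
            "apiVersion": "2021-02-01",
            "name": "my-aks-cn",
            "location": "westeurope",
            "identity": {"type": "SystemAssigned"},
            "properties": {
                "podIdentityProfile": {
                    "enabled": True,
                    "userAssignedIdentities": [
                        {
                            "name": "example-pod-identity",
                            "namespace": "myns",
                            "identity": {
                                # Placeholder subscription and identity names.
                                "resourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/example-mi",
                                "clientId": "11111111-1111-1111-1111-111111111111",
                                "objectId": "22222222-2222-2222-2222-222222222222",
                            },
                        }
                    ],
                }
            },
        }
    ],
}


def split_pod_identities(template):
    """Return (creation_template, deferred).

    creation_template is a deep copy with userAssignedIdentities removed from
    every AKS resource (the field that triggers
    PodIdentityAddonUserAssignedIdentitiesNotAllowedInCreation), with the
    addon left enabled. deferred lists the removed bindings so they can be
    applied after the cluster exists.
    """
    creation = copy.deepcopy(template)
    deferred = []
    for res in creation.get("resources", []):
        if res.get("type") != AKS_TYPE:
            continue
        profile = res.get("properties", {}).get("podIdentityProfile") or {}
        identities = profile.pop("userAssignedIdentities", None) or []
        if identities:
            # Keep the addon installed so `pod-identity add` works afterwards.
            profile["enabled"] = True
        for ident in identities:
            deferred.append({
                "cluster": res["name"],
                "name": ident["name"],
                "namespace": ident["namespace"],
                "identity_resource_id": ident["identity"]["resourceId"],
                # Optional; passed through to --binding-selector when present.
                "binding_selector": ident.get("bindingSelector"),
            })
    return creation, deferred


def post_create_commands(deferred, resource_group):
    """Render one shell-quoted `az aks pod-identity add` per deferred binding."""
    cmds = []
    for d in deferred:
        argv = [
            "az", "aks", "pod-identity", "add",
            "--cluster-name", d["cluster"],
            "--resource-group", resource_group,
            "--namespace", d["namespace"],
            "--name", d["name"],
            "--identity-resource-id", d["identity_resource_id"],
        ]
        if d.get("binding_selector"):
            argv += ["--binding-selector", d["binding_selector"]]
        cmds.append(shlex.join(argv))
    return cmds


def main():
    creation, deferred = split_pod_identities(SAMPLE_TEMPLATE)
    # Deploy this template first (az deployment group create ...), then run
    # the printed commands once the cluster is provisioned.
    print(json.dumps(creation, indent=2))
    for cmd in post_create_commands(deferred, "myrg"):
        print(cmd)


if __name__ == "__main__":
    main()
```

The input template is never mutated, so the same file can still be used later as the desired-state record; only the creation copy loses the identities. Because the rendered commands are `shlex`-quoted, they are safe to paste into a pipeline step even if a name contains shell metacharacters.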