How to use existing Container Registry when creating AKS cluster in Pulumi Azure Native

I created an Azure Container Registry (ACR) and now need to create a Managed Cluster (AKS). When we use the Azure Portal or the Azure CLI, we can integrate an existing ACR. In Pulumi Azure Native, ManagedClusterArgs has no property that accepts an existing ACR.

How do I attach an already created ACR when creating the managed cluster?

Or would assigning the AcrPull role to the automatically created user-assigned managed identity (<cluster-name>-agentpool) achieve the same thing?

Yes, you need to assign the AcrPull role to the cluster's managed identity (VMSS).

(Make sure the Service Principal used by the Pulumi CLI has the User Access Administrator role; otherwise Pulumi cannot create the role assignment.)

Here is an example in TypeScript using a system-assigned managed identity:

import * as pulumi from "@pulumi/pulumi";
import * as azure_native from "@pulumi/azure-native";
import * as containerservice from "@pulumi/azure-native/containerservice";

// const resourceGroup = ...
// const registry = ...   // the existing ACR (azure_native.containerregistry.Registry)

const cluster = new containerservice.ManagedCluster("managedCluster", {
    // ...
    resourceGroupName: resourceGroup.name,
    identity: {
        type: "SystemAssigned",
    },
});

// Only needed if you want a kubeconfig; not required for the role assignment.
const creds = containerservice.listManagedClusterUserCredentialsOutput({
    resourceGroupName: resourceGroup.name,
    resourceName: cluster.name,
});

// Image pulls are done by the kubelet identity (the user-assigned identity on the
// node pool VMSS), not by the cluster's system-assigned control-plane identity.
const principalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);

// Subscription of the credentials the stack runs with, used to build the role definition ID.
const subscriptionId = pulumi.output(azure_native.authorization.getClientConfig()).subscriptionId;

// Built-in AcrPull role. The ID must be the full ARM resource ID, leading slash included.
const roleDefinitionId = pulumi.interpolate`/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d`;

const assignment = new azure_native.authorization.RoleAssignment("acr-pull", {
    principalId: principalId,
    // Declaring the type avoids a PrincipalNotFound failure while the new identity is still replicating in Azure AD.
    principalType: "ServicePrincipal",
    roleDefinitionId: roleDefinitionId,
    scope: registry.id, // registry scope only: least privilege
});

C#:

using Pulumi;
using Pulumi.AzureNative.ContainerService;
using AzureNative = Pulumi.AzureNative;

// var mainAcr = new AzureNative.ContainerRegistry.Registry("MainContainerRegistry", new AzureNative.ContainerRegistry.RegistryArgs { // ... });
// var aksAppCluster = new ManagedCluster("AksAppplicationCluster", new ManagedClusterArgs { // ... });

// The kubelet identity (user-assigned identity on the node pool VMSS) is the one that pulls images.
var vmssManagedIdentityPrincipalId = aksAppCluster.IdentityProfile.Apply(identityProfile =>
{
    var vmssManagedIdentityProfile = identityProfile!["kubeletidentity"];
    return vmssManagedIdentityProfile.ObjectId!;
});

var acrPullRoleDefinitionId = RoleUtil.GetAcrPullRoleDefinitionId();
// I created RoleUtil; GetAcrPullRoleDefinitionId() returns the full ARM ID (leading slash included):
// "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"

var roleAssignment = new AzureNative.Authorization.RoleAssignment("AcrPullRoleAssignment", new AzureNative.Authorization.RoleAssignmentArgs
{
    PrincipalId = vmssManagedIdentityPrincipalId,
    // Declaring the type avoids a PrincipalNotFound failure while the new identity is still replicating in Azure AD.
    PrincipalType = AzureNative.Authorization.PrincipalType.ServicePrincipal,
    RoleDefinitionId = acrPullRoleDefinitionId,
    Scope = mainAcr.Id, // registry scope only
});

For the built-in role IDs: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
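Added example, not part of the answer above and not Pulumi's own API: a pair of pure TypeScript helpers (no @pulumi/* imports, so they run and can be unit-tested offline) that build the AcrPull assignment arguments the answer constructs by hand and audit an existing assignment list. The helpers enforce the least-privilege points a reviewer would check: the scope must be exactly one registry resource ID (never a resource group or subscription), the role definition ID is the full ARM ID with its leading slash, and principalType is declared. The function names, the audit status values and the sample data at the bottom are assumptions constructed for this example.

```typescript
// Added example: least-privilege helpers for the AcrPull assignment.
// Not from the answer above; names and sample data are assumptions.

/** Built-in AcrPull role definition GUID (Azure built-in roles list). */
export const ACR_PULL_ROLE_GUID = "7f951dda-4ed3-4680-a7ca-43fe172d538d";

/** The subset of RoleAssignmentArgs these helpers produce. */
export interface AcrPullAssignmentArgs {
  principalId: string;
  principalType: "ServicePrincipal";
  roleDefinitionId: string;
  scope: string;
}

/** Fields we need from one entry of `az role assignment list -o json`. */
export interface ExistingAssignment {
  principalId: string;
  roleDefinitionId: string;
  scope: string;
}

const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
// Exactly one registry resource ID; capture group 1 is the subscription GUID.
const REGISTRY_ID_RE =
  /^\/subscriptions\/([0-9a-f-]{36})\/resourceGroups\/[^/]+\/providers\/Microsoft\.ContainerRegistry\/registries\/[^/]+$/i;

/** Full ARM ID of the AcrPull role definition in the given subscription. */
export function acrPullRoleDefinitionId(subscriptionId: string): string {
  if (!GUID_RE.test(subscriptionId)) {
    throw new Error(`subscriptionId is not a GUID: ${subscriptionId}`);
  }
  // Leading slash: role definition IDs are full resource IDs.
  return `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/${ACR_PULL_ROLE_GUID}`;
}

/**
 * Build the RoleAssignment arguments for the kubelet identity. Refuses any
 * scope that is not a single registry, so AcrPull is never granted at
 * resource-group or subscription scope by accident.
 */
export function buildAcrPullAssignment(kubeletObjectId: string, registryId: string): AcrPullAssignmentArgs {
  const m = REGISTRY_ID_RE.exec(registryId);
  if (!m) {
    throw new Error(`scope must be a single ACR resource ID, got: ${registryId}`);
  }
  if (!GUID_RE.test(kubeletObjectId)) {
    throw new Error(`kubelet objectId is not a GUID: ${kubeletObjectId}`);
  }
  const subscriptionId = m[1]!;
  return {
    principalId: kubeletObjectId,
    // Declared explicitly: a freshly created identity may not be visible to
    // directory lookup yet, and naming the type avoids a PrincipalNotFound error.
    principalType: "ServicePrincipal",
    roleDefinitionId: acrPullRoleDefinitionId(subscriptionId),
    scope: registryId,
  };
}

export type AcrPullStatus = "exact" | "inherited" | "missing";

/**
 * Audit existing assignments for the kubelet identity: "exact" if AcrPull is
 * granted on the registry itself, "inherited" if it comes from a broader
 * scope (pulls work, but the grant is wider than needed), "missing" otherwise.
 * Resource IDs and GUIDs compare case-insensitively, as ARM treats them.
 */
export function acrPullStatus(existing: ExistingAssignment[], kubeletObjectId: string, registryId: string): AcrPullStatus {
  const target = registryId.toLowerCase();
  const relevant = existing.filter(a =>
    a.principalId.toLowerCase() === kubeletObjectId.toLowerCase() &&
    a.roleDefinitionId.toLowerCase().endsWith(`/roledefinitions/${ACR_PULL_ROLE_GUID}`));
  if (relevant.some(a => a.scope.toLowerCase() === target)) return "exact";
  if (relevant.some(a => target.startsWith(a.scope.toLowerCase() + "/"))) return "inherited";
  return "missing";
}

// Constructed sample data (assumed IDs, not real resources).
const sampleSub = "11111111-2222-3333-4444-555555555555";
const sampleKubelet = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee";
const sampleRegistry = `/subscriptions/${sampleSub}/resourceGroups/rg-aks/providers/Microsoft.ContainerRegistry/registries/mainacr`;
const sampleArgs = buildAcrPullAssignment(sampleKubelet, sampleRegistry);
console.log(sampleArgs);
console.log(acrPullStatus([{ principalId: sampleKubelet, roleDefinitionId: sampleArgs.roleDefinitionId, scope: sampleRegistry }], sampleKubelet, sampleRegistry));
```

In a Pulumi program the returned object is spread into `new azure_native.authorization.RoleAssignment("acr-pull", { ...args })` inside an `apply` over the kubelet objectId and the registry ID. To audit a live cluster, `az aks show -g <rg> -n <cluster> --query identityProfile.kubeletidentity.objectId -o tsv` gives the objectId, `az role assignment list --scope <registry id> --assignee <objectId> --include-inherited -o json` produces the list to pass to `acrPullStatus`, and `az aks check-acr -g <rg> -n <cluster> --acr <name>.azurecr.io` runs an end-to-end pull check from a node.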