在 Pulumi Azure Native 中创建 AKS 集群时如何使用现有的 Container Registry
How to use existing Container Registry when creating AKS cluster in Pulumi Azure Native
我创建了 Azure 容器注册表 (ACR),现在需要创建托管集群 (AKS)。当我们使用 Azure Portal 或 Azure CLI 时,我们可以集成现有的 ACR。在 Pulumi Azure Native 中,ManagedClusterArgs 没有任何 属性 接受现有的 ACR。
创建托管集群时如何附加已创建的 ACR?
或者将 AcrPull 角色分配给自动创建的用户分配的托管身份 (<clsuter-name>-agentpool) 会达到同样的目的吗?
是的,您需要将 AcrPull 角色分配给集群的托管标识 (VMSS)。
(确保Pulumi CLI使用的Service Principal有User Access Administrator角色,否则Pulumi无法创建角色分配)
这是在 TypeScript 中使用系统分配的托管标识的示例:
const cluster = new containerservice.ManagedCluster("managedCluster", {
// ...
identity: {
type: "SystemAssigned",
},
});
const creds = containerservice.listManagedClusterUserCredentialsOutput({
resourceGroupName: resourceGroup.name,
resourceName: cluster.name,
});
const principalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);
// const registry = ...
// const subscriptionId = ...
const roleDefinitionId = `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d`;
const assignment = new azure_native.authorization.RoleAssignment("acr-pull", {
properties: {
principalId: principalId,
roleDefinitionId: roleDefinitionId,
},
scope: registry.id,
});
C#:
// var mainAcr = new AzureNative.ContainerRegistry.Registry("MainContainerRegistry", new AzureNative.ContainerRegistry.RegistryArgs { // ... });
// var aksAppCluster = new ManagedCluster("AksAppplicationCluster", new ManagedClusterArgs { // ... });
var vmssManagedIdentityPrincipalId = aksAppCluster.IdentityProfile.Apply(identityProfile =>
{
var vmssManagedIdentityProfile = identityProfile!["kubeletidentity"];
return vmssManagedIdentityProfile.ObjectId;
});
var acrPullRoleDefinitionId = RoleUtil.GetAcrPullRoleDefinitionId();
// I created RoleUtil and GetAcrPullRoleDefinitionId() will return: "subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"
var roleAssignment = new AzureNative.Authorization.RoleAssignment(AcrPullRoleAssignment, new AzureNative.Authorization.RoleAssignmentArgs
{
PrincipalId = vmssManagedIdentityPrincipalId!,
PrincipalType = AzureNative.Authorization.PrincipalType.ServicePrincipal,
RoleDefinitionId = acrPullRoleDefinitionId,
Scope = mainAcr.Id,
});
对于内置角色 ID:https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
我创建了 Azure 容器注册表 (ACR),现在需要创建托管集群 (AKS)。当我们使用 Azure Portal 或 Azure CLI 时,我们可以集成现有的 ACR。在 Pulumi Azure Native 中,ManagedClusterArgs 没有任何 属性 接受现有的 ACR。
创建托管集群时如何附加已创建的 ACR?
或者将 AcrPull 角色分配给自动创建的用户分配的托管身份 (<clsuter-name>-agentpool) 会达到同样的目的吗?
是的,您需要将 AcrPull 角色分配给集群的托管标识 (VMSS)。
(确保Pulumi CLI使用的Service Principal有User Access Administrator角色,否则Pulumi无法创建角色分配)
这是在 TypeScript 中使用系统分配的托管标识的示例:
const cluster = new containerservice.ManagedCluster("managedCluster", {
// ...
identity: {
type: "SystemAssigned",
},
});
const creds = containerservice.listManagedClusterUserCredentialsOutput({
resourceGroupName: resourceGroup.name,
resourceName: cluster.name,
});
const principalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);
// const registry = ...
// const subscriptionId = ...
const roleDefinitionId = `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d`;
const assignment = new azure_native.authorization.RoleAssignment("acr-pull", {
properties: {
principalId: principalId,
roleDefinitionId: roleDefinitionId,
},
scope: registry.id,
});
C#:
// var mainAcr = new AzureNative.ContainerRegistry.Registry("MainContainerRegistry", new AzureNative.ContainerRegistry.RegistryArgs { // ... });
// var aksAppCluster = new ManagedCluster("AksAppplicationCluster", new ManagedClusterArgs { // ... });
var vmssManagedIdentityPrincipalId = aksAppCluster.IdentityProfile.Apply(identityProfile =>
{
var vmssManagedIdentityProfile = identityProfile!["kubeletidentity"];
return vmssManagedIdentityProfile.ObjectId;
});
var acrPullRoleDefinitionId = RoleUtil.GetAcrPullRoleDefinitionId();
// I created RoleUtil and GetAcrPullRoleDefinitionId() will return: "subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"
var roleAssignment = new AzureNative.Authorization.RoleAssignment(AcrPullRoleAssignment, new AzureNative.Authorization.RoleAssignmentArgs
{
PrincipalId = vmssManagedIdentityPrincipalId!,
PrincipalType = AzureNative.Authorization.PrincipalType.ServicePrincipal,
RoleDefinitionId = acrPullRoleDefinitionId,
Scope = mainAcr.Id,
});
对于内置角色 ID:https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles