I want to assign UAMI to kubelet, but it fails due to lack of permissions
I'm trying to assign a UAMI to the AKS kubelet using terraform, but I don't have the permission and it fails with the following error.

```text
Error: creating Managed Kubernetes Cluster "ClusterName" (Resource Group "ResourceGroupName"): containerservice.ManagedClustersClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="CustomKubeletIdentityMissingPermissionError" Message="cluster user assigned identity must be given permission to assign kubelet identity /subscriptions/***/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UAMI. Check access result not allowed for action Microsoft.ManagedIdentity/userAssignedIdentities/assign/action.
```

I want to grant the permission, but the error message does not mention a scope, so I don't know where to assign the permission.

Also, I'm using the same UAMI that is currently assigned to the control plane; is there any problem with that?

Thank you for your cooperation.
You need to provide the role `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`. As it is not present directly in any built-in role definition in Azure, you will have to create a custom role and then assign it to the UAMI to set the kubelet identity.

I tried the same after getting the error like below:

Terraform code:
```hcl
provider "azurerm" {
  features {}
}

provider "random" {}

data "azurerm_subscription" "primary" {
}

data "azurerm_client_config" "example" {
}

data "azurerm_resource_group" "rg" {
  name = "ansumantest"
}

# Identity used by the AKS control plane
resource "azurerm_user_assigned_identity" "UAMI" {
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  name                = "AKS-MI"
}

resource "random_uuid" "customrole" {}
resource "random_uuid" "roleassignment" {}

# Custom role carrying only the assign/action permission
resource "azurerm_role_definition" "example" {
  role_definition_id = random_uuid.customrole.result
  name               = "CustomKubeletIdentityPermission"
  scope              = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]
}

# Grant the custom role to the control-plane identity at subscription scope
resource "azurerm_role_assignment" "example" {
  name               = random_uuid.roleassignment.result
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.UAMI.principal_id
}

# Separate identity for the kubelet
resource "azurerm_user_assigned_identity" "kubletIdentity" {
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  name                = "Kublet-MI"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "ansumantestaks"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "ansumantestaks-dns"

  default_node_pool {
    name                = "system"
    node_count          = 1
    vm_size             = "Standard_B2ms"
    type                = "VirtualMachineScaleSets"
    availability_zones  = [1, 2, 3]
    enable_auto_scaling = false
  }

  identity {
    type                      = "UserAssigned"
    user_assigned_identity_id = azurerm_user_assigned_identity.UAMI.id
  }

  kubelet_identity {
    client_id                 = azurerm_user_assigned_identity.kubletIdentity.client_id
    object_id                 = azurerm_user_assigned_identity.kubletIdentity.principal_id
    user_assigned_identity_id = azurerm_user_assigned_identity.kubletIdentity.id
  }

  # The role assignment must exist before the cluster is created
  depends_on = [
    azurerm_role_assignment.example
  ]
}
```
Output:

I was able to achieve the same with a built-in role.
```hcl
data "azurerm_resource_group" "main" {
  name = var.resource_group_name
}

resource "azurerm_user_assigned_identity" "this" {
  location            = data.azurerm_resource_group.main.location
  resource_group_name = data.azurerm_resource_group.main.name
  name                = "${var.cluster_name}-msi"
}

# Built-in role that contains userAssignedIdentities/assign/action
resource "azurerm_role_assignment" "this" {
  scope                = data.azurerm_resource_group.main.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = azurerm_user_assigned_identity.this.principal_id
}

resource "azurerm_kubernetes_cluster" "this" {
  # Reference the role assignment declared above (the original referred to an
  # undeclared "msi_operator" resource)
  depends_on = [
    azurerm_role_assignment.this,
  ]

  name                    = var.cluster_name
  kubernetes_version      = var.kubernetes_version
  location                = data.azurerm_resource_group.main.location
  resource_group_name     = data.azurerm_resource_group.main.name
  dns_prefix              = var.prefix
  sku_tier                = var.sku_tier
  private_cluster_enabled = var.private_cluster_enabled

  kubelet_identity {
    user_assigned_identity_id = azurerm_user_assigned_identity.this.id
    client_id                 = azurerm_user_assigned_identity.this.client_id
    object_id                 = azurerm_user_assigned_identity.this.principal_id
  }
  ...
}
```
It is wrong to say this: "...we need to create a custom role with `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, because it does not appear directly in any built-in role definition in Azure."

- It exists in the built-in role "Managed Identity Operator". (See the screenshot from Azure below.)
- Most people find it hard to find the right scope, so start with the subscription scope; it will get the job done. (e.g. `var.subscription_id`)
- Honestly, the scope should be set to the ID of the managed identity itself.

So, when you have already created the managed identity, the Terraform code should just assign the following role.
```hcl
resource "azurerm_role_assignment" "kubelet_identity" {
  scope                = azurerm_user_assigned_identity.module.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = azurerm_user_assigned_identity.module.principal_id
}
```
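To make the two points in the last answers concrete (the built-in "Managed Identity Operator" role already carries `assign/action`, and the assignment scope can be the subscription, the resource group, or the kubelet identity itself), here is a small offline model of how Azure RBAC evaluates such a check. This is an added example and not code from the question or any answer: the role definitions are simplified (only the `Microsoft.ManagedIdentity` actions of "Managed Identity Operator" are listed, and a `Reader` role stands in for a role that does not grant the action), every subscription and principal id is constructed, and the rule that a `/*/` segment may match nothing is an assumption chosen so that the built-in pattern covers the action AKS names in the error.

```python
"""Offline model of the Azure RBAC check behind CustomKubeletIdentityMissingPermissionError.

Added example, not from the page. Role definitions are simplified and all
ids below are constructed placeholders.
"""
import re

ASSIGN_ACTION = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"

# Constructed resource ids (not real subscriptions or identities).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/ResourceGroupName"
OTHER_RG = f"{SUB}/resourceGroups/OtherGroup"
KUBELET_MI = f"{RG}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Kublet-MI"
CONTROL_PLANE_PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # principalId of the cluster identity

# Simplified role definitions. The two ManagedIdentity entries under
# 'Managed Identity Operator' are the ones the real built-in role carries;
# 'CustomKubeletIdentityPermission' mirrors the custom role in the first answer.
ROLE_DEFS = {
    "Managed Identity Operator": {
        "actions": [
            "Microsoft.ManagedIdentity/userAssignedIdentities/*/read",
            "Microsoft.ManagedIdentity/userAssignedIdentities/*/assign/action",
        ],
        "notActions": [],
    },
    "CustomKubeletIdentityPermission": {"actions": [ASSIGN_ACTION], "notActions": []},
    "Reader": {"actions": ["*/read"], "notActions": []},
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure-style wildcard match: '*' spans any characters, '/' included.
    Assumption made here: a '/*/' segment may also match nothing, so the
    built-in pattern '.../userAssignedIdentities/*/assign/action' covers
    '.../userAssignedIdentities/assign/action', the action AKS checks for."""
    regex = re.escape(pattern).replace(r"/\*/", "/(?:.*/)?").replace(r"\*", ".*")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_allows(role_name: str, action: str) -> bool:
    """A role grants an action when some Actions entry matches and no NotActions entry does."""
    role = ROLE_DEFS[role_name]
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role["notActions"])
    return allowed and not denied


def scope_covers(assignment_scope: str, resource_id: str) -> bool:
    """Assignments inherit downwards: a subscription-scope assignment covers every
    resource group and resource in it; a resource-scope assignment covers only itself."""
    parent = assignment_scope.rstrip("/").lower()
    child = resource_id.lower()
    return child == parent or child.startswith(parent + "/")


def granting_assignments(assignments, principal_id, action, resource_id):
    """Names of the assignments that let principal_id perform action on resource_id."""
    return [
        a["name"]
        for a in assignments
        if a["principalId"] == principal_id
        and scope_covers(a["scope"], resource_id)
        and role_allows(a["roleDefinitionName"], action)
    ]


# Constructed assignments, one per approach discussed in the answers.
SAMPLE_ASSIGNMENTS = [
    {"name": "custom-role-at-subscription", "principalId": CONTROL_PLANE_PRINCIPAL,
     "roleDefinitionName": "CustomKubeletIdentityPermission", "scope": SUB},
    {"name": "mi-operator-on-kubelet-identity", "principalId": CONTROL_PLANE_PRINCIPAL,
     "roleDefinitionName": "Managed Identity Operator", "scope": KUBELET_MI},
    {"name": "mi-operator-on-other-rg", "principalId": CONTROL_PLANE_PRINCIPAL,
     "roleDefinitionName": "Managed Identity Operator", "scope": OTHER_RG},
    {"name": "reader-at-subscription", "principalId": CONTROL_PLANE_PRINCIPAL,
     "roleDefinitionName": "Reader", "scope": SUB},
]


def evaluate(assignments=SAMPLE_ASSIGNMENTS):
    """Which sample assignments would satisfy the AKS check on the kubelet identity."""
    return granting_assignments(assignments, CONTROL_PLANE_PRINCIPAL, ASSIGN_ACTION, KUBELET_MI)


if __name__ == "__main__":
    for name in evaluate():
        print("grants assign/action on the kubelet identity:", name)
```

Running it lists only the subscription-scoped custom role and the "Managed Identity Operator" assignment scoped to the kubelet identity; the same built-in role scoped to a different resource group does nothing for this check, which is why the error is about scope as much as about the role name. Scoping the assignment to the kubelet identity's own resource id is the least-privilege option of the three.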