Azure AKS AGIC 身份刷新凭证

Azure aks agic identity refresh credentials

我正在使用带有 bicep 的 agic(应用程序网关入口控制器)部署 aks 集群

在aks.bicep我声明这个

// AKS cluster with the AGIC (Application Gateway Ingress Controller) add-on
// enabled against an existing Application Gateway.
resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-03-01' = {
  name: 'aks-core-${env}'
  location: resourceGroup().location
  // System-assigned control-plane identity: its principal only exists once the
  // cluster has been created, so no role assignment for it can be sequenced
  // ahead of cluster creation (the answer's user-assigned variant avoids this).
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    ...
    addonProfiles: {
      ...
      // The add-on receives its own managed identity (read back below as
      // aksCluster.properties.addonProfiles.ingressApplicationGateway.identity),
      // which is distinct from the cluster identity declared above.
      ingressApplicationGateway: {
        enabled: true
        config: {
          applicationGatewayId: applicationGatewayId
          // NOTE(review): effectiveApplicationGatewayId looks like a read-only
          // output of the add-on rather than an input — confirm it is needed here.
          effectiveApplicationGatewayId: applicationGatewayId
        }
      }
      
    }
  }
}

但由于某些原因,AKS 创建的身份似乎需要在为节点池创建的资源组中拥有角色(因为出现了“需要贡献者角色”的错误),所以我添加了这个:

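// Built-in Contributor role, resolved at subscription scope. A role definition's
// name is its GUID, not its display name; this is the same Contributor GUID the
// answer passes to subscriptionResourceId() further down the page.
resource contributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2020-08-01-preview' existing = {
  scope: subscription()
  name: 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor
}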

// Role assignment for the identity AKS creates for the AGIC add-on. The name is
// a deterministic guid() of fixed inputs, so redeploying updates the same
// assignment instead of creating a duplicate.
resource aksfix 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(resourceGroup().id,'aksfix','Contributor')
  // Scope is the deployment's resource group. Contributor over an entire
  // resource group is broader than the add-on needs; consider scoping the
  // assignment to the Application Gateway resource itself.
  // NOTE(review): the question mentions the node-pool resource group — confirm
  // which resource group the "Contributor role required" error refers to.
  scope: resourceGroup()
  properties: {
    description: 'fixes aks cross resource group principal permissions for agic'
    // objectId of the add-on's own identity (not the cluster identity); it can
    // only be resolved after the cluster exists, so this deploys after the cluster.
    principalId: aksCluster.properties.addonProfiles.ingressApplicationGateway.identity.objectId
    // Managed identities are service principals; stating the type explicitly
    // lets ARM create the assignment for a just-created principal without
    // waiting for directory replication.
    principalType: 'ServicePrincipal'
    roleDefinitionId: contributorRoleDefinition.id
  }
}

需要说明的是,这样做有效,但并非总是如此。即使主体(principal)已经拥有适当的权限,同样的错误仍会持续出现 30 分钟到 1-2 小时,然后才神奇地开始正常工作!

我在尝试使用内部负载均衡器(它要求 kubelet 主体拥有网络贡献者角色)时遇到了类似的错误,而且行为相同:角色变更需要很长时间才能生效。现在有趣的是,AGIC pod 上出现了“如果您的权限已更改,请尝试刷新您的凭据”的消息。是否有办法强制集群刷新其凭据(而无需创建新的服务主体)?

您应该将贡献者角色分配给 AKS managed cluster identity,作用域为应用程序网关资源所在的资源组;也就是说,ingress application gateway identity 需要在该资源组上拥有该角色。

所以更好的解决方案是使用 user-assigned identity,为其授予贡献者角色,并将其用作 AKS 的身份,如下所示:

// User-assigned identity for the AKS control plane. Unlike a system-assigned
// identity it exists before the cluster does, so the role assignment that
// follows can be created — and depended on — before the cluster is deployed.
resource aksClusterUserDefinedManagedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: 'aksClusterUserDefinedManagedIdentityName'
  location: resourceGroup().location
}
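// Contributor on the deployment's resource group for the cluster's user-assigned
// identity.
// NOTE(review): this grants the role to the cluster's control-plane identity,
// not to the identity AKS creates for the AGIC add-on (the principal the
// question's aksfix block targets) — confirm which principal the error is about.
// Contributor over the whole resource group is broad; if only the Application
// Gateway must be managed, scope the assignment to that resource instead.
resource akscontributorroleassignement 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = {
  // guid() accepts several arguments and hashes them together, so the ARM-style
  // concat() wrapper is unnecessary (and flagged by the Bicep linter). Note this
  // yields a different GUID than guid(concat(...)); on an already-deployed
  // template it would create a new assignment rather than update the old one.
  // aksclustername is assumed to be a param declared elsewhere in the file.
  name: guid(resourceGroup().id, aksClusterUserDefinedManagedIdentity.name, aksclustername)
  scope: resourceGroup()
  properties: {
    description: 'Contributor role to the AKS identity to access the AGIC reosurce'
    // principalId (object ID) of the user-assigned identity; it is known as soon
    // as the identity resource exists, so no dependency on the cluster is needed.
    principalId: aksClusterUserDefinedManagedIdentity.properties.principalId
    // Managed identities are service principals; stating the type explicitly
    // lets ARM create the assignment for a just-created principal without
    // waiting for directory replication.
    principalType: 'ServicePrincipal'
    // Built-in Contributor role referenced by its GUID at subscription scope.
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
  }
}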
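// AKS cluster using the user-assigned identity above, with the AGIC add-on
// enabled against an existing Application Gateway.
resource aksCluster 'Microsoft.ContainerService/managedClusters@2021-03-01' = {
  name: 'aks-core-${env}'
  // Bicep infers a dependency on the identity resource (referenced below) but
  // not on the role assignment, so that one is listed explicitly to ensure the
  // role exists before the cluster starts using the identity. dependsOn takes
  // an array, not a bare symbolic name.
  dependsOn: [
    akscontributorroleassignement
  ]
  location: resourceGroup().location
  identity: {
    type: 'UserAssigned'
    // userAssignedIdentities is a map keyed by the identity's resource ID with an
    // empty object as the value, so the ID has to be interpolated into the key.
    userAssignedIdentities: {
      '${aksClusterUserDefinedManagedIdentity.id}': {}
    }
  }
  properties: {
    ...
    addonProfiles: {
      ...
      // The add-on receives its own managed identity, distinct from the
      // user-assigned cluster identity declared above.
      ingressApplicationGateway: {
        enabled: true
        config: {
          applicationGatewayId: applicationGatewayId
          // NOTE(review): effectiveApplicationGatewayId looks like a read-only
          // output of the add-on rather than an input — confirm it is needed here.
          effectiveApplicationGatewayId: applicationGatewayId
        }
      }
    }
  }
}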


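// Built-in Contributor role, resolved at subscription scope. A role definition's
// name is its GUID, not its display name; this is the same Contributor GUID used
// by subscriptionResourceId() in the role assignment above.
resource contributorRoleDefinition 'Microsoft.Authorization/roleDefinitions@2020-08-01-preview' existing = {
  scope: subscription()
  name: 'b24988ac-6180-42a0-ab88-20f7382dd24c' // Contributor
}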

// Role assignment for the identity AKS creates for the AGIC add-on, kept from
// the question. Its name is a deterministic guid() of fixed inputs, so
// redeploying updates the same assignment instead of creating a duplicate.
resource aksfix 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(resourceGroup().id,'aksfix','Contributor')
  // Scope is the deployment's resource group. Contributor over an entire
  // resource group is broader than the add-on needs; consider scoping the
  // assignment to the Application Gateway resource itself.
  scope: resourceGroup()
  properties: {
    description: 'fixes aks cross resource group principal permissions for agic'
    // objectId of the add-on's own identity, not the user-assigned cluster
    // identity; it can only be resolved after the cluster exists, so this
    // resource deploys after the cluster.
    principalId: aksCluster.properties.addonProfiles.ingressApplicationGateway.identity.objectId
    // Managed identities are service principals; stating the type explicitly
    // lets ARM create the assignment for a just-created principal without
    // waiting for directory replication.
    principalType: 'ServicePrincipal'
    roleDefinitionId: contributorRoleDefinition.id
  }
}