Create Azure role assignments
This page describes how to grant GKE on Azure the permissions it needs to access Azure APIs. You perform these steps when you set up a new GKE on Azure cluster or update the permissions of an existing one. GKE on Azure needs these permissions to manage Azure resources on your behalf, such as virtual machines, network components, and storage.
Get the service principal and subscription ID
To grant permissions to GKE on Azure, you need the Azure service principal and the subscription ID. Both are associated with the Azure AD application you created for GKE on Azure. For more information, see Create an Azure Active Directory application.
A service principal is an identity in Azure Active Directory (AD) that authenticates to Azure and accesses its resources. An Azure subscription is a logical container that gives you authorized access to Azure products and services. The subscription ID is the unique identifier associated with your Azure subscription.
To keep the service principal and subscription ID at hand, store them in shell variables. To create these shell variables, run the following commands:
```shell
# Look up the Azure AD application by display name and keep its app ID
APPLICATION_ID=$(az ad app list --all \
  --query "[?displayName=='APPLICATION_NAME'].appId" \
  --output tsv)
# Resolve the service principal that belongs to that application
SERVICE_PRINCIPAL_ID=$(az ad sp list --all --output tsv \
  --query "[?appId=='$APPLICATION_ID'].id")
# ID of the subscription that the current az login context points at
SUBSCRIPTION_ID=$(az account show --query "id" --output tsv)
```
Replace APPLICATION_NAME with the name of your Azure AD application.
Create three custom roles
To grant GKE on Azure permission to manage Azure resources, you create three custom roles and assign them to the service principal. The following instructions add only the minimum permissions required. You can add more permissions as needed.
You need to create custom roles for the following types of access:
- Subscription-level access: permissions that apply to the whole Azure subscription and allow management of all Azure resources in that subscription.
- Cluster resource group-level access: specific permissions for managing Azure resources inside the resource group that contains the GKE on Azure cluster.
- Virtual network resource group-level access: specific permissions for managing Azure resources inside the resource group that contains the Azure virtual network.
Create a role for subscription-level access
Create a file named GKEOnAzureAPISubscriptionScopedRole.json. Open GKEOnAzureAPISubscriptionScopedRole.json in an editor and add the following permissions:
```json
{
  "Name": "GKE on-Azure API Subscription Scoped Role",
  "IsCustom": true,
  "Description": "Allow GKE on-Azure service manage resources in subscription scope.",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Authorization/roleDefinitions/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}
```
Replace ${SUBSCRIPTION_ID} with your subscription ID. The Azure CLI reads the file as-is and does not expand shell variables inside it.
Create the new custom role:
```shell
az role definition create --role-definition "GKEOnAzureAPISubscriptionScopedRole.json"
```
Assign the role to the service principal with the following command:
```shell
az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} \
  --role "GKE on-Azure API Subscription Scoped Role" \
  --scope /subscriptions/${SUBSCRIPTION_ID}
```
Create a role for cluster resource group-level access
Create a file named GKEOnAzureClusterResourceGroupScopedRole.json. Open GKEOnAzureClusterResourceGroupScopedRole.json in an editor and add the following permissions:
```json
{
  "Name": "GKE on-Azure API Cluster Resource Group Scoped Role",
  "IsCustom": true,
  "Description": "Allow GKE on-Azure service manage resources in cluster resource group scope.",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourcegroups/read",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete",
    "Microsoft.ManagedIdentity/userAssignedIdentities/write",
    "Microsoft.ManagedIdentity/userAssignedIdentities/read",
    "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
    "Microsoft.Network/applicationSecurityGroups/write",
    "Microsoft.Network/applicationSecurityGroups/read",
    "Microsoft.Network/applicationSecurityGroups/delete",
    "Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action",
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleAssignments/read",
    "Microsoft.Authorization/roleAssignments/delete",
    "Microsoft.Network/loadBalancers/write",
    "Microsoft.Network/loadBalancers/read",
    "Microsoft.Network/loadBalancers/delete",
    "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/read",
    "Microsoft.Network/networkSecurityGroups/delete",
    "Microsoft.Network/networkSecurityGroups/join/action",
    "Microsoft.KeyVault/vaults/write",
    "Microsoft.KeyVault/vaults/read",
    "Microsoft.KeyVault/vaults/delete",
    "Microsoft.Compute/disks/read",
    "Microsoft.Compute/disks/write",
    "Microsoft.Compute/disks/delete",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/networkInterfaces/write",
    "Microsoft.Network/networkInterfaces/delete",
    "Microsoft.Network/networkInterfaces/join/action",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Compute/virtualMachineScaleSets/write",
    "Microsoft.Compute/virtualMachineScaleSets/read",
    "Microsoft.Compute/virtualMachineScaleSets/delete",
    "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
    "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action",
    "Microsoft.Insights/Metrics/Read"
  ],
  "NotActions": [],
  "DataActions": [
    "Microsoft.KeyVault/vaults/keys/create/action",
    "Microsoft.KeyVault/vaults/keys/delete",
    "Microsoft.KeyVault/vaults/keys/read",
    "Microsoft.KeyVault/vaults/keys/encrypt/action"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}
```
Replace ${SUBSCRIPTION_ID} with your subscription ID. The Azure CLI reads the file as-is and does not expand shell variables inside it.
Create the new custom role:
```shell
az role definition create --role-definition "GKEOnAzureClusterResourceGroupScopedRole.json"
```
Assign the role to the service principal with the following command:
```shell
az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} \
  --role "GKE on-Azure API Cluster Resource Group Scoped Role" \
  --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}
```
Replace CLUSTER_RESOURCE_GROUP_ID with the name of the resource group that contains the GKE on Azure cluster.
Create a role for virtual network resource group-level access
Create a file named GKEOnAzureAPIVNetResourceGroupScopedRole.json. Open GKEOnAzureAPIVNetResourceGroupScopedRole.json in an editor and add the following permissions:
```json
{
  "Name": "GKE on-Azure API VNet Resource Group Scoped Role",
  "IsCustom": true,
  "Description": "Allow GKE on-Azure service manage resources in virtual network resource group scope.",
  "Actions": [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
    "Microsoft.Authorization/roleDefinitions/write",
    "Microsoft.Authorization/roleDefinitions/delete"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}
```
Replace ${SUBSCRIPTION_ID} with your subscription ID. The Azure CLI reads the file as-is and does not expand shell variables inside it.
Create the new custom role:
```shell
az role definition create --role-definition "GKEOnAzureAPIVNetResourceGroupScopedRole.json"
```
Assign the role to the service principal with the following command. The role name must be the VNet role defined above, not the subscription-scoped role, so that the service principal gets only the virtual network permissions at this scope:
```shell
az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} \
  --role "GKE on-Azure API VNet Resource Group Scoped Role" \
  --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_ID"
```
Replace VNET_RESOURCE_GROUP_ID with the name of the resource group that contains the Azure virtual network.
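The three role files above differ only in name, description and action list, and each must carry the real subscription ID before az reads it. As an added example (not from the Google Cloud docs or the GKE on Azure project), the following script renders such a file with the subscription ID filled in and lints it for least privilege before it is handed to az role definition create; it assumes POSIX sh with grep and mktemp, makes no az calls, and uses a constructed subscription ID.

```shell
#!/bin/sh
# Added example, not from the GKE on Azure docs: render a custom role definition
# with the subscription ID filled in, then lint it for least privilege before
# passing the file to `az role definition create`. Assumes POSIX sh with
# grep and mktemp; the subscription ID below is a constructed placeholder.

# Turn a whitespace-separated list into a JSON array body: a b -> "a", "b"
json_list() {
  out=""
  for item in $1; do out="${out:+$out, }\"$item\""; done
  printf '%s' "$out"
}

# Render a role definition to stdout.
# $1 role name, $2 description, $3 subscription ID,
# $4 Actions (whitespace-separated), $5 DataActions (whitespace-separated)
render_role_definition() {
  printf '{ "Name": "%s", "IsCustom": true, "Description": "%s", "Actions": [ %s ], "NotActions": [], "DataActions": [ %s ], "NotDataActions": [], "AssignableScopes": ["/subscriptions/%s"] }\n' \
    "$1" "$2" "$(json_list "$4")" "$(json_list "$5")" "$3"
}

# Lint a rendered file: reject unexpanded shell placeholders (the CLI reads the
# file verbatim), wildcard actions, and an AssignableScopes that is not exactly
# the expected subscription. Returns 0 only when all checks pass.
check_role_definition() {
  file=$1; sub=$2
  if grep -q '\$' "$file"; then echo "unexpanded placeholder in $file"; return 1; fi
  if grep -q '"[^"]*\*[^"]*"' "$file"; then echo "wildcard action in $file"; return 1; fi
  if ! grep -q "\"AssignableScopes\": \[\"/subscriptions/$sub\"\]" "$file"; then
    echo "AssignableScopes is not /subscriptions/$sub"; return 1
  fi
  return 0
}

# Example: the VNet resource group role from this page, rendered and checked.
SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000   # constructed placeholder
VNET_ACTIONS="Microsoft.Network/virtualNetworks/read
Microsoft.Network/virtualNetworks/subnets/read
Microsoft.Network/virtualNetworks/subnets/join/action
Microsoft.Authorization/roleDefinitions/write
Microsoft.Authorization/roleDefinitions/delete"
ROLE_FILE=$(mktemp)
render_role_definition "GKE on-Azure API VNet Resource Group Scoped Role" \
  "Allow GKE on-Azure service manage resources in virtual network resource group scope." \
  "$SUBSCRIPTION_ID" "$VNET_ACTIONS" "" > "$ROLE_FILE"
check_role_definition "$ROLE_FILE" "$SUBSCRIPTION_ID" && echo "ok: $ROLE_FILE"
```

A file that passes the check can be passed directly to az role definition create; one that fails is rejected before any role is created.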