Create Azure role assignments

This page explains how to grant GKE on Azure the permissions it needs to access Azure APIs. You perform these steps when you set up a new GKE on Azure cluster or when you update the permissions of an existing cluster. GKE on Azure needs these permissions to manage Azure resources on your behalf, such as virtual machines, network components, and storage.

Get the service principal and subscription IDs

To grant permissions to GKE on Azure, you need your Azure service principal ID and your subscription ID. The service principal and subscription are associated with the Azure AD application that you created for GKE on Azure. For details, see "Create an Azure Active Directory application".

A service principal is an identity in Azure Active Directory (AD) that is used to authenticate to Azure and access resources. An Azure subscription is a logical container that authorizes your access to Azure products and services. The subscription ID is the unique identifier associated with an Azure subscription.

To keep the service principal and subscription IDs at hand, you can store them in shell variables. To create those variables, run the following commands:

APPLICATION_ID=$(az ad app list --all \
    --query "[?displayName=='APPLICATION_NAME'].appId" \
    --output tsv)
SERVICE_PRINCIPAL_ID=$(az ad sp list --all  --output tsv \
      --query "[?appId=='$APPLICATION_ID'].id")
SUBSCRIPTION_ID=$(az account show --query "id" --output tsv)

Replace APPLICATION_NAME with the name of your Azure AD application.
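The lookups above return one line per match, so an application display name shared by two registrations, or a name with no match, silently produces a bad APPLICATION_ID. As an added example (not from this page), the functions below wrap the same `az` queries with checks that exactly one GUID came back; `require_single_id` and `is_guid` use only grep, while `resolve_ids` assumes an `az login` session and a hypothetical application name passed as its argument.

```shell
#!/usr/bin/env bash
# Added example (not from the page): resolve the three IDs and fail fast when a
# lookup returns no value or several.  Two apps sharing a display name would
# otherwise put two GUIDs into APPLICATION_ID and break every later command.
set -eu

# require_single_id LABEL VALUE: VALUE must be exactly one non-blank line.
require_single_id() {
  local label=$1 value=$2 n
  n=$(printf '%s\n' "$value" | grep -c '[^[:space:]]') || true
  if [ "$n" -ne 1 ]; then
    echo "error: expected exactly one $label, got $n" >&2
    return 1
  fi
}

# is_guid VALUE: succeeds when VALUE has the 8-4-4-4-12 hex form Azure uses.
is_guid() {
  printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# resolve_ids APPLICATION_NAME: sets APPLICATION_ID, SERVICE_PRINCIPAL_ID and
# SUBSCRIPTION_ID.  Needs a logged-in `az` session (assumed; not run here).
resolve_ids() {
  local app_name=$1
  APPLICATION_ID=$(az ad app list --all \
      --query "[?displayName=='$app_name'].appId" --output tsv)
  require_single_id "application named '$app_name'" "$APPLICATION_ID"
  is_guid "$APPLICATION_ID" || { echo "error: '$APPLICATION_ID' is not a GUID" >&2; return 1; }
  SERVICE_PRINCIPAL_ID=$(az ad sp list --all \
      --query "[?appId=='$APPLICATION_ID'].id" --output tsv)
  require_single_id "service principal for app $APPLICATION_ID" "$SERVICE_PRINCIPAL_ID"
  SUBSCRIPTION_ID=$(az account show --query id --output tsv)
  require_single_id "current subscription" "$SUBSCRIPTION_ID"
  export APPLICATION_ID SERVICE_PRINCIPAL_ID SUBSCRIPTION_ID
}
```

Source the file and call `resolve_ids APPLICATION_NAME`; the later `az role assignment create` commands then see validated variables instead of whatever the query happened to print.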

Create three custom roles

To grant GKE on Azure permission to manage Azure resources, you create three custom roles and assign them to the service principal. The following instructions add only the minimum permissions; you can add more if you need them.

You need to create a custom role for each of the following types of access:

  • Subscription-level access: permissions that apply to the whole Azure subscription, for managing all Azure resources in that subscription.
  • Cluster resource group-level access: permissions limited to managing Azure resources in the resource group that contains the GKE on Azure cluster.
  • Virtual network resource group-level access: permissions limited to managing Azure resources in the resource group that contains the Azure virtual network resources.

Create the role for subscription-level access

  1. Create a file named GKEOnAzureAPISubscriptionScopedRole.json.

  2. Open GKEOnAzureAPISubscriptionScopedRole.json in an editor and add the following permissions, replacing ${SUBSCRIPTION_ID} with your subscription ID (the shell does not expand variables inside a file):

    {
    "Name": "GKE on-Azure API Subscription Scoped Role",
    "IsCustom": true,
    "Description": "Allow GKE on-Azure service manage resources in subscription scope.",
    "Actions": [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleAssignments/write",
      "Microsoft.Authorization/roleAssignments/delete",
      "Microsoft.Authorization/roleDefinitions/read"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
    }
    
  3. Create the new custom role:

    az role definition create --role-definition "GKEOnAzureAPISubscriptionScopedRole.json"
    
  4. Assign the role to the service principal with the following command:

    az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role "GKE on-Azure API Subscription Scoped Role" --scope /subscriptions/${SUBSCRIPTION_ID}
    

Create the role for cluster resource group-level access

  1. Create a file named GKEOnAzureClusterResourceGroupScopedRole.json.

  2. Open GKEOnAzureClusterResourceGroupScopedRole.json in an editor and add the following permissions, replacing ${SUBSCRIPTION_ID} with your subscription ID (the shell does not expand variables inside a file):

    {
    "Name": "GKE on-Azure API Cluster Resource Group Scoped Role",
    "IsCustom": true,
    "Description": "Allow GKE on-Azure service manage resources in cluster resource group scope.",
    "Actions": [
        "Microsoft.Resources/subscriptions/resourcegroups/read",
        "Microsoft.Authorization/roleDefinitions/write",
        "Microsoft.Authorization/roleDefinitions/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/write",
        "Microsoft.ManagedIdentity/userAssignedIdentities/read",
        "Microsoft.ManagedIdentity/userAssignedIdentities/delete",
        "Microsoft.Network/applicationSecurityGroups/write",
        "Microsoft.Network/applicationSecurityGroups/read",
        "Microsoft.Network/applicationSecurityGroups/delete",
        "Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/read",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Network/loadBalancers/write",
        "Microsoft.Network/loadBalancers/read",
        "Microsoft.Network/loadBalancers/delete",
        "Microsoft.Network/loadBalancers/backendAddressPools/join/action",
        "Microsoft.Network/networkSecurityGroups/write",
        "Microsoft.Network/networkSecurityGroups/read",
        "Microsoft.Network/networkSecurityGroups/delete",
        "Microsoft.Network/networkSecurityGroups/join/action",
        "Microsoft.KeyVault/vaults/write",
        "Microsoft.KeyVault/vaults/read",
        "Microsoft.KeyVault/vaults/delete",
        "Microsoft.Compute/disks/read",
        "Microsoft.Compute/disks/write",
        "Microsoft.Compute/disks/delete",
        "Microsoft.Network/networkInterfaces/read",
        "Microsoft.Network/networkInterfaces/write",
        "Microsoft.Network/networkInterfaces/delete",
        "Microsoft.Network/networkInterfaces/join/action",
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/write",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachineScaleSets/write",
        "Microsoft.Compute/virtualMachineScaleSets/read",
        "Microsoft.Compute/virtualMachineScaleSets/delete",
        "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action",
        "Microsoft.Compute/virtualMachines/retrieveBootDiagnosticsData/action",
        "Microsoft.Insights/Metrics/Read"
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.KeyVault/vaults/keys/create/action",
        "Microsoft.KeyVault/vaults/keys/delete",
        "Microsoft.KeyVault/vaults/keys/read",
        "Microsoft.KeyVault/vaults/keys/encrypt/action"
    ],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
    }

  3. Create the new custom role:

    az role definition create --role-definition "GKEOnAzureClusterResourceGroupScopedRole.json"
    
  4. Assign the role to the service principal with the following command, where CLUSTER_RESOURCE_GROUP_ID holds the name of the resource group that contains the cluster:

    az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role "GKE on-Azure API Cluster Resource Group Scoped Role" --scope /subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP_ID}
    

Create the role for virtual network resource group-level access

  1. Create a file named GKEOnAzureAPIVNetResourceGroupScopedRole.json.

  2. Open GKEOnAzureAPIVNetResourceGroupScopedRole.json in an editor and add the following permissions, replacing ${SUBSCRIPTION_ID} with your subscription ID (the shell does not expand variables inside a file):

    {
    "Name": "GKE on-Azure API VNet Resource Group Scoped Role",
    "IsCustom": true,
    "Description": "Allow GKE on-Azure service manage resources in virtual network resource group scope.",
    "Actions": [
        "Microsoft.Network/virtualNetworks/read",
        "Microsoft.Network/virtualNetworks/subnets/read",
        "Microsoft.Network/virtualNetworks/subnets/join/action",
        "Microsoft.Authorization/roleDefinitions/write",
        "Microsoft.Authorization/roleDefinitions/delete"
    ],
    "NotActions": [],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
    }
    
  3. Create the new custom role:

    az role definition create --role-definition "GKEOnAzureAPIVNetResourceGroupScopedRole.json"
    
  4. Assign the role to the service principal with the following command, replacing VNET_RESOURCE_GROUP_ID with the name of the resource group that contains your virtual network:

    az role assignment create --assignee ${SERVICE_PRINCIPAL_ID} --role "GKE on-Azure API VNet Resource Group Scoped Role" --scope "/subscriptions/${SUBSCRIPTION_ID}/resourceGroups/VNET_RESOURCE_GROUP_ID"
    
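As an added example (not Google's or Azure's own tooling), the Python script below renders one of the three role files above with the real subscription ID, which the shell never substitutes inside a file, and lints the result for least privilege before you run `az role definition create`. It assumes the JSON layout shown on this page; the Microsoft.Authorization write actions are reported rather than rejected because these roles need them, even though they let the holder change RBAC at whatever scope the role is assigned to, which is why the assignment scopes above should stay as narrow as the page gives them.

```python
"""Render a custom role JSON file above with the real subscription ID and lint
it for least privilege first.  Added example; not Google's or Azure's tooling."""
import json
import sys
# Actions that let the holder change RBAC itself: reported, not rejected.
RBAC_ADMIN_ACTIONS = {
    "Microsoft.Authorization/roleAssignments/write",
    "Microsoft.Authorization/roleDefinitions/write",
}

# Constructed sample in the page's format (the VNet role, shortened).
SAMPLE_ROLE_TEXT = """{
  "Name": "GKE on-Azure API VNet Resource Group Scoped Role",
  "IsCustom": true,
  "Actions": ["Microsoft.Network/virtualNetworks/subnets/join/action",
              "Microsoft.Authorization/roleDefinitions/write"],
  "NotActions": [], "DataActions": [], "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/${SUBSCRIPTION_ID}"]
}"""

def render(text, subscription_id):
    """The shell never expands ${SUBSCRIPTION_ID} inside a file, so do it here."""
    return json.loads(text.replace("${SUBSCRIPTION_ID}", subscription_id))

def lint(role, subscription_id):
    """Least-privilege findings; an empty list means the role is safe to create."""
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true")
    for key in ("Actions", "DataActions"):
        findings += [f"wildcard in {key}: {a}" for a in role.get(key, []) if "*" in a]
    for key in ("NotActions", "NotDataActions"):
        if role.get(key):
            findings.append(f"{key} must be empty; list explicit actions instead")
    if role.get("AssignableScopes") != [f"/subscriptions/{subscription_id}"]:
        findings.append("AssignableScopes must be exactly the subscription scope")
    return findings

def rbac_admin_actions(role):
    return RBAC_ADMIN_ACTIONS & set(role.get("Actions", []))

if __name__ == "__main__":  # python lint_role.py ROLE.json "$SUBSCRIPTION_ID" > ROLE.rendered.json
    role = render(open(sys.argv[1]).read(), sys.argv[2])
    for problem in lint(role, sys.argv[2]):
        sys.exit(problem)  # first finding, non-zero exit
    print("rbac-admin actions:", sorted(rbac_admin_actions(role)), file=sys.stderr)
    print(json.dumps(role, indent=2))
```

Feed the rendered file to `az role definition create --role-definition ROLE.rendered.json`; a non-zero exit means the definition drifted from the least-privilege shape on this page.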

What's next