I created an Azure Container Registry (ACR) and now need to create a managed cluster (AKS). When using the Azure Portal or the Azure CLI we can integrate an existing ACR, but in Pulumi Azure Native, ManagedClusterArgs has no property that accepts an existing ACR.
How do I attach the already-created ACR when creating the managed cluster?
Or would assigning the AcrPull role to the automatically created user-assigned managed identity (<cluster-name>-agentpool) achieve the same effect?
Best answer
Yes, you need to assign the AcrPull role to the cluster's managed identity (VMSS).
(Make sure the service principal used by the Pulumi CLI has the User Access Administrator role, otherwise Pulumi will not be able to create the role assignment.)
Here is an example in TypeScript using a system-assigned managed identity:
import * as azure_native from "@pulumi/azure-native";
import * as containerservice from "@pulumi/azure-native/containerservice";

// const resourceGroup = ...
// const registry = ...
// const subscriptionId = ...

const cluster = new containerservice.ManagedCluster("managedCluster", {
    // ...
    identity: {
        type: "SystemAssigned",
    },
});

// Kubeconfig credentials for the cluster (not needed for the role assignment itself).
const creds = containerservice.listManagedClusterUserCredentialsOutput({
    resourceGroupName: resourceGroup.name,
    resourceName: cluster.name,
});

// The kubelet identity is the principal that pulls images on the node pool (VMSS),
// so the AcrPull grant goes to it, not to the cluster's control-plane identity.
const principalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);

// Built-in AcrPull role definition.
const roleDefinitionId = `/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d`;

// RoleAssignmentArgs takes principalId/roleDefinitionId/scope at the top level (no `properties` wrapper).
// Setting principalType avoids the assignment failing while the freshly created identity is still replicating.
const assignment = new azure_native.authorization.RoleAssignment("acr-pull", {
    principalId: principalId,
    principalType: "ServicePrincipal",
    roleDefinitionId: roleDefinitionId,
    scope: registry.id,
});
C#:
using Pulumi;
using Pulumi.AzureNative.ContainerService;
using AzureNative = Pulumi.AzureNative;

// var mainAcr = new AzureNative.ContainerRegistry.Registry("MainContainerRegistry", new AzureNative.ContainerRegistry.RegistryArgs { // ... });
// var aksAppCluster = new ManagedCluster("AksAppplicationCluster", new ManagedClusterArgs { // ... });

// The kubelet identity (the VMSS managed identity) is the principal that pulls images.
var vmssManagedIdentityPrincipalId = aksAppCluster.IdentityProfile.Apply(identityProfile =>
{
    var vmssManagedIdentityProfile = identityProfile!["kubeletidentity"];
    return vmssManagedIdentityProfile.ObjectId;
});

var acrPullRoleDefinitionId = RoleUtil.GetAcrPullRoleDefinitionId();
// I created RoleUtil and GetAcrPullRoleDefinitionId() will return: "subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d"

// The resource name must be a string literal.
var roleAssignment = new AzureNative.Authorization.RoleAssignment("AcrPullRoleAssignment", new AzureNative.Authorization.RoleAssignmentArgs
{
    PrincipalId = vmssManagedIdentityPrincipalId!,
    PrincipalType = AzureNative.Authorization.PrincipalType.ServicePrincipal,
    RoleDefinitionId = acrPullRoleDefinitionId,
    Scope = mainAcr.Id,
});
For the built-in role IDs: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
About azure - how to use an existing container registry when creating an AKS cluster in Pulumi Azure Native: we found a similar question on Stack Overflow: https://stackoverflow.com/questions/69884337/