azure - AKS 和 ACR 之间的专用终结点

Question

我想在 Azure 环境中创建 AKS 和 ACR 资源。该脚本能够创建这两个资源，并且我能够连接到它们中的每一个。但 AKS 节点无法从 ACR 中提取镜像。经过一番研究，我发现我需要在 AKS 和 ACR 之间创建一个私有(private)端点。

奇怪的是，如果我使用 Terraform 创建 PE，AKS 和 ACR 仍然无法通信。如果我手动创建PE，它们就可以通信。我在UI上对比了两个PE的参数，看起来是一样的。

有人可以帮我使用以下脚本定义 PE 吗？或者让我知道我做错了什么？

谢谢!

没有专用端点的完整 TF 脚本

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.97.0"
    }
  }

  required_version = ">= 1.1.7"
}

provider "azurerm" {
  features {}

  subscription_id = "xxx"
}

resource "azurerm_resource_group" "rg" {
  name     = "aks-rg"
  location = "East US"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "my-aks"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "myaks"

  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_B2s"
  }

  identity {
    type = "SystemAssigned"
  }
}

resource "azurerm_container_registry" "acr" {
  name                = "my-aks-acr-123"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Premium"
  admin_enabled       = true

  network_rule_set {
    default_action = "Deny"
  }
}

resource "azurerm_role_assignment" "acrpull" {
  principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  role_definition_name             = "AcrPull"
  scope                            = azurerm_container_registry.acr.id
  skip_service_principal_aad_check = true
}

Answer 1

然后您需要创建一个 VNET、一个子网(不是此代码的一部分)以及一个私有(private) DNS 区域:

私有(private) DNS 区域:

resource "azurerm_private_dns_zone" "example" {
  name                = "mydomain.com"
  resource_group_name = azurerm_resource_group.example.name
}

AKS 部分:

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "my-aks"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "myaks"
  private_cluster_enabled   = true

  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_B2s"
  }

  identity {
    type = "SystemAssigned"
  }
}

您需要创建 ACR 和 ACR 的专用端点:

resource "azurerm_container_registry" "acr" {
  name                = "my-aks-acr-123"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  public_network_access_enabled = false
  sku                 = "Premium"
  admin_enabled       = true
}

resource "azurerm_private_endpoint" "acr" {
  name                = "pvep-acr"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  subnet_id           = YOUR_SUBNET

  private_service_connection {
    name                           = "example-acr"
    private_connection_resource_id = azurerm_container_registry.acr.id
    is_manual_connection           = false
    subresource_names              = ["registry"]
  }

  private_dns_zone_group {
    name                 = data.azurerm_private_dns_zone.example.name
    private_dns_zone_ids = [data.azurerm_private_dns_zone.example.id]
  }
}

resource "azurerm_role_assignment" "acrpull" {
  principal_id                     = azurerm_kubernetes_cluster.aks.kubelet_identity[0].object_id
  role_definition_name             = "AcrPull"
  scope                            = azurerm_container_registry.acr.id
  skip_service_principal_aad_check = true
}