azure - 我想将UAMI分配给kubelet，但由于缺乏权限而失败

Question

我尝试使用 terraform 将 UAMI 分配给 AKS kubelet，但我没有权限，因此失败并出现以下错误。

错误:创建托管 Kubernetes 集群“ClusterName”(资源组“ResourceGroupName”):containerservice.ManagedClustersClient#CreateOrUpdate:发送请求失败:StatusCode=400 -- 原始错误:Code="CustomKubeletIdentityMissingPermissionError"Message="分配的集群用户必须向身份授予分配 kubelet 身份/subscriptions/***/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UAMI 的权限。检查不允许操作 Microsoft.ManagedIdentity/userAssignedIdentities/assign/action 的访问结果。

我想授予权限，但错误消息没有提及范围，所以我不知道在哪里分配权限。 另外，我使用当前分配给控制平面的相同UAMI，有什么问题吗？ 感谢您的合作。

Answer 1

您需要提供角色Microsoft.ManagedIdentity/userAssignedIdentities/assign/action。由于它不直接存在于Azure中的任何内置角色定义中，因此您必须创建一个自定义角色，然后将其分配给 UAMI 以设置 kublet 身份。 p>

收到以下错误后我尝试了相同的操作:

Terraform 代码:​​

provider"azurerm"{
    features{}
}
provider "random" {}
data "azurerm_subscription" "primary" {
}

data "azurerm_client_config" "example" {
}
data "azurerm_resource_group" "rg" {
      name     = "ansumantest"
}

resource "azurerm_user_assigned_identity" "UAMI" {
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  name = "AKS-MI"
}

resource "random_uuid" "customrole" {}
resource "random_uuid" "roleassignment" {}
resource "azurerm_role_definition" "example" {
  role_definition_id = random_uuid.customrole.result
  name               = "CustomKubeletIdentityPermission"
  scope              = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]
}

resource "azurerm_role_assignment" "example" {
  name               = random_uuid.roleassignment.result
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.UAMI.principal_id
}
resource "azurerm_user_assigned_identity" "kubletIdentity" {
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  name = "Kublet-MI"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "ansumantestaks"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "ansumantestaks-dns"

  default_node_pool {
    name                = "system"
    node_count          = 1
    vm_size             = "Standard_B2ms"
    type                = "VirtualMachineScaleSets"
    availability_zones  = [1, 2, 3]
    enable_auto_scaling = false
    }
    identity{
       type = "UserAssigned"
       user_assigned_identity_id = azurerm_user_assigned_identity.UAMI.id
   }
   kubelet_identity {
     client_id = azurerm_user_assigned_identity.kubletIdentity.client_id
     object_id = azurerm_user_assigned_identity.kubletIdentity.principal_id
     user_assigned_identity_id = azurerm_user_assigned_identity.kubletIdentity.id
   }
   depends_on = [
     azurerm_role_assignment.example
   ]
}

输出: