Azure Key Vault with Managed Identities on Kubernetes

How to configure Azure Key Vault and Kubernetes to use Azure Managed Identities to retrieve secrets

Configuration

To set up the Azure Key Vault secret store, create a component of type secretstores.azure.keyvault. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.

In Kubernetes, store the certificate for the service principal in the Kubernetes Secret Store, then enable the Azure Key Vault secret store with this certificate from the Kubernetes secret store.

The component yaml uses the name of your key vault and the Client ID of the managed identity to configure the secret store.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: [your_keyvault_name]
  - name: spnClientId
    value: [your_managed_identity_client_id]

Spec metadata fields

Field        Required  Details                                  Example
vaultName    Y         The name of the Azure Key Vault          "mykeyvault"
spnClientId  Y         The Client ID of your managed identity   "yourId"

Setup Managed Identity and Azure Key Vault

Prerequisites

Steps

  1. Login to Azure and set the default subscription

    # Log in Azure
    az login
    
    # Set your subscription to the default subscription
    az account set -s [your subscription id]
    
  2. Create an Azure Key Vault in a region

    az keyvault create --location [region] --name [your keyvault] --resource-group [your resource group]
    
  3. Create the managed identity (optional)

    This step is needed only if the AKS cluster is provisioned without the --enable-managed-identity flag. If the cluster is provisioned with managed identity, then it is suggested to use the autogenerated managed identity that is associated to the Resource Group MC_*.

    $identity = az identity create -g [your resource group] -n [your managed identity name] -o json | ConvertFrom-Json
    

    Below is the command to retrieve the managed identity in the autogenerated scenario:

    az aks show -g <AKSResourceGroup> -n <AKSClusterName>
    

    For more details on role assignments to integrate AKS with Azure services, see Role Assignment.

  4. Retrieve the managed identity ID

    The two main scenarios are:

    • Service Principal, in which case the Resource Group is the one in which the AKS Service Cluster is deployed
    $clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query servicePrincipalProfile.clientId -otsv
    
    • Managed Identity, in which case the Resource Group is the one in which the AKS Service Cluster is deployed
    $clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query identityProfile.kubeletidentity.clientId -otsv
    
  5. Assign the Reader role to the managed identity

    For an AKS cluster, the cluster resource group is the resource group with the MC_ prefix, which contains all of the infrastructure resources associated with the cluster, such as the VM/VMSS.

    az role assignment create --role "Reader" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
    
  6. Assign the Managed Identity Operator role to the AKS Service Principal. Refer to the previous step for the resource group to use and the identity to assign.

    az role assignment create --role "Managed Identity Operator" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
    
    az role assignment create --role "Virtual Machine Contributor" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
    
  7. Add a policy to the Key Vault so the managed identity can read secrets

    az keyvault set-policy --name [your keyvault] --spn $clientId --secret-permissions get list
    
  8. Enable AAD Pod Identity on AKS

    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
    
    # For AKS clusters, deploy the MIC and AKS add-on exception by running -
    kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/mic-exception.yaml
    
  9. Configure the Azure Identity and AzureIdentityBinding yaml

    Save the following contents to azure-identity-config.yaml:

    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentity
    metadata:
      name: [your managed identity name]
    spec:
      type: 0
      resourceID: [your managed identity id]
      clientID: [your managed identity Client ID]
    ---
    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentityBinding
    metadata:
      name: [your managed identity name]-identity-binding
    spec:
      azureIdentity: [your managed identity name]
      selector: [your managed identity selector]
    
  10. Deploy the azure-identity-config.yaml:

    kubectl apply -f azure-identity-config.yaml
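
    Once the steps above are done, the Component yaml, the AzureIdentity, the AzureIdentityBinding and the Dapr app's pod must agree with each other: spnClientId must equal the AzureIdentity clientID, the binding must name the AzureIdentity, and the pod must carry an aadpodidbinding label equal to the binding's selector, or the pod never obtains a token for that identity. The checker below is an added example written for this page (not Dapr or aad-pod-identity code); the manifests are constructed sample data in their parsed form, with one [your ...] placeholder left unfilled and a wrong pod label on purpose.

```python
import re
# Constructed sample: parsed form of this page's Dapr Component, AzureIdentity and
# AzureIdentityBinding manifests plus the Dapr app's pod labels; one placeholder is
# left unfilled and the pod label is wrong on purpose so the checker reports them.
DAPR_COMPONENT = {
    "kind": "Component", "metadata": {"name": "azurekeyvault", "namespace": "default"},
    "spec": {"type": "secretstores.azure.keyvault", "version": "v1", "metadata": [
        {"name": "vaultName", "value": "mykeyvault"},
        {"name": "spnClientId", "value": "[your_managed_identity_client_id]"}]},
}
AZURE_IDENTITY = {
    "kind": "AzureIdentity", "metadata": {"name": "dapr-kv-identity"},
    "spec": {"type": 0, "clientID": "11111111-1111-1111-1111-111111111111"},
}
IDENTITY_BINDING = {
    "kind": "AzureIdentityBinding", "metadata": {"name": "dapr-kv-identity-identity-binding"},
    "spec": {"azureIdentity": "dapr-kv-identity", "selector": "dapr-kv"},
}
APP_POD_LABELS = {"app": "myapp", "aadpodidbinding": "dapr-kv-wrong"}  # must equal the selector
PLACEHOLDER = re.compile(r"\[your[^\]]*\]")  # the bracketed placeholders used on this page

def _walk(obj, path=""):
    # Yield (dotted path, leaf value) pairs for a parsed manifest.
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj

def check_identity_wiring(component, identity, binding, pod_labels):
    # Returns findings as strings; an empty list means the four pieces agree.
    findings = []
    for doc in (component, identity, binding):  # 1. unfilled [your ...] placeholders
        for path, value in _walk(doc):
            if isinstance(value, str) and PLACEHOLDER.search(value):
                findings.append(f"{doc['kind']}: placeholder not filled at {path}: {value}")
    # 2. the Component must name the client ID the pod will actually get a token for
    meta = {m["name"]: m["value"] for m in component["spec"]["metadata"]}
    if meta.get("spnClientId") != identity["spec"]["clientID"]:
        findings.append("Component spnClientId does not match AzureIdentity clientID")
    if identity["spec"]["type"] != 0:  # 3. type 0 = user-assigned managed identity
        findings.append("AzureIdentity type should be 0 for a managed identity")
    if binding["spec"]["azureIdentity"] != identity["metadata"]["name"]:  # 4. binding -> identity
        findings.append("AzureIdentityBinding azureIdentity does not match AzureIdentity name")
    # 5. aad-pod-identity matches a pod to the binding by its aadpodidbinding label
    if pod_labels.get("aadpodidbinding") != binding["spec"]["selector"]:
        findings.append("pod label aadpodidbinding does not match AzureIdentityBinding selector")
    return findings
```

    Run check_identity_wiring against the parsed manifests before kubectl apply; with the sample data it reports the unfilled placeholder, the resulting spnClientId mismatch and the wrong pod label.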
    

Related links
