Terraform creating an AKS cluster with a managed identity to grant it access to a subnet - Error: authorization.RoleAssignmentsClient
Tags: terraform, azure-aks
I configured the AKS cluster to use a system-assigned managed identity to access other Azure resources:
resource "azurerm_subnet" "aks" {
  name                 = var.aks_subnet_name
  resource_group_name  = azurerm_resource_group.main.name
  virtual_network_name = module.network.vnet_name
  address_prefix       = var.aks_subnet
  service_endpoints    = ["Microsoft.KeyVault"]
}

resource "azurerm_kubernetes_cluster" "aks_main" {
  name                = module.aks_name.result
  depends_on          = [azurerm_subnet.aks]
  location            = azurerm_resource_group.main.location
  resource_group_name = azurerm_resource_group.main.name
  dns_prefix          = "aks-${local.name}"
  kubernetes_version  = var.k8s_version

  addon_profile {
    oms_agent {
      # For monitoring containers
      enabled                    = var.addons.oms_agent
      log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id
    }
    kube_dashboard {
      enabled = true
    }
    azure_policy {
      # If we want to enforce policy definitions in the future
      # Check requirements https://docs.microsoft.com/en-ie/azure/governance/policy/concepts/policy-for-kubernetes
      enabled = var.addons.azure_policy
    }
  }

  default_node_pool {
    name                  = "default"
    orchestrator_version  = var.k8s_version
    node_count            = var.default_node_pool.node_count
    vm_size               = var.default_node_pool.vm_size
    type                  = "VirtualMachineScaleSets"
    availability_zones    = var.default_node_pool.zones
    # availability_zones  = ["1", "2", "3"]
    max_pods              = 250
    os_disk_size_gb       = 128
    vnet_subnet_id        = azurerm_subnet.aks.id
    node_labels           = var.default_node_pool.labels
    enable_auto_scaling   = var.default_node_pool.cluster_auto_scaling
    min_count             = var.default_node_pool.cluster_auto_scaling_min_count
    max_count             = var.default_node_pool.cluster_auto_scaling_max_count
    enable_node_public_ip = false
  }

  # Configuring AKS to use a system-assigned managed identity to access
  identity {
    type = "SystemAssigned"
  }

  network_profile {
    load_balancer_sku  = "standard"
    outbound_type      = "loadBalancer"
    network_plugin     = "azure"
    # if non-azure network policies
    # https://azure.microsoft.com/nl-nl/blog/integrating-azure-cni-and-calico-a-technical-deep-dive/
    network_policy     = "calico"
    dns_service_ip     = "10.0.0.10"
    docker_bridge_cidr = "172.17.0.1/16"
    service_cidr       = "10.0.0.0/16"
  }

  lifecycle {
    ignore_changes = [
      default_node_pool,
      windows_profile,
    ]
  }
}
I want to use that managed identity (the service principal created in the AKS cluster block above) and give it the Network Contributor role on the subnet, like this:
resource "azurerm_role_assignment" "aks_subnet" {
  # Giving access to AKS SP identity created to akssubnet by assigning it
  # a Network Contributor role
  scope                = azurerm_subnet.aks.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_kubernetes_cluster.aks_main.identity[0].principal_id
  # principal_id = azurerm_kubernetes_cluster.aks_main.kubelet_identity[0].object_id
  # principal_id = data.azurerm_user_assigned_identity.test.principal_id
  # skip_service_principal_aad_check = true
}
But what I get after terraform apply is:
Error: authorization.RoleAssignmentsClient#Create: Failure responding
to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error.
Status=403 Code="AuthorizationFailed"
Message="The client 'afd5bd09-c294-4597-9c90-e1ee293e5f3a' with object id
'afd5bd09-c294-4597-9c90-e1ee293e5f3a' does not have authorization
to perform action 'Microsoft.Authorization/roleAssignments/write'
over scope '/subscriptions/77dfff95-fbd3-4a15-b97a-b7182939e61a/resourceGroups/rhd-spec-prod-main-6loe4lpkr0hd8/providers/Microsoft.Network/virtualNetworks/rhd-spec-prod-main-wdaht6cn7s3s8/subnets/aks-subnet/providers/Microsoft.Authorization/roleAssignments/8733864c-a5f7-a6a9-a61d-6393989f0ad1'
or the scope is invalid. If access was recently granted, please refresh your credentials."
on aks.tf line 23, in resource "azurerm_role_assignment" "aks_subnet":
23: resource "azurerm_role_assignment" "aks_subnet" {
It seems that the service principal being created does not have enough permissions to perform a role assignment on the subnet, or that my scope attribute is wrong. I am passing the aks subnet id there.
What am I doing wrong?
Update
Checking how roles get assigned to a managed identity, it looks like we can only assign it roles related to the subscription, resource groups, storage services, SQL services and Key Vault.
Reading:
Before you can use a managed identity, it has to be configured. There are two steps:
Assign a role to the identity, associating it with the subscription that will be used to run Terraform. This step grants the identity permission to access Azure Resource Manager (ARM) resources.
Configure access control for one or more Azure resources. For example, if you use a key vault and a storage account, you will need to configure the vault and the container separately.
Before creating resources with managed identities and assigning RBAC roles, your account needs sufficient permissions. You need to be a member of the account Owner role, or have the Contributor and User Access Administrator roles.
Trying to proceed accordingly, I defined this block of code:
resource "null_resource" "wait_for_resource_to_be_ready" {
  provisioner "local-exec" {
    command = "sleep 60"
  }
  depends_on = [
    azurerm_kubernetes_cluster.aks_main
  ]
}

data "azurerm_subscription" "current" {}

# FETCHING THE IDENTITY CREATED ON AKS CLUSTER
data "azurerm_user_assigned_identity" "test" {
  name                = "${azurerm_kubernetes_cluster.aks_main.name}-agentpool"
  resource_group_name = azurerm_kubernetes_cluster.aks_main.node_resource_group
}

data "azurerm_role_definition" "contributor" {
  name = "Network Contributor"
}

resource "azurerm_role_assignment" "aks_subnet" {
  # Giving access to AKS SP identity created to akssubnet by assigning it
  # a Network Contributor role
  # name = azurerm_kubernetes_cluster.aks_main.name
  # scope = var.aks_subnet_name # azurerm_subnet.aks.id var.aks_subnet
  scope = data.azurerm_subscription.current.id
  #role_definition_name = "Network Contributor"
  role_definition_id = "${data.azurerm_subscription.current.id}${data.azurerm_role_definition.contributor.id}"
  # principal_id = azurerm_kubernetes_cluster.aks_main.identity[0].principal_id
  # principal_id = azurerm_kubernetes_cluster.aks_main.kubelet_identity[0].object_id
  principal_id = data.azurerm_user_assigned_identity.test.principal_id
  skip_service_principal_aad_check = true
  depends_on = [
    null_resource.wait_for_resource_to_be_ready
  ]
}
The terraform workflow tries to create the role assignment:
> terraform_0.12.29 apply "prod_Infrastructure.plan"
null_resource.wait_for_resource_to_be_ready: Creating...
null_resource.wait_for_resource_to_be_ready: Provisioning with 'local-exec'...
null_resource.wait_for_resource_to_be_ready (local-exec): Executing: ["/bin/sh" "-c" "sleep 60"]
null_resource.wait_for_resource_to_be_ready: Still creating... [10s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [20s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [30s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [40s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [50s elapsed]
null_resource.wait_for_resource_to_be_ready: Still creating... [1m0s elapsed]
null_resource.wait_for_resource_to_be_ready: Creation complete after 1m0s [id=8505830187297683728]
azurerm_role_assignment.aks_subnet: Creating...
but this time it ends with the same authorization failure error, now on the subscription that was passed in as the scope:
Error: authorization.RoleAssignmentsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'afd5bd09-c294-4597-9c90-e1ee293e5f3a' with object id 'afd5bd09-c294-4597-9c90-e1ee293e5f3a' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/77dfff95-fbd3-4a15-b97a-b7182939e61a' or the scope is invalid. If access was recently granted, please refresh your credentials."
on aks.tf line 145, in resource "azurerm_role_assignment" "aks_subnet":
145: resource "azurerm_role_assignment" "aks_subnet" {
I have no idea at all how to verify this statement:
Before creating resources with managed identities and assigning RBAC roles, your account needs sufficient permissions. You need to be a member of the account Owner role, or have the Contributor and User Access Administrator roles.
By the way, I have the Owner role in the subscription I am using.
Update 2
The object id referenced in the two error messages above belongs to a service principal in my tenant.
Yes.
Regarding permissions, I am not sure whether it is enough; I would say yes, because it is used for several things in the subscription.
User consent
What about permissions? I have nothing there.
But on the other hand, why is the process trying to use this service principal to assign roles?
I mean, using a managed identity is meant to eliminate the use of service principals, but the workflow handler uses this SP perhaps just to assign the role to the managed identity, and from then on the managed identity (?) would grant the access. From the docs:
To call this API, you must have access to the Microsoft.Authorization/roleAssignments/write action. Of the built-in roles, only Owner and User Access Administrator have access to this action.
So your service principal must have the Owner or User Access Administrator role. Alternatively, you must create a custom role with sufficient permissions.
Regarding the workflow, I agree. It is counterintuitive.
Old answer
There is a bug (?) where Azure declares the resource already created, but not all services can access it yet.
You can make it wait a minute like this:
resource "null_resource" "wait_for_resource_to_be_ready" {
  provisioner "local-exec" {
    command = "sleep 60"
  }
  depends_on = [
    azurerm_kubernetes_cluster.aks_main
  ]
}
Add a depends_on to your "azurerm_role_assignment" "aks_subnet" resource:
  depends_on = [
    null_resource.wait_for_resource_to_be_ready
  ]
Now the cluster is created first, then terraform waits 60 seconds. After that your role assignment happens and hopefully is able to grant the role.

From the "resource state synchronization" perspective this makes sense, but unfortunately I get the same error, even with sleep=120. It looks as if the local-exec provisioner is not doing the job. What is the difference between the local-exec and remote-exec provisioners? They say perhaps what we need is one of those?

I updated my answer.

Yes, it was a problem of access to the Microsoft.Authorization/roleAssignments/write action. All I did was go to my subscription and assign the User Access Administrator role to the service principal that the terraform workflow refers to. I have one question: the null resource defined to make the workflow wait a minute did not have to be included in the end. In which situations do we need to consider it?

I used terraform to create an app registration with specific permissions for RBAC with AKS. Granting admin consent failed because the app registration was not ready yet, although Azure said it was. Waiting 60 seconds with the null resource between creating the app registration and granting admin consent solved the problem. Thanks for accepting my answer!

Yes, that makes sense; in that case the service principal / app registration already existed. In any case it is a good idea to apply it. I remember this happening to me when I created a storage account and immediately needed to create a blob container inside it. The whole process of creating (provisioning) the storage account takes some time (as you say, up to 1 minute), and no operation on the storage account is allowed before it is provisioned. Indeed, it is a similar situation.

A managed identity is ultimately a service principal. In this case the service principal (called a managed identity) is managed by Microsoft Azure AD for yo
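The question's first attempt (Network Contributor on the subnet for the cluster's system-assigned identity) and the fix that resolved it (giving the service principal that runs Terraform the right to write role assignments) together, as an added example; this is not code from the question, the answer or the Terraform provider docs. It assumes the resources named in the question (azurerm_subnet.aks, azurerm_kubernetes_cluster.aks_main) and that the Terraform service principal already holds Contributor, which covers the read actions Terraform needs to look up a role by name; the variables terraform_runner_object_id and resource_group_id, the role name and the resource labels are hypothetical. It goes one step beyond the fix described in the comments: instead of User Access Administrator on the whole subscription, it grants a custom role carrying only the roleAssignments actions, scoped to the resource group, which is the "custom role with sufficient permissions" alternative the quoted docs mention.

```hcl
# --- Part 1: bootstrap. Apply this once, from a separate root module, with
# the credentials of a human Owner (the asker holds Owner on the subscription).
# The Terraform service principal cannot grant itself these rights: writing a
# role assignment is exactly the action the 403 says it lacks. ---

# Hypothetical inputs: the object id shown in the 403 message, and the id of
# the resource group that holds the AKS cluster and its subnet.
variable "terraform_runner_object_id" { type = string }
variable "resource_group_id"          { type = string }

# Custom role limited to role-assignment actions, as an alternative to the
# built-in User Access Administrator, whose Microsoft.Authorization/* also
# covers role definitions, policy assignments and locks.
resource "azurerm_role_definition" "role_assignment_writer" {
  name  = "Role Assignment Writer (AKS subnet)" # hypothetical name
  scope = var.resource_group_id

  permissions {
    actions = [
      "Microsoft.Authorization/roleAssignments/read",
      "Microsoft.Authorization/roleAssignments/write",
      "Microsoft.Authorization/roleAssignments/delete",
    ]
    not_actions = []
  }

  # The role can never be assigned above the resource group.
  assignable_scopes = [var.resource_group_id]
}

# Grant it to the identity that runs terraform apply, at resource group scope.
resource "azurerm_role_assignment" "terraform_runner_can_assign" {
  scope              = var.resource_group_id
  role_definition_id = azurerm_role_definition.role_assignment_writer.role_definition_resource_id
  principal_id       = var.terraform_runner_object_id
}

# --- Part 2: the workflow's own configuration, run as that service principal.
# This is the same assignment as the question's first attempt: subnet scope and
# the cluster's system-assigned principal id were right all along; the call
# failed only because the caller lacked roleAssignments/write. ---

resource "azurerm_role_assignment" "aks_identity_subnet" {
  scope                = azurerm_subnet.aks.id
  role_definition_name = "Network Contributor"
  principal_id         = azurerm_kubernetes_cluster.aks_main.identity[0].principal_id

  # The principal was created moments ago by the cluster resource; skip the
  # AAD lookup that would otherwise race replication of the new object.
  skip_service_principal_aad_check = true
}

# Object id of whoever is running this apply. Compare it with the client id in
# a 403 to confirm which principal actually needs the permission, rather than
# the AKS identity that is the target of the assignment.
data "azurerm_client_config" "current" {}

output "terraform_caller_object_id" {
  value = data.azurerm_client_config.current.object_id
}
```

Two points worth keeping in mind when applying this. First, even this narrower role lets the Terraform principal hand any role, Owner included, to any principal within the resource group, so the scope in Part 1 is the real boundary: keep it at the resource group (or the subnet) and never at the subscription unless the pipeline genuinely manages subscription-wide access. Second, the 60-second null_resource from the answer addresses a different failure (an object AAD has not finished replicating), which is what skip_service_principal_aad_check is for; it does nothing for an AuthorizationFailed 403, whose fix is always a permission on the caller.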