个人中心
gpt4 book ai didi

azure - 我想将UAMI分配给kubelet,但由于缺乏权限而失败

转载 作者:行者123 更新时间:2023-12-03 05:23:30 25 4
gpt4 key购买 nike

我尝试使用 terraform 将 UAMI 分配给 AKS kubelet,但我没有权限,因此失败并出现以下错误。

错误:创建托管 Kubernetes 集群“ClusterName”(资源组“ResourceGroupName”):containerservice.ManagedClustersClient#CreateOrUpdate:发送请求失败:StatusCode=400 -- 原始错误:Code="CustomKubeletIdentityMissingPermissionError"Message="分配的集群用户必须向身份授予分配 kubelet 身份/subscriptions/***/resourceGroups/ResourceGroupName/providers/Microsoft.ManagedIdentity/userAssignedIdentities/UAMI 的权限。检查不允许操作 Microsoft.ManagedIdentity/userAssignedIdentities/assign/action 的访问结果。

我想授予权限,但错误消息没有提及范围,所以我不知道在哪里分配权限。另外,我使用当前分配给控制平面的相同UAMI,有什么问题吗?感谢您的合作。

最佳答案

您需要提供角色Microsoft.ManagedIdentity/userAssignedIdentities/assign/action。由于它不直接存在于Azure中的任何内置角色定义中,因此您必须创建一个自定义角色,然后将其分配给 UAMI设置 kublet 身份。 p>

收到以下错误后我尝试了相同的操作:

enter image description here

enter image description here

Terraform 代码:​​

provider"azurerm"{
    features{}
}
provider "random" {}
data "azurerm_subscription" "primary" {
}

data "azurerm_client_config" "example" {
}
data "azurerm_resource_group" "rg" {
      name     = "ansumantest"
}

resource "azurerm_user_assigned_identity" "UAMI" {
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  name = "AKS-MI"
}

resource "random_uuid" "customrole" {}
resource "random_uuid" "roleassignment" {}
resource "azurerm_role_definition" "example" {
  role_definition_id = random_uuid.customrole.result
  name               = "CustomKubeletIdentityPermission"
  scope              = data.azurerm_subscription.primary.id

  permissions {
    actions     = ["Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"]
    not_actions = []
  }

  assignable_scopes = [
    data.azurerm_subscription.primary.id,
  ]
}

resource "azurerm_role_assignment" "example" {
  name               = random_uuid.roleassignment.result
  scope              = data.azurerm_subscription.primary.id
  role_definition_id = azurerm_role_definition.example.role_definition_resource_id
  principal_id       = azurerm_user_assigned_identity.UAMI.principal_id
}
resource "azurerm_user_assigned_identity" "kubletIdentity" {
  resource_group_name = data.azurerm_resource_group.rg.name
  location            = data.azurerm_resource_group.rg.location
  name = "Kublet-MI"
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "ansumantestaks"
  location            = data.azurerm_resource_group.rg.location
  resource_group_name = data.azurerm_resource_group.rg.name
  dns_prefix          = "ansumantestaks-dns"

  default_node_pool {
    name                = "system"
    node_count          = 1
    vm_size             = "Standard_B2ms"
    type                = "VirtualMachineScaleSets"
    availability_zones  = [1, 2, 3]
    enable_auto_scaling = false
    }
    identity{
       type = "UserAssigned"
       user_assigned_identity_id = azurerm_user_assigned_identity.UAMI.id
   }
   kubelet_identity {
     client_id = azurerm_user_assigned_identity.kubletIdentity.client_id
     object_id = azurerm_user_assigned_identity.kubletIdentity.principal_id
     user_assigned_identity_id = azurerm_user_assigned_identity.kubletIdentity.id
   }
   depends_on = [
     azurerm_role_assignment.example
   ]
}

输出:

enter image description here

关于azure - 我想将UAMI分配给kubelet,但由于缺乏权限而失败,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/70592281/

25 4 0
文章推荐: azure - 动态数组上的 Kusto UDF(映射字符串值)
文章推荐: django - 将 django Rest Framework Web 应用程序部署到 Azure 时如何解决 ERR_TOO_MANY_REDIRECT?
文章推荐: Azure 通知中心 CreateOrUpdateInstallationAsync 未失败,但未创建安装
文章推荐: azure - Azure 应用服务中的 Key Vault 引用无法解析
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
全站热门文章
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com