Azure Key Vault and Managed Identities on Kubernetes
How to configure Azure Key Vault and Kubernetes to use Azure Managed Identities to access secrets
Configuration
To set up the Azure Key Vault secret store, create a component of type secretstores.azure.keyvault. See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.
In Kubernetes, store the certificate for the service principal in the Kubernetes Secret Store and then enable the Azure Key Vault secret store with this certificate from the Kubernetes secretstore.
The component yaml uses the name of your key vault and the Client ID of the managed identity to configure the secret store.
```yaml
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
  namespace: default
spec:
  type: secretstores.azure.keyvault
  version: v1
  metadata:
  - name: vaultName
    value: [your_keyvault_name]
  - name: spnClientId
    value: [your_managed_identity_client_id]
```
Warning
The above example stores the secrets in plain text. It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.
Spec metadata fields
| Field | Required | Details | Example |
|---|---|---|---|
| vaultName | Y | The name of the Azure Key Vault | "mykeyvault" |
| spnClientId | Y | The client ID of your managed identity | "yourId" |
Setup Managed Identity and Azure Key Vault
Prerequisites
Steps
Log in to Azure and set the default subscription
```bash
# Log in Azure
az login
# Set your subscription to the default subscription
az account set -s [your subscription id]
```
Create an Azure Key Vault in a region
```bash
az keyvault create --location [region] --name [your keyvault] --resource-group [your resource group]
```
Create the managed identity (optional)
This step is only required if the AKS cluster was provisioned without the `--enable-managed-identity` flag. If the cluster is provisioned with managed identity, then it is suggested to use the autogenerated managed identity that is associated to the Resource Group MC_*.
```powershell
$identity = az identity create -g [your resource group] -n [your managed identity name] -o json | ConvertFrom-Json
```
Below is the command to retrieve the managed identity in the autogenerated scenario:
```bash
az aks show -g <AKSResourceGroup> -n <AKSClusterName>
```
For more details on the role assignments needed to integrate AKS with Azure services, see Role Assignments.
Retrieve the Managed Identity ID
There are two main scenarios:
- Service Principal, in which case the AKS Service Cluster is deployed in the Resource Group
  ```powershell
  $clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query servicePrincipalProfile.clientId -otsv
  ```
- Managed Identity, in which case the AKS Service Cluster is deployed in the Resource Group
  ```powershell
  $clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query identityProfile.kubeletidentity.clientId -otsv
  ```
Assign the Reader role to the managed identity
For AKS clusters, the cluster resource group refers to the resource group with the MC_ prefix, which contains all the infrastructure resources associated with the cluster, such as VM/VMSS.
```powershell
az role assignment create --role "Reader" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
```
Assign the Managed Identity Operator role to the AKS Service Principal. Refer to the previous step for the resource group to use and the identity to assign.
```powershell
az role assignment create --role "Managed Identity Operator" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
az role assignment create --role "Virtual Machine Contributor" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]
```
Add a policy to the Key Vault so the managed identity can read secrets
```powershell
az keyvault set-policy --name [your keyvault] --spn $clientId --secret-permissions get list
```
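The policy above grants the identity only `get` and `list` on secrets, which is all the Dapr secret store needs. The following script is an added example, not part of the original page or of Dapr, for verifying that this least-privilege state actually holds after the step: it audits the access policies of a vault, checks that the Dapr identity holds exactly get/list on secrets (and nothing on keys or certificates), and lists any other principal with write-like secret permissions for review. It assumes the vault uses access policies (as `az keyvault set-policy` does) and that `az keyvault show --name [your keyvault]` prints JSON with `properties.accessPolicies[]` entries carrying an `objectId` and a `permissions` map; the sample JSON and the object IDs in it are constructed. Note that access policies are keyed by the principal's object ID, not the client ID used with `--spn`; for a user-assigned identity `az identity show ... --query principalId -otsv` returns that value.

```python
import json

# Constructed sample in the shape that `az keyvault show --name [your keyvault]`
# prints (assumed shape: properties.accessPolicies[] entries carrying an objectId
# and a permissions map with keys / secrets / certificates lists).
SAMPLE_KEYVAULT_JSON = """
{
  "name": "mykeyvault",
  "properties": {
    "accessPolicies": [
      {
        "objectId": "11111111-1111-1111-1111-111111111111",
        "permissions": {"keys": [], "secrets": ["get", "list"], "certificates": []}
      },
      {
        "objectId": "22222222-2222-2222-2222-222222222222",
        "permissions": {"keys": ["all"], "secrets": ["all"], "certificates": ["all"]}
      },
      {
        "objectId": "33333333-3333-3333-3333-333333333333",
        "permissions": {"keys": [], "secrets": ["get"], "certificates": []}
      }
    ]
  }
}
"""

# What the Dapr secret store needs on secrets: exactly the permissions granted by
# `az keyvault set-policy ... --secret-permissions get list`.
EXPECTED_SECRET_PERMISSIONS = {"get", "list"}

# Secret permissions that let a principal change or remove secrets; any other
# principal holding one of these is worth a review.
WRITE_LIKE_PERMISSIONS = {"all", "set", "delete", "purge", "backup", "restore", "recover"}


def _perm_set(permissions: dict, kind: str) -> set:
    """Normalise one permission list (may be null in CLI output) to a lowercase set."""
    return {p.lower() for p in (permissions.get(kind) or [])}


def audit_access_policies(keyvault_json: str, dapr_identity_object_id: str) -> dict:
    """Audit the access policies of a vault.

    Returns a dict with:
      identity_found   - the Dapr identity has an access policy at all
      identity_minimal - it holds exactly get/list on secrets and nothing on keys or certificates
      over_privileged  - object IDs of other principals with write-like secret permissions
    """
    vault = json.loads(keyvault_json)
    result = {"identity_found": False, "identity_minimal": False, "over_privileged": []}
    for policy in vault["properties"]["accessPolicies"]:
        perms = policy["permissions"]
        secrets = _perm_set(perms, "secrets")
        keys = _perm_set(perms, "keys")
        certs = _perm_set(perms, "certificates")
        if policy["objectId"].lower() == dapr_identity_object_id.lower():
            result["identity_found"] = True
            result["identity_minimal"] = (
                secrets == EXPECTED_SECRET_PERMISSIONS and not keys and not certs
            )
        elif secrets & WRITE_LIKE_PERMISSIONS:
            result["over_privileged"].append(policy["objectId"])
    return result


if __name__ == "__main__":
    # Against a real vault, replace SAMPLE_KEYVAULT_JSON with the output of
    # `az keyvault show --name [your keyvault]` and pass the identity's principalId.
    print(audit_access_policies(SAMPLE_KEYVAULT_JSON, "11111111-1111-1111-1111-111111111111"))
```

Run it once right after the `set-policy` step and again whenever the vault's policies change; a non-empty `over_privileged` list is not necessarily wrong (an administrator may legitimately need `set`), but every entry in it should be one you can account for.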
Enable AAD Pod Identity on AKS
```bash
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
# For AKS clusters, deploy the MIC and AKS add-on exception by running -
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/mic-exception.yaml
```
Configure the Azure Identity and AzureIdentityBinding yaml
Save the following content as azure-identity-config.yaml:
```yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: [your managed identity name]
spec:
  type: 0
  resourceID: [your managed identity id]
  clientID: [your managed identity Client ID]
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: [your managed identity name]-identity-binding
spec:
  azureIdentity: [your managed identity name]
  selector: [your managed identity selector]
```
Deploy azure-identity-config.yaml:
```bash
kubectl apply -f azure-identity-config.yaml
```
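The Dapr component at the top of this page, the AzureIdentity and AzureIdentityBinding just deployed, and the application pod all have to agree on the same identity, and a mismatch (a client ID typed differently in two places, a binding whose selector no pod carries) fails silently at runtime as an authentication error in the Dapr sidecar. The following check is an added example, not part of the original page or of Dapr, that ties those pieces together before `kubectl apply`. It works on Python dict equivalents of the YAML documents (constructed here with placeholder IDs; in practice load them with a YAML parser), and relies on two facts about the tools involved: aad-pod-identity matches a pod to a binding through the pod's `aadpodidbinding` label, which must equal the binding's `selector`, and `spec.type: 0` in an AzureIdentity denotes a user-assigned managed identity. It also flags, in line with the warning above, any credential-bearing metadata key given as a literal `value` instead of a `secretKeyRef`; the name suffixes it looks for are illustrative.

```python
import re

# Loose GUID check for client IDs (both Dapr and aad-pod-identity expect a GUID here).
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)

# Constructed Python equivalents of the YAML documents on this page, with a
# placeholder client ID and placeholder resource ID in place of real values.
PLACEHOLDER_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
COMPONENT = {
    "apiVersion": "dapr.io/v1alpha1",
    "kind": "Component",
    "metadata": {"name": "azurekeyvault", "namespace": "default"},
    "spec": {
        "type": "secretstores.azure.keyvault",
        "version": "v1",
        "metadata": [
            {"name": "vaultName", "value": "mykeyvault"},
            {"name": "spnClientId", "value": PLACEHOLDER_CLIENT_ID},
        ],
    },
}
AZURE_IDENTITY = {
    "apiVersion": "aadpodidentity.k8s.io/v1",
    "kind": "AzureIdentity",
    "metadata": {"name": "dapr-kv-identity"},
    "spec": {
        "type": 0,  # 0 = user-assigned managed identity
        "resourceID": "/subscriptions/[placeholder]/resourceGroups/[placeholder]/...",
        "clientID": PLACEHOLDER_CLIENT_ID,
    },
}
IDENTITY_BINDING = {
    "apiVersion": "aadpodidentity.k8s.io/v1",
    "kind": "AzureIdentityBinding",
    "metadata": {"name": "dapr-kv-identity-identity-binding"},
    "spec": {"azureIdentity": "dapr-kv-identity", "selector": "dapr-kv"},
}
# Labels on the Dapr application pod; aad-pod-identity matches a pod to a binding
# through the `aadpodidbinding` label, which must equal the binding's selector.
POD_LABELS = {"app": "myapp", "aadpodidbinding": "dapr-kv"}

# Illustrative name suffixes of metadata keys that would carry credential material.
SENSITIVE_SUFFIXES = ("certificate", "secret", "password")


def component_metadata(component: dict) -> dict:
    """Flatten the component's metadata list into {name: item}."""
    return {item["name"]: item for item in component["spec"]["metadata"]}


def check_identity_wiring(component: dict, identity: dict, binding: dict, pod_labels: dict) -> list:
    """Return a list of human-readable problems; an empty list means the wiring is consistent."""
    problems = []
    meta = component_metadata(component)

    if component["spec"].get("type") != "secretstores.azure.keyvault":
        problems.append("component spec.type is not secretstores.azure.keyvault")
    for required in ("vaultName", "spnClientId"):
        if required not in meta:
            problems.append(f"component metadata is missing required field {required}")

    spn_client_id = meta.get("spnClientId", {}).get("value", "")
    if spn_client_id and not GUID_RE.match(spn_client_id):
        problems.append("spnClientId is not a GUID")

    # The component and the AzureIdentity must name the same managed identity.
    identity_client_id = identity["spec"].get("clientID", "")
    if spn_client_id.lower() != identity_client_id.lower():
        problems.append("spnClientId in the component does not match clientID in the AzureIdentity")
    if identity["spec"].get("type") != 0:
        problems.append("AzureIdentity spec.type should be 0 for a user-assigned managed identity")

    # The binding must point at that AzureIdentity, and the pod must select the binding.
    if binding["spec"].get("azureIdentity") != identity["metadata"]["name"]:
        problems.append("AzureIdentityBinding.spec.azureIdentity does not name the AzureIdentity")
    if pod_labels.get("aadpodidbinding") != binding["spec"].get("selector"):
        problems.append("pod label aadpodidbinding does not match AzureIdentityBinding.spec.selector")

    # Credential material belongs in a secretKeyRef, not in a plain value.
    for name, item in meta.items():
        if name.lower().endswith(SENSITIVE_SUFFIXES) and "value" in item:
            problems.append(f"{name} is given as a plain value; reference it via secretKeyRef instead")
    return problems


if __name__ == "__main__":
    for problem in check_identity_wiring(COMPONENT, AZURE_IDENTITY, IDENTITY_BINDING, POD_LABELS):
        print("PROBLEM:", problem)
```

The check deliberately compares client IDs case-insensitively, since Azure prints GUIDs in lowercase while people often paste them in uppercase, but it treats the identity name and the selector as exact strings because Kubernetes does.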