Connect an Azure Kubernetes Service on Azure Stack HCI cluster to Azure Arc for Kubernetes

Applies to: AKS on Azure Stack HCI, AKS runtime on Windows Server 2019 Datacenter

When an Azure Kubernetes Service on Azure Stack HCI cluster is attached to Azure Arc, it appears in the Azure portal. It gets an Azure Resource Manager ID and a managed identity. Clusters are attached to standard Azure subscriptions, are located in a resource group, and can receive tags just like any other Azure resource.

To connect a Kubernetes cluster to Azure, the cluster administrator needs to deploy agents. These agents run in a Kubernetes namespace named azure-arc and are standard Kubernetes deployments. The agents are responsible for connectivity to Azure, collecting Azure Arc logs and metrics, and watching for configuration requests.

Azure Arc enabled Kubernetes supports industry-standard SSL to secure data in transit. Also, data is stored encrypted at rest in an Azure Cosmos DB database to ensure data confidentiality.

The following steps provide a walkthrough for onboarding Azure Kubernetes Service on Azure Stack HCI clusters to Azure Arc. You may skip these steps if you have already onboarded your Kubernetes cluster to Azure Arc through Windows Admin Center.

Before you begin

Verify that you have the following requirements ready:

  • An Azure Kubernetes Service on Azure Stack HCI cluster with at least one Linux worker node that is up and running.

  • A kubeconfig file to access the cluster, and the cluster-admin role on the cluster, for deployment of the Arc enabled Kubernetes agents.

  • The Azure Kubernetes Service on Azure Stack HCI PowerShell module installed.

  • Azure CLI version 2.3+, which is required for installing the Azure Arc enabled Kubernetes CLI extensions. Install Azure CLI, or update to the latest version to ensure that you have Azure CLI version 2.3+.

  • An Azure subscription on which you are an owner or contributor.

  • Run the commands in this document in a PowerShell administrative window.

Network requirements

Azure Arc agents require the following protocols, ports, and outbound URLs to function.

  • TCP on port 443 --> https://:443
  • TCP on port 9418 --> git://:9418

Endpoint (DNS) and why it is required:

  • https://management.azure.com: Required for the agent to connect to Azure and register the cluster
  • https://eastus.dp.kubernetesconfiguration.azure.com, https://westeurope.dp.kubernetesconfiguration.azure.com: Data plane endpoint for the agent to push status and fetch configuration information
  • https://docker.io: Required to pull container images
  • https://github.com, git://github.com: Example GitOps repos are hosted on GitHub. The configuration agent requires connectivity to whichever git endpoint you specify.
  • https://login.microsoftonline.com: Required to fetch and update Azure Resource Manager tokens
  • https://azurearcfork8s.azurecr.io: Required to pull container images for Azure Arc agents
  • https://eus.his.arc.azure.com, https://weu.his.arc.azure.com: Required to pull system-assigned managed identity certificates
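A pre-flight connectivity check for the endpoints above, added here as an example and not part of the original article. It uses the built-in Test-NetConnection cmdlet and assumes it is run from a Windows host that shares the same outbound firewall/proxy path as the cluster nodes, since the agents themselves run as pods on the Linux worker nodes:

```powershell
# Added example: check outbound reachability of every endpoint the Arc agents need.
# Assumes a Windows host on the same egress path as the cluster nodes.
$endpoints = @(
    @{ Host = 'management.azure.com';                          Port = 443 },
    @{ Host = 'eastus.dp.kubernetesconfiguration.azure.com';   Port = 443 },
    @{ Host = 'westeurope.dp.kubernetesconfiguration.azure.com'; Port = 443 },
    @{ Host = 'docker.io';                                     Port = 443 },
    @{ Host = 'github.com';                                    Port = 443 },
    @{ Host = 'github.com';                                    Port = 9418 },  # git:// protocol
    @{ Host = 'login.microsoftonline.com';                     Port = 443 },
    @{ Host = 'azurearcfork8s.azurecr.io';                     Port = 443 },
    @{ Host = 'eus.his.arc.azure.com';                         Port = 443 },
    @{ Host = 'weu.his.arc.azure.com';                         Port = 443 }
)

$results = foreach ($e in $endpoints) {
    # -WarningAction SilentlyContinue hides the cmdlet's own "TCP connect failed" warning;
    # the result object still records success/failure.
    $t = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint  = "$($e.Host):$($e.Port)"
        Resolved  = [bool]$t.RemoteAddress      # DNS resolution worked
        Reachable = $t.TcpTestSucceeded         # TCP handshake completed
    }
}

$results | Format-Table -AutoSize

# Any blocked endpoint will make onboarding or a specific agent fail later, so stop here.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning "Outbound access is blocked for: $($blocked.Endpoint -join ', ')"
    Write-Warning "Fix firewall/proxy rules before running Install-AksHciArcOnboarding."
}
```

A DNS failure shows as Resolved = False with Reachable = False; a TCP block shows as Resolved = True with Reachable = False, which points at a firewall or proxy rather than name resolution.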

Step 1: Log in to Azure

Log in to Azure. After logging in, set an Azure subscription on which you are an owner or contributor as your default subscription.

az login
az account set --subscription "00000000-aaaa-bbbb-cccc-000000000000"

Step 2: Register the two providers for Azure Arc enabled Kubernetes

You can skip this step if you have already registered the two providers for the Azure Arc enabled Kubernetes service on your subscription. Registration is an asynchronous process and needs to be done once per subscription. Registration may take approximately 10 minutes.

az provider register --namespace Microsoft.Kubernetes
az provider register --namespace Microsoft.KubernetesConfiguration

You can check whether the providers are registered with the following commands:

az provider show -n Microsoft.Kubernetes -o table
az provider show -n Microsoft.KubernetesConfiguration -o table

Step 3: Create a resource group

You need a resource group to hold the connected cluster resource. You can use an existing resource group in the East US or West Europe location. If you do not have an existing resource group in the East US or West Europe location, use the following command to create a new resource group:

az group create --name AzureArcTest -l EastUS -o table

Step 4: Create a new service principal

You can skip this step if you have already created a service principal with the contributor role and know the service principal's appID, password, and tenant values.

Create a new service principal with an informative name. This name must be unique for your Azure Active Directory tenant. The default role for a service principal is Contributor. This role has full permissions to read and write to an Azure account. You can also reuse this service principal to onboard multiple clusters to Azure Arc. Set the scope of your service principal to subscriptions/resource-group. Make sure you save the service principal's appID, password, and tenant values, as you will need these details in subsequent steps.

az ad sp create-for-RBAC --name "azure-arc-for-k8s" --scope /subscriptions/{Subscription ID}/resourceGroups/{Resource Group Name}

Output:

{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "azure-arc-for-k8s",
  "name": "https://azure-arc-for-k8s",
  "password": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "tenant": "ffffffff-gggg-hhhh-iiii-jjjjjjjjjjjj"
}

Step 5: Save service principal details

Save the created service principal's appId, password, and tenant values, along with the cluster name, Azure subscription ID, resource group name, and location, in PowerShell variables. This ensures you can reuse the details in other tutorials. Ensure that you also save these values in a notepad in case you want to close your PowerShell session.

$clusterName = #<name of your Kubernetes cluster>
$resourceGroup = #<Azure resource group to store your connected Kubernetes cluster in Azure Arc>
$location = #<Azure resource group location. This can only be eastus or westeurope for Azure Arc for Kubernetes>
$subscriptionId = #<Azure subscription Id>
$appId = #<appID from the service principal created above>
$password = #<password from the service principal created above>
$tenant = #<tenant from the service principal created above>

Ensure that you have assigned the right values to the variables by running:

echo $clusterName
echo $resourceGroup
echo $location
echo $subscriptionId
echo $appId
echo $password
echo $tenant

Step 6: Connect to Azure Arc using the service principal and the Aks-Hci PowerShell module

Next, we will connect our Kubernetes cluster to Azure using the service principal and the Aks-Hci PowerShell module. This step deploys the Azure Arc agents for Kubernetes into the azure-arc namespace.

Reference the newly created service principal and run the Install-AksHciArcOnboarding command available in the Aks-Hci PowerShell module.

Install-AksHciArcOnboarding -clusterName $clusterName -resourcegroup $resourceGroup -location $location -subscriptionid $subscriptionId -clientid $appId -clientsecret $password -tenantid $tenant

Verify connected cluster

You can view your Kubernetes cluster resource in the Azure portal. Once you have the portal open in your browser, navigate to the resource group and then to the Azure Arc-enabled Kubernetes resource whose name matches the cluster name and resource group name you passed to the Install-AksHciArcOnboarding PowerShell command earlier.

Note

After onboarding the cluster, it takes around 5 to 10 minutes for the cluster metadata (cluster version, agent version, number of nodes) to surface on the overview page of the Azure Arc enabled Kubernetes resource in the Azure portal.

To delete your cluster, or to connect your cluster if it is behind an outbound proxy server, visit Connect an Azure Arc-enabled Kubernetes cluster.

Azure Arc agents for Kubernetes

Azure Arc enabled Kubernetes deploys a few operators into the azure-arc namespace. You can view these deployments and pods with:

kubectl -n azure-arc get deployments,pods

Azure Arc enabled Kubernetes consists of a few agents (operators) that run in your cluster, deployed to the azure-arc namespace.

  • deployment.apps/config-agent: watches the connected cluster for source control configuration resources applied on the cluster and updates compliance state
  • deployment.apps/controller-manager: is an operator of operators and orchestrates interactions between Azure Arc components
  • deployment.apps/metrics-agent: collects metrics of other Arc agents to ensure that these agents are exhibiting optimal performance
  • deployment.apps/cluster-metadata-operator: gathers cluster metadata (cluster version, node count, and Azure Arc agent version)
  • deployment.apps/resource-sync-agent: syncs the above-mentioned cluster metadata to Azure
  • deployment.apps/clusteridentityoperator: Azure Arc enabled Kubernetes currently supports system-assigned identity. clusteridentityoperator maintains the managed service identity (MSI) certificate used by other agents for communication with Azure.
  • deployment.apps/flux-logs-agent: collects logs from the flux operators deployed as part of source control configuration
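A post-onboarding health check over the agent deployments listed above, added here as an example and not part of the original article. It assumes kubectl is on PATH and the kubeconfig from the prerequisites points at the onboarded cluster:

```powershell
# Added example: confirm every Azure Arc agent deployment exists in the azure-arc
# namespace and has all of its replicas ready. Assumes kubectl + a valid kubeconfig.
$expected = @(
    'config-agent', 'controller-manager', 'metrics-agent',
    'cluster-metadata-operator', 'resource-sync-agent',
    'clusteridentityoperator', 'flux-logs-agent'
)

$deployments = kubectl -n azure-arc get deployments -o json | ConvertFrom-Json
$byName = @{}
foreach ($d in $deployments.items) { $byName[$d.metadata.name] = $d }

$report = foreach ($name in $expected) {
    if (-not $byName.ContainsKey($name)) {
        [pscustomobject]@{ Deployment = $name; Ready = 0; Desired = 0; Status = 'MISSING' }
        continue
    }
    $d = $byName[$name]
    # status.readyReplicas is absent from the JSON until a pod is ready; [int]$null is 0
    $ready   = [int]$d.status.readyReplicas
    $desired = [int]$d.spec.replicas
    [pscustomobject]@{
        Deployment = $name
        Ready      = $ready
        Desired    = $desired
        Status     = if ($desired -gt 0 -and $ready -ge $desired) { 'OK' } else { 'NOT READY' }
    }
}

$report | Format-Table -AutoSize

# An agent that never becomes ready usually cannot reach one of the outbound endpoints
# listed in the network requirements; pull its recent logs to see which call fails.
foreach ($r in ($report | Where-Object Status -eq 'NOT READY')) {
    kubectl -n azure-arc logs "deployment/$($r.Deployment)" --all-containers=true --tail=50
}
```

A MISSING row right after Install-AksHciArcOnboarding can simply mean the deployment has not been created yet; rerun the check after the 5 to 10 minute window mentioned above before treating it as a failure.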

Next steps