Tutorial: Deploy an Azure Kubernetes Service (AKS) cluster

Kubernetes provides a distributed platform for containerized applications. With AKS, you can quickly create a production-ready Kubernetes cluster. In this tutorial, part three of seven, a Kubernetes cluster is deployed in AKS. You learn how to:

  • Create a service principal for resource interactions
  • Deploy a Kubernetes AKS cluster
  • Install the Kubernetes CLI (kubectl)
  • Configure kubectl to connect to your AKS cluster

In additional tutorials, the Azure Vote application is deployed to the cluster, scaled, and updated.

Before you begin

In previous tutorials, a container image was created and uploaded to an Azure Container Registry instance. If you haven't done these steps and would like to follow along, start at Tutorial 1 – Create container images.

This tutorial requires that you're running the Azure CLI version 2.0.53 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Create a service principal

To allow an AKS cluster to interact with other Azure resources, an Azure Active Directory service principal is used. This service principal can be automatically created by the Azure CLI or portal, or you can pre-create one and assign additional permissions. In this tutorial, you create a service principal, grant it access to the Azure Container Registry (ACR) instance created in the previous tutorial, then create an AKS cluster.

Create a service principal using the az ad sp create-for-rbac command. The --skip-assignment parameter prevents any additional permissions from being assigned. By default, this service principal is valid for one year.

az ad sp create-for-rbac --skip-assignment

The output is similar to the following example:

{
  "appId": "e7596ae3-6864-4cb8-94fc-20164b1588a9",
  "displayName": "azure-cli-2018-06-29-19-14-37",
  "name": "http://azure-cli-2018-06-29-19-14-37",
  "password": "52c95f25-bd1e-4314-bd31-d8112b293521",
  "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db48"
}

Make a note of the appId and password. These values are used in the following steps.

Configure ACR authentication

To access images stored in ACR, you must grant the AKS service principal the correct rights to pull images from ACR.

First, get the ACR resource ID using az acr show. Update the <acrName> registry name to that of your ACR instance, and the resource group to the one where the ACR instance is located.

az acr show --resource-group myResourceGroup --name <acrName> --query "id" --output tsv

To grant the correct access for the AKS cluster to pull images stored in ACR, assign the AcrPull role using the az role assignment create command. Replace <appId> and <acrId> with the values gathered in the previous two steps.

az role assignment create --assignee <appId> --scope <acrId> --role acrpull

Create a Kubernetes cluster

AKS clusters can use Kubernetes role-based access control (RBAC). These controls let you define access to resources based on roles assigned to users. Permissions are combined if a user is assigned multiple roles, and permissions can be scoped to either a single namespace or across the whole cluster. By default, the Azure CLI automatically enables RBAC when you create an AKS cluster.

Create an AKS cluster using az aks create. The following example creates a cluster named myAKSCluster in the resource group named myResourceGroup. This resource group was created in the previous tutorial. Provide your own <appId> and <password> from the previous step where the service principal was created.

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --node-count 2 \
    --service-principal <appId> \
    --client-secret <password> \
    --generate-ssh-keys

After a few minutes, the deployment completes and returns JSON-formatted information about the AKS deployment.

Note

To ensure your cluster operates reliably, you should run at least 2 (two) nodes.

Install the Kubernetes CLI

To connect to the Kubernetes cluster from your local computer, you use kubectl, the Kubernetes command-line client.

If you use the Azure Cloud Shell, kubectl is already installed. You can also install it locally using the az aks install-cli command:

az aks install-cli

Connect to the cluster using kubectl

To configure kubectl to connect to your Kubernetes cluster, use the az aks get-credentials command. The following example gets credentials for the AKS cluster named myAKSCluster in the myResourceGroup resource group:

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

To verify the connection to your cluster, run the kubectl get nodes command:

$ kubectl get nodes

NAME                       STATUS   ROLES   AGE   VERSION
aks-nodepool1-12345678-0   Ready    agent   32m   v1.13.10
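The steps above, chained into one script as an added example that is not part of the original tutorial: it captures the service principal's appId and password from the CLI output instead of copying them by hand, and it refuses to assign AcrPull unless the scope is the registry resource itself (the least-privilege grant the tutorial intends). It assumes Azure CLI 2.0.53 or later with an active login; the resource group, cluster and registry names are placeholders.

```shell
#!/bin/sh
# Added example, not the tutorial's own code: runs the tutorial's steps end to end
# with the service principal's AcrPull grant scoped to a single registry.
# Assumes Azure CLI 2.0.53+ and an active `az login`; names below are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-myResourceGroup}"
CLUSTER_NAME="${CLUSTER_NAME:-myAKSCluster}"
ACR_NAME="${ACR_NAME:-myacr}"   # placeholder: your registry name (<acrName>)

# Pull one string field out of the pretty-printed JSON az prints (one key per line).
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p"
}

# AcrPull belongs on the registry resource itself, not on the resource group or
# subscription, so the cluster's principal can only pull from that one ACR.
is_acr_scope() {
    case "$1" in
        /subscriptions/*/resourceGroups/*/providers/Microsoft.ContainerRegistry/registries/*) return 0 ;;
        *) return 1 ;;
    esac
}

deploy_cluster() {
    # --skip-assignment: no default role; capture the output so appId/password
    # are never retyped (the secret stays in a variable, not in shell history).
    sp_json=$(az ad sp create-for-rbac --skip-assignment --output json)
    app_id=$(json_field appId "$sp_json")
    client_secret=$(json_field password "$sp_json")

    acr_id=$(az acr show --resource-group "$RESOURCE_GROUP" --name "$ACR_NAME" \
                 --query "id" --output tsv)
    is_acr_scope "$acr_id" || { echo "unexpected scope: $acr_id" >&2; return 1; }
    az role assignment create --assignee "$app_id" --scope "$acr_id" --role acrpull

    az aks create --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
        --node-count 2 --service-principal "$app_id" --client-secret "$client_secret" \
        --generate-ssh-keys

    az aks get-credentials --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME"
    kubectl get nodes
}

# Only touch Azure when explicitly asked: `sh deploy-aks.sh deploy`
if [ "${1:-}" = "deploy" ]; then deploy_cluster; fi
```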

Next steps

In this tutorial, a Kubernetes cluster was deployed in AKS, and you configured kubectl to connect to it. You learned how to:

  • Create a service principal for resource interactions
  • Deploy a Kubernetes AKS cluster
  • Install the Kubernetes CLI (kubectl)
  • Configure kubectl to connect to your AKS cluster

Advance to the next tutorial to learn how to deploy an application to the cluster.