Connect an Azure Kubernetes Service on Azure Stack HCI cluster to Azure Arc for Kubernetes

Applies to: AKS on Azure Stack HCI, AKS runtime on Windows Server 2019 Datacenter

When an Azure Kubernetes Service on Azure Stack HCI cluster is attached to Azure Arc, it appears in the Azure portal. It has an Azure Resource Manager ID and a managed identity. Clusters are attached to standard Azure subscriptions, are located in a resource group, and can receive tags just like any other Azure resource.

To connect a Kubernetes cluster to Azure, the cluster administrator needs to deploy agents. These agents run in a Kubernetes namespace named azure-arc and are standard Kubernetes deployments. The agents are responsible for connectivity to Azure, collecting Azure Arc logs and metrics, and watching for configuration requests.

Azure Arc enabled Kubernetes uses industry-standard TLS to secure data in transit. Data is also stored encrypted at rest in an Azure Cosmos DB database to ensure data confidentiality.

The following steps walk through onboarding an Azure Kubernetes Service on Azure Stack HCI cluster to Azure Arc. You may skip these steps if you've already onboarded your Kubernetes cluster to Azure Arc through Windows Admin Center.

Before you begin

Verify that you have the following requirements ready:

  • An Azure Kubernetes Service on Azure Stack HCI cluster with at least one Linux worker node that is up and running.

  • A kubeconfig file to access the cluster, and the cluster-admin role on the cluster, for deployment of the Arc enabled Kubernetes agents.

  • The Azure Kubernetes Service on Azure Stack HCI PowerShell module installed.

  • Azure CLI version 2.3+, which is required for installing the Azure Arc enabled Kubernetes CLI extensions. Install Azure CLI, or update to the latest version to ensure that you have Azure CLI version 2.3+.

  • An Azure subscription on which you're an owner or contributor.

  • Run the commands in this document in a PowerShell administrative window.

Network requirements

Azure Arc agents require the following protocols, ports and outbound URLs to function.

  • TCP on port 443 (HTTPS)
  • TCP on port 9418 (git://)

| Endpoint (DNS) | Description |
|---|---|
| https://management.azure.com | Required for the agent to connect to Azure and register the cluster |
| https://eastus.dp.kubernetesconfiguration.azure.com, https://westeurope.dp.kubernetesconfiguration.azure.com | Data plane endpoint for the agent to push status and fetch configuration information |
| https://docker.io | Required to pull container images |
| https://github.com, git://github.com | Example GitOps repos are hosted on GitHub. The configuration agent requires connectivity to whichever git endpoint you specify. |
| https://login.microsoftonline.com | Required to fetch and update Azure Resource Manager tokens |
| https://azurearcfork8s.azurecr.io | Required to pull container images for the Azure Arc agents |
| https://eus.his.arc.azure.com, https://weu.his.arc.azure.com | Required to pull system-assigned managed identity certificates |
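Before onboarding, it is worth confirming that the endpoints in the table are actually reachable from your environment. The following PowerShell script is an added example, not code from the original article: it probes each host and port listed above with Test-NetConnection and reports anything blocked. It assumes Windows PowerShell with the NetTCPIP module (where Test-NetConnection lives) and that this host egresses the same way the cluster nodes do; a proxy or firewall rule that applies only to the node network can still block the agents even when this host succeeds.

```powershell
# Added example, not part of the original article.
# Probes the outbound endpoints the Azure Arc agents need (the list from the table above).
# Assumes Test-NetConnection is available and this host shares the cluster's egress path.

$endpoints = @(
    @{ Host = 'management.azure.com';                            Port = 443 },
    @{ Host = 'eastus.dp.kubernetesconfiguration.azure.com';     Port = 443 },
    @{ Host = 'westeurope.dp.kubernetesconfiguration.azure.com'; Port = 443 },
    @{ Host = 'login.microsoftonline.com';                       Port = 443 },
    @{ Host = 'azurearcfork8s.azurecr.io';                       Port = 443 },
    @{ Host = 'eus.his.arc.azure.com';                           Port = 443 },
    @{ Host = 'weu.his.arc.azure.com';                           Port = 443 },
    @{ Host = 'docker.io';                                       Port = 443 },
    @{ Host = 'github.com';                                      Port = 443 },
    @{ Host = 'github.com';                                      Port = 9418 }   # git:// protocol
)

function Test-ArcEgress {
    param([Parameter(Mandatory)][hashtable[]]$Targets)

    foreach ($t in $Targets) {
        # -InformationLevel Quiet returns a plain $true/$false instead of a report object;
        # the warning on a failed connect is suppressed because we report it ourselves.
        $ok = Test-NetConnection -ComputerName $t.Host -Port $t.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Endpoint  = "$($t.Host):$($t.Port)"
            Reachable = $ok
        }
    }
}

$results = Test-ArcEgress -Targets $endpoints
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Blocked endpoints: " + ($blocked.Endpoint -join ', ') +
                   ". Fix egress rules or configure an outbound proxy before onboarding.")
}
```

Run it from the PowerShell administrative window you will use for the rest of the procedure. A TCP connect succeeding does not prove that a TLS-intercepting proxy will accept the agents' certificates, so if your network breaks TLS, also follow the proxy guidance linked at the end of this article.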

Step 1: Log in to Azure

Log in to Azure and, after logging in, set an Azure subscription on which you're an owner or contributor as your default subscription.

az login
az account set --subscription "00000000-aaaa-bbbb-cccc-000000000000"

Step 2: Register the two providers for Azure Arc enabled Kubernetes

You can skip this step if you've already registered the two providers for the Azure Arc enabled Kubernetes service on your subscription. Registration is an asynchronous process and needs to be done once per subscription. Registration may take approximately 10 minutes.

az provider register --namespace Microsoft.Kubernetes
az provider register --namespace Microsoft.KubernetesConfiguration

You can check whether the providers are registered with the following commands:

az provider show -n Microsoft.Kubernetes -o table
az provider show -n Microsoft.KubernetesConfiguration -o table

Step 3: Create a resource group

You need a resource group to hold the connected cluster resource. You can use an existing resource group in the East US or West Europe location. If you do not have an existing resource group in East US or West Europe, use the following command to create a new one:

az group create --name AzureArcTest -l EastUS -o table

Step 4: Create a new service principal

You can skip this step if you've already created a service principal with the Contributor role and know the service principal's appID, password, and tenant values.

Create a new service principal with an informative name. This name must be unique within your Azure Active Directory tenant. The default role for a service principal is Contributor, which has full read and write permissions on the resources within its scope. Set the scope of the service principal to the resource group (subscriptions/{id}/resourceGroups/{name}) rather than the whole subscription, so that a leaked secret cannot be used against resources outside that group. You can reuse this service principal to onboard multiple clusters to Azure Arc. Make sure you save the service principal's appID, password, and tenant values, as you will need them in subsequent steps.

# Command names are lowercase; the role is given explicitly because newer Azure CLI versions no longer assign one by default.
az ad sp create-for-rbac --name "azure-arc-for-k8s" --role Contributor --scopes "/subscriptions/{Subscription ID}/resourceGroups/{Resource Group Name}"

Output:

{
  "appId": "00000000-0000-0000-0000-000000000000",
  "displayName": "azure-arc-for-k8s",
  "name": "https://azure-arc-for-k8s",
  "password": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "tenant": "ffffffff-gggg-hhhh-iiii-jjjjjjjjjjjj"
}

Step 5: Save service principal details

Save the created service principal's appId, password and tenant values, together with the cluster name, Azure subscription ID, resource group name and location, in PowerShell variables so that you can reuse them in other tutorials. If you need them after closing the PowerShell session, keep the non-secret values in your notes, but treat the service principal password as a credential and store it in a secret store rather than in a plain-text file.

$clusterName    = "<name of your Kubernetes cluster>"
$resourceGroup  = "<Azure resource group to store your connected Kubernetes cluster in Azure Arc>"
$location       = "<Azure resource group location; this can only be eastus or westeurope for Azure Arc for Kubernetes>"
$subscriptionId = "<Azure subscription Id>"
$appId          = "<appID from the service principal created above>"
$password       = "<password from the service principal created above>"
$tenant         = "<tenant from the service principal created above>"

Ensure that you have assigned the right values to the variables by running the following. The password is only checked for presence, so the secret does not end up in the console history or a transcript:

echo $clusterName
echo $resourceGroup
echo $location
echo $subscriptionId
echo $appId
if ($password) { echo "password: set" } else { echo "password: MISSING" }
echo $tenant

Step 6: Connect to Azure Arc using the service principal and the Aks-Hci PowerShell module

Next, connect the Kubernetes cluster to Azure using the service principal and the Aks-Hci PowerShell module. This step deploys the Azure Arc agents for Kubernetes into the azure-arc namespace.

Reference the newly created service principal and run the Install-AksHciArcOnboarding command available in the Aks-Hci PowerShell module.

Install-AksHciArcOnboarding -clusterName $clusterName -resourcegroup $resourceGroup -location $location -subscriptionid $subscriptionId -clientid $appId -clientsecret $password -tenantid $tenant
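Steps 1 to 6 above, collected into one PowerShell script as an added example (not code from the original article or from the Aks-Hci module). It waits for the asynchronous provider registration instead of assuming it has finished, scopes the service principal to the resource group, and never writes the secret to the console. It assumes the Azure CLI (az) and the Aks-Hci PowerShell module are installed, that `az login` has already been run, and that Install-AksHciArcOnboarding takes the parameters shown in Step 6. The subscription ID and cluster name are placeholders.

```powershell
# Added example, not part of the original article: Steps 1-6 as one script.
# Assumes az and the Aks-Hci module are installed and `az login` has been run.
# Subscription ID and cluster name are placeholders.

$subscriptionId = '00000000-aaaa-bbbb-cccc-000000000000'   # placeholder
$resourceGroup  = 'AzureArcTest'
$location       = 'eastus'                                 # eastus or westeurope only
$clusterName    = 'my-aks-hci-cluster'                     # placeholder
$spName         = 'azure-arc-for-k8s'

function Invoke-Az {
    # Runs the Azure CLI and fails fast on a non-zero exit code (az itself never throws).
    $out = & az @args
    if ($LASTEXITCODE -ne 0) { throw "az $($args -join ' ') failed with exit code $LASTEXITCODE" }
    return $out
}

# Step 1: pin the subscription the connected-cluster resource will live in.
Invoke-Az account set --subscription $subscriptionId | Out-Null

# Step 2: registration is asynchronous (up to ~10 minutes), so poll until Registered.
function Wait-AzProviderRegistered {
    param([Parameter(Mandatory)][string]$Namespace, [int]$TimeoutMinutes = 15)
    Invoke-Az provider register --namespace $Namespace | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $state = Invoke-Az provider show -n $Namespace --query registrationState -o tsv
        if ($state -eq 'Registered') { return }
        Start-Sleep -Seconds 20
    } while ((Get-Date) -lt $deadline)
    throw "Provider $Namespace still '$state' after $TimeoutMinutes minutes"
}
Wait-AzProviderRegistered -Namespace 'Microsoft.Kubernetes'
Wait-AzProviderRegistered -Namespace 'Microsoft.KubernetesConfiguration'

# Step 3: create the resource group (a no-op if it already exists in this location).
Invoke-Az group create --name $resourceGroup --location $location -o none

# Step 4: service principal scoped to the resource group only, so a leaked secret cannot
# touch anything else in the subscription. The role is given explicitly because recent
# Azure CLI versions no longer assign one by default.
$scope  = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$spJson = Invoke-Az ad sp create-for-rbac --name $spName --role Contributor --scopes $scope -o json
$sp     = ($spJson -join "`n") | ConvertFrom-Json

# Step 5: Azure shows the password only once; keep it in a variable and never echo it.
$appId  = $sp.appId
$tenant = $sp.tenant
$secret = $sp.password
Remove-Variable sp, spJson

# Step 6: deploy the Arc agents into the azure-arc namespace.
Install-AksHciArcOnboarding -clusterName $clusterName -resourcegroup $resourceGroup `
    -location $location -subscriptionid $subscriptionId `
    -clientid $appId -clientsecret $secret -tenantid $tenant

# The agents now hold the credential; drop the plaintext copy from this session.
Remove-Variable secret
```

If you keep the service principal for onboarding further clusters, store its password in a secret store and rotate it with `az ad sp credential reset` when staff who had access leave; the resource-group scope is what limits the damage if it ever leaks.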

Verify the connected cluster

You can view your Kubernetes cluster resource in the Azure portal. Once you have the portal open in your browser, navigate to the resource group, then to the Azure Arc-enabled Kubernetes resource whose name matches the cluster name and resource group name you passed to the Install-AksHciArcOnboarding PowerShell command.

Note

After onboarding the cluster, it takes around 5 to 10 minutes for the cluster metadata (cluster version, agent version, number of nodes) to surface on the overview page of the Azure Arc enabled Kubernetes resource in the Azure portal.

To delete your cluster, or to connect your cluster if it is behind an outbound proxy server, see Connect an Azure Arc-enabled Kubernetes cluster.

Azure Arc agents for Kubernetes

Azure Arc enabled Kubernetes deploys a few operators into the azure-arc namespace. You can view these deployments and pods with:

kubectl -n azure-arc get deployments,pods

Azure Arc enabled Kubernetes consists of a few agents (operators) that run in your cluster, deployed to the azure-arc namespace.

  • deployment.apps/config-agent: watches the connected cluster for source control configuration resources applied on the cluster and updates compliance state
  • deployment.apps/controller-manager: an operator of operators that orchestrates interactions between Azure Arc components
  • deployment.apps/metrics-agent: collects metrics of the other Arc agents to ensure that they are performing as expected
  • deployment.apps/cluster-metadata-operator: gathers cluster metadata: cluster version, node count, and Azure Arc agent version
  • deployment.apps/resource-sync-agent: syncs the above cluster metadata to Azure
  • deployment.apps/clusteridentityoperator: Azure Arc enabled Kubernetes currently supports system-assigned identity. clusteridentityoperator maintains the managed service identity (MSI) certificate used by the other agents for communication with Azure.
  • deployment.apps/flux-logs-agent: collects logs from the flux operators deployed as part of source control configuration
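The kubectl command above lists the deployments and pods, but leaves it to you to read the READY columns. The following PowerShell is an added example, not code from the original article: it parses the deployments in the azure-arc namespace and flags any whose ready replica count is short, then lists pods that are not Running or have a container stuck in a waiting state. It assumes kubectl is on PATH and KUBECONFIG points at the onboarded cluster; the namespace name is the one given in this article.

```powershell
# Added example, not part of the original article.
# Checks the azure-arc deployments and pods described above for readiness.
# Assumes kubectl is on PATH and KUBECONFIG targets the onboarded cluster.

function Get-ArcDeploymentStatus {
    param([string]$Namespace = 'azure-arc')

    $raw = kubectl -n $Namespace get deployments -o json | Out-String
    if ($LASTEXITCODE -ne 0) { throw "kubectl failed; check KUBECONFIG and cluster-admin access" }

    foreach ($d in ($raw | ConvertFrom-Json).items) {
        $desired = [int]$d.spec.replicas
        $ready   = [int]$d.status.readyReplicas    # absent property casts to 0
        [pscustomobject]@{
            Deployment = $d.metadata.name
            Ready      = "$ready/$desired"
            Healthy    = ($desired -gt 0 -and $ready -eq $desired)
        }
    }
}

function Get-ArcUnhealthyPods {
    param([string]$Namespace = 'azure-arc')

    $raw = kubectl -n $Namespace get pods -o json | Out-String
    if ($LASTEXITCODE -ne 0) { throw "kubectl failed; check KUBECONFIG and cluster-admin access" }

    foreach ($p in ($raw | ConvertFrom-Json).items) {
        # A container stuck in waiting (for example ImagePullBackOff) keeps the pod from
        # becoming Ready even while the pod phase still reads Pending.
        $waiting = @($p.status.containerStatuses | Where-Object { $_.state.waiting } |
                     ForEach-Object { "$($_.name): $($_.state.waiting.reason)" })
        if ($p.status.phase -ne 'Running' -or $waiting.Count -gt 0) {
            [pscustomobject]@{
                Pod     = $p.metadata.name
                Phase   = $p.status.phase
                Waiting = ($waiting -join '; ')
            }
        }
    }
}

$status = Get-ArcDeploymentStatus
$status | Format-Table -AutoSize

$unhealthy = Get-ArcUnhealthyPods
if ($unhealthy) {
    $unhealthy | Format-Table -AutoSize
    Write-Warning "Not all Arc agents are healthy. ImagePullBackOff on these pods usually means egress to azurearcfork8s.azurecr.io is blocked."
} elseif ($status.Healthy -notcontains $false) {
    Write-Host "All azure-arc deployments are ready."
}
```

Run it a few minutes after Install-AksHciArcOnboarding returns; the metadata shown in the portal depends on cluster-metadata-operator and resource-sync-agent being ready, so a short Ready column here explains a blank overview page there.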

Next steps