Integrate Azure Active Directory with Azure Kubernetes Service

Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (Azure AD) for user authentication. In this configuration, you can sign in to an AKS cluster by using your Azure AD authentication token.

Cluster administrators can configure Kubernetes role-based access control (RBAC) based on a user's identity or directory group membership.

This article explains how to:

  • Deploy the prerequisites for AKS and Azure AD.
  • Deploy an Azure AD-enabled cluster.
  • Create a basic RBAC role in the AKS cluster by using the Azure portal.

You can also complete these steps by using the Azure CLI.

Note

Azure AD can only be enabled when you create a new RBAC-enabled cluster. You can't enable Azure AD on an existing AKS cluster.

Authentication details

Azure AD authentication is provided to AKS clusters that have OpenID Connect. OpenID Connect is an identity layer built on top of the OAuth 2.0 protocol.

For more information about OpenID Connect, see Authorize access to web applications using OpenID Connect and Azure AD.

Inside a Kubernetes cluster, webhook token authentication is used to authenticate tokens. Webhook token authentication is configured and managed as part of the AKS cluster.

For more information about webhook token authentication, see the Webhook Token Authentication section in the Kubernetes documentation.

To provide Azure AD authentication for an AKS cluster, two Azure AD applications are created. The first application is a server component that provides user authentication. The second application is a client component that's used when you're prompted by the CLI for authentication. This client application uses the server application for the actual authentication of the credentials provided by the client.

Note

When you configure Azure AD for AKS authentication, two Azure AD applications are configured. The steps to delegate permissions for each application must be completed by an Azure tenant administrator.

Create the server application

The first Azure AD application is applied to get a user's Azure AD group membership. To create this application in the Azure portal:

  1. Select Azure Active Directory > App registrations > New registration.

    a. Give the application a name, such as AKSAzureADServer.

    b. For Supported account types, select Accounts in this organizational directory only.

    c. Choose Web for the Redirect URI type, and then enter any URI-formatted value, such as https://aksazureadserver.

    d. Select Register when you're finished.

  2. Select Manifest, and then set the groupMembershipClaims value to All. When you're finished with the updates, select Save.

    [Screenshot: Update group membership claims to All]

  3. In the left pane of the Azure AD application, select Certificates & secrets.

    a. Select + New client secret.

    b. Add a key description, such as AKS Azure AD server. Choose an expiration time, and then select Add.

    c. Note the key value, which is displayed only at this time. When you deploy an Azure AD-enabled AKS cluster, this value is called the server application secret.

  4. In the left pane of the Azure AD application, select API permissions, and then select + Add a permission.

    a. Under Microsoft APIs, select Microsoft Graph.

    b. Select Delegated permissions, and then select the check box next to Directory > Directory.Read.All (Read directory data).

    c. If a default delegated permission for User > User.Read (Sign in and read user profile) doesn't exist, select the check box next to it.

    d. Select Application permissions, and then select the check box next to Directory > Directory.Read.All (Read directory data).

    [Screenshot: Set Graph permissions]

    e. Select Add permissions to save the updates.

    f. Under Grant consent, select Grant admin consent. This button isn't available if the current account isn't listed as a tenant admin.

    When permissions are successfully granted, the following notification is displayed in the portal:

    [Screenshot: Notification of successfully granted permissions]

  5. In the left pane of the Azure AD application, select Expose an API, and then select + Add a scope.

    a. Enter a Scope name, an Admin consent display name, and an Admin consent description, such as AKSAzureADServer.

    b. Make sure State is set to Enabled.

    [Screenshot: Expose the server application as an API for use with other services]

    c. Select Add scope.

  6. Return to the application Overview page and note the Application (client) ID. When you deploy an Azure AD-enabled AKS cluster, this value is called the server application ID.

    [Screenshot: Get the application ID]

Create the client application

The second Azure AD application is used when you sign in with the Kubernetes CLI (kubectl).

  1. Select Azure Active Directory > App registrations > New registration.

    a. Give the application a name, such as AKSAzureADClient.

    b. For Supported account types, select Accounts in this organizational directory only.

    c. Select Web for the Redirect URI type, and then enter any URI-formatted value, such as https://aksazureadclient.

    d. Select Register when you're finished.

  2. In the left pane of the Azure AD application, select API permissions, and then select + Add a permission.

    a. Select My APIs, and then choose the Azure AD server application you created in the previous step, such as AKSAzureADServer.

    b. Select Delegated permissions, and then select the check box next to your Azure AD server app.

    [Screenshot: Set application permissions]

    c. Select Add permissions.

    d. Under Grant consent, select Grant admin consent. This button isn't available if the current account isn't a tenant admin. When permissions are granted, the following notification is displayed in the portal:

    [Screenshot: Notification of successfully granted permissions]

  3. In the left pane of the Azure AD application, select Authentication.

    • Under Default client type, select Yes to Treat the client as a public client.

  4. In the left pane of the Azure AD application, note the application ID. When you deploy an Azure AD-enabled AKS cluster, this value is called the client application ID.

    [Screenshot: Get the application ID]

Get the tenant ID

Next, get the ID of your Azure tenant. This value is used when you create the AKS cluster.

From the Azure portal, select Azure Active Directory > Properties and note the Directory ID. When you create an Azure AD-enabled AKS cluster, this value is called the tenant ID.

[Screenshot: Get the Azure tenant ID]

Deploy the AKS cluster

Use the az group create command to create a resource group for the AKS cluster.

az group create --name myResourceGroup --location eastus

Use the az aks create command to deploy the AKS cluster. Replace the values in the following sample command with the values you collected when you created the Azure AD applications: the server app ID, the server app secret, the client app ID, and the tenant ID.

az aks create \
  --resource-group myResourceGroup \
  --name myAKSCluster \
  --generate-ssh-keys \
  --aad-server-app-id b1536b67-29ab-4b63-b60f-9444d0c15df1 \
  --aad-server-app-secret wHYomLe2i1mHR2B3/d4sFrooHwADZccKwfoQwK2QHg= \
  --aad-client-app-id 8aaf8bd5-1bdd-4822-99ad-02bfaa63eea7 \
  --aad-tenant-id 72f988bf-0000-0000-0000-2d7cd011db47

An AKS cluster takes a few minutes to create.

Create an RBAC binding

Note

The cluster role binding name is case sensitive.

Before you use an Azure Active Directory account with an AKS cluster, you must create a role binding or cluster role binding. Roles define the permissions to grant, and bindings apply them to the desired users. These assignments can be applied to a given namespace, or across the entire cluster. For more information, see Using RBAC authorization.

First, use the az aks get-credentials command with the --admin argument to sign in to the cluster with admin access.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin

Next, create a ClusterRoleBinding for the Azure AD account that you want to grant access to the AKS cluster. The following example gives the account full access to all namespaces in the cluster:

  • If the user you grant the RBAC binding for is in the same Azure AD tenant, assign permissions based on the user principal name (UPN). Move on to the step to create the YAML manifest for the ClusterRoleBinding.

  • If the user is in a different Azure AD tenant, query for and use the objectId property instead. If needed, get the objectId of the required user account by using the az ad user show command. Provide the user principal name (UPN) of the required account:

    az ad user show --upn-or-object-id user@contoso.com --query objectId -o tsv

Create a file, such as rbac-aad-user.yaml, and then paste the following contents. On the last line, replace userPrincipalName_or_objectId with the UPN or object ID. The choice depends on whether the user is in the same Azure AD tenant or not.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contoso-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: userPrincipalName_or_objectId

Apply the binding by using the kubectl apply command, as shown in the following example:

kubectl apply -f rbac-aad-user.yaml

A role binding can also be created for all members of an Azure AD group. Azure AD groups are specified by using the group object ID, as shown in the following example.

Create a file, such as rbac-aad-group.yaml, and then paste the following contents. Update the group object ID with one from your Azure AD tenant:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: contoso-cluster-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: "894656e1-39f8-4bfe-b16a-510f61af6f41"

Apply the binding by using the kubectl apply command, as shown in the following example:

kubectl apply -f rbac-aad-group.yaml

For more information on securing a Kubernetes cluster with RBAC, see Using RBAC Authorization.

Access the cluster with Azure AD

Pull the context for the non-admin user by using the az aks get-credentials command.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

After you run a kubectl command, you'll be prompted to authenticate by using Azure. Follow the on-screen instructions to finish the process, as shown in the following example:

$ kubectl get nodes

To sign in, use a web browser to open https://microsoft.com/devicelogin. Next, enter the code BUJHWDGNL to authenticate.

NAME                       STATUS    ROLES     AGE       VERSION
aks-nodepool1-79590246-0   Ready     agent     1h        v1.13.5
aks-nodepool1-79590246-1   Ready     agent     1h        v1.13.5
aks-nodepool1-79590246-2   Ready     agent     1h        v1.13.5

When the process is finished, the authentication token is cached. You're only prompted to sign in again when the token expires or the Kubernetes config file is re-created.

If you see the following authorization error message after you successfully sign in, check the criteria listed below:

error: You must be logged in to the server (Unauthorized)

  • You defined the appropriate object ID or UPN, depending on whether the user account is in the same Azure AD tenant or not.
  • The user isn't a member of more than 200 groups.
  • The secret defined in the server application registration matches the value configured by using --aad-server-app-secret.
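As an added illustration (not code from this page or from AKS), the following Python models the decision the webhook token authenticator described under Authentication details makes for a token issued to the server application, and then matches the resulting user information against the User and Group subjects of the ClusterRoleBinding manifests above. It assumes the token's signature has already been verified against Azure AD's signing keys, uses the page's sample app, tenant and group IDs, and treats Azure AD's groups-overage marker (a _claim_names entry for groups) as the cause behind the "more than 200 groups" checklist item, which is an assumption.

```python
# Added example, not AKS code: models the webhook token authenticator's decision
# for an Azure AD token issued to the AKS server application, then matches the
# resulting UserInfo against (Cluster)RoleBinding subjects. Assumes the token's
# signature was already verified; IDs are the page's sample values.

SERVER_APP_ID = "b1536b67-29ab-4b63-b60f-9444d0c15df1"  # --aad-server-app-id
TENANT_ID = "72f988bf-0000-0000-0000-2d7cd011db47"      # --aad-tenant-id


def user_info_from_claims(claims, server_app_id=SERVER_APP_ID, tenant_id=TENANT_ID):
    """Map verified Azure AD claims to Kubernetes UserInfo; None means reject."""
    # The token must be issued for the server application (audience check).
    if claims.get("aud") != server_app_id:
        return None
    # With too many groups, Azure AD omits the groups claim and emits an overage
    # marker instead; assumed here to be why the checklist caps groups at 200.
    if "groups" in claims.get("_claim_names", {}):
        return None
    # Same tenant: identify the user by UPN. Other tenant (guest): by object ID,
    # matching the page's rule for the subject name in the ClusterRoleBinding.
    if claims.get("tid") == tenant_id and claims.get("upn"):
        username = claims["upn"]
    else:
        username = claims.get("oid")
    if not username:
        return None
    return {"username": username, "uid": claims.get("oid", ""),
            "groups": list(claims.get("groups", []))}


def token_review_response(claims):
    """Build the TokenReview status the API server expects from the webhook."""
    info = user_info_from_claims(claims)
    status = {"authenticated": info is not None}
    if info:
        status["user"] = info
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenReview", "status": status}


def binding_matches(subjects, info):
    """True if any User or Group subject of a binding matches the UserInfo."""
    for subject in subjects:
        if subject["kind"] == "User" and subject["name"] == info["username"]:
            return True
        if subject["kind"] == "Group" and subject["name"] in info["groups"]:
            return True
    return False


# Constructed sample claim set: a home-tenant user in the page's example group.
SAMPLE_CLAIMS = {"aud": SERVER_APP_ID, "tid": TENANT_ID, "upn": "user@contoso.com",
                 "oid": "11111111-2222-3333-4444-555555555555",
                 "groups": ["894656e1-39f8-4bfe-b16a-510f61af6f41"]}
```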

Next steps

To use Azure AD users and groups to control access to cluster resources, see Control access to cluster resources using role-based access control and Azure AD identities in AKS.

For more information about how to secure Kubernetes clusters, see Access and identity options for AKS.

To learn more about identity and resource control, see Best practices for authentication and authorization in AKS.