Control access to cluster resources using role-based access control and Azure Active Directory identities in Azure Kubernetes Service

Azure Kubernetes Service (AKS) can be configured to use Azure Active Directory (AD) for user authentication. In this configuration, you sign in to an AKS cluster using an Azure AD authentication token. You can also configure Kubernetes role-based access control (RBAC) to limit access to cluster resources based on a user's identity or group membership. The two halves are separate: Azure AD answers who the caller is (authentication), while Kubernetes RBAC inside the cluster decides what the caller may do (authorization), so both have to be configured before a user can do anything useful.

This article shows you how to use Azure AD group membership to control access to namespaces and cluster resources using Kubernetes RBAC in an AKS cluster. Example groups and users are created in Azure AD, then Roles and RoleBindings are created in the AKS cluster to grant the appropriate permissions to create and view resources.

Before you begin

This article assumes that you have an existing AKS cluster with Azure AD integration enabled. If you need an AKS cluster, see Integrate Azure Active Directory with AKS.

You need the Azure CLI version 2.0.61 or later installed and configured. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI. Note that Azure CLI 2.37 and later query Azure AD through Microsoft Graph, where the object ID of a user or group is returned as id rather than objectId; on those versions adjust the --query expressions in this article accordingly.

Create demo groups in Azure AD

In this article, let's create two user roles that are used to show how Kubernetes RBAC and Azure AD together control access to cluster resources. The following two example roles are used:

  • Application developer
    • A user named aksdev that is a member of the appdev group.
  • Site reliability engineer
    • A user named akssre that is a member of the opssre group.

In production environments, use existing users and groups within your Azure AD tenant.

First, get the resource ID of your AKS cluster using the az aks show command. Assign the resource ID to a variable named AKS_ID so that it can be referenced in subsequent commands.

AKS_ID=$(az aks show \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --query id -o tsv)

Create the first example group in Azure AD for the application developers using the az ad group create command. The following example creates a group named appdev and stores its object ID:

APPDEV_ID=$(az ad group create --display-name appdev --mail-nickname appdev --query objectId -o tsv)

Now, create an Azure role assignment for the appdev group using the az role assignment create command. This assignment grants members of the group the Azure Kubernetes Service Cluster User Role, which lets them retrieve the non-admin kubeconfig for the cluster with az aks get-credentials and therefore use kubectl against it. It grants no permissions inside the cluster: what a signed-in user may actually do is decided by the Kubernetes Roles and RoleBindings created later in this article, and a user with this Azure role but no RoleBinding can authenticate and nothing more.

az role assignment create \
  --assignee $APPDEV_ID \
  --role "Azure Kubernetes Service Cluster User Role" \
  --scope $AKS_ID

Tip

If you receive an error such as Principal 35bfec9328bd4d8d9b54dea6dac57b82 does not exist in the directory a5443dcd-cd0e-494d-a387-3039b419f0d5., wait a few seconds for the Azure AD group object to propagate through the directory, then run the az role assignment create command again.

Create a second example group, this one for SREs, named opssre:

OPSSRE_ID=$(az ad group create --display-name opssre --mail-nickname opssre --query objectId -o tsv)

Again, create an Azure role assignment to grant members of the group the Azure Kubernetes Service Cluster User Role:

az role assignment create \
  --assignee $OPSSRE_ID \
  --role "Azure Kubernetes Service Cluster User Role" \
  --scope $AKS_ID
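The propagation race described in the tip above is worth handling in automation rather than by re-running commands by hand. The following shell helper is added here as an example; it is not code from the original article. It wraps az role assignment create in a bounded retry loop so that a freshly created group that has not yet propagated does not abort a provisioning script. The function names retry_until_ok and assign_cluster_user_role are this example's own, and the attempt budget (ten attempts, five seconds apart) is an assumption you can tune.

```shell
# Retry a command until it succeeds or the attempt budget is exhausted.
# Usage: retry_until_ok <max_attempts> <sleep_seconds> <command> [args...]
# Returns 0 as soon as one attempt succeeds, 1 once the budget is spent.
retry_until_ok() {
  max_attempts=$1
  delay=$2
  shift 2
  attempt=1
  while :; do
    if "$@"; then
      return 0
    fi
    if [ "$attempt" -ge "$max_attempts" ]; then
      echo "retry_until_ok: giving up after $attempt attempt(s): $*" >&2
      return 1
    fi
    echo "retry_until_ok: attempt $attempt failed, retrying in ${delay}s" >&2
    attempt=$((attempt + 1))
    sleep "$delay"
  done
}

# Grant an Azure AD group the Azure Kubernetes Service Cluster User Role on one
# cluster, retrying while the newly created group propagates through the
# directory (the "Principal ... does not exist in the directory" error).
# Usage: assign_cluster_user_role <group_object_id> <aks_resource_id>
# Requires a signed-in Azure CLI; the 10 x 5s budget is this example's choice.
assign_cluster_user_role() {
  retry_until_ok 10 5 az role assignment create \
    --assignee "$1" \
    --role "Azure Kubernetes Service Cluster User Role" \
    --scope "$2"
}

# Example, with AKS_ID and APPDEV_ID set as earlier in this article:
#   assign_cluster_user_role "$APPDEV_ID" "$AKS_ID"
```

The retry is bounded on purpose: an assignment that still fails after ten attempts is almost certainly a wrong object ID or a missing permission, not propagation delay, and should surface as an error rather than loop forever.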

Create demo users in Azure AD

With two example groups created in Azure AD for our application developers and SREs, now let's create two example users. To test the RBAC integration at the end of the article, you sign in to the AKS cluster with these accounts.

Create the first user account in Azure AD using the az ad user create command.

The following example creates a user with the display name AKS Dev and the user principal name (UPN) aksdev@contoso.com. Update the UPN to include a verified domain for your Azure AD tenant (replace contoso.com with your own domain), and provide your own strong --password credential. Passing the password as a literal on the command line leaves it in your shell history, so the example reads it from an environment variable set beforehand:

# Set AKSDEV_PASSWORD first without echoing it, for example: read -rs AKSDEV_PASSWORD
AKSDEV_ID=$(az ad user create \
  --display-name "AKS Dev" \
  --user-principal-name aksdev@contoso.com \
  --password "$AKSDEV_PASSWORD" \
  --query objectId -o tsv)

Now add the user to the appdev group created in the previous section using the az ad group member add command:

az ad group member add --group appdev --member-id $AKSDEV_ID

Create a second user account. The following example creates a user with the display name AKS SRE and the user principal name (UPN) akssre@contoso.com. Again, update the UPN to include a verified domain for your Azure AD tenant (replace contoso.com with your own domain), and provide your own strong --password credential, read from an environment variable as before:

# Create a user for the SRE role
# Set AKSSRE_PASSWORD first without echoing it, for example: read -rs AKSSRE_PASSWORD
AKSSRE_ID=$(az ad user create \
  --display-name "AKS SRE" \
  --user-principal-name akssre@contoso.com \
  --password "$AKSSRE_PASSWORD" \
  --query objectId -o tsv)

# Add the user to the opssre Azure AD group
az ad group member add --group opssre --member-id $AKSSRE_ID

Create the AKS cluster resources for app devs

The Azure AD groups and users are now created, and the Azure role assignments let the group members connect to the AKS cluster as regular users. Now, let's configure the AKS cluster so that each group can access only its own resources.

First, get the cluster admin credentials using the az aks get-credentials command. The --admin credential is a static cluster-admin certificate that bypasses Azure AD entirely, so treat it as a break-glass secret: hand it out sparingly, and once Azure AD access is working consider disabling local accounts on the cluster (az aks update --disable-local-accounts) so this path no longer exists. In a later section, you get the regular user cluster credentials to see the Azure AD authentication flow in action.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin

Create a namespace in the AKS cluster using the kubectl create namespace command. The following example creates a namespace named dev:

kubectl create namespace dev

In Kubernetes, Roles define the permissions to grant, and RoleBindings apply them to the desired users or groups. These assignments can be scoped to a given namespace (Role and RoleBinding) or across the entire cluster (ClusterRole and ClusterRoleBinding). For more information, see Using RBAC authorization.

First, create a Role for the dev namespace. This role grants full permissions within the namespace. Be clear about what "full" means here: a wildcard on the core API group covers secrets, serviceaccounts and pod subresources such as pods/exec, so any member of the group can read every secret in dev and run commands inside its pods. In production environments, specify more granular permissions for different users or groups.

Create a file named role-dev-namespace.yaml and paste the following YAML manifest:

kind: Role
# rbac.authorization.k8s.io/v1 has been the stable RBAC API since Kubernetes 1.8;
# the v1beta1 version used by older examples is no longer served from 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-full-access
  namespace: dev
rules:
# Wildcard resources and verbs in the core, extensions and apps groups. This
# includes secrets, serviceaccounts and pod subresources such as pods/exec.
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]

Create the Role using the kubectl apply command and specify the filename of your YAML manifest:

kubectl apply -f role-dev-namespace.yaml

Next, get the object ID of the appdev group using the az ad group show command. This group is set as the subject of a RoleBinding in the next step. The binding must reference the group's object ID, not its display name: the groups claim in the Azure AD token carries object IDs, and that is what the API server compares against. Also note that Azure AD caps the groups claim at 200 groups for JWT tokens and emits an overage indicator instead when a user belongs to more; group-based bindings do not match for such users without additional handling.

az ad group show --group appdev --query objectId -o tsv

Now, create a RoleBinding for the appdev group that uses the previously created Role for namespace access. Create a file named rolebinding-dev-namespace.yaml and paste the following YAML manifest. On the last line, replace groupObjectId with the group object ID output by the previous command:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-user-access
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: dev-user-full-access
subjects:
# Group subjects are matched against the object IDs in the token's groups
# claim. A namespace field is only meaningful for ServiceAccount subjects,
# so it is omitted here.
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: groupObjectId

Create the RoleBinding using the kubectl apply command and specify the filename of your YAML manifest:

kubectl apply -f rolebinding-dev-namespace.yaml

Create the AKS cluster resources for SREs

Now, repeat the previous steps to create a namespace, Role, and RoleBinding for the SREs.

First, create a namespace named sre using the kubectl create namespace command:

kubectl create namespace sre

Create a file named role-sre-namespace.yaml and paste the following YAML manifest:

kind: Role
# Use the stable v1 RBAC API; v1beta1 is no longer served from Kubernetes 1.22 on.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sre-user-full-access
  namespace: sre
rules:
# As with the dev Role, this wildcard includes secrets and pod subresources.
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]

Create the Role using the kubectl apply command and specify the filename of your YAML manifest:

kubectl apply -f role-sre-namespace.yaml

Get the object ID of the opssre group using the az ad group show command:

az ad group show --group opssre --query objectId -o tsv

Create a RoleBinding for the opssre group that uses the previously created Role for namespace access. Create a file named rolebinding-sre-namespace.yaml and paste the following YAML manifest. On the last line, replace groupObjectId with the group object ID output by the previous command:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: sre-user-access
  namespace: sre
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: sre-user-full-access
subjects:
# Matched by object ID from the token's groups claim; no namespace field,
# which applies only to ServiceAccount subjects.
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: groupObjectId

Create the RoleBinding using the kubectl apply command and specify the filename of your YAML manifest:

kubectl apply -f rolebinding-sre-namespace.yaml
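Editing the last line of a manifest by hand is error-prone: if the groupObjectId placeholder is left in place, kubectl apply succeeds and the binding simply never matches anyone. The following shell function is an added example, not code from the original article. It generalizes the two hand-edited Role and RoleBinding pairs above (dev/appdev and sre/opssre) into one parameterized template, validates the namespace name and the group object ID before emitting anything, and uses the same rules the article does. The function names render_namespace_access and apply_namespace_access are this example's own.

```shell
# Render a namespace-scoped Role plus a RoleBinding that grants an Azure AD
# group full access to one namespace. Output goes to stdout, ready for
# `kubectl apply -f -`.
# Usage: render_namespace_access <namespace> <group_object_id>
render_namespace_access() {
  ns=$1
  group_id=$2
  # Kubernetes namespace names are DNS labels: lowercase alphanumerics and
  # hyphens, starting and ending alphanumeric, at most 63 characters.
  if ! printf '%s' "$ns" | grep -Eq '^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$'; then
    echo "render_namespace_access: invalid namespace name '$ns'" >&2
    return 1
  fi
  # Azure AD object IDs are GUIDs. The API server matches Group subjects
  # against the object IDs in the token's groups claim, so a display name or
  # a leftover placeholder yields a binding that matches nobody.
  if ! printf '%s' "$group_id" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "render_namespace_access: '$group_id' is not an Azure AD object ID" >&2
    return 1
  fi
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ${ns}-user-full-access
  namespace: ${ns}
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources: ["jobs", "cronjobs"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${ns}-user-access
  namespace: ${ns}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: ${ns}-user-full-access
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: ${group_id}
EOF
}

# Look up the group's object ID and apply the rendered manifests using the
# current (admin) kubectl context. Needs a signed-in Azure CLI and kubectl.
# On Azure CLI 2.37 and later the property is returned as id, not objectId.
# Usage: apply_namespace_access <namespace> <azure_ad_group_display_name>
apply_namespace_access() {
  gid=$(az ad group show --group "$2" --query objectId -o tsv) || return 1
  render_namespace_access "$1" "$gid" | kubectl apply -f -
}

# Example, equivalent to the two manual steps in this article:
#   apply_namespace_access dev appdev
#   apply_namespace_access sre opssre
```

Rendering both objects in one document also keeps the Role name and the roleRef in sync, which is the other silent failure mode of copy-edited manifests: a RoleBinding whose roleRef names a Role that does not exist is accepted by the API server and grants nothing.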

Interact with cluster resources using Azure AD identities

Now, let's test that the expected permissions work when you create and manage resources in the AKS cluster. In these examples, you schedule and view pods in the user's assigned namespace. Then, you try to schedule and view pods outside of the assigned namespace.

First, reset the kubeconfig context using the az aks get-credentials command. In a previous section, you set the context using the cluster admin credentials. The admin user bypasses Azure AD sign-in prompts. Without the --admin parameter, the user context is applied, which requires all requests to be authenticated using Azure AD.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --overwrite-existing

Schedule a basic NGINX pod in the dev namespace using the kubectl run command. With kubectl 1.18 and later, kubectl run creates a single pod by default; on older versions add --generator=run-pod/v1 so that a pod rather than a Deployment is created (that flag is deprecated since 1.18 and rejected by current releases):

kubectl run nginx-dev --image=nginx --namespace dev

At the sign-in prompt, enter the credentials for your own aksdev@contoso.com account created at the start of the article. Once you are successfully signed in, the account token is cached in your kubeconfig for future kubectl commands, so protect that file as you would any other credential. The NGINX pod is successfully scheduled, as shown in the following example output:

$ kubectl run nginx-dev --image=nginx --namespace dev

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code B24ZD6FP8 to authenticate.

pod/nginx-dev created

Now use the kubectl get pods command to view pods in the dev namespace.

kubectl get pods --namespace dev

As shown in the following example output, the NGINX pod is Running:

$ kubectl get pods --namespace dev

NAME        READY   STATUS    RESTARTS   AGE
nginx-dev   1/1     Running   0          4m

Create and view cluster resources outside of the assigned namespace

Now try to view pods outside of the dev namespace. Use the kubectl get pods command again, this time with --all-namespaces, as follows:

kubectl get pods --all-namespaces

The request is authenticated (the API server knows exactly who aksdev@contoso.com is) but not authorized: the user's group membership has no Kubernetes Role and RoleBinding that allows listing pods at cluster scope, so the API server returns Forbidden, as shown in the following example output:

$ kubectl get pods --all-namespaces

Error from server (Forbidden): pods is forbidden: User "aksdev@contoso.com" cannot list resource "pods" in API group "" at the cluster scope

In the same way, try to schedule a pod in a different namespace, such as the sre namespace. The user's group membership does not align with any Kubernetes Role and RoleBinding granting these permissions, as shown in the following example output:

$ kubectl run nginx-dev --image=nginx --namespace sre

Error from server (Forbidden): pods is forbidden: User "aksdev@contoso.com" cannot create resource "pods" in API group "" in the namespace "sre"

Test the SRE access to the AKS cluster resources

To confirm that our Azure AD group membership and Kubernetes RBAC work correctly across different users and groups, try the previous commands when signed in as the opssre user.

Reset the kubeconfig context using the az aks get-credentials command, which clears the previously cached authentication token for the aksdev user:

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --overwrite-existing

Try to schedule and view pods in the assigned sre namespace. When prompted, sign in with your own akssre@contoso.com credentials created at the start of the article:

kubectl run nginx-sre --image=nginx --namespace sre
kubectl get pods --namespace sre

As shown in the following example output, you can successfully create and view the pods:

$ kubectl run nginx-sre --image=nginx --namespace sre

To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code BM4RHP3FD to authenticate.

pod/nginx-sre created

$ kubectl get pods --namespace sre

NAME        READY   STATUS    RESTARTS   AGE
nginx-sre   1/1     Running   0

Now, try to view or schedule pods outside of the assigned sre namespace:

kubectl get pods --all-namespaces
kubectl run nginx-sre --image=nginx --namespace dev

These kubectl commands fail, as shown in the following example output. The user's group membership and the Kubernetes Role and RoleBindings don't grant permissions to create or manage resources in other namespaces:

$ kubectl get pods --all-namespaces
Error from server (Forbidden): pods is forbidden: User "akssre@contoso.com" cannot list pods at the cluster scope

$ kubectl run nginx-sre --image=nginx --namespace dev
Error from server (Forbidden): pods is forbidden: User "akssre@contoso.com" cannot create pods in the namespace "dev"
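Creating and deleting test pods proves the point but leaves artifacts behind and only probes the one verb you happened to try. A more direct check asks the API server itself with kubectl auth can-i, which evaluates a SelfSubjectAccessReview without touching any resource. The following shell script is an added example, not part of the original article; the function names can_i, expect_access and verify_appdev_policy are its own. It encodes the policy this article intends for the appdev group (everything in dev, nothing at cluster scope or in sre) and fails on any mismatch, including a secrets check that makes visible what a "full access" Role quietly allows. With the admin context active, setting AS_USER and AS_GROUP runs the same checks through kubectl impersonation (--as / --as-group), which avoids the interactive Azure AD sign-in in CI.

```shell
# kubectl binary to use; overridable so the checks can be exercised against a
# stand-in during testing.
KUBECTL=${KUBECTL:-kubectl}

# can_i <verb> <resource> <namespace|--all-namespaces>
# Asks the API server whether the current identity (or the impersonated one
# when AS_USER / AS_GROUP are set) may perform the action. Exit status 0 means
# allowed. kubectl exits non-zero for "no" and also for transport or
# authentication errors, which this helper deliberately treats as denial.
can_i() {
  verb=$1
  resource=$2
  scope=$3
  set -- auth can-i "$verb" "$resource"
  if [ "$scope" = "--all-namespaces" ]; then
    set -- "$@" --all-namespaces
  else
    set -- "$@" --namespace "$scope"
  fi
  if [ -n "${AS_USER:-}" ]; then
    set -- "$@" --as "$AS_USER"
  fi
  if [ -n "${AS_GROUP:-}" ]; then
    set -- "$@" --as-group "$AS_GROUP"
  fi
  "$KUBECTL" "$@" >/dev/null 2>&1
}

# expect_access <yes|no> <verb> <resource> <scope>
# Compares the API server's answer with the intended policy and returns 1 on
# a mismatch so a script can fail fast.
expect_access() {
  want=$1
  shift
  if can_i "$@"; then got=yes; else got=no; fi
  if [ "$got" = "$want" ]; then
    echo "ok    expected $want: $*"
    return 0
  fi
  echo "FAIL  expected $want, got $got: $*" >&2
  return 1
}

# Intended policy for a member of the appdev group. Returns 1 if any check
# fails; every check runs so the full picture is reported.
verify_appdev_policy() {
  status=0
  expect_access yes create pods dev              || status=1
  expect_access yes list   pods dev              || status=1
  # resources: ["*"] in the core group includes secrets; make that explicit.
  expect_access yes get    secrets dev           || status=1
  expect_access no  list   pods --all-namespaces || status=1
  expect_access no  create pods sre              || status=1
  expect_access no  get    secrets sre           || status=1
  return $status
}

# Usage, signed in as aksdev with the user kubeconfig:
#   verify_appdev_policy
# or from the admin context, impersonating the user and its group:
#   AS_USER=aksdev@contoso.com AS_GROUP=<appdev object id> verify_appdev_policy
```

Impersonation requires the impersonate verb on users and groups, which the --admin credential's cluster-admin binding includes; a regular user cannot impersonate anyone, which is exactly why the second form is only useful from the admin context.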

Clean up resources

In this article, you created resources in the AKS cluster and users and groups in Azure AD. To clean up all these resources, run the following commands:

# Get the admin kubeconfig context to delete the necessary cluster resources
az aks get-credentials --resource-group myResourceGroup --name myAKSCluster --admin

# Delete the dev and sre namespaces. This also deletes the pods, Roles, and RoleBindings
kubectl delete namespace dev
kubectl delete namespace sre

# Delete the Azure AD user accounts for aksdev and akssre
# (on Azure CLI 2.37 and later the parameter is --id rather than --upn-or-object-id)
az ad user delete --upn-or-object-id $AKSDEV_ID
az ad user delete --upn-or-object-id $AKSSRE_ID

# Remove the Azure role assignments before deleting the groups. Deleting a
# principal does not delete its role assignments; it leaves them behind
# pointing at an unknown identity.
az role assignment delete --assignee $APPDEV_ID --role "Azure Kubernetes Service Cluster User Role" --scope $AKS_ID
az role assignment delete --assignee $OPSSRE_ID --role "Azure Kubernetes Service Cluster User Role" --scope $AKS_ID

# Delete the Azure AD groups for appdev and opssre
az ad group delete --group appdev
az ad group delete --group opssre

Next steps

For more information about how to secure Kubernetes clusters, see Access and identity options for AKS.

For best practices on identity and resource control, see Best practices for authentication and authorization in AKS.