Tutorial: Deploy an Azure Kubernetes Service (AKS) cluster

Kubernetes provides a distributed platform for containerized applications. With AKS, you can quickly create a production-ready Kubernetes cluster. In this tutorial, part three of seven, a Kubernetes cluster is deployed in AKS. You learn how to:

  • Create a service principal for resource interactions
  • Deploy a Kubernetes AKS cluster
  • Install the Kubernetes CLI (kubectl)
  • Configure kubectl to connect to your AKS cluster

In additional tutorials, the Azure Vote application is deployed to the cluster, scaled, and updated.

Before you begin

In previous tutorials, a container image was created and uploaded to an Azure Container Registry instance. If you haven't done these steps, and would like to follow along, start at Tutorial 1 – Create container images.

This tutorial requires that you're running the Azure CLI version 2.0.53 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Create a service principal

To allow an AKS cluster to interact with other Azure resources, an Azure Active Directory service principal is used. This service principal can be automatically created by the Azure CLI or portal, or you can pre-create one and assign additional permissions. In this tutorial, you create a service principal, grant access to the Azure Container Registry (ACR) instance created in the previous tutorial, then create an AKS cluster.

Create a service principal using the az ad sp create-for-rbac command. The --skip-assignment parameter prevents any additional permissions from being assigned. By default, this service principal is valid for one year.

az ad sp create-for-rbac --skip-assignment

The output is similar to the following example:

{
  "appId": "e7596ae3-6864-4cb8-94fc-20164b1588a9",
  "displayName": "azure-cli-2018-06-29-19-14-37",
  "name": "http://azure-cli-2018-06-29-19-14-37",
  "password": "52c95f25-bd1e-4314-bd31-d8112b293521",
  "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db48"
}

Make a note of the appId and password. These values are used in the following steps.

Configure ACR authentication

To access images stored in ACR, you must grant the AKS service principal the correct rights to pull images from ACR.

First, get the ACR resource ID using az acr show. Replace <acrName> with the registry name of your ACR instance, and update the resource group to the one where the ACR instance is located.

az acr show --resource-group myResourceGroup --name <acrName> --query "id" --output tsv

To grant the correct access for the AKS cluster to pull images stored in ACR, assign the AcrPull role using the az role assignment create command. Replace <appId> and <acrId> with the values gathered in the previous two steps.

az role assignment create --assignee <appId> --scope <acrId> --role acrpull
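
The following check is an added example, not part of the original tutorial: it confirms that the service principal created with --skip-assignment ends up holding only the AcrPull grant on the registry. The function name, the UNEXPECTED/MISSING output format and the sample IDs are assumptions made for illustration; the input is the TSV produced by az role assignment list with the query shown in the comment.

```shell
#!/bin/sh
# Added example: audit the role assignments of the AKS service principal.
# stdin: one "<role><TAB><scope>" line per assignment, e.g. from
#   az role assignment list --assignee <appId> --all \
#       --query "[].[roleDefinitionName, scope]" --output tsv
# $1: the ACR resource ID returned by the `az acr show` step.
# Returns 0 only if AcrPull on that registry exists and nothing else does.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

audit_sp_assignments() {
    expected_scope=$(lower "$1")
    tab=$(printf '\t')
    found=0
    bad=0
    while IFS="$tab" read -r role scope; do
        [ -n "$role" ] || continue              # skip blank lines
        # Compare case-insensitively: the tutorial passes "acrpull",
        # while Azure reports the role as "AcrPull".
        if [ "$(lower "$role")" = "acrpull" ] &&
           [ "$(lower "$scope")" = "$expected_scope" ]; then
            found=1
            continue
        fi
        printf 'UNEXPECTED\t%s\t%s\n' "$role" "$scope"
        bad=1
    done
    if [ "$found" -eq 0 ]; then
        printf 'MISSING\tAcrPull\t%s\n' "$1"
        bad=1
    fi
    return "$bad"
}

# Constructed sample data (placeholder IDs, not real output).
SAMPLE_SUB='/subscriptions/00000000-0000-0000-0000-000000000000'
SAMPLE_ACR_ID="$SAMPLE_SUB/resourceGroups/myResourceGroup/providers/Microsoft.ContainerRegistry/registries/exampleRegistry"
sample_assignments() {
    printf 'AcrPull\t%s\n' "$SAMPLE_ACR_ID"
    printf 'Contributor\t%s\n' "$SAMPLE_SUB"
}

sample_assignments | audit_sp_assignments "$SAMPLE_ACR_ID" ||
    echo "service principal holds more than AcrPull on the registry"
```

In real use, pipe the az role assignment list output into audit_sp_assignments with your <acrId> as the argument; a non-zero exit status means the principal has extra grants or lacks the AcrPull assignment.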

Create a Kubernetes cluster

AKS clusters can use Kubernetes role-based access controls (RBAC). These controls let you define access to resources based on roles assigned to users. Permissions are combined if a user is assigned multiple roles, and permissions can be scoped to either a single namespace or across the whole cluster. By default, the Azure CLI automatically enables RBAC when you create an AKS cluster.

Create an AKS cluster using az aks create. The following example creates a cluster named myAKSCluster in the resource group named myResourceGroup. This resource group was created in the previous tutorial. Provide your own <appId> and <password> from the previous step where the service principal was created.

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --node-count 1 \
    --service-principal <appId> \
    --client-secret <password> \
    --generate-ssh-keys

After a few minutes, the deployment completes, and returns JSON-formatted information about the AKS deployment.

Install the Kubernetes CLI

To connect to the Kubernetes cluster from your local computer, you use kubectl, the Kubernetes command-line client.

If you use the Azure Cloud Shell, kubectl is already installed. You can also install it locally using the az aks install-cli command:

az aks install-cli

Connect to cluster using kubectl

To configure kubectl to connect to your Kubernetes cluster, use the az aks get-credentials command. The following example gets credentials for the AKS cluster named myAKSCluster in the myResourceGroup resource group:

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

To verify the connection to your cluster, run the kubectl get nodes command:

$ kubectl get nodes

NAME                       STATUS   ROLES   AGE     VERSION
aks-nodepool1-28993262-0   Ready    agent   3m18s   v1.9.11

Next steps

In this tutorial, a Kubernetes cluster was deployed in AKS, and you configured kubectl to connect to it. You learned how to:

  • Create a service principal for resource interactions
  • Deploy a Kubernetes AKS cluster
  • Install the Kubernetes CLI (kubectl)
  • Configure kubectl to connect to your AKS cluster

Advance to the next tutorial to learn how to deploy an application to the cluster.