Create and configure an Azure Kubernetes Service (AKS) cluster to use virtual nodes using the Azure CLI

To rapidly scale application workloads in an Azure Kubernetes Service (AKS) cluster, you can use virtual nodes. With virtual nodes, you have quick provisioning of pods, and only pay per second for their execution time. You don't need to wait for the Kubernetes cluster autoscaler to deploy VM compute nodes to run the additional pods. Virtual nodes are only supported with Linux pods and nodes.

This article shows you how to create and configure the virtual network resources and AKS cluster, then enable virtual nodes.

Before you begin

Virtual nodes enable network communication between pods that run in ACI and the AKS cluster. To provide this communication, a virtual network subnet is created and delegated permissions are assigned. Virtual nodes only work with AKS clusters created using advanced networking. By default, AKS clusters are created with basic networking. This article shows you how to create a virtual network and subnets, then deploy an AKS cluster that uses advanced networking.

If you have not previously used ACI, register the service provider with your subscription. You can check the status of the ACI provider registration using the az provider list command, as shown in the following example:

az provider list --query "[?contains(namespace,'Microsoft.ContainerInstance')]" -o table

The Microsoft.ContainerInstance provider should report as Registered, as shown in the following example output:

Namespace                    RegistrationState
---------------------------  -------------------
Microsoft.ContainerInstance  Registered

If the provider shows as NotRegistered, register the provider using the az provider register command, as shown in the following example:

az provider register --namespace Microsoft.ContainerInstance

Regional availability

The following regions are supported for virtual node deployments:

  • Australia East (australiaeast)
  • Central US (centralus)
  • East US (eastus)
  • East US 2 (eastus2)
  • Japan East (japaneast)
  • North Europe (northeurope)
  • Southeast Asia (southeastasia)
  • West Central US (westcentralus)
  • West Europe (westeurope)
  • West US (westus)
  • West US 2 (westus2)

Known limitations

Virtual nodes functionality is heavily dependent on ACI's feature set. The following scenarios are not yet supported with virtual nodes

Launch Azure Cloud Shell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.

To open the Cloud Shell, select Try it from the upper right corner of a code block. You can also launch Cloud Shell in a separate browser tab by going to https://shell.azure.com/bash. Select Copy to copy the blocks of code, paste it into the Cloud Shell, and press Enter to run it.

If you prefer to install and use the CLI locally, this article requires Azure CLI version 2.0.49 or later. Run az --version to find the version. If you need to install or upgrade, see Install Azure CLI.

Create a resource group

An Azure resource group is a logical group in which Azure resources are deployed and managed. Create a resource group with the az group create command. The following example creates a resource group named myResourceGroup in the westus location.

az group create --name myResourceGroup --location westus

Create a virtual network

Create a virtual network using the az network vnet create command. The following example creates a virtual network named myVnet with an address prefix of 10.0.0.0/8, and a subnet named myAKSSubnet. The address prefix of this subnet defaults to 10.240.0.0/16:

az network vnet create \
    --resource-group myResourceGroup \
    --name myVnet \
    --address-prefixes 10.0.0.0/8 \
    --subnet-name myAKSSubnet \
    --subnet-prefix 10.240.0.0/16

Now create an additional subnet for virtual nodes using the az network vnet subnet create command. The following example creates a subnet named myVirtualNodeSubnet with the address prefix of 10.241.0.0/16.

az network vnet subnet create \
    --resource-group myResourceGroup \
    --vnet-name myVnet \
    --name myVirtualNodeSubnet \
    --address-prefixes 10.241.0.0/16

Create a service principal

To allow an AKS cluster to interact with other Azure resources, an Azure Active Directory service principal is used. This service principal can be automatically created by the Azure CLI or portal, or you can pre-create one and assign additional permissions.

Create a service principal using the az ad sp create-for-rbac command. The --skip-assignment parameter limits any additional permissions from being assigned.

az ad sp create-for-rbac --skip-assignment

The output is similar to the following example:

{
  "appId": "bef76eb3-d743-4a97-9534-03e9388811fc",
  "displayName": "azure-cli-2018-11-21-18-42-00",
  "name": "http://azure-cli-2018-11-21-18-42-00",
  "password": "1d257915-8714-4ce7-a7fb-0e5a5411df7f",
  "tenant": "72f988bf-86f1-41af-91ab-2d7cd011db48"
}

Make a note of the appId and password. These values are used in the following steps.

Assign permissions to the virtual network

To allow your cluster to use and manage the virtual network, you must grant the AKS service principal the correct rights to use the network resources.

First, get the virtual network resource ID using az network vnet show:

az network vnet show --resource-group myResourceGroup --name myVnet --query id -o tsv

To grant the correct access for the AKS cluster to use the virtual network, create a role assignment using the az role assignment create command. Replace <appId> and <vnetId> with the values gathered in the previous two steps.

az role assignment create --assignee <appId> --scope <vnetId> --role Contributor

Create an AKS cluster

You deploy an AKS cluster into the AKS subnet created in a previous step. Get the ID of this subnet using az network vnet subnet show:

az network vnet subnet show --resource-group myResourceGroup --vnet-name myVnet --name myAKSSubnet --query id -o tsv

Use the az aks create command to create an AKS cluster. The following example creates a cluster named myAKSCluster with one node. Replace <subnetId> with the ID obtained in the previous step, and then <appId> and <password> with the

az aks create \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --node-count 1 \
    --network-plugin azure \
    --service-cidr 10.0.0.0/16 \
    --dns-service-ip 10.0.0.10 \
    --docker-bridge-address 172.17.0.1/16 \
    --vnet-subnet-id <subnetId> \
    --service-principal <appId> \
    --client-secret <password>

After several minutes, the command completes and returns JSON-formatted information about the cluster.
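The az aks create command above only succeeds when the address ranges fit together, so checking the plan before running it saves a failed deployment. The following Python is an added example, not part of the original article: the constants mirror the article's VNet, subnet, service CIDR, DNS service IP and Docker bridge values, and the rules encoded are the AKS requirements (subnets inside the VNet and disjoint, service CIDR disjoint from every subnet, DNS service IP inside the service CIDR but not its reserved first host address, Docker bridge disjoint from the VNet and the service CIDR).

```python
import ipaddress

# Constructed from the values this article passes to az network vnet create,
# az network vnet subnet create and az aks create.
VNET = "10.0.0.0/8"
SUBNETS = {"myAKSSubnet": "10.240.0.0/16", "myVirtualNodeSubnet": "10.241.0.0/16"}
SERVICE_CIDR = "10.0.0.0/16"
DNS_SERVICE_IP = "10.0.0.10"
DOCKER_BRIDGE = "172.17.0.1/16"


def check_network_plan(vnet, subnets, service_cidr, dns_service_ip, docker_bridge):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    vnet_net = ipaddress.ip_network(vnet)
    svc_net = ipaddress.ip_network(service_cidr)
    dns_ip = ipaddress.ip_address(dns_service_ip)
    bridge_net = ipaddress.ip_interface(docker_bridge).network
    subnet_nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    # Every subnet must sit inside the VNet address space.
    for name, net in subnet_nets.items():
        if not net.subnet_of(vnet_net):
            problems.append(f"{name} {net} is outside the VNet {vnet_net}")
    # The AKS node subnet and the ACI (virtual node) subnet must not overlap.
    names = list(subnet_nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnet_nets[a].overlaps(subnet_nets[b]):
                problems.append(f"{a} overlaps {b}")
    # The service CIDR may live inside the /8 (as in this article) but must not
    # overlap any subnet, or service IPs collide with addresses routed on the VNet.
    for name, net in subnet_nets.items():
        if svc_net.overlaps(net):
            problems.append(f"service CIDR {svc_net} overlaps {name} {net}")
    # The DNS service IP must be inside the service CIDR and must not be its
    # first host address, which Kubernetes reserves for the kubernetes service.
    if dns_ip not in svc_net:
        problems.append(f"DNS IP {dns_ip} is outside service CIDR {svc_net}")
    elif dns_ip == svc_net.network_address + 1:
        problems.append(f"DNS IP {dns_ip} is the reserved first host of {svc_net}")
    # The Docker bridge must not overlap the VNet or the service CIDR.
    for label, net in (("VNet", vnet_net), ("service CIDR", svc_net)):
        if bridge_net.overlaps(net):
            problems.append(f"docker bridge {bridge_net} overlaps {label} {net}")
    return problems


if __name__ == "__main__":
    for p in check_network_plan(VNET, SUBNETS, SERVICE_CIDR, DNS_SERVICE_IP, DOCKER_BRIDGE):
        print("PROBLEM:", p)
```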

Enable virtual nodes addon

To enable virtual nodes, now use the az aks enable-addons command. The following example uses the subnet named myVirtualNodeSubnet created in a previous step:

az aks enable-addons \
    --resource-group myResourceGroup \
    --name myAKSCluster \
    --addons virtual-node \
    --subnet-name myVirtualNodeSubnet

Connect to the cluster

To configure kubectl to connect to your Kubernetes cluster, use the az aks get-credentials command. This step downloads credentials and configures the Kubernetes CLI to use them.

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

To verify the connection to your cluster, use the kubectl get command to return a list of the cluster nodes.

kubectl get nodes

The following example output shows the single VM node created and then the virtual node for Linux, virtual-node-aci-linux:

$ kubectl get nodes

NAME                          STATUS    ROLES     AGE       VERSION
virtual-node-aci-linux        Ready     agent     28m       v1.11.2
aks-agentpool-14693408-0      Ready     agent     32m       v1.11.2

Deploy a sample app

Create a file named virtual-node.yaml and copy in the following YAML. To schedule the container on the virtual node, a nodeSelector and tolerations are defined.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: aci-helloworld
spec:
  replicas: 1
  selector:
    matchLabels:
      app: aci-helloworld
  template:
    metadata:
      labels:
        app: aci-helloworld
    spec:
      containers:
      - name: aci-helloworld
        image: microsoft/aci-helloworld
        ports:
        - containerPort: 80
      nodeSelector:
        kubernetes.io/role: agent
        beta.kubernetes.io/os: linux
        type: virtual-kubelet
      tolerations:
      - key: virtual-kubelet.io/provider
        operator: Exists
      - key: azure.com/aci
        effect: NoSchedule

Run the application with the kubectl apply command.

kubectl apply -f virtual-node.yaml

Use the kubectl get pods command with the -o wide argument to output a list of pods and the scheduled node. Notice that the aci-helloworld pod has been scheduled on the virtual-node-aci-linux node.

$ kubectl get pods -o wide

NAME                            READY     STATUS    RESTARTS   AGE       IP           NODE
aci-helloworld-9b55975f-bnmfl   1/1       Running   0          4m        10.241.0.4   virtual-node-aci-linux

The pod is assigned an internal IP address from the Azure virtual network subnet delegated for use with virtual nodes.

Note

If you use images stored in Azure Container Registry, configure and use a Kubernetes secret. A current limitation of virtual nodes is that you can't use integrated Azure AD service principal authentication. If you don't use a secret, pods scheduled on virtual nodes fail to start and report the error HTTP response status code 400 error code "InaccessibleImage".
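A manifest such as virtual-node.yaml above can be checked against the scheduling requirements for the virtual node and against the ACR limitation in this note before it is applied. The following Python is an added example, not part of the original article: it takes the Deployment as an already loaded dict (the sample is the article's manifest rewritten as a dict so it runs without a YAML library; use yaml.safe_load for a real file), requires the type: virtual-kubelet selector and both tolerations, and flags any *.azurecr.io image that has no imagePullSecrets. The function name check_virtual_node_manifest is an assumption of this example.

```python
# Constructed to mirror the virtual-node.yaml Deployment shown in this article.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "aci-helloworld"},
    "spec": {"template": {"spec": {
        "containers": [{"name": "aci-helloworld", "image": "microsoft/aci-helloworld"}],
        "nodeSelector": {"kubernetes.io/role": "agent",
                         "beta.kubernetes.io/os": "linux", "type": "virtual-kubelet"},
        "tolerations": [{"key": "virtual-kubelet.io/provider", "operator": "Exists"},
                        {"key": "azure.com/aci", "effect": "NoSchedule"}],
    }}},
}

# Selector values and taint keys the virtual node requires, as used in the article.
REQUIRED_SELECTOR = {"type": "virtual-kubelet", "beta.kubernetes.io/os": "linux"}
REQUIRED_TOLERATIONS = {"virtual-kubelet.io/provider", "azure.com/aci"}


def check_virtual_node_manifest(manifest):
    """Return findings for a Deployment meant to run on the ACI virtual node."""
    findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    selector = pod.get("nodeSelector", {})
    for key, value in REQUIRED_SELECTOR.items():
        if selector.get(key) != value:
            findings.append(f"nodeSelector {key} must be {value!r}")
    present = {t.get("key") for t in pod.get("tolerations", [])}
    for key in sorted(REQUIRED_TOLERATIONS - present):
        findings.append(f"missing toleration for taint {key}")
    # Virtual nodes cannot use the cluster's integrated Azure AD service principal
    # to pull from ACR, so any *.azurecr.io image needs an imagePullSecrets entry.
    uses_acr = any(".azurecr.io/" in c.get("image", "") for c in pod.get("containers", []))
    if uses_acr and not pod.get("imagePullSecrets"):
        findings.append("ACR image used without imagePullSecrets (InaccessibleImage)")
    return findings


if __name__ == "__main__":
    print(check_virtual_node_manifest(SAMPLE_DEPLOYMENT) or "manifest OK")
```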

Test the virtual node pod

To test the pod running on the virtual node, browse to the demo application with a web client. As the pod is assigned an internal IP address, you can quickly test this connectivity from another pod on the AKS cluster. Create a test pod and attach a terminal session to it:

kubectl run -it --rm virtual-node-test --image=debian

Install curl in the pod using apt-get:

apt-get update && apt-get install -y curl

Now access the address of your pod using curl, such as http://10.241.0.4. Provide your own internal IP address shown in the previous kubectl get pods command:

curl -L http://10.241.0.4

The demo application is displayed, as shown in the following condensed example output:

$ curl -L 10.241.0.4

<html>
<head>
  <title>Welcome to Azure Container Instances!</title>
</head>
[...]

Close the terminal session to your test pod with exit. When your session is ended, the pod is deleted.

Remove virtual nodes

If you no longer wish to use virtual nodes, you can disable them using the az aks disable-addons command.

First, delete the helloworld pod running on the virtual node:

kubectl delete -f virtual-node.yaml

The following example command disables the Linux virtual nodes:

az aks disable-addons --resource-group myResourceGroup --name myAKSCluster --addons virtual-node

Now, remove the virtual network resources and resource group:

# Change the name of your resource group, cluster and network resources as needed
RES_GROUP=myResourceGroup
AKS_CLUSTER=myAKSCluster
AKS_VNET=myVnet
AKS_SUBNET=myVirtualNodeSubnet

# Get AKS node resource group
NODE_RES_GROUP=$(az aks show --resource-group $RES_GROUP --name $AKS_CLUSTER --query nodeResourceGroup --output tsv)

# Get network profile ID
NETWORK_PROFILE_ID=$(az network profile list --resource-group $NODE_RES_GROUP --query "[0].id" --output tsv)

# Delete the network profile
az network profile delete --id $NETWORK_PROFILE_ID -y

# Get the service association link (SAL) ID
SAL_ID=$(az network vnet subnet show --resource-group $RES_GROUP --vnet-name $AKS_VNET --name $AKS_SUBNET --query id --output tsv)/providers/Microsoft.ContainerInstance/serviceAssociationLinks/default

# Delete the default SAL ID for the subnet
az resource delete --ids $SAL_ID --api-version 2018-07-01

# Delete the subnet delegation to Azure Container Instances
az network vnet subnet update --resource-group $RES_GROUP --vnet-name $AKS_VNET --name $AKS_SUBNET --remove delegations 0

Next steps

In this article, a pod was scheduled on the virtual node and assigned a private, internal IP address. You could instead create a service deployment and route traffic to your pod through a load balancer or ingress controller. For more information, see Create a basic ingress controller in AKS.

Virtual nodes are often one component of a scaling solution in AKS. For more information on scaling solutions, see the following articles: