How to link an Azure Active Directory "service principal" with an AKS Kubernetes "service account"

Time: 2018-12-28 09:48:26

Tags: azure azure-active-directory azure-kubernetes

Currently, I am trying to deploy an application inside an AKS Kubernetes cluster on Azure.

For the deployment pipeline, I want to use a service account that is managed through Azure Active Directory (for example, a service principal).

I have already created the service principal via the Azure CLI.

What is the correct way to refer to that service principal as a service account in the AKS cluster?

The reason I need a service account rather than a user account is that I want to use it from my DevOps pipeline without having to log in, while still being able to manage it through Active Directory.

Currently, I am using the default service account to deploy containers within a namespace. This works, but that account is only known within the namespace and is not centrally managed.

# This binding enables a cluster account to deploy on kubernetes
# You can confirm this with
# kubectl --as="${USER}" auth can-i create deployments
# See also: https://github.com/honestbee/drone-kubernetes/issues/8
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: default-deploy
rules:
- apiGroups: ["extensions"]
  resources: ["deployments"]
  verbs: ["get","list","patch","update", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: role-default-deploy
  namespace: default
roleRef:
  kind: Role
  name: default-deploy
  apiGroup: rbac.authorization.k8s.io
subjects:
# working, the default account configured with deploy permissions
- name: default
  kind: ServiceAccount
  namespace: default
# works, if the service principal is configured as a User
- name: "111111-0000-1111-0000-********"
  apiGroup: rbac.authorization.k8s.io
  kind: User
# this does not work, the service principal is configured as a Service Account
- name: "111111-0000-1111-0000-********"
  apiGroup: rbac.authorization.k8s.io
  kind: ServiceAccount

I would like to be able to configure the service account through RBAC as well, but I get the following error:

    The RoleBinding "role-default-deploy" is invalid:
    subjects[1].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""

0 answers:

No answers