我在 AKS 创建了一个部署:
apiVersion: apps/v1
kind: Deployment
metadata:
name: frontend
spec:
replicas: 1
selector:
matchLabels:
io.kompose.service: frontend
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: frontend
spec:
containers:
- image: app:latest
name: frontend
volumeMounts:
- mountPath: /app/db
name: db
- mountPath: /root/.aspnet/https
name: https
readOnly: true
env:
- name: ASPNETCORE_URLS
value: "https://+;http://+"
- name: ASPNETCORE_HTTPS_PORT
value: "443"
- name: ASPNETCORE_Kestrel__Certificates__Default__Path
value: "/root/.aspnet/https/cert.pfx"
- name: ASPNETCORE_Kestrel__Certificates__Default__Password
valueFrom:
secretKeyRef:
name: certificate-pass
key: pass
restartPolicy: Always
serviceAccountName: ""
volumes:
- name: db
persistentVolumeClaim:
claimName: db
- name: https
secret:
secretName: certificate
items:
- key: file
path: cert.pfx
和服务:
apiVersion: v1
kind: Service
metadata:
name: frontend-service
spec:
selector:
io.kompose.service: frontend
ports:
- name: http
protocol: TCP
port: 80
targetPort: 80
- name: https
protocol: TCP
port: 443
targetPort: 443
type: LoadBalancer
现在我想将此 IP 设为静态。有一个官方文档说明如何制作:Use a static public IP address and DNS label with the Azure Kubernetes Service (AKS) load balancer
还有一篇文章在技术上复制了文档,但有更多细节:Use a static public IP address outside of the node resource group with the Azure Kubernetes Service (AKS) load balancer
我能够创建一个 IP 地址,但是当我到达 az role assignment create
命令时它失败了(这里的 $GROUP 只是实际资源组文字的占位符):
$ CLIENT_ID=$(az aks show --resource-group Default --name k8s --query "servicePrinci
palProfile.clientId" --output tsv)
$ SUB_ID=$(az account show --query "id" --output tsv)
$ az role assignment create --assignee $CLIENT_ID --role "Network Contributor" --scope /subscriptions/$SUB_ID/resourceGroups/$GROUP
If the assignee is an appId, make sure the corresponding service principal is created with 'az ad sp create --id $CLIENT_ID
当我尝试建议的命令失败时:
$ az ad sp create --id $CLIENT_ID
Another object with the same value for property servicePrincipalNames already exists.
我在 GitHub Azure/azure-cli repo 上发现了类似的问题,但没有答案。
如果我跳过这一步并在配置级别设置 loadBalancerIP: XXX.XXX.XXX.XXX
,负载均衡器有一个新属性 Load balancer IP
,但外部 IP 没有改变:
如何缓解此错误?
答案 0 :(得分:0)
根据您提供的消息,我对您为什么需要运行命令 az ad sp create --id $CLIENT_ID
感到非常困惑,两个文档都没有显示运行此命令的必要性。
据我所知,您只需将 AKS 节点组以外的组的“网络贡献者”角色分配给 AKS 的服务主体。这是您需要做的正确步骤。我认为您需要更加注意再次阅读文档。
答案 1 :(得分:0)
我不得不使用文字值而不是变量 $CLIENT_ID
。这有帮助。