Azure Key Vault 和Kubernetes上的Managed Identities
配置
要设置Azure Key Vault密钥仓库,请创建一个类型为secretstores.azure.keyvault的组件。 See this guide on how to create and apply a secretstore configuration. See this guide on referencing secrets to retrieve and use the secret with Dapr components.
在Kubernetes中,将服务主体的证书存储到Kubernetes Secret Store中,然后用Kubernetes secretstore中的这个证书启用Azure Key Vault密钥仓库。
组件yaml使用你的密钥仓库的名称和托管标识的Cliend ID来配置密钥仓库。
apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
name: azurekeyvault
namespace: default
spec:
type: secretstores.azure.keyvault
version: v1
metadata:
- name: vaultName
value: [your_keyvault_name]
- name: spnClientId
value: [your_managed_identity_client_id]
Warning
以上示例将密钥明文存储, It is recommended to use a local secret store such as Kubernetes secret store or a local file to bootstrap secure key storage.元数据字段规范
| 字段 | 必填 | 详情 | Example |
|---|---|---|---|
| vaultName | Y | Azure Key Vault名称 | "mykeyvault" |
| spnClientId | Y | 你的托管标识客户端ID | "yourId" |
设置Managed Identity和 Azure Key Vault
先决条件
步骤
登录到 Azure 并设置默认订阅
# Log in Azure az login # Set your subscription to the default subscription az account set -s [your subscription id]在一个区域中创建 Azure Key Vault
az keyvault create --location [region] --name [your keyvault] --resource-group [your resource group]创建托管标识(可选)
只有当AKS集群没有"–enable-managed-identity “标志时,才需要进行这一步。 If the cluster is provisioned with managed identity, than it is suggested to use the autogenerated managed identity that is associated to the Resource Group MC_*.
$identity = az identity create -g [your resource group] -n [your managed identity name] -o json | ConvertFrom-JsonBelow is the command to retrieve the managed identity in the autogenerated scenario:
az aks show -g <AKSResourceGroup> -n <AKSClusterName>有关将 AKS 与 Azure 服务集成的角色分配的更多详细信息 角色分配。
检索托管标识ID
主要有两种情况:
- 服务主体(Service Principal),在这种情况下,AKS服务集群(AKS Service Cluster) 部署在资源组(Resource Group) 中
$clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query servicePrincipalProfile.clientId -otsv- 托管标识(Managed Identity),在这种情况下,AKS服务集群(AKS Service Cluster) 部署在资源组(Resource Group) 中
$clientId= az aks show -g <AKSResourceGroup> -n <AKSClusterName> --query identityProfile.kubeletidentity.clientId -otsv将Reader角色分配给被托管标识
对于AKS集群来说,集群资源组指的是带有MC_前缀的资源组,它包含了与集群相关的所有基础设施资源,如VM/VMSS。
az role assignment create --role "Reader" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]将托管标识管理员(Managed Identity Operator) 的角色分配给AKS服务主体(AKS Service Principal) 参考上一步关于要使用的资源组和要分配的标识的内容
az role assignment create --role "Managed Identity Operator" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group] az role assignment create --role "Virtual Machine Contributor" --assignee $clientId --scope /subscriptions/[your subscription id]/resourcegroups/[your resource group]为 Key Vault 添加策略,使托管标识可以读取密钥
az keyvault set-policy --name [your keyvault] --spn $clientId --secret-permissions get list在AKS上启用AAD Pod身份
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml # For AKS clusters, deploy the MIC and AKS add-on exception by running - kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/mic-exception.yaml配置Azure Identity和AzureIdentityBinding yaml
在azure-identity-config.yaml中保存以下内容:
apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentity metadata: name: [your managed identity name] spec: type: 0 resourceID: [your managed identity id] clientID: [your managed identity Client ID] --- apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentityBinding metadata: name: [your managed identity name]-identity-binding spec: azureIdentity: [your managed identity name] selector: [your managed identity selector]部署azure-identity-config.yaml:
kubectl apply -f azure-identity-config.yaml
参考资料
- Azure CLI Keyvault CLI
- 使用 Azure CLI 创建 Azure 服务主体
- AAD Pod Identity
- 密钥构建块
- 指南:获取密钥
- 指南:在Dapr组件中引用密钥
- 密钥 API 参考