Azure kubernetes - multiple managed identity?
We are planning to deploy multiple applications on our single Azure Kubernetes cluster; each application will have its own set of Azure resources, e.g. Key Vault, Storage.
I am planning to provision individual managed identities per application and provide access to the relevant resources.
I know that Azure AAD Pod Identity is the way to configure the pod to make use of the managed identity to access the Azure resources.
However, how do I add multiple managed identities into the Azure Kubernetes cluster? And is this the right way of implementing it?
As I mentioned before, I don't think you can add multiple MSIs to the cluster; you can just use a system-assigned MSI or a user-assigned MSI for it.
Reference - Use managed identities in Azure Kubernetes Service
In your case, if you want to use different service principals to authenticate (essentially an MSI is also a service principal managed by Azure), you can create multiple AD Apps along with their service principals.
Reference - How to: Use the portal to create an Azure AD application and service principal that can access resources
Then in the code of every application, use ClientSecretCredential to authenticate.
```java
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;

// One credential per application, backed by that application's own AD App / service principal
ClientSecretCredential credential1 = new ClientSecretCredentialBuilder()
        .tenantId(tenantId)
        .clientId(clientId)
        .clientSecret(clientSecret)
        .build();
```
Then use the credential to create a client, e.g. SecretClient.
```java
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

// The Key Vault client authenticates with the application's own credential
SecretClient secretClient = new SecretClientBuilder()
        .vaultUrl("<your-key-vault-url>")
        .credential(credential1)
        .buildClient();
```