In the previous post we pushed an image to Azure Container Registry (ACR). This post shows how to set up a service principal and create an AKS cluster with it, so that AKS has permission to pull images from ACR.
(Some values are masked.)
1. Run az ad sp create-for-rbac --skip-assignment to create an application service account (service principal). AKS will use this account to access ACR.
{
  "appId": "3f45ecdb-ea70-45f5-bddc-????????????",
  "displayName": "azure-cli-2018-10-14-13-08-57",
  "name": "http://azure-cli-2018-10-14-13-08-57",
  "password": "37e13294-7790-4e82-a693-????????????",
  "tenant": "293a593f-cc57-451b-b293-????????????"
}
2. a. Run az acr show --name 15maksacr -g 15maksrg --query "id" to get the ACR id, and assign the ACR id to the $acrid variable.
PS C:\k8s> az acr show --name 15maksacr -g 15maksrg --query "id"
"/subscriptions/11e5233d-dbe1-4167-ac91-????????????/resourceGroups/15maksrg/providers/Microsoft.ContainerRegistry/registries/15maksacr"
PS C:\k8s> $acrid = az acr show --name 15maksacr -g 15maksrg --query "id" --output tsv
   b. Run az role assignment create --assignee "3f45ecdb-ea70-45f5-bddc-????????????" --role Reader --scope $acrid to give the account a Reader role assignment, where "3f45ecdb-ea70-45f5-bddc-????????????" is the appId from step 1.
PS C:\k8s> az role assignment create --assignee "3f45ecdb-ea70-45f5-bddc-d30cb4899ab2" --role Reader --scope $acrid
{
  "canDelegate": null,
  "id": "/subscriptions/11e5233d-dbe1-4167-ac91-????????????/resourceGroups/15maksrg/providers/Microsoft.ContainerRegistry/registries/15maksacr/providers/Microsoft.Authorization/roleAssignments/3b65c87b-287f-4a5e-899e-????????????",
  "name": "3b65c87b-287f-4a5e-899e-????????????",
  "principalId": "fdfb8234-761b-4672-9230-????????????",
  "resourceGroup": "15maksrg",
  "roleDefinitionId": "/subscriptions/11e5233d-dbe1-4167-ac91-????????????/providers/Microsoft.Authorization/roleDefinitions/acdd72a7-3385-48ef-bd42-????????????",
  "scope": "/subscriptions/11e5233d-dbe1-4167-ac91-????????????/resourceGroups/15maksrg/providers/Microsoft.ContainerRegistry/registries/15maksacr",
  "type": "Microsoft.Authorization/roleAssignments"
}
3. Run az aks create --name 15makscls --resource-group 15maksrg --node-count 1 --generate-ssh-keys --service-principal "3f45ecdb-ea70-45f5-bddc-????????????" --client-secret "37e13294-7790-4e82-a693-????????????" to create the Azure Kubernetes Service, where --service-principal "3f45ecdb-ea70-45f5-bddc-????????????" is the appId from step 1 and --client-secret "37e13294-7790-4e82-a693-????????????" is the password from step 1.
PS C:\k8s> az aks create --name 15makscls --resource-group 15maksrg --node-count 1 --generate-ssh-keys --service-principal "3f45ecdb-ea70-45f5-bddc-????????????" --client-secret "37e13294-7790-4e82-a693-????????????"
{
  "aadProfile": null,
  "addonProfiles": null,
  "agentPoolProfiles": [
    {
      "count": 1,
      "maxPods": 110,
      "name": "nodepool1",
      "osDiskSizeGb": null,
      "osType": "Linux",
      "storageProfile": "ManagedDisks",
      "vmSize": "Standard_DS2_v2",
      "vnetSubnetId": null
    }
  ],
  "dnsPrefix": "a15makscls-15maksrg-11e523",
  "enableRbac": true,
  "fqdn": "a15makscls-15maksrg-11e523-????????????.hcp.southeastasia.azmk8s.io",
  "id": "/subscriptions/11e5233d-dbe1-4167-ac91-????????????/resourcegroups/15maksrg/providers/Microsoft.ContainerService/managedClusters/15makscls",
  "kubernetesVersion": "1.9.9",
  "linuxProfile": {
    "adminUsername": "azureuser",
    "ssh": {
      "publicKeys": [
        {
          "keyData": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLHKDspxhg5mViXToaAwchZU+aFgnOpYKIFqn9Jy55PakxcrW08Goq5kVNz8jOYlAREeUpemx/s8pR/Zop1avkpBBqScNqH/dCZTvac1tc6EwE2977iD8XyJcZokrUKwdJ4U99z9vYsnOW+MMsYh+XH/3qOpCCmFcPjqNCwd4UV5QeFHsREShIz7jTJnArcgkImDRfx5eQZracHjydXWG9Z4rryW3eB0pgjg9To8N2LzTXK0/J+suPiYWiBBLGQStpsw8Q01EaKQGLWl9jKaqZ13fUgwes9bk7JWuy0bBNoHP5s+mHDuuyQer+qdEDtj6+kp6Vj4Ydp6X????????????M5"
        }
      ]
    }
  },
  "location": "southeastasia",
  "name": "15makscls",
  "networkProfile": {
    "dnsServiceIp": "10.0.0.10",
    "dockerBridgeCidr": "172.17.0.1/16",
    "networkPlugin": "kubenet",
    "networkPolicy": null,
    "podCidr": "10.244.0.0/16",
    "serviceCidr": "10.0.0.0/16"
  },
  "nodeResourceGroup": "MC_15maksrg_15makscls_southeastasia",
  "provisioningState": "Succeeded",
  "resourceGroup": "15maksrg",
  "servicePrincipalProfile": {
    "clientId": "3f45ecdb-ea70-45f5-bddc-????????????",
    "secret": null
  },
  "tags": null,
  "type": "Microsoft.ContainerService/ManagedClusters"
}
4. Run az aks get-credentials --name 15makscls -g 15maksrg to connect to AKS.
PS C:\k8s> az aks get-credentials --name 15makscls -g 15maksrg
Merged "15makscls" as current context in C:\Users\username\.kube\config
PS C:\k8s> cat C:\Users\username\.kube\config | sls "15makscls"
    server: https://a15makscls-15maksrg-11e523-????????.hcp.southeastasia.azmk8s.io:443
  name: 15makscls
    cluster: 15makscls
    user: clusterUser_15maksrg_15makscls
  name: 15makscls
current-context: 15makscls
- name: clusterUser_15maksrg_15makscls
5. Run kubectl get nodes to check the node status.
PS C:\k8s> kubectl get nodes
NAME                       STATUS    ROLES     AGE       VERSION
aks-nodepool1-25432928-0   Ready     agent     13m       v1.9.9
We have now created an Azure Kubernetes Service cluster on Azure.
A small reminder: this post creates a 1-node configuration, and the smallest VM size used is Standard_DS2_v2; billing starts as soon as creation completes. When you have finished practising, remember to go to the Azure Portal and delete it to save cost.
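The steps above, scripted end to end in PowerShell as an added example (this is not the post's own script). It makes the changes a defender would want: Azure's built-in AcrPull role (pull-only) replaces Reader, the client secret stays in a variable instead of being pasted on the command line, and the assignment is verified before the cluster is created; the resource names are the post's, and the retry loop is my assumption about how long a new principal takes to propagate.

```powershell
# Added example, not the post's own script. Resource names are the post's;
# replace them with your own before running.
$rg      = '15maksrg'
$acrName = '15maksacr'
$aksName = '15makscls'

# 1. Service principal with no default role assignment.
$sp     = az ad sp create-for-rbac --skip-assignment --output json | ConvertFrom-Json
$appId  = $sp.appId
$secret = $sp.password        # keep it in a variable; never Write-Host it or commit it

# 2. Registry resource id: the narrowest scope the role assignment can have.
$acrId = az acr show --name $acrName --resource-group $rg --query id --output tsv

# 3. Pull-only role on this one registry. A freshly created principal can take a
#    few seconds to propagate (assumption), so retry instead of failing the run.
$attempt = 0
do {
    $attempt++
    az role assignment create --assignee $appId --role AcrPull --scope $acrId | Out-Null
    $ok = ($LASTEXITCODE -eq 0)
    if (-not $ok) { Start-Sleep -Seconds 10 }
} until ($ok -or $attempt -ge 6)
if (-not $ok) { throw "role assignment failed after $attempt attempts" }

# 4. Verify before going further: exactly one AcrPull assignment, scoped to the
#    registry itself and nothing wider (no resource-group or subscription scope).
$assignments = az role assignment list --assignee $appId --scope $acrId --output json | ConvertFrom-Json
$pull = @($assignments | Where-Object { $_.roleDefinitionName -eq 'AcrPull' -and $_.scope -eq $acrId })
if ($pull.Count -ne 1) { throw "expected one AcrPull assignment on $acrId, found $($pull.Count)" }

# 5. Cluster creation with that identity, then credentials and a node check.
az aks create --name $aksName --resource-group $rg --node-count 1 --generate-ssh-keys `
    --service-principal $appId --client-secret $secret | Out-Null
if ($LASTEXITCODE -ne 0) { throw "az aks create failed" }
az aks get-credentials --name $aksName --resource-group $rg
kubectl get nodes
```

Newer Azure CLI releases can also do steps 2 to 4 in one go with az aks create --attach-acr <registry>, which performs the same AcrPull assignment for you.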
A quick question:
what is the difference between this and "Azure Function on Kubernetes"?
It feels like using AKS directly is enough?