无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

huangapple go评论65阅读模式
英文:

Cannot attach Azure container registries to Azure kubernetes service

问题

尝试附加 ACR 到 Azure 的 AKS,但出现以下错误:

无法为 ACR 创建角色分配。您在此订阅上是所有者吗?

以下是我遵循的步骤:

  1. 登录:az login
  2. 移动 servicePrincipal.json:az ad sp create-for-rbac --skip-assignment
  3. 获取服务主体对象 ID:az ad sp list --display-name acrrgdevfahim 并从结果中获取 ID:
{
  "appId": "18843c4f-b406-4f0d-9fa3-219058a0f23a",
  "displayName": "azure-cli-2023-03-12-09-56-37",
  "password": "ACQ8Q~Oh.3_R~nqlqtek0ndYeOAAzJg6njU9mbi2",
  "tenant": "8aa57581-5266-4503-a692-a10815c0a5a6"
}
  1. 分配拉取权限:az role assignment create --assignee-object-id c465e0ec-dba8-4783-bbff-ee9944a69763 --scope /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim --role acrpull
  2. 最后:az aks update -n aksclusterfahim -g RG-dev --attach-acr acrrgdevfahim

结果是:

无法为 ACR 创建角色分配。您在此订阅上是所有者吗?

现在从我的门户中,我可以在订阅页面看到自己被标记为订阅的所有者。我该如何解决这个问题?

更新 1:

对于以下两个查询的进一步调查:

  1. az role assignment list --all --include-classic-administrators --query "[?principalName=='fhoque.arnob@outlook.com']" 结果: []

  2. az role assignment list --all --output table

结果:

Principal                                                Role         Scope
-------------------------------------------------------- -----------  ------------------------------------------------------------------------
fhoque.arnob_outlook.com#EXT#@fhoquearnoboutlook.onmicrosoft.com  Owner        /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4
a48be5d4-727b-444b-99d9-e8b03ab75c16                              Contributor  /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/MC_RG-dev_aksclusterfahim_centralindia
fhoque.arnob_outlook.com#EXT#@fhoquearnoboutlook.onmicrosoft.com  Owner        /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev
c119ef5d-7f74-4a5d-a83d-dfae0bbbca61                              AcrPull      /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim
6b19686e-30f0-4805-806f-c4ca9ed8bbd4                              AcrPull      /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim
英文:

Trying to attach ACR to AKS in azure but getting

Could not create a role assignment for ACR. Are you an Owner on this subscription?

Here are the steps I followed:

  1. Login: az login
  2. To move servicePrincipal.json: az ad sp create-for-rbac --skip-assignment
  3. To get the service principal object id: az ad sp list --display-name acrrgdevfahim and got the id from result:
{
  "appId": "18843c4f-b406-4f0d-9fa3-219058a0f23a",
  "displayName": "azure-cli-2023-03-12-09-56-37",
  "password": "ACQ8Q~Oh.3_R~nqlqtek0ndYeOAAzJg6njU9mbi2",
  "tenant": "8aa57581-5266-4503-a692-a10815c0a5a6"
}
fahimhoque@Arnob ~ % az ad sp list --display-name acrrgdevfahim
[
  {
    "accountEnabled": true,
    "addIns": [],
    "alternativeNames": [
      "isExplicit=False",
      "/subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourcegroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim"
    ],
    "appDescription": null,
    "appDisplayName": null,
    "appId": "6b19686e-30f0-4805-806f-c4ca9ed8bbd4",
    "appOwnerOrganizationId": null,
    "appRoleAssignmentRequired": false,
    "appRoles": [],
    "applicationTemplateId": null,
    "createdDateTime": "2023-03-12T06:54:39Z",
    "deletedDateTime": null,
    "description": null,
    "disabledByMicrosoftStatus": null,
    "displayName": "acrrgdevfahim",
    "homepage": null,
    "id": "c465e0ec-dba8-4783-bbff-ee9944a69763",
    "info": null,
    "keyCredentials": [
      {
        "customKeyIdentifier": "4E9BFDB4314ADD4B76713CE558593C75874AD534",
        "displayName": "CN=6b19686e-30f0-4805-806f-c4ca9ed8bbd4",
        "endDateTime": "2023-06-10T06:49:00Z",
        "key": null,
        "keyId": "661bb2e7-d8d1-41b8-980d-7728875554b2",
        "startDateTime": "2023-03-12T06:49:00Z",
        "type": "AsymmetricX509Cert",
        "usage": "Verify"
      }
    ],
    "loginUrl": null,
    "logoutUrl": null,
    "notes": null,
    "notificationEmailAddresses": [],
    "oauth2PermissionScopes": [],
    "passwordCredentials": [],
    "preferredSingleSignOnMode": null,
    "preferredTokenSigningKeyThumbprint": null,
    "replyUrls": [],
    "resourceSpecificApplicationPermissions": [],
    "samlSingleSignOnSettings": null,
    "servicePrincipalNames": [
      "6b19686e-30f0-4805-806f-c4ca9ed8bbd4",
      "https://identity.azure.net//ob5N0+Wkcw9erM4VGKOVJ1T/5bYaBWcqVa1x47nLZo="
    ],
    "servicePrincipalType": "ManagedIdentity",
    "signInAudience": null,
    "tags": [],
    "tokenEncryptionKeyId": null,
    "verifiedPublisher": {
      "addedDateTime": null,
      "displayName": null,
      "verifiedPublisherId": null
    }
  }
]
  1. Assigning pull permission az role assignment create --assignee-object-id c465e0ec-dba8-4783-bbff-ee9944a69763 --scope /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim --role acrpull
  2. Finally: az aks update -n aksclusterfahim -g RG-dev --attach-acr acrrgdevfahim

which gives the result:

Could not create a role assignment for ACR. Are you an Owner on this subscription?

Now from my portal in subscriptions page I can see myself marked as owner of the subscription. How do I resolve this issue?

Update 1:

Upon further investigation for this two queries:

  1. az role assignment list --all --include-classic-administrators
    --query "[?principalName=='fhoque.arnob@outlook.com']"
    Result: []

  2. az role assignment list --all --output table

Result:

    Role         Scope
    ----------------------------------------------------------------  -----------  ---------------------------------------------------------------------------------------------------------------------------------------- fhoque.arnob_outlook.com#EXT#@fhoquearnoboutlook.onmicrosoft.com 
    Owner        /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4
    a48be5d4-727b-444b-99d9-e8b03ab75c16                             
    Contributor 
    /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/MC_RG-dev_aksclusterfahim_centralindia
    fhoque.arnob_outlook.com#EXT#@fhoquearnoboutlook.onmicrosoft.com 
    Owner       
    /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev
    c119ef5d-7f74-4a5d-a83d-dfae0bbbca61                             
    AcrPull     
    /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim
    6b19686e-30f0-4805-806f-c4ca9ed8bbd4                             
    AcrPull     
    /subscriptions/45f28bb3-dd53-47e9-b42b-38a49f7a8ec4/resourceGroups/RG-dev/providers/Microsoft.ContainerRegistry/registries/acrrgdevfahim
   

</details>


# 答案1
**得分**: 1

_**我尝试在我的环境中重现,并获得以下结果:**_

尝试在Windows PowerShell ISE中运行以下命令以验证您是否具有使用CLI创建角色分配所需的权限,如下所示:

```powershell
Az login 
az role assignment list --all --include-classic-administrators --query "[?principalName=='<your-email-address>']"

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

在Azure活动目录中 -> 应用注册 -> 尝试像下面这样添加服务主体:

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

要检查服务主体的现有情况:

az role assignment list --all --assignee <service-principal-object-id>

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

确保检查 Registry ID

az acr show --name <ACRName> --query id --output tsv

当我尝试分配权限以成功分配角色给服务主体时,如下所示:

az role assignment create --assignee <service-principal-object-id> --scope <RegistryID> --role AcrPull

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

要将ACR附加到AKS群集,请使用以下命令:

# 使用acr-name附加
az aks update -n myAKSCluster -g myResourceGroup --attach-acr <acr-name>

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

要在门户中确认Acrpull角色分配如下:

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

要验证ACR和AKS之间的连接,我在ACR中创建了一个存储库,并在kubectl部署中引用了该映像。它成功地拉取了映像,启动并运行。

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务
无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

参考

将Azure容器注册表与Azure Kubernetes服务集成 - Azure Kubernetes服务 | 微软学习

英文:

I tried to reproduce the same in my environment and got the results like below:

Try to run the below cmd in windows powershell ISE to Verify that you have the necessary permissions to create role assignments using CLI like below:

Az login 
az role assignment list --all --include-classic-administrators --query &quot;[?principalName==&#39;&lt;your-email-address&gt;&#39;]&quot;

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

In azure active directory -> App registration -> Try to add service principal like below:

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

To check existing for the service principal:

az role assignment list --all --assignee &lt;service-principal-object-id&gt;

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

Make sure to check the Registry ID

az acr show --name &lt;ACRName&gt; --query id --output tsv

When I try to assign to grant the necessary permissions to the service principal it assign role successfully below:

az role assignment create --assignee &lt;service-principal-object-id&gt; --scope &lt;RegistryID&gt; --role AcrPull

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

To attach ACR to the AKS cluster make use of below command:

#Attach using acr-name
az aks update -n myAKSCluster -g myResourceGroup --attach-acr &lt;acr-name&gt;

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

To confirm in portal Acrpull role assignment assigned like below:

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

To verfiy the connectivity between the ACR and AKS, i have created one repository in the ACR and referred that image in the kubectl deployment. It is successfully pulled the image, up and running.

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务
无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

无法将 Azure 容器注册表附加到 Azure Kubernetes 服务

Reference:

Integrate Azure Container Registry with Azure Kubernetes Service - Azure Kubernetes Service | Microsoft Learn

huangapple
  • 本文由 发表于 2023年3月12日 18:15:26
  • 转载请务必保留本文链接:https://go.coder-hub.com/75712431.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定