
¿Cómo otorgar permisos a AKS para acceder a ACR a través de terraform?


Solución:

Este código funcionó para mí.


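# App registration behind the service principal the cluster authenticates with.
# `name` is what the original provider version accepted; later azuread releases
# call this argument `display_name`.
resource "azuread_application" "aks_sp" {
  name = "sp-aks-${local.cluster_name}"
}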


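# Service principal for the app registration above; its object_id receives the
# AcrPull role and its application_id is the cluster's client_id.
resource "azuread_service_principal" "aks_sp" {
  application_id               = azuread_application.aks_sp.application_id
  # No app-role assignment is needed: access to the registry is granted through
  # the Azure RBAC role assignment on the ACR scope, not through app roles.
  app_role_assignment_required = false
}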


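# Client secret consumed by the cluster's service_principal block
# (azurerm_kubernetes_cluster.pyp uses the same random_string result).
resource "azuread_service_principal_password" "aks_sp" {
  service_principal_id = azuread_service_principal.aks_sp.id
  # NOTE(review): random_string does not mark its result as sensitive, so the
  # secret shows up in plan/apply output; random_password is the drop-in
  # choice for credentials. In both cases the value lives in Terraform state,
  # which therefore has to be protected like any other secret store.
  value                = random_string.aks_sp_password.result
  end_date_relative    = "8760h" # 1 year

  # Ignoring value and end_date_relative keeps Terraform from recreating the
  # credential on every apply, but it also means the secret is never rotated
  # by Terraform once it expires; rotation has to be triggered deliberately
  # (replace this resource and the matching random_string).
  lifecycle {
    ignore_changes = [
      value,
      end_date_relative
    ]
  }
}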


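# Second credential, created on the app registration itself.
# NOTE(review): nothing else in this listing references
# random_string.aks_sp_secret — the cluster uses aks_sp_password — so this is
# a standing secret with no consumer. If it is not needed elsewhere in the
# configuration, remove it rather than leave an unused credential active.
resource "azuread_application_password" "aks_sp" {
  application_object_id = azuread_application.aks_sp.id
  # Same caveat as the service principal password: prefer random_password so
  # the value is treated as sensitive in plan output.
  value                 = random_string.aks_sp_secret.result
  end_date_relative     = "8760h" # 1 year

  # Terraform will not rotate this credential after expiry; see the note on
  # azuread_service_principal_password.aks_sp.
  lifecycle {
    ignore_changes = [
      value,
      end_date_relative
    ]
  }
}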


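# Looks up an existing registry (managed outside this configuration) so its
# resource id can be used as the scope of the AcrPull role assignment.
data "azurerm_container_registry" "pyp" {
  name                = var.container_registry_name
  resource_group_name = var.container_registry_resource_group_name
}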


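# Grants the cluster's service principal read-only pull access on the registry.
# AcrPull is the least-privilege built-in role for image pulls; AcrPush,
# Contributor or Owner would be over-broad here.
resource "azurerm_role_assignment" "aks_sp_container_registry" {
  # Scoped to the single registry, not the resource group or subscription.
  scope                = data.azurerm_container_registry.pyp.id
  role_definition_name = "AcrPull"
  principal_id         = azuread_service_principal.aks_sp.object_id
}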


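# requires Azure Provider 1.37+
# Service-principal based cluster. With this model the cluster's SP is the
# identity that pulls images, which is why AcrPull is assigned to
# azuread_service_principal.aks_sp above.
resource "azurerm_kubernetes_cluster" "pyp" {
  name                = local.cluster_name
  location            = azurerm_resource_group.pyp.location
  resource_group_name = azurerm_resource_group.pyp.name
  dns_prefix          = local.env_name_nosymbols
  kubernetes_version  = local.kubernetes_version

  default_node_pool {
    name            = "default"
    node_count      = 1
    vm_size         = "Standard_D2s_v3"
    os_disk_size_gb = 80
  }

  # Windows node administrator credentials. Same caveat as for the SP secret:
  # random_string is not marked sensitive, random_password is.
  windows_profile {
    admin_username = "winadm"
    admin_password = random_string.windows_profile_password.result
  }

  network_profile {
    network_plugin     = "azure"
    dns_service_ip     = cidrhost(local.service_cidr, 10)
    docker_bridge_cidr = "172.17.0.1/16"
    service_cidr       = local.service_cidr
    load_balancer_sku  = "standard"
  }

  service_principal {
    client_id     = azuread_service_principal.aks_sp.application_id
    # Must be the same value handed to azuread_service_principal_password.aks_sp.
    client_secret = random_string.aks_sp_password.result
  }

  # NOTE(review): no role_based_access_control block is set here, unlike the
  # second example on this page; confirm the provider default before relying
  # on Kubernetes RBAC being enabled.

  addon_profile {
    # Ships node/container logs to Log Analytics (useful for detection work).
    oms_agent {
      enabled                    = true
      log_analytics_workspace_id = azurerm_log_analytics_workspace.pyp.id
    }
  }

  tags = local.tags
}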

Fuente: https://github.com/giuliov/pipeline-your-pipelines/tree/master/src/kubernetes/terraform

(Hice la respuesta anterior)

Solo agrego una forma más simple, en la que no es necesario crear una entidad de servicio, por si alguien más la necesita.

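# Managed-identity based cluster: no service principal, no client secret kept
# in state, and credential rotation is handled by the platform.
resource "azurerm_kubernetes_cluster" "kubweb" {
  name                = local.cluster_web
  location            = local.rgloc
  resource_group_name = local.rgname
  dns_prefix          = "${local.cluster_web}-dns"
  kubernetes_version  = local.kubversion

  # used to group all the internal objects of this cluster
  node_resource_group = "${local.cluster_web}-rg-node"

  # azure will assign the id automatically
  # The kubelet gets its own identity, exported as kubelet_identity; that is
  # the principal that needs AcrPull (see azurerm_role_assignment.kubweb_to_acr).
  identity {
    type = "SystemAssigned"
  }

  default_node_pool {
    name                 = "nodepool1"
    node_count           = 4
    vm_size              = local.vm_size
    orchestrator_version = local.kubversion
  }

  # Kubernetes RBAC on: authorization inside the cluster is per role binding
  # rather than every authenticated caller having full access.
  role_based_access_control {
    enabled = true
  }

  addon_profile {
    # NOTE(review): the Kubernetes dashboard add-on has been retired by AKS and
    # the argument is removed in newer azurerm releases; keep this block only
    # if the provider version in use still accepts it, otherwise drop it.
    kube_dashboard {
      enabled = true
    }
  }

  tags = {
    environment = local.env
  }
}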


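# Registry the cluster pulls from. Access is granted via the AcrPull role
# assignment below, so the registry's admin user — a single static
# username/password shared by everyone who has it — is not needed and is
# left disabled. Enable it only if a consumer genuinely cannot use an
# identity-based login.
resource "azurerm_container_registry" "acr" {
  name                = "acr1"
  resource_group_name = local.rgname
  location            = local.rgloc
  sku                 = "Standard"
  admin_enabled       = false

  tags = {
    environment = local.env
  }
}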


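# add the role to the identity the kubernetes cluster was assigned
# Image pulls are performed by the kubelet, so AcrPull goes to
# kubelet_identity[0].object_id — not to the cluster's control-plane identity
# (identity[0].principal_id), which never contacts the registry.
resource "azurerm_role_assignment" "kubweb_to_acr" {
  # Scoped to this one registry only.
  scope                = azurerm_container_registry.acr.id
  role_definition_name = "AcrPull"
  principal_id         = azurerm_kubernetes_cluster.kubweb.kubelet_identity[0].object_id
}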
