将Azure Disk附加到AKS Pod时出现权限错误 [英] Permissions error when attaching Azure Disk to AKS pod
问题描述
我已经与这个错误作斗争了几个小时.找到几篇文章,但到目前为止没有任何帮助.
I've been battling this error for a few hours now. Found several articles but nothing that has helped so far.
我的工作基于操作指南"配置数据量> Azure磁盘-静态"来自 https://docs.microsoft.com/en-us /azure/aks/azure-disk-volume .据我所知,我没有错过任何步骤.
My work has been based on the "How-to guide > Configure data volumes > Azure Disk - Static" from https://docs.microsoft.com/en-us/azure/aks/azure-disk-volume. As far as I can tell, I've not missed any steps.
我已经在yAML文件中通过config定义了:
I have defined by config in a YAML file as so:
kind: Deployment
metadata:
name: phio-dep-db
namespace: production
spec:
selector:
matchLabels:
app: phio
replicas: 1
strategy:
type: RollingUpdate
template:
metadata:
labels:
app: phio
spec:
terminationGracePeriodSeconds: 1
volumes:
- name: dbvolume
azureDisk:
diskName: PHIO_DB_VOL
diskURI: /subscriptions/<my-sub-id/resourceGroups/<my-grp>/providers/Microsoft.Compute/disks/PHIO_DB_VOL
kind: Managed
containers:
- image: phioweb.azurecr.io/phiodb
name: db
ports:
- containerPort: 3306
volumeMounts:
- mountPath: /var/lib/mysql
name: dbvolume
但是,当我执行kubectl apply -f .yml时,pod永远不会启动.如果我执行"kubectl描述所有-n生产",我看到以下内容:
However, when I do kubectl apply -f .yml, the pod never starts. If I do a "kubectl describe all -n production" I see the following:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Scheduled 31m default-scheduler Successfully assigned production/phio-dep-db-6c6ddc885-p4ntg to aks-nodepool1-18816840-vmss000001
Warning FailedAttachVolume 79s (x23 over 31m) attachdetach-controller AttachVolume.Attach failed for volume "dbvolume" : compute.DisksClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client '<GUID>' with object id '<same GUID>' does not have authorization to perform action 'Microsoft.Compute/disks/read' over scope '/subscriptions/<my-sub-id/resourceGroups/<my-grp>/providers/Microsoft.Compute/disks/PHIO_DB_VOL' or the scope is invalid. If access was recently granted, please refresh your credentials."
Warning FailedMount 23s (x14 over 29m) kubelet, aks-nodepool1-18816840-vmss000001 Unable to mount volumes for pod "phio-dep-db-6c6ddc885-p4ntg_production(0e326781-2936-4451-9446-9608a8f41439)": timeout expired waiting for volumes to attach or mount for pod "production"/"phio-dep-db-6c6ddc885-p4ntg". list of unmounted volumes=[dbvolume]. list of unattached volumes=[dbvolume default-token-s7svk]
MS文档中没有有关向Azure磁盘分配权限的任何内容,并且YAML中没有明显的参数.
There is nothing in the MS documentation about assigning permissions to the Azure Disk, and there are no apparent parameters I'm missing in the YAML.
有人知道我想念什么吗?
Anyone got any ideas what I'm missing?
非常感谢.
(我对输出进行了一些消毒,但是这全部经过了测试,即使完成后,Azure订阅也会进行合并,即使它说是生产的)
(I've sanitized the output a little, but it's all test and the Azure subscription will be binned after this work, even though it says production)
推荐答案
从文档
创建用于AKS的Azure磁盘时,可以在节点资源组中创建磁盘资源.这种方法允许AKS群集访问和管理磁盘资源.如果改为在单独的资源组中创建磁盘,则必须
授予您的Azure Kubernetes服务(AKS)服务主体
将贡献者角色群集到磁盘的资源组.
或者,您可以使用系统分配的托管身份来
权限而不是服务主体.欲获得更多信息,
请参见使用托管身份
When you create an Azure disk for use with AKS, you can create the disk resource in the node resource group. This approach allows the AKS cluster to access and manage the disk resource.If you instead create the disk in a separate resource group, you must
grant the Azure Kubernetes Service (AKS) service principal for your
cluster the Contributor role to the disk's resource group.
Alternatively, you can use the system assigned managed identity for
permissions instead of the service principal. For more information,
see Use managed identities 从docs 此处 您可能需要访问另一个资源组中的现有磁盘资源.分配以下一组角色权限之一: You may need to access existing Disk resources in another resource group. Assign one of the following set of role permissions: 这篇关于将Azure Disk附加到AKS Pod时出现权限错误的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!