[Question title]: azure sdk java + Azure Kubernetes Cluster + Spring Boot application + System Assigned Managed Identity
[Posted]: 2021-11-16 08:50:12
[Question]:

Working scenario: Spring Boot application + Azure VM + Azure SDK Java + system-assigned managed identity + Azure Key Vault
Description: the Spring Boot application, running on an Azure VM, is able to retrieve secrets from Key Vault via the system-assigned managed identity.

[2021-11-16T06:47:44.044Z] [java.util.logging.LoggingProxyImpl] [reactor-http-nio-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@67d5e1816 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_251}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T06:47:44.044Z] [java.util.logging.LoggingProxyImpl] [reactor-http-nio-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@5b2f224a5 pairs: {null: HTTP/1.1 200 OK}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 06:47:44 GMT}{Content-Length: 1683}
[2021-11-16T06:47:45.045Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-nio-2] [111] [INFO ] [] [] Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT

Working scenario: Spring Boot application + Azure AKS + Azure SDK Java + user-assigned managed identity + Azure Key Vault
Description: the Spring Boot application, running on Azure Kubernetes Service, is able to retrieve secrets from Key Vault via the user-assigned managed identity.

[2021-11-16T08:16:32.032Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-3] [61] [DEBUG] [] [] sun.net.www.MessageHeader@37263346 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net&client_id=********************** HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_111}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T08:16:32.032Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-3] [61] [DEBUG] [] [] sun.net.www.MessageHeader@377d9d9f5 pairs: {null: HTTP/1.1 200 OK}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 08:16:32 GMT}{Content-Length: 1805}
[2021-11-16T08:16:32.032Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-epoll-3] [111] [INFO ] [] [] Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT

Problem scenario: Spring Boot application + Azure AKS + Azure SDK Java + system-assigned managed identity + Azure Key Vault
Description: the Spring Boot application, running on Azure Kubernetes Service, is unable to retrieve secrets from Key Vault via the system-assigned managed identity. Logs:

[2021-11-16T07:49:39.039Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@3d038e526 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_111}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T07:49:39.039Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@4c08a14b5 pairs: {null: HTTP/1.1 400 Bad Request}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 07:49:39 GMT}{Content-Length: 168}
[2021-11-16T07:49:39.039Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-epoll-2] [350] [ERROR] [] [] ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established.

I referred to the link below and confirmed that managed identity is enabled on AKS: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#obtain-and-use-the-system-assigned-managed-identity-for-your-aks-cluster

We are using Harbor to pull the docker images.

How do I fix the problem? How can I check whether managed identity is enabled on my nodes?

Code snippet

import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

SecretClient client = new SecretClientBuilder().vaultUrl(vaultUrl)
                // no clientId: the SDK asks IMDS for the system-assigned identity's token
                .credential(new ManagedIdentityCredentialBuilder().build())
                .buildClient();
KeyVaultSecret secretKey = client.getSecret(secretName);

[Question discussion]:

    Tags: spring-boot azure azure-aks azure-managed-identity azure-java-sdk


    [Solution 1]:

    I am putting my answer here in case it is useful to others.

    Based on the answer given for Azure - Using a Managed Identity to authenticate AKS to KeyVault and other resources, I enabled the system-assigned managed identity on the VMSS, granted the necessary RBAC role (choosing to assign access to a managed identity) and an access policy for that VMSS. The system-assigned managed identity now works for my application running in one of the pods.

    [Discussion]:
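The failing log above is worth reading closely: IMDS did answer (HTTP 400, 168 bytes), so the SDK's "connection to IMDS endpoint cannot be established" wording is misleading. A 400 from the token endpoint without a client_id means the node's VMSS has no system-assigned identity to hand out; the AKS system-assigned identity in the linked docs belongs to the cluster control plane, while the node VMSS normally carries only the user-assigned kubelet identity, which is exactly why the client_id variant worked. Two caveats on the accepted fix: resources in the managed node resource group are managed by AKS and manual changes there are not supported, and any pod on the node can call IMDS, so the identity you put on the VMSS is effectively shared by every workload scheduled there. The script below is an added example, not code from the original post or from the Azure SDK: it issues the same GET the SDK debug lines show, classifies the reply, and decodes the token's xms_mirid claim (without verifying the signature) to tell a system-assigned VMSS identity from a user-assigned one. The IMDS response bodies and ARM identifiers in it are constructed for the offline demo, not captured from a cluster.

```python
"""Probe the node IMDS endpoint the way the Azure SDK log lines above do and
diagnose the reply. Added example, not code from the original post.

The sample replies at the bottom are constructed to mimic the IMDS JSON
shapes; they are not captured from a real cluster."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

IMDS_HOST = "http://169.254.169.254"
TOKEN_PATH = "/metadata/identity/oauth2/token"


def imds_token_url(resource="https://vault.azure.net", client_id=None,
                   api_version="2018-02-01"):
    """Build the token URL seen in the SDK debug log. Without client_id IMDS
    serves the VMSS's system-assigned identity; with it, the named
    user-assigned identity (the variant that worked on AKS above)."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_HOST + TOKEN_PATH + "?" + urllib.parse.urlencode(params)


def b64url_decode(segment):
    """base64url with padding restored (JWT segments are unpadded)."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode the payload only. The signature is NOT verified: this is for
    reading xms_mirid/oid while debugging, never for trusting the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(b64url_decode(parts[1]))


def identity_kind(mirid):
    """xms_mirid is the ARM id of the identity the token was issued for."""
    return "user-assigned" if "userassignedidentities" in mirid.lower() else "system-assigned"


def classify_imds_reply(status, body):
    """Turn (HTTP status, body) from IMDS into a one-line diagnosis."""
    if status == 0:
        # Only this case matches the SDK's "cannot be established" wording.
        return "IMDS unreachable from this pod (network policy/egress?): " + body
    if status == 200:
        claims = jwt_claims(json.loads(body)["access_token"])
        mirid = claims.get("xms_mirid", "")
        return "ok: token for %s identity %s" % (identity_kind(mirid), mirid)
    if status == 400:
        # IMDS answered, so the endpoint IS reachable (as in the failing log:
        # HTTP 400, Content-Length 168). The requested identity is simply not
        # assigned to the node's VMSS: no system-assigned identity on it, or
        # a client_id that matches no user-assigned identity on it.
        try:
            detail = json.loads(body).get("error_description", body)
        except ValueError:
            detail = body
        return "identity not assigned to this node VMSS: " + detail
    return "unexpected IMDS reply: HTTP %d %s" % (status, body[:120])


def probe(client_id=None, timeout=3.0):
    """Live request; run from inside a pod. Returns (status, body)."""
    req = urllib.request.Request(imds_token_url(client_id=client_id),
                                 headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
    except (urllib.error.URLError, OSError) as e:
        return 0, str(e)


# ---- constructed samples (not real captures) ------------------------------
def make_unsigned_jwt(claims):
    """alg=none token for the offline demo; real IMDS tokens are signed."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/MC_example_rg/providers/"
SYSTEM_MIRID = SUB + "Microsoft.Compute/virtualMachineScaleSets/aks-nodepool1-00000000-vmss"
USER_MIRID = SUB + "Microsoft.ManagedIdentity/userAssignedIdentities/example-agentpool"
SAMPLE_SYSTEM_OK = json.dumps({"access_token": make_unsigned_jwt({"xms_mirid": SYSTEM_MIRID}),
                               "token_type": "Bearer", "resource": "https://vault.azure.net"})
SAMPLE_USER_OK = json.dumps({"access_token": make_unsigned_jwt({"xms_mirid": USER_MIRID}),
                             "token_type": "Bearer", "resource": "https://vault.azure.net"})
SAMPLE_NO_IDENTITY = json.dumps({"error": "invalid_request",
                                 "error_description": "Identity not found"})

if __name__ == "__main__":
    for status, body in ((200, SAMPLE_SYSTEM_OK), (200, SAMPLE_USER_OK), (400, SAMPLE_NO_IDENTITY)):
        print(status, "->", classify_imds_reply(status, body))
    # Inside a pod, uncomment to test the node for real:
    # print(classify_imds_reply(*probe()))
```

Run it from a pod on the failing node pool (`kubectl exec`) with the last line uncommented: a 400 confirms the VMSS identity problem rather than a network one, and a 200 whose xms_mirid ends in `virtualMachineScaleSets/...` shows the system-assigned VMSS identity is the one the pod is actually using.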
