我已经使用了一个Microsoft templates for CI/CD:Jenkins,Docker(ACS),Kubernetes(AKS)。此模板附带一个管道示例,但在尝试启动它时,我尝试与Azure Kubernetes(AKS)集成时出现以下错误:
Starting Azure Container Service / Kubernetes Service Deployment
Delete Kubernetes management config file
/var/lib/jenkins/workspace/hello-world/kubeconfig-7112538207763465492
ERROR: ERROR: Status code 403, {"error":
{"code":"AuthorizationFailed","message":"The client '7912b768-a178-4996-
b6e6-38912a9b90da' with object id '7912b768-a178-4996-b6e6-38912a9b90da'
does not have authorization to perform action
'Microsoft.ContainerService/managedClusters/accessProfiles
/listCredential/action' over scope '/subscriptions/4e601d44-4d18-4e49-
95001793e668f9e0/resourcegroups/SystemBackend_Resource/
providers/Microsoft.ContainerService/managedClusters/aksa5ru5sgbdaum2/
accessProfiles/clusterAdmin'."}}
任何的想法?
错误说明了这一点,您用来访问AKS群集的客户端(凭据)没有权限在该群集上使用listCredentials操作。您需要授予该客户端这些权限。最简单的方法是将7912b768-a178-4996-b6e6-38912a9b90da
的贡献者权利授予SystemBackend_Resource
资源组。
New-AzureRmRoleAssignment -ObjectId 7912b768-a178-4996-b6e6-38912a9b90da `
-RoleDefinitionName "Contributor" `
-Scope '/subscriptions/4e601d44-4d18-4e49-95001793e668f9e0/resourcegroups/SystemBackend_Resource/'
显然,您可以使用自定义角色仅向该实体授予该权限,但这只是一个示例