Azure service principal reset
I have a k8s cluster running in Azure and I have always reset the service principal credentials by using Azure CLI: az ad sp credential reset --name <xyz> --years 2. Afterwards I have updated the AKS cluster with the new service principal credentials, see update AKS Cluster credentials. After this the cluster will be restarted.
For a production environment I want to avoid restarting the cluster after resetting the credentials, so I was thinking to use the same password as before. So old password=new password. This is achieved using az ad sp credential reset --name <xyz> --years 2 --password <1234>
Now my question is: should I update the AKS cluster with new service principal credentials even if I use the same password as before? Has anyone tried this before?
Comments (1)
AFAIK it's not required to update or restart the AKS cluster with new service principal credentials even if you are using the same password as before.
Since you are using the same password at AKS level and only resetting with the same password at service principal level for the sake of not letting the password expire.
Note: If you were resetting with a different password than the one you are currently using, in that case you have to update and reset the AKS cluster.
For the benefits, you can use managed identity rather than service principal, as rickvdbosch and Philip Welz suggested in the comment itself.
You can now update an AKS cluster currently working with service principals to work with managed identities by using the following CLI commands.