Based on the hint in this issue:

**Step 1 - add an identity to the VMSS**

Extend the ARM template for the cluster's `Microsoft.Compute/virtualMachineScaleSets` resource. Add an `identity` element at the same level as `properties`:

```json
...
"identity": {
    "type": "SystemAssigned"
},
...
```

(Re)deploy the cluster.
**Step 2 - add a route to the container**

In Windows containers the route to the MSI endpoint does not work by default. For this I added an entry script, e.g. `entry.PS1` (don't forget to include the container's original entry point - `ServiceMonitor.exe` in my case, because I have an IIS container):

```powershell
Write-Host "adding route for Managed Service Identity"
# Next hop of the container's default route is used as the gateway for the IMDS network
$gateway = (Get-NetRoute | Where-Object {$_.DestinationPrefix -eq '0.0.0.0/0'}).NextHop
$arguments = 'add','169.254.169.0','mask','255.255.255.0',$gateway
&'route' $arguments
# Verify that the MSI endpoint is now reachable (only the status code is logged, not the token)
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net%2F' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
Write-Host "MSI StatusCode :" $response.StatusCode
# Original entry point of the IIS container
C:\ServiceMonitor.exe w3svc
```

```dockerfile
...
ENTRYPOINT ["powershell.exe","C:\\entry.PS1"]
```

Background: running `route add` anywhere other than at entry-point level executes the statement at build time and adds the route to the build host/container instead.
**Step 3 - optionally re-image the VMSS nodes**

```
Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net%2F' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
Invoke-WebRequest : Unable to connect to the remote server
At line:1 char:1
+ Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oaut ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
```

re-image the VMSS nodes.
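As an added example (not part of the answer above), the following PowerShell entry script does the same route setup and MSI check as step 2, but idempotently (re-running it does not add a duplicate route), with a bounded retry so a transient IMDS failure does not take the container down, and it logs the token's expiry rather than the token itself. Once the route exists, every process inside the container can request tokens for the VMSS's system-assigned identity, so that identity should be granted only the Key Vault permissions the workload actually needs. The function names, the `$Resource` default and the retry counts are assumptions for illustration.

```powershell
# Added example, not the original answer's script. Assumes the route-based
# approach from step 2 and a Windows container on an Azure VMSS with a
# system-assigned identity. Function names and defaults are hypothetical.

$ImdsNetwork = '169.254.169.0'
$ImdsMask    = '255.255.255.0'
$ImdsToken   = 'http://169.254.169.254/metadata/identity/oauth2/token'

function Add-ImdsRoute {
    # Only add the route if it is not already present, so the script can be re-run safely.
    $existing = Get-NetRoute -ErrorAction SilentlyContinue |
        Where-Object { $_.DestinationPrefix -eq "$ImdsNetwork/24" }
    if ($existing) {
        Write-Host "IMDS route already present"
        return
    }
    $gateway = (Get-NetRoute |
        Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' } |
        Select-Object -First 1).NextHop
    if (-not $gateway) { throw "no default gateway found; cannot add IMDS route" }
    & route add $ImdsNetwork mask $ImdsMask $gateway | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "route add failed with exit code $LASTEXITCODE" }
    Write-Host "added route to $ImdsNetwork/24 via $gateway"
}

function Test-ManagedIdentityToken {
    param(
        [string]$Resource = 'https://vault.azure.net/',
        [int]$Attempts = 5
    )
    $uri = "${ImdsToken}?api-version=2018-02-01&resource=$([uri]::EscapeDataString($Resource))"
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            $response = Invoke-WebRequest -Uri $uri -Method GET `
                -Headers @{ Metadata = 'true' } -UseBasicParsing -TimeoutSec 5
            $body = $response.Content | ConvertFrom-Json
            # Log when the token expires, but never the access_token value itself.
            $expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$body.expires_on)
            Write-Host "MSI token acquired for $Resource; expires $($expires.ToString('u')); status $($response.StatusCode)"
            return $true
        }
        catch {
            Write-Host "MSI token request attempt $i of $Attempts failed: $($_.Exception.Message)"
            Start-Sleep -Seconds (2 * $i)
        }
    }
    return $false
}

Add-ImdsRoute
if (-not (Test-ManagedIdentityToken)) {
    # Same symptom as step 3: the endpoint stays unreachable until the nodes are re-imaged.
    Write-Host "MSI endpoint not reachable; consider re-imaging the VMSS nodes"
}

# Hand over to the container's original entry point (IIS in the answer above).
C:\ServiceMonitor.exe w3svc
```

Dropping this in as `entry.PS1` keeps the `ENTRYPOINT` from step 2 unchanged; because the check returns `$true`/`$false` rather than throwing, the container still starts when IMDS is down, and the log line makes the re-image condition from step 3 visible without exposing credentials.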