127. Hosted Rancher: Configuring a "Global Role" with Azure AD
2026/4/15 10:31:10
Procedure

While initially setting up Azure AD integration with Hosted Rancher, you may encounter the following error in the UI:

    admission webhook "

Cause: Privilege Escalation

This error occurs because Rancher blocks privilege escalation.

The initial local admin is assigned the Hosted Administrator global role. This role does not have the wildcard permission that is needed to grant the generic Administrator global role, and the system prevents a user from granting permissions they do not themselves possess.

Resolution

To grant the necessary administrative rights without triggering the privilege escalation error, you must first authenticate a user who is already recognized by Azure AD and allow Rancher to assign them permissions automatically.

Step 1:

  1. Keep your local admin session open as a backup.
  2. Open a new Incognito/Private window or a different web browser.
  3. Navigate to your Rancher UI login page.
  4. Click the "Log in with Azure AD" button and authenticate with the Azure AD user account that you intend to be the primary Rancher Administrator.
  5. On this first login, Rancher will automatically grant this Azure AD user the necessary administrative permissions.

Step 2:

  1. While logged in as the new Azure AD administrator, navigate to Users & Authentication > Global Roles.
  2. Select your desired Azure AD group.
  3. When assigning the role, do not select the generic Administrator role.
  4. Select the role specifically designed for this environment: Hosted Administrator.

Selecting the Hosted Administrator role grants your Azure AD group the full administrative rights needed for your tenant without attempting to grant the wildcard permission that triggers the privilege escalation block.
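The check behind the error above can be illustrated with a small model of the escalation rule: a granter may assign a global role only if every rule in that role is already covered by a rule the granter holds, and a specific permission never covers a wildcard. The following is an added example written for this article, not Rancher's own code; Rancher performs the real check in its admission webhook. The rule contents of the Hosted Administrator role are constructed assumptions (the article does not list them), while the generic Administrator role is modelled as the full wildcard.

```python
"""
Simplified model of the privilege-escalation check applied when a
GlobalRole is granted. Added example, not Rancher's own implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One RBAC-style policy rule: (apiGroup, resource, verb)."""
    api_group: str
    resource: str
    verb: str


def _matches(held: str, wanted: str) -> bool:
    # A wildcard held by the granter covers anything; a specific value
    # held by the granter covers only the same specific value. Note that a
    # wanted "*" is therefore covered only by a held "*".
    return held == "*" or held == wanted


def rule_covered(wanted: Rule, held_rules) -> bool:
    """True if at least one rule the granter holds covers `wanted`."""
    return any(
        _matches(h.api_group, wanted.api_group)
        and _matches(h.resource, wanted.resource)
        and _matches(h.verb, wanted.verb)
        for h in held_rules
    )


def uncovered_rules(requested, held):
    """Rules of the requested role that the granter does not possess,
    i.e. the escalation the webhook would reject."""
    return [r for r in requested if not rule_covered(r, held)]


def can_grant(requested, held) -> bool:
    """Grant is allowed only when nothing in the requested role is uncovered."""
    return not uncovered_rules(requested, held)


# Constructed role definitions for this example (assumptions, not the
# actual rule lists of the Rancher roles).
ADMINISTRATOR = frozenset({Rule("*", "*", "*")})
HOSTED_ADMINISTRATOR = frozenset({
    Rule("management.cattle.io", "clusters", "*"),
    Rule("management.cattle.io", "projects", "*"),
    Rule("management.cattle.io", "users", "*"),
    Rule("management.cattle.io", "globalrolebindings", "*"),
    Rule("", "namespaces", "*"),
})
ROLES = {
    "Administrator": ADMINISTRATOR,
    "Hosted Administrator": HOSTED_ADMINISTRATOR,
}


def grant_global_role(role_name: str, roles: dict, granter_rules) -> str:
    """Mimic the webhook verdict for a granter trying to assign `role_name`."""
    missing = uncovered_rules(roles[role_name], granter_rules)
    if missing:
        return (f'admission webhook denied: granting "{role_name}" would '
                f"escalate privileges; {len(missing)} rule(s) not held by granter")
    return f'granted "{role_name}"'


if __name__ == "__main__":
    # The local admin (Hosted Administrator) tries both roles from Step 2.
    print(grant_global_role("Administrator", ROLES, HOSTED_ADMINISTRATOR))
    print(grant_global_role("Hosted Administrator", ROLES, HOSTED_ADMINISTRATOR))
```

Run as a script, the first call is denied because the single wildcard rule of Administrator is not covered by any specific rule the Hosted Administrator holds, while the second succeeds because each requested rule matches one the granter already has; that is exactly why Step 2 selects Hosted Administrator rather than Administrator.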

Environment

Hosted Rancher
