-
Notifications
You must be signed in to change notification settings - Fork 97
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FEATURE] Azure Workload Identity Support #378
Comments
Any chance this will get looked at in the near future? For us, this (along with external-dns) is a blocker to complete adoption of workload identity. If not, would you accept a PR for it? I'm not an expert in go but I would be willing to give it a shot. Upon a quick glance, it looks like it may be a matter of some updates to In either case, inspiration can be drawn from the go-msal AZWI keyvault example as well as KEDA's implementation linked in the OP. |
As of October 24th 2022 the https://github.com/Azure/aad-pod-identity was as deprecated. |
Since I have some experience with making adal work well with federated identity, decided to give it a go for this project as well. |
hello @weisdd, glad to hear that's working with workload identity, could you share the branch/tag so that we can test from our side as well ? |
Hi @mohamedmzid, This is my controller:
image:
repository: cgroschupp/akv2k8s-controller
tag: workload-identity-support
keyVaultAuth: environment
logLevel: debug
podLabels:
azure.workload.identity/use: "true"
serviceAccount:
create: true
labels:
azure.workload.identity/use: "true"
annotations:
azure.workload.identity/client-id: <replace>
env_injector:
enabled: false |
@mohamedmzid I was working on it locally, so haven't been posted before, but since you're interested, added it here: I haven't had time yet to test it against ACR and env injection, for the rest it should work just fine. @cgroschupp As you can see, it's done in a different way with explicit request to use Workload Identity. That's something that can be done in different ways, I guess it's up to maintainers to choose between the two. |
Tested secret creation, env injection, and private ACR access. The latter didn't work, required a tiny fix. I have a terraform lab prepared for the test environment + a modified chart (some changes that are not covered by SparebankenVest/public-helm-charts#84). I'll try to publish them this weekend, just need to write some instructions and reorganize the code a bit. |
Terraform lab with my custom builds is shared here: https://github.com/weisdd/akv2k8s-pr-443 |
For your information we're looking into adding support for Workload Identity now and we will review any pull requests and comments related to this. Will get back to you shortly. |
@torresdal workload identity support is already added, see #442 |
He😅 Been off this project a while and missed this. So this can be closed? |
Though AZWI support is not released yet, it's supposedly closed out with that PR. This issue has been around for a while. The PR should've been linked to this issue for closure purposes IMO. |
See now that it's available in 1.5-beta. I'll look into what's missing to get out a new 1.5 release. |
@torresdal We are missing support for authenticating with the ACR when using env-injector, when the command is not set in the k8s manifest. The code then needs to get the metadata from the container registry in order to fetch the entrypoint of the container so it can set the envs... |
I suspect k8schain from go-containerregistry is not playing well here... |
@181192 After adding the AcrPull role to the identity I used for the env_injector, it is working for me. Tested with 1.5.0-beta5 But you must do the same if you are using the pod identity. |
@181192 Have you tested it too? |
Yes I have, cant find any issues, so want to make a release |
Any plans when the new version will be released? |
I'm having troubles with this. I have created a User Assigned Managed Identity, and enabled Azure Workload Identity on a test cluster. On that cluster, I've installed AKV2K8S and configured it with the below values:
After deploying, the env-injector comes up properly and I can see the Azure Workload Identity webhook mutated the pod to include the projected volume for the workload identity token in addition to the normal service account token projected volume which is defined in the above values:
Edit: I hit submit too early. After verifying the above, I tried to deploy one of our services which uses AKV2K8S injected vars, and I'm getting the below on the replicaset for that service:
|
I discovered last week that we had an egress NetworkPolicy which blocked connectivity to the IMDS endpoint. Removing that seems to get me closer to a working state. It can connect to AD and gets rejected with a message indicating that the identity was not found. I'm working on adding the identity to the VMSS now which I hope will solve the issue. |
It would be great if the below happens:
|
Just writing to update that I got my setup working. It turns out I didn't need AZWI for my AKV2K8S use-case, as I am simply using a custom UMI, and AKV2K8S supports it natively in the helm chart. |
Azure recently added Azure Workload Identities (see https://github.com/Azure/azure-workload-identity and https://azure.github.io/azure-workload-identity/docs/) to AKS. It's currently technically in preview, but it is stable and there are many already using it in production. Currently in private-preview is support for managed identities (in addition to app registrations).
Important: This is the replacement to
aad pod-identity
and will be offered as a first-class add-on in AKSDescribe the solution you'd like
Support for Azure Workload Identity. I believe that this can be implemented on top of the existing environment-variable driven configuration with recognition of the new settings. I think it should mostly be handled by the azure client, though see linked issues below as there may be some monitoring that needs to occur.
We'd also need helm chart support to allow annotating service accounts, but I'll open that as a separate issue in the helm repo.
Additional context
See cert-manager and external-dns for similar requests
See here for support added in go/auto-rest
See here for implementation in KEDA for key-vault and Azure scalers
The text was updated successfully, but these errors were encountered: