edited readme

HoussemDellai · Aug 17, 2024 · c7180a2 · c7180a2
1 parent 770cda5
commit c7180a2
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 2 deletions.
diff --git a/410_acr_abac/Readme.md b/410_acr_abac/Readme.md
@@ -2,6 +2,8 @@
 
 `Azure attribute-based access control` (Azure `ABAC`) enables you to scope permissions within your registry by scoping roles to specific repositories. This approach enhances your security by allowing permissions for particular repositories, rather than the entire registry. This approach strengthens the security posture of your container registry by limiting access, thereby reducing the risk of unauthorized access or data breaches.
 
+![](images/architecture.png)
+
 ABAC conditions can narrow down role assignment permissions to specific repositories within the registry based on set conditions. For example, you might grant access solely to repositories that start with a certain prefix or exactly match a given name, providing a more secure and controlled access management system.
 
 To create role assignments with `ABAC` conditions, you must first switch to `ABAC-enabled` repository permissions mode in your registry settings.

diff --git a/410_acr_abac/images/architecture.png b/410_acr_abac/images/architecture.png
diff --git a/410_acr_abac/terraform/aks.tf b/410_acr_abac/terraform/aks.tf
@@ -17,9 +17,11 @@ resource "azurerm_kubernetes_cluster" "aks" {
     vm_size    = "Standard_B2als_v2"
     os_sku     = "AzureLinux"
   }
-  
+
   kubelet_identity {
     user_assigned_identity_id = azurerm_user_assigned_identity.identity_aks_kubelet.id
+    client_id                 = azurerm_user_assigned_identity.identity_aks_kubelet.client_id
+    object_id                 = azurerm_user_assigned_identity.identity_aks_kubelet.principal_id
   }
 
   identity {
@@ -32,6 +34,8 @@ resource "azurerm_kubernetes_cluster" "aks" {
       default_node_pool.0.upgrade_settings
     ]
   }
+
+  depends_on = [ azurerm_role_assignment.role_managed_identity_operator ]
 }
 
 resource "azurerm_user_assigned_identity" "identity_aks" {
@@ -46,6 +50,13 @@ resource "azurerm_user_assigned_identity" "identity_aks_kubelet" {
   name                = "identity-aks-kubelet"
 }
 
+# The cluster using user-assigned managed identity must be granted 'Managed Identity Operator' role to assign kubelet identity.
+resource "azurerm_role_assignment" "role_managed_identity_operator" {
+  scope                = azurerm_user_assigned_identity.identity_aks_kubelet.id
+  role_definition_name = "Managed Identity Operator"
+  principal_id         = azurerm_user_assigned_identity.identity_aks.principal_id
+}
+
 resource "terraform_data" "aks-get-credentials" {
   triggers_replace = [
     azurerm_kubernetes_cluster.aks.id
@@ -54,4 +65,4 @@ resource "terraform_data" "aks-get-credentials" {
   provisioner "local-exec" {
     command = "az aks get-credentials -n ${azurerm_kubernetes_cluster.aks.name} -g ${azurerm_kubernetes_cluster.aks.resource_group_name} --overwrite-existing"
   }
-}
+}
diff --git a/410_acr_abac/terraform/role_assignment.tf → ...r_abac/terraform/role_assignments-abac.tf b/410_acr_abac/terraform/role_assignment.tf → ...r_abac/terraform/role_assignments-abac.tf