Describe the bug
Mutated pods using Workload Identity are unable to access keyvault without using Workload Identity proxy sidecar.
To Reproduce
Create a managed identity named wi-test in a subscription and resource group wi-test-rg
Deploy akv2k8s helm chart (with authentication service disabled):
```yaml
controller:
  enabled: false
env_injector:
  authService: false # Note: Auth service is disabled as each pod (multi-tenanted namespaces) will use own credentials to auth with own keyvault
  envImage:
    repository: acrpath/akv2k8s/azure-keyvault-env
    tag: 1.6.1
  image:
    repository: acrpath/akv2k8s/azure-keyvault-webhook
    tag: 1.6.1
```
```yaml
apiVersion: spv.no/v2beta1
kind: AzureKeyVaultSecret
metadata:
  name: secret-inject-test
  namespace: wi-test
  labels:
    app.kubernetes.io/akv2k8s: xxxxtestkeyvault
spec:
  vault:
    name: xxxxxtestkeyvault # name of key vault
    object:
      name: akv2k8s-secret-test # name of the akv object
      type: secret # akv object type
```
Create Federated Identity Credential (associated with managed identity created earlier and with AKS cluster OIDC url)
Once deployed, the pod starts up and the init container starts but fails to access keyvault, and the pod restarts after the keyvault access timeout expires (with an error in the pod logs about failing to access keyvault).
By adding the below annotation to the pod, everything works as normal and the keyvault secret is successfully retrieved.
Expected behavior
Pod starts up and successfully accesses the keyvault secret.
Dependency on using the proxy sidecar suggests the init container spvest/azure-keyvault-env is not using the latest version of the Azure Identity client library or is not working as expected.
Additional context
All examples given for akv2k8s working with Workload Identity (including the feature release) appear to be limited to those with AuthService enabled whereby the env-injector pod is expected to authenticate using its own service account rather than authentication being initiated from client pods across multiple namespaces and each with its own managed identity, federated credential and service account as obtains in a multi-tenant setup.
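One diagnostic a practitioner can run inside such a mutated pod before falling back to the proxy sidecar, as an added example that is not part of this issue or of the akv2k8s project: it lists which of the environment variables the Azure Workload Identity webhook injects are missing, and decodes the projected service-account token to compare its claims with the federated credential's issuer, subject and audience. The issuer URL, service-account name and token payload in the sample are constructed placeholders.

```python
import base64
import json

# Variables the Azure Workload Identity webhook injects into a pod labelled
# azure.workload.identity/use: "true"; a current Azure Identity library builds
# WorkloadIdentityCredential from them and needs no IMDS-emulating sidecar.
REQUIRED_ENV = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID",
                "AZURE_AUTHORITY_HOST", "AZURE_FEDERATED_TOKEN_FILE")
DEFAULT_AUDIENCE = "api://AzureADTokenExchange"  # default FIC audience

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Payload of a compact JWT. The signature is deliberately not checked:
    Entra ID validates it against the cluster's OIDC keys; this only surfaces
    claim mismatches locally."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))

def missing_env(env: dict) -> list:
    """Injected variables that are absent or empty in `env`."""
    return [name for name in REQUIRED_ENV if not env.get(name)]

def claim_mismatches(claims: dict, issuer: str, namespace: str,
                     service_account: str, audience: str = DEFAULT_AUDIENCE) -> list:
    """Compare the projected token with the federated identity credential's
    issuer, subject and audience; one readable string per mismatch."""
    subject = f"system:serviceaccount:{namespace}:{service_account}"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != FIC issuer {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub {claims.get('sub')!r} != FIC subject {subject!r}")
    if audience not in aud:
        problems.append(f"aud {aud!r} lacks FIC audience {audience!r}")
    return problems

# Constructed sample token (unsigned body, placeholder issuer; not a real one).
ISSUER = "https://PLACEHOLDER-aks-oidc-issuer.example.com/"
_payload = {"iss": ISSUER, "sub": "system:serviceaccount:wi-test:wi-test-sa",
            "aud": [DEFAULT_AUDIENCE], "exp": 1711500000}
SAMPLE_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
    for p in ({"alg": "RS256", "typ": "JWT"}, _payload)) + ".sig"
```

In a real pod, read the token from the path in AZURE_FEDERATED_TOKEN_FILE and pass the federated credential's issuer, namespace and service-account name; an empty list from claim_mismatches means the token itself matches the credential, so a remaining failure points at the client library or network path rather than at the identity setup.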
chrisorisawayi changed the title from "[BUG] Env-Injector with Workload Identity does not work without proxy sidecar if using separate credentials" to "[BUG] Env-Injector with Workload Identity does not work without proxy sidecar if using client auth" on Mar 27, 2024
chrisorisawayi changed the title from "[BUG] Env-Injector with Workload Identity does not work without proxy sidecar if using client auth" to "[BUG] Env-Injector with Workload Identity does not work without proxy sidecar annotation" on Mar 27, 2024
Components and versions
Select which component(s) the bug relates to with [X].
[ ] Controller, version: x.x.x (docker image tag)
[x] Env-Injector (webhook), version: 1.6.0 (docker image tag)
[ ] Other