Supported only on Linux
Prerequisites
💡 Make sure you have installed pod identity to your Kubernetes cluster
This project makes use of the aad-pod-identity project located here to handle the identity management of the pods. Reference the aad-pod-identity README if you need further instructions on any of these steps.
Not all steps need to be followed on the instructions for the aad-pod-identity project as we will also complete some of the steps on our installation here.
-
Install the aad-pod-identity components to your cluster
-
Install the RBAC enabled aad-pod-identiy infrastructure components:
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
-
💡 Follow the Role assignment documentation to setup all the required roles for aad-pod-identity components.
-
-
Create an Azure User Identity
Create an Azure User Identity with the following command. Get
clientId
andid
from the output.az identity create -g <resourcegroup> -n <idname>
-
Assign permissions to new identity Ensure your Azure user identity has all the required permissions to read the keyvault instance and to access content within your key vault instance. If not, you can run the following using the Azure cli:
# Assign Reader Role to new Identity for your keyvault az role assignment create --role Reader --assignee <principalid> --scope /subscriptions/<subscriptionid>/resourcegroups/<resourcegroup>/providers/Microsoft.KeyVault/vaults/<keyvaultname> # set policy to access keys in your keyvault az keyvault set-policy -n $KEYVAULT_NAME --key-permissions get --spn <YOUR AZURE USER IDENTITY CLIENT ID> # set policy to access secrets in your keyvault az keyvault set-policy -n $KEYVAULT_NAME --secret-permissions get --spn <YOUR AZURE USER IDENTITY CLIENT ID> # set policy to access certs in your keyvault az keyvault set-policy -n $KEYVAULT_NAME --certificate-permissions get --spn <YOUR AZURE USER IDENTITY CLIENT ID>
-
Add a new
AzureIdentity
for the new identity to your clusterEdit and save this as
aadpodidentity.yaml
Set
type: 0
for Managed Service Identity;type: 1
for Service Principal In this case, we are using managed service identity,type: 0
. Create a new name for the AzureIdentity. SetresourceID
toid
of the Azure User Identity created from the previous step.apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentity metadata: name: <any-name> spec: type: 0 resourceID: /subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<idname> clientID: <clientid>
kubectl create -f aadpodidentity.yaml
-
Add a new
AzureIdentityBinding
for the new Azure identity to your clusterEdit and save this as
aadpodidentitybinding.yaml
apiVersion: "aadpodidentity.k8s.io/v1" kind: AzureIdentityBinding metadata: name: <any-name> spec: azureIdentity: <name of AzureIdentity created from previous step> selector: <label value to match in your app>
kubectl create -f aadpodidentitybinding.yaml
-
Add the following to this deployment yaml:
Include the
aadpodidbinding
label matching theselector
value set in the previous step so that this pod will be assigned an identitymetadata: labels: aadpodidbinding: <AzureIdentityBinding Selector created from previous step>
-
Update this sample deployment to create a
secretproviderclasses
resource withusePodIdentity: "true"
to provide Azure-specific parameters for the Secrets Store CSI driver.Make sure to update
usepodidentity
totrue
usepodidentity: "true"
-
Deploy your app
kubectl apply -f ../examples/nginx-pod-secrets-store-inline-volume-secretproviderclass-podid.yaml
NOTE When using the Pod Identity
option mode, there can be some amount of delay in obtaining the objects from keyvault. During the pod creation time, in this particular mode aad-pod-identity
will need to create the AzureAssignedIdentity
for the pod based on the AzureIdentity
and AzureIdentityBinding
, retrieve token for keyvault. This process can take time to complete and it's possible for the pod volume mount to fail during this time. When the volume mount fails, kubelet will keep retrying until it succeeds. So the volume mount will eventually succeed after the whole process for retrieving the token is complete.