As organizations start to create and maintain clusters in AKS (Azure Kubernetes Service), they also need a cloud-based identity and access management service so that workloads in those clusters can reach other Azure resources and services. Azure Active Directory (AAD) pod identity provides this control by assigning Azure identities to individual pods.
Without such controls, workloads may end up with access to resources and services they do not need, and it becomes hard for IT teams to trace which set of credentials was used to make a change.
Azure AD Pod identity is just one small part of the container and Kubernetes management process and as you delve deeper, you will realize the true power that Kubernetes and Containers bring to your DevOps ecosystem.
Here is a more detailed look at how to use AAD pod identity for connecting pods in AKS cluster with Azure Key Vault.
Integrate your key management system with Kubernetes using pod identity. Secrets, certificates, and keys in a key management system become a volume accessible to pods. The volume is mounted into the pod, and its data is available directly in the container file system for your application.
On an existing AKS cluster:
Deploy Key Vault FlexVolume to your AKS cluster with this command:
Run this command to create the aad-pod-identity deployment on an RBAC-enabled cluster:
Or run this command to deploy to a non-RBAC cluster:
Create an Azure user-assigned managed identity (here named aks-pod-identity) in the resource group of the AKS service:
Command:- az identity create -g <ResourceGroupNameOfAKSService> -n aks-pod-identity
Output:-
{
  "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "clientSecretUrl": "https://control-westus.identity.azure.net/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/aks_dev_rg_wu/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-pod-identity/credentials?tid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&oid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&aid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/aks_dev_rg_wu/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-pod-identity",
  "location": "westus",
  "name": "aks-pod-identity",
  "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "resourceGroup": "au10515_aks_dev_rg_wu",
  "tags": {},
  "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
Assign Cluster SPN Role (the cluster's service principal needs "Managed Identity Operator" on the managed identity so that aad-pod-identity can assign it to nodes)
Command for getting the AKSServicePrincipalID:- az aks show -g <resourcegroup> -n <name> --query servicePrincipalProfile.clientId -o tsv
Command:- az role assignment create --role "Managed Identity Operator" --assignee <AKSServicePrincipalId> --scope <ID of managed identity>
Assign Azure Identity Roles
Command:- az role assignment create --role Reader --assignee <Principal ID of managed identity> --scope <KeyVault Resource ID>
Set policy to access keys in your Key Vault
Command:- az keyvault set-policy -n dev-kv --key-permissions get --spn <Client ID of managed identity>
Set policy to access secrets in your Key Vault
Command:- az keyvault set-policy -n dev-kv --secret-permissions get --spn <Client ID of managed identity>
Set policy to access certs in your Key Vault
Command:- az keyvault set-policy -n dev-kv --certificate-permissions get --spn <Client ID of managed identity>
Save this Kubernetes manifest to a file named aadpodidentity.yaml:
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: <a-idname>
spec:
  type: 0
  ResourceID: /subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>
  ClientID: <clientId>
Replace the placeholders with your user identity values. Set type: 0 for user-assigned MSI or type: 1 for Service Principal.
Finally, save your changes to the file, then create the AzureIdentity resource in your cluster:
kubectl apply -f aadpodidentity.yaml
Save this Kubernetes manifest to a file named aadpodidentitybinding.yaml:
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: demo1-azure-identity-binding
spec:
  AzureIdentity: <a-idname>
  Selector: <label value to match>
Replace the placeholders with your values. Ensure that the AzureIdentity name matches the one in aadpodidentity.yaml.
Finally, save your changes to the file, then create the AzureIdentityBinding resource in your cluster:
kubectl apply -f aadpodidentitybinding.yaml
Save this sample nginx pod manifest to a file named nginx-pod.yaml (the aadpodidbinding label must carry the same value as the Selector in aadpodidentitybinding.yaml, otherwise the pod is never bound to the identity):
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flex-kv-podid
    aadpodidbinding: <label value to match>
  name: nginx-flex-kv-podid
spec:
  containers:
  - name: nginx-flex-kv-podid
    image: nginx
    volumeMounts:
    - name: test
      mountPath: /kvmnt
      readOnly: true
  volumes:
  - name: test
    flexVolume:
      driver: "azure/kv"
      options:
        usepodidentity: "true"        # [OPTIONAL] if not provided, will default to "false"
        keyvaultname: ""              # the name of the KeyVault
        keyvaultobjectnames: ""       # list of KeyVault object names (semi-colon separated)
        keyvaultobjecttypes: secret   # list of KeyVault object types: secret, key or cert (semi-colon separated)
        keyvaultobjectversions: ""    # [OPTIONAL] list of KeyVault object versions (semi-colon separated), will get latest if empty
        resourcegroup: ""             # the resource group of the KeyVault
        subscriptionid: ""            # the subscription ID of the KeyVault
        tenantid: ""                  # the tenant ID of the KeyVault
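The three manifests only work as a chain: the pod label must equal the binding's Selector, the binding must name the AzureIdentity, and the FlexVolume options must be filled in. As an added example (not code from the original post or from the aad-pod-identity project), this stdlib-only Python checker validates that chain before anything is applied to the cluster; the manifests are embedded as dicts with constructed dummy values, and the name check_chain is an assumption of this example.

```python
import re

# Shapes used above: a GUID for ClientID, the ARM resource ID of a user-assigned identity for ResourceID.
GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)
MSI_ID = re.compile(r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/"
                    r"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$", re.I)
# FlexVolume options the azure/kv driver cannot default; leaving them "" fails the mount at pod start.
REQUIRED_OPTS = ("keyvaultname", "keyvaultobjectnames", "keyvaultobjecttypes", "resourcegroup", "subscriptionid", "tenantid")

def check_chain(identity, binding, pod):
    """Return a list of problems; an empty list means pod -> binding -> identity is consistent."""
    problems = []
    spec = identity["spec"]
    if spec.get("type") != 0:
        problems.append("AzureIdentity.spec.type must be 0 for a user-assigned managed identity")
    if not MSI_ID.match(str(spec.get("ResourceID", ""))):
        problems.append("AzureIdentity.spec.ResourceID is not a userAssignedIdentities resource ID")
    if not GUID.match(str(spec.get("ClientID", ""))):
        problems.append("AzureIdentity.spec.ClientID is not a GUID")
    if binding["spec"].get("AzureIdentity") != identity["metadata"]["name"]:
        problems.append("AzureIdentityBinding.spec.AzureIdentity does not name the AzureIdentity")
    if pod["metadata"].get("labels", {}).get("aadpodidbinding") != binding["spec"].get("Selector"):
        problems.append("pod label aadpodidbinding does not equal AzureIdentityBinding.spec.Selector")
    for vol in pod["spec"].get("volumes", []):
        flex = vol.get("flexVolume") or {}
        if flex.get("driver") != "azure/kv":
            continue  # not a Key Vault FlexVolume, nothing to check
        opts = flex.get("options", {})
        if opts.get("usepodidentity") != "true":
            problems.append(f"volume {vol['name']}: usepodidentity must be \"true\" (it defaults to false)")
        for key in REQUIRED_OPTS:
            if not opts.get(key):
                problems.append(f"volume {vol['name']}: option {key} is empty")
    return problems

# Constructed sample: the three manifests above in dict form, placeholders filled with dummy values.
SUB = "00000000-0000-0000-0000-000000000000"
IDENTITY = {"metadata": {"name": "aks-pod-identity"},
            "spec": {"type": 0, "ClientID": "11111111-2222-3333-4444-555555555555",
                     "ResourceID": f"/subscriptions/{SUB}/resourcegroups/aks_dev_rg_wu/providers/"
                                   "Microsoft.ManagedIdentity/userAssignedIdentities/aks-pod-identity"}}
BINDING = {"metadata": {"name": "demo1-azure-identity-binding"},
           "spec": {"AzureIdentity": "aks-pod-identity", "Selector": "nginx-flex-kv-podid"}}
POD = {"metadata": {"name": "nginx-flex-kv-podid",
                    "labels": {"app": "nginx-flex-kv-podid", "aadpodidbinding": "nginx-flex-kv-podid"}},
       "spec": {"volumes": [{"name": "test", "flexVolume": {"driver": "azure/kv", "options": {
           "usepodidentity": "true", "keyvaultname": "dev-kv", "keyvaultobjectnames": "db-password",
           "keyvaultobjecttypes": "secret", "resourcegroup": "aks_dev_rg_wu",
           "subscriptionid": SUB, "tenantid": "22222222-2222-2222-2222-222222222222"}}}]}}
```

Run check_chain on the parsed YAML (for example via PyYAML's safe_load) before kubectl apply; a non-empty result points at the exact link in the chain that is broken.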
© 2023 CloudIQ Technologies. All rights reserved.