Implementing Azure AD Pod Identity in AKS Cluster

Published 2019-12-01 (modified 2019-12-09), https://www.cloudiqtech.com/implementing-azure-ad-pod-identity-in-aks-cluster/
As organizations start to create and maintain clusters in AKS (Azure Kubernetes Service), the workloads in those clusters need an identity with which to reach other Azure resources and services. Azure Active Directory (AAD) Pod Identity is an open-source Kubernetes add-on that gives operators this control by assigning Azure identities to individual pods.

Without per-pod identities, workloads fall back to a credential shared across the cluster (the cluster service principal, or a secret copied into the cluster), so every pod gets every permission that credential has and accounts end up with access to resources and services they do not require. It also becomes hard for IT teams to trace which set of credentials was used to make a change.

Azure AD Pod Identity is just one small part of the container and Kubernetes management process, and as you delve deeper you will realize the true power that Kubernetes and containers bring to your DevOps ecosystem.

Here is a more detailed look at how to use AAD Pod Identity to connect pods in an AKS cluster with Azure Key Vault.

The Key Vault FlexVolume driver integrates the key management system with Kubernetes: secrets, certificates and keys held in Azure Key Vault become a volume that is mounted into the pod, so their contents appear directly in the container file system for your application. With pod identity, the driver authenticates to Key Vault as the pod's own identity rather than with a credential stored in the cluster.
On an existing AKS cluster:

1. Deploy Key Vault FlexVolume and aad-pod-identity

Deploy Key Vault FlexVolume to your AKS cluster using the project's installer manifest.

Then create the aad-pod-identity deployment: use the RBAC deployment manifest on an RBAC-enabled cluster, or the non-RBAC manifest only on a cluster that has RBAC disabled. The deployment installs two components: the MIC (Managed Identity Controller), which watches the AzureIdentity and AzureIdentityBinding resources and assigns the Azure identities to the node VMs, and the NMI (Node Managed Identity), a DaemonSet that intercepts the pods' token requests to the instance metadata endpoint and answers them with a token for the identity bound to the requesting pod.

2. Create an Azure Identity

Create a user-assigned managed identity in the resource group of the AKS cluster.

Command: az identity create -g <AKS resource group> -n aks-pod-identity

Output (identifiers redacted):

```json
{
  "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "clientSecretUrl": "https://control-westus.identity.azure.net/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/aks_dev_rg_wu/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-pod-identity/credentials?tid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&oid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&aid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/aks_dev_rg_wu/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-pod-identity",
  "location": "westus",
  "name": "aks-pod-identity",
  "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "resourceGroup": "au10515_aks_dev_rg_wu",
  "tags": {},
  "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
```

Record three values from this output: id (the identity's ARM resource ID), clientId and principalId. They are used in the role assignments below and in the AzureIdentity manifest.

Assign Cluster SPN Role

The cluster's service principal must be allowed to assign the new identity to the node VMs. Get its client ID first.

Command for getting the AKS service principal ID: az aks show -g <resource group> -n <cluster name> --query servicePrincipalProfile.clientId -o tsv

Then grant it the Managed Identity Operator role, scoped to the identity itself rather than to the whole resource group.

Command: az role assignment create --role "Managed Identity Operator" --assignee <AKS service principal client ID> --scope <ID of managed identity>

Assign Azure Identity Roles

Command: az role assignment create --role Reader --assignee <principalId of managed identity> --scope <Key Vault resource ID>

Reader is an Azure RBAC (management-plane) role and does not by itself allow reading secrets; data-plane access is granted by the Key Vault access policies below. Keep those to the single get permission, and only for the object types the pod actually mounts.

Set policy to access keys in your Key Vault

Command: az keyvault set-policy -n dev-kv --key-permissions get --spn <clientId of managed identity>

Set policy to access secrets in your Key Vault

Command: az keyvault set-policy -n dev-kv --secret-permissions get --spn <clientId of managed identity>

Set policy to access certs in your Key Vault

Command: az keyvault set-policy -n dev-kv --certificate-permissions get --spn <clientId of managed identity>

3. Install the Azure Identity

Save this Kubernetes manifest to a file named aadpodidentity.yaml:

```yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: <a-idname>
spec:
  type: 0
  ResourceID: /subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>
  ClientID: <clientId>
```

Replace the placeholders with your identity's values: ResourceID is the id and ClientID the clientId from the az identity create output. Set type: 0 for a user-assigned managed identity or type: 1 for a service principal.

Finally, save your changes to the file, then create the AzureIdentity resource in your cluster:

kubectl apply -f aadpodidentity.yaml

4. Install the Azure Identity Binding

Save this Kubernetes manifest to a file named aadpodidentitybinding.yaml:

```yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: demo1-azure-identity-binding
spec:
  AzureIdentity: <a-idname>
  Selector: <label value to match>
```

Replace the placeholders with your values. Ensure that the AzureIdentity name matches the one in aadpodidentity.yaml. Selector is a plain label value: any pod whose aadpodidbinding label equals it is bound to the identity. Unless aad-pod-identity runs in namespaced mode this matching is cluster-wide, so the right to create pods carrying that label is equivalent to holding the identity's credentials; restrict it with Kubernetes RBAC and admission policy accordingly.

Finally, save your changes to the file, then create the AzureIdentityBinding resource in your cluster:

kubectl apply -f aadpodidentitybinding.yaml

Sample Nginx Deployment for accessing key vault secret using Pod Identity

Save this sample nginx pod manifest file named nginx-pod.yaml:

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flex-kv-podid
    aadpodidbinding: <label value to match>   # must equal the Selector of the AzureIdentityBinding
  name: nginx-flex-kv-podid
spec:
  containers:
  - name: nginx-flex-kv-podid
    image: nginx
    volumeMounts:
    - name: test
      mountPath: /kvmnt
      readOnly: true
  volumes:
  - name: test
    flexVolume:
      driver: "azure/kv"
      options:
        usepodidentity: "true"       # [OPTIONAL] if not provided, will default to "false"
        keyvaultname: ""             # the name of the KeyVault
        keyvaultobjectnames: ""      # list of KeyVault object names (semi-colon separated)
        keyvaultobjecttypes: secret  # list of KeyVault object types: secret, key or cert (semi-colon separated)
        keyvaultobjectversions: ""   # [OPTIONAL] list of KeyVault object versions (semi-colon separated), will get latest if empty
        resourcegroup: ""            # the resource group of the KeyVault
        subscriptionid: ""           # the subscription ID of the KeyVault
        tenantid: ""                 # the tenant ID of the KeyVault
```

The aadpodidbinding label must equal the Selector of the binding; a pod with no matching binding gets no identity and the volume mount fails. With usepodidentity set to "true" the FlexVolume driver obtains its Key Vault token through the pod's identity instead of a service principal secret stored in the cluster, and each requested object is written as a file under /kvmnt named after the object.
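The Azure CLI steps in section 2 and the two manifests of sections 3 and 4, which must agree on the identity name and the label selector, collected into one script. This is an added example and not code from the original post or from the aad-pod-identity project. The identity name aks-pod-identity and the vault name dev-kv come from the post; the resource group, cluster name, Key Vault resource group and selector defaults are assumptions for this example. The Azure and kubectl calls run only when the script is invoked with `apply`; the helpers that build the identity resource ID, validate GUIDs and render the manifests need no Azure access.

```shell
#!/bin/sh
# Added example, not part of the original post: creates the user-assigned
# identity, grants the two role assignments and the Key Vault access policy,
# then renders AzureIdentity/AzureIdentityBinding manifests from the same
# variables so the name and selector cannot drift apart.
# Defaults marked "assumed" are placeholders for this example.
set -eu

AKS_RG="${AKS_RG:-aks_dev_rg_wu}"                  # AKS resource group (assumed)
AKS_NAME="${AKS_NAME:-aks-dev}"                    # AKS cluster name (assumed)
IDENTITY_NAME="${IDENTITY_NAME:-aks-pod-identity}" # identity name used in the post
KV_NAME="${KV_NAME:-dev-kv}"                       # Key Vault name used in the post
KV_RG="${KV_RG:-$AKS_RG}"                          # Key Vault resource group (assumed)
SELECTOR="${SELECTOR:-nginx-flex-kv-podid}"        # pod aadpodidbinding label value (assumed)

# Accept only a GUID. az resolves --assignee from names too, and a pasted value
# with a stray trailing space (as in the post's redacted output) would bind nothing.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# ARM resource ID of a user-assigned identity: the --scope of the
# "Managed Identity Operator" assignment and the ResourceID of the AzureIdentity.
identity_resource_id() { # $1=subscription $2=resource group $3=identity name
  printf '/subscriptions/%s/resourcegroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s' "$1" "$2" "$3"
}

render_identity_manifest() { # $1=identity name $2=resource id $3=client id
  cat <<EOF
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: $1
spec:
  type: 0
  ResourceID: $2
  ClientID: $3
EOF
}

render_binding_manifest() { # $1=identity name $2=selector (pod label value)
  cat <<EOF
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: $1-binding
spec:
  AzureIdentity: $1
  Selector: $2
EOF
}

provision() {
  sub="$(az account show --query id -o tsv)"
  az identity create -g "$AKS_RG" -n "$IDENTITY_NAME" -o none
  client_id="$(az identity show -g "$AKS_RG" -n "$IDENTITY_NAME" --query clientId -o tsv)"
  principal_id="$(az identity show -g "$AKS_RG" -n "$IDENTITY_NAME" --query principalId -o tsv)"
  is_guid "$client_id" && is_guid "$principal_id" || { echo "unexpected identity ids" >&2; return 1; }
  id_res="$(identity_resource_id "$sub" "$AKS_RG" "$IDENTITY_NAME")"

  # The cluster service principal (the kubelet identity on managed-identity clusters)
  # assigns the identity to the node VMs; scope the role to this identity only.
  aks_sp="$(az aks show -g "$AKS_RG" -n "$AKS_NAME" --query servicePrincipalProfile.clientId -o tsv)"
  az role assignment create --role "Managed Identity Operator" --assignee "$aks_sp" --scope "$id_res" -o none

  # Reader is management-plane only; secret reads are authorised by the access policy.
  kv_id="$(az keyvault show -n "$KV_NAME" -g "$KV_RG" --query id -o tsv)"
  az role assignment create --role Reader --assignee "$principal_id" --scope "$kv_id" -o none
  # Only "get" on secrets: a read-only mount needs nothing else.
  az keyvault set-policy -n "$KV_NAME" --spn "$client_id" --secret-permissions get -o none

  render_identity_manifest "$IDENTITY_NAME" "$id_res" "$client_id" > aadpodidentity.yaml
  render_binding_manifest "$IDENTITY_NAME" "$SELECTOR" > aadpodidentitybinding.yaml
  kubectl apply -f aadpodidentity.yaml -f aadpodidentitybinding.yaml
}

# Live Azure/kubectl steps run only on "apply"; otherwise only the helpers are defined.
if [ "${1:-}" = "apply" ]; then
  provision
fi
```

Run it as `sh provision-pod-identity.sh apply` after `az login` and with kubectl pointed at the cluster. Because both rendered manifests take the identity name from IDENTITY_NAME, the name check the post asks for holds by construction, and the pod that should receive the identity gets the label aadpodidbinding set to the SELECTOR value.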
Azure AD Pod Identity: points to remember when implementing in a cluster