As organizations start to create and maintain clusters in AKS (Azure Kubernetes Service), they also need a cloud-based identity and access management service to reach other Azure cloud resources and services. Azure Active Directory (AAD) pod identity is a service that gives users this control by assigning identities to individual pods.
Without these controls, accounts may gain access to resources and services they do not require, and it becomes hard for IT teams to track which set of credentials was used to make a change.
Azure AD Pod identity is just one small part of the container and Kubernetes management process and as you delve deeper, you will realize the true power that Kubernetes and Containers bring to your DevOps ecosystem.
Here is a more detailed look at how to use AAD pod identity to connect pods in an AKS cluster with Azure Key Vault.
Pod Identity
Integrate your key management system with Kubernetes using pod identity. Secrets, certificates, and keys in a key management system become a volume accessible to pods. The volume is mounted into the pod, and its data is available directly in the container file system for your application.
On an existing AKS cluster:
Deploy Key Vault FlexVolume to your AKS cluster with this command:
- kubectl create -f https://raw.githubusercontent.com/Azure/kubernetes-keyvault-flexvol/master/deployment/kv-flexvol-installer.yaml
1. Create the Deployment
Run this command to create the aad-pod-identity deployment on an RBAC-enabled cluster:
- kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
Or run this command to deploy to a non-RBAC cluster:
- kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment.yaml
2. Create an Azure Identity
Create an Azure user-assigned managed identity (here named aks-pod-identity) in the resource group of the AKS service.
Command: az identity create -g <ResourceGroupNameOfAKSService> -n aks-pod-identity
Output:
{
  "clientId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "clientSecretUrl": "https://control-westus.identity.azure.net/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/aks_dev_rg_wu/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-pod-identity/credentials?tid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx&oid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx&aid=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "id": "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/aks_dev_rg_wu/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-pod-identity",
  "location": "westus",
  "name": "aks-pod-identity",
  "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "resourceGroup": "au10515_aks_dev_rg_wu",
  "tags": {},
  "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
Note the clientId, principalId and id values: the role assignments and Key Vault policies below use them.
Assign Cluster SPN Role
The cluster's service principal must be allowed to operate the managed identity. First get the AKS service principal ID:
Command: az aks show -g <resourcegroup> -n <name> --query servicePrincipalProfile.clientId -o tsv
Then grant it the Managed Identity Operator role, scoped to the managed identity only:
Command: az role assignment create --role "Managed Identity Operator" --assignee <AKSServicePrincipalId> --scope <ID of Managed identity>
Assign Azure Identity Roles
Give the managed identity the Reader role on the Key Vault (scoped to that vault):
Command: az role assignment create --role Reader --assignee <Principal ID of Managed identity> --scope <KeyVault Resource ID>
Set policy to access keys in your Key Vault
Command: az keyvault set-policy -n dev-kv --key-permissions get --spn <Client ID of Managed identity>
Set policy to access secrets in your Key Vault
Command: az keyvault set-policy -n dev-kv --secret-permissions get --spn <Client ID of Managed identity>
Set policy to access certs in your Key Vault
Command: az keyvault set-policy -n dev-kv --certificate-permissions get --spn <Client ID of Managed identity>
Each policy grants only the get permission, which is all the FlexVolume driver needs to read objects; grant only the object types your pods actually mount.
3. Install the Azure Identity
Save this Kubernetes manifest to a file named aadpodidentity.yaml:
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: <a-idname>
spec:
  type: 0
  ResourceID: /subscriptions/<subid>/resourcegroups/<resourcegroup>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>
  ClientID: <clientId>
Replace the placeholders with your user-assigned identity values (ResourceID is the id and ClientID the clientId from the az identity create output). Set type: 0 for a user-assigned managed identity or type: 1 for a service principal.
Finally, save your changes to the file, then create the AzureIdentity resource in your cluster:
kubectl apply -f aadpodidentity.yaml
4. Install the Azure Identity Binding
Save this Kubernetes manifest to a file named aadpodidentitybinding.yaml:
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: demo1-azure-identity-binding
spec:
  AzureIdentity: <a-idname>
  Selector: <label value to match>
Replace the placeholders with your values. Ensure that the AzureIdentity name matches the one in aadpodidentity.yaml; Selector is the value that a pod's aadpodidbinding label must carry to be bound to this identity.
Finally, save your changes to the file, then create the AzureIdentityBinding resource in your cluster:
kubectl apply -f aadpodidentitybinding.yaml
Sample Nginx Deployment for accessing key vault secret using Pod Identity
Save this sample nginx pod manifest to a file named nginx-pod.yaml:
apiVersion: v1
kind: Pod
metadata:
  labels:
    app: nginx-flex-kv-podid
    aadpodidbinding: <label value to match>   # must equal the Selector in aadpodidentitybinding.yaml
  name: nginx-flex-kv-podid
spec:
  containers:
  - name: nginx-flex-kv-podid
    image: nginx
    volumeMounts:
    - name: test
      mountPath: /kvmnt
      readOnly: true
  volumes:
  - name: test
    flexVolume:
      driver: "azure/kv"
      options:
        usepodidentity: "true"        # [OPTIONAL] if not provided, will default to "false"
        keyvaultname: ""              # the name of the KeyVault
        keyvaultobjectnames: ""       # list of KeyVault object names (semi-colon separated)
        keyvaultobjecttypes: secret   # list of KeyVault object types: secret, key or cert (semi-colon separated)
        keyvaultobjectversions: ""    # [OPTIONAL] list of KeyVault object versions (semi-colon separated), will get latest if empty
        resourcegroup: ""             # the resource group of the KeyVault
        subscriptionid: ""            # the subscription ID of the KeyVault
        tenantid: ""                  # the tenant ID of the KeyVault
Fill in the empty option values, then create the pod with kubectl apply -f nginx-pod.yaml; the requested Key Vault objects appear as files under /kvmnt in the container.
Azure AD Pod Identity points to remember when implementing it in a cluster
- Azure AD Pod Identity is currently bound to the default namespace. Deploying an Azure Identity and its binding to other namespaces will not work!
- Pods from all namespaces can be executed in the context of an Azure Identity deployed to the default namespace (related to point 1).
- Any pod developer can add the aadpodidbinding label to their pod and use your Azure Identity, so control who may create or edit pods that carry that label.
- Azure Identity Binding does not use the default Kubernetes label-selector mechanism; it matches only the value of the aadpodidbinding label against the binding's Selector.
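Because the binding matches the label value alone, the practical check against the last three points above is to audit which pods in which namespaces carry a matching aadpodidbinding label, and at the same time validate the azure/kv FlexVolume options from the nginx manifest. The script below is an added example (not from the original page or the aad-pod-identity project); the manifests are a constructed sample embedded as already-parsed dicts, and the "kv-reader" selector, the "team-b" namespace and the "debug-shell" pod are invented.

```python
ALLOWED_TYPES = {"secret", "key", "cert"}

# Constructed sample, already parsed from YAML (e.g. with PyYAML): the binding from
# aadpodidentitybinding.yaml plus two pods. The second pod lives in another namespace
# but carries the same label, which is exactly the situation point 2 above warns about.
BINDINGS = [{"kind": "AzureIdentityBinding",
             "metadata": {"name": "demo1-azure-identity-binding"},
             "spec": {"AzureIdentity": "aks-pod-identity", "Selector": "kv-reader"}}]
PODS = [
    {"metadata": {"name": "nginx-flex-kv-podid", "namespace": "default",
                  "labels": {"app": "nginx-flex-kv-podid", "aadpodidbinding": "kv-reader"}},
     "spec": {"volumes": [{"name": "test", "flexVolume": {"driver": "azure/kv", "options": {
         "usepodidentity": "true", "keyvaultname": "dev-kv",
         "keyvaultobjectnames": "db-password;tls-cert", "keyvaultobjecttypes": "secret;cert",
         "resourcegroup": "aks_dev_rg_wu", "subscriptionid": "<subid>", "tenantid": "<tenantid>"}}}]}},
    {"metadata": {"name": "debug-shell", "namespace": "team-b",
                  "labels": {"aadpodidbinding": "kv-reader"}},
     "spec": {"volumes": []}},
]


def pods_using_identity(pods, bindings):
    """Map every pod whose aadpodidbinding label equals a binding Selector to the
    AzureIdentity it can assume. The namespace is reported but never filters:
    the binding matches the label value alone, so pods in any namespace qualify."""
    identity_for = {b["spec"]["Selector"]: b["spec"]["AzureIdentity"] for b in bindings}
    result = []
    for pod in pods:
        meta = pod["metadata"]
        label = meta.get("labels", {}).get("aadpodidbinding")
        if label in identity_for:
            result.append((f'{meta.get("namespace", "default")}/{meta["name"]}', identity_for[label]))
    return result


def check_kv_options(opts):
    """Return the problems found in one azure/kv flexVolume options block (empty list if OK)."""
    problems = []
    for key in ("keyvaultname", "keyvaultobjectnames", "keyvaultobjecttypes",
                "resourcegroup", "subscriptionid", "tenantid"):
        if not opts.get(key):
            problems.append(f"{key} is empty")
    if opts.get("usepodidentity") != "true":   # the driver defaults this to "false"
        problems.append('usepodidentity is not "true", so the pod identity will not be used')
    names = [n for n in opts.get("keyvaultobjectnames", "").split(";") if n]
    types = [t for t in opts.get("keyvaultobjecttypes", "").split(";") if t]
    if len(names) != len(types):   # names and types are parallel semi-colon separated lists
        problems.append(f"{len(names)} object names but {len(types)} object types")
    problems += [f"unknown object type {t!r}" for t in types if t not in ALLOWED_TYPES]
    return problems
```

Any entry returned by pods_using_identity outside the default namespace is a pod that inherits the identity from another namespace; on a live cluster, feed it the output of kubectl get pods -A and kubectl get azureidentitybindings in JSON form.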