1

Azure Kubernetes now seems to offer two ways to access other Azure resources:

1. AKS managed identity - https://learn.microsoft.com/en-us/azure/aks/use-managed-identity
2. AAD pod identity - https://github.com/Azure/aad-pod-identity

As an application running within AKS, how can I request a token for the AKS cluster managed identity or for the AAD pod identity? When I call the IMDS endpoint for a token, how will it know which identity to generate the token for?

user3740951
  • 1,109
  • 2
  • 20
  • 39
  • Are you interested in providing each pod with its own identity when communicating with the API server? Kubernetes has this concept layer using Kubernetes Service Principal; you get distinct audit data for each operation of each user (service account): https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ – djsly Jun 15 '20 at 12:56
  • No, I don't want to communicate with the Kubernetes API server. My question is about accessing other Azure resources. – user3740951 Jun 15 '20 at 13:16
  • So you are right that https://github.com/Azure/aad-pod-identity is the piece of software you need. – djsly Jun 15 '20 at 14:54

3 Answers

4

The AKS managed identity you mention in option 1 (https://learn.microsoft.com/en-us/azure/aks/use-managed-identity) is meant for cluster-internal use only. You cannot use that identity to access Azure resources from your pods.

You can use Pod identity to achieve your needs. You need to create an Identity Binding (https://github.com/Azure/aad-pod-identity#5-deploy-azureidentitybinding) for the managed identity you want to use, and specify that identity binding in your pod spec (https://github.com/Azure/aad-pod-identity#6-deployment-and-validation).

When the pod requests a token from the IMDS endpoint, it does not need to specify the identity: that is figured out automatically by the NMI based on the identity binding in the pod spec for the pod making the request.

udayxhegde
  • 311
  • 1
  • 6
  • Ideally, I would use something fully supported by Microsoft, but as it shows, it is in preview: https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity – Maulik Modi Nov 10 '21 at 09:27
1

Similarly, a host can make an authorization request to fetch Service Principal Token for a resource directly from the NMI host endpoint (http://127.0.0.1:2579/host/token/). The request must include the pod namespace podns and the pod name podname in the request header and the resource endpoint of the resource requesting the token. The NMI server identifies the pod based on the podns and podname in the request header and then queries k8s (through MIC) for a matching azure identity. Then NMI makes an ADAL request to get a token for the resource in the request, returning the token and the clientid as a response.

https://github.com/Azure/aad-pod-identity#node-managed-identity

djsly
  • 1,522
  • 11
  • 13
  • How about if for some use case I don't want the pod identity token but the AKS cluster managed identity token; how will I achieve that? Will not having the pod namespace header do? – user3740951 Jun 15 '20 at 17:43
  • Right now, you would need to curl the container service object using the Azure Management API. – djsly Jun 16 '20 at 02:24
  • But it seems that the servicePrincipalProfile will return you an empty payload with client ID MSI; this is because right now AKS only supports dynamically provisioned tokens. They will be supporting bring your own token/key (bring your own user-defined MSI). Once you have that, you will be able to reuse the same in your pod. Right now, you can reuse the system-assigned MSI using the AKS resource PrincipalID with delegation, see: https://learn.microsoft.com/en-us/azure/aks/kubernetes-service-principal#delegate-access-to-other-azure-resources – djsly Jun 16 '20 at 02:30
  • I'm not understanding. Can you elaborate on how I can get a token for the AKS MSI (https://learn.microsoft.com/en-us/azure/aks/use-managed-identity)? Usually the way to do it is to hit the IMDS endpoint (169.254.169.254). But if I have MIC and NMI running for some other pods to get tokens the pod identity way, how can I also get a token for the system-assigned AKS MSI? – user3740951 Jun 16 '20 at 06:22
  • You cannot. Right now it seems that the containerService object doesn't expose the secret. – djsly Jun 16 '20 at 13:14
  • Use resources.azure.com to look at the JSON object of your MSI-enabled cluster; you will see in the servicePrincipalProfile that the secret should be NULL. – djsly Jun 16 '20 at 13:15
  • OK, but then why offer MSI at all if we can't use it? – user3740951 Jun 16 '20 at 16:29
  • It's good for users who want to avoid having to manage their own ServicePrincipal for now. Early GA drop, I think, to get it available. User-defined MSI is coming as a release 2, I have been told. – djsly Jun 16 '20 at 18:08
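The lookup the two answers above describe, as an added example that is not from either answer or from the aad-pod-identity project: how NMI/MIC pick an identity from the pod's aadpodidbinding label through an AzureIdentityBinding, what the pod's plain IMDS request (no client_id) and the NMI host-endpoint request (podns/podname headers) look like, and a check that the returned client_id is the one the pod is bound to. The CRD objects, client ID, resource ID, token reply and function names are constructed for this example.

```python
import json
from urllib.parse import urlencode

# Constructed sample objects shaped like the aad-pod-identity CRDs (AzureIdentity and
# AzureIdentityBinding); the client ID and resource ID are placeholders, not real values.
AZURE_IDENTITIES = [
    {"metadata": {"name": "kv-reader"},
     "spec": {"type": 0,  # 0 = user-assigned managed identity
              "resourceID": "/subscriptions/<sub>/resourceGroups/<rg>/.../kv-reader-mi",
              "clientID": "11111111-1111-1111-1111-111111111111"}},
]
AZURE_IDENTITY_BINDINGS = [
    {"metadata": {"name": "kv-reader-binding"},
     "spec": {"azureIdentity": "kv-reader", "selector": "kv-reader"}},
]
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
NMI_HOST_TOKEN_URL = "http://127.0.0.1:2579/host/token/"
# Constructed IMDS-style reply; a real access_token is a JWT, this one is a placeholder.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "<jwt-placeholder>", "token_type": "Bearer", "expires_on": "1700000000",
    "client_id": "11111111-1111-1111-1111-111111111111", "resource": "https://vault.azure.net"})

def resolve_identity(pod_labels, bindings=AZURE_IDENTITY_BINDINGS, identities=AZURE_IDENTITIES):
    """How NMI/MIC choose the identity: pod label aadpodidbinding -> binding.spec.selector
    -> binding.spec.azureIdentity -> AzureIdentity; None when nothing matches (unbound pod)."""
    selector = pod_labels.get("aadpodidbinding")
    for b in bindings:
        if selector is not None and b["spec"]["selector"] == selector:
            name = b["spec"]["azureIdentity"]
            return next((i for i in identities if i["metadata"]["name"] == name), None)
    return None

def imds_request(resource):
    """What the pod sends: the ordinary IMDS URL plus the Metadata header and NO client_id;
    NMI intercepts the call and uses the identity resolved above."""
    query = urlencode({"api-version": "2018-02-01", "resource": resource})
    return f"{IMDS_TOKEN_URL}?{query}", {"Metadata": "true"}

def nmi_host_request(pod_namespace, pod_name, resource):
    """What a host-side caller sends to the NMI host endpoint: podns/podname headers name
    the pod on whose behalf the token is issued, resource is the token audience."""
    url = f"{NMI_HOST_TOKEN_URL}?{urlencode({'resource': resource})}"
    return url, {"podns": pod_namespace, "podname": pod_name}

def parse_token_response(body, expected_client_id=None):
    """Parse the JSON reply and check client_id matches the identity the pod is bound to."""
    data = json.loads(body)
    if expected_client_id and data.get("client_id") != expected_client_id:
        raise ValueError("token was minted for a different identity than the pod's binding")
    return {"token": data["access_token"], "client_id": data.get("client_id"),
            "expires_on": int(data["expires_on"])}
```

A pod without the aadpodidbinding label resolves to no identity, which is why NMI returns an error for it instead of handing out another pod's token.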
0

All the above answers are pointing towards using AAD Pod Identity, but we can use the AKS managed identity as well.

Just give rights/access/roles to the AKS managed identity over Azure resources, and then we can use it to access Azure resources without AAD Pod Identity.

    using Azure.Identity; // added: DefaultAzureCredential comes from the Azure.Identity package
    builder.Configuration.AddAzureKeyVault(new Uri("https://<your_vault>.vault.azure.net/"), new DefaultAzureCredential());

As mentioned, I simply allowed the AKS managed identity to read secrets from Azure Key Vault in the portal, and registering the AzureVaultConfig provider in code was enough for me.

As you can see below, the AcrPull role for the ACR was already assigned to the AKS managed identity, so there was no need to create image pull secrets to pull images from the private registry. I tried the same thing with Azure Key Vault, and I guess it should work with other Azure resources as well.

(screenshot of the AKS managed identity's role assignments, not reproduced)

In particular, I used the AKS agent-pool managed identity to access Key Vault.