I'm trying to create an ARM template to provision an Azure Kubernetes Service cluster with Azure workload identity pre-configured, similar to the result that the cmdlet below would produce:

az aks create -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --enable-oidc-issuer --enable-workload-identity

I managed to enable OIDC issuer and workload identity in my ARM template:

    {
        "apiVersion": "2019-06-01",
        "dependsOn": [],
        "type": "Microsoft.ContainerService/managedClusters",
        "location": "[parameters('location')]",
        "name": "[parameters('resourceName')]",
        "properties": {
            [...]
            "oidcIssuerProfile": {
                "enabled": true
            },
            "workloadIdentity": {
                "enabled": true
            },
            "securityProfile": {
                "workloadIdentity": {
                    "enabled": true
                }
            },
            [...]
        }
    }

But after the script has executed, I can't see the azure-wi-webhook-controller-manager pods running under the kube-system namespace. It seems that the ARM template does not install this component, which is required for Azure Workload Identity to work.

Is there a way I can install it through ARM?

Thanks a lot


1 Answer

The problem with your ARM template is the API version: workloadIdentity was not added until 2023-01-02-preview, and you're using 2019-06-01. See https://learn.microsoft.com/en-us/azure/templates/microsoft.containerservice/change-log/managedclusters#2023-01-02-preview

For reference, the AKS Construction Bicep implements workload identity and most other AKS features.
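As an added check, not code from the question or the answer: a short Python script that walks an ARM template and flags a managedClusters resource whose securityProfile.workloadIdentity is enabled under an apiVersion older than 2023-01-02-preview, or without the OIDC issuer that `az aks create --enable-oidc-issuer --enable-workload-identity` pairs it with. The sample template is constructed from the question's resource; the name and location are placeholders.

```python
"""Lint an ARM template for the AKS workload-identity mistake discussed above."""
from datetime import date

AKS_TYPE = "Microsoft.ContainerService/managedClusters"
# Per the answer above: securityProfile.workloadIdentity first appears here.
MIN_WI_VERSION = "2023-01-02-preview"

# Constructed sample built from the question's resource (elided parts omitted).
SAMPLE_TEMPLATE = {
    "resources": [{
        "apiVersion": "2019-06-01",
        "type": AKS_TYPE,
        "name": "demo-aks",            # placeholder
        "location": "westeurope",      # placeholder
        "properties": {
            "oidcIssuerProfile": {"enabled": True},
            "securityProfile": {"workloadIdentity": {"enabled": True}},
        },
    }]
}

def api_version_date(version):
    """'2023-01-02-preview' -> date(2023, 1, 2); any suffix is ignored."""
    y, m, d = version.split("-")[:3]
    return date(int(y), int(m), int(d))

def check_cluster(resource):
    """Return a list of findings for one managedClusters resource."""
    findings = []
    props = resource.get("properties", {})
    wi = props.get("securityProfile", {}).get("workloadIdentity", {})
    wi_enabled = wi.get("enabled") is True
    oidc_enabled = props.get("oidcIssuerProfile", {}).get("enabled") is True
    version = resource.get("apiVersion", "1900-01-01")
    if wi_enabled and api_version_date(version) < api_version_date(MIN_WI_VERSION):
        findings.append(f"apiVersion {version} predates {MIN_WI_VERSION}: "
                        "securityProfile.workloadIdentity is not in that schema")
    if wi_enabled and not oidc_enabled:
        findings.append("workloadIdentity enabled but oidcIssuerProfile.enabled "
                        "is not true (az aks create enables both together)")
    return findings

def check_template(template):
    """Map each AKS resource name in a parsed ARM template to its findings."""
    return {r["name"]: check_cluster(r)
            for r in template.get("resources", []) if r.get("type") == AKS_TYPE}

if __name__ == "__main__":
    for name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(name, "OK" if not findings else findings)
```

Running it against the question's template reports the apiVersion finding; bumping apiVersion to 2023-01-02-preview makes it pass.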
