aks-baseline

Workload identity

Open joachimnielandt opened this issue 2 years ago • 4 comments

Hello all,

I am using a modified version of this repository as the basis of my cluster. I noticed recent upgrades mention having to switch over from 'pod managed identity' to 'workload identity', which impacts, e.g., Traefik's aadpodidbinding. Are there plans to modify this repository to reflect this advised change, or can you advise on how to migrate correctly?

I understood that there are some required labels and annotations, but I also see mention of sidecars and migration paths to eliminate the 'pod managed identity' capability altogether, so I figured I'd better ask to have the full picture before doing anything untoward.

Best regards and thanks in advance

related docs:

  • https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview#service-account-labels
  • https://github.com/Azure/AKS/pull/3445/files

joachimnielandt (Feb 14 '23 13:02)

This repo is already using workload identity. There might be a lingering aadpodbinding annotation still in the manifest. If that's the case, let me know and we can remove that annotation/metadata that is no longer needed.

ckittel (Feb 15 '23 14:02)

Good to hear, seeing that annotation and linking it to the notice confused me.

The annotations can be found here:

  • https://github.com/mspnp/aks-baseline/blob/9cdd1618c461e28d88e07115365906364f0425b9/workload/traefik.yaml#L191
  • https://github.com/mspnp/aks-baseline/blob/9cdd1618c461e28d88e07115365906364f0425b9/workload/traefik.yaml#L212

So, for my understanding: the notice mentions having to include azure.workload.identity/use on serviceaccounts and pods (as a temporary measure to switch from pod identity?). This would not be necessary as it's already set up properly to begin with?

joachimnielandt (Feb 15 '23 14:02)

Don't need to add that additional annotation (azure.workload.identity/use) -- that's for code-level usage of workload identity. Traefik doesn't do that, it just uses pre-mounted secrets. The AKS Key Vault Provider is the one that is using workload identity for this. So it's already all set up to go.

Thanks. I'll leave this github issue open as a signal to delete those two legacy pod identity annotations -- sorry for the confusion!

ckittel (Feb 15 '23 18:02)
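An added example, not code from the aks-baseline repository: a small Python audit over the JSON that `kubectl get pods,serviceaccounts -A -o json` emits, flagging any lingering `aadpodidbinding` binding (the legacy pod identity mechanism discussed above) and any pod that opts in to workload identity with `azure.workload.identity/use: "true"` while its service account is missing the `azure.workload.identity/client-id` annotation. The namespace, pod and service-account names and the client ID in the embedded sample are constructed.

```python
import json

LEGACY_KEY = "aadpodidbinding"                      # AAD Pod Identity binding (deprecated)
WI_USE_LABEL = "azure.workload.identity/use"        # pod label opting in to workload identity
WI_CLIENT_ID = "azure.workload.identity/client-id"  # service account annotation with the app client ID

def audit(items):
    """Return {namespace/pod: [finding, ...]} for a list of Pod and ServiceAccount objects."""
    sa_annotations = {}
    for obj in items:
        if obj.get("kind") == "ServiceAccount":
            md = obj["metadata"]
            sa_annotations[(md["namespace"], md["name"])] = md.get("annotations") or {}
    findings = {}
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        md = obj["metadata"]
        key = f'{md["namespace"]}/{md["name"]}'
        labels = md.get("labels") or {}
        ann = md.get("annotations") or {}
        if LEGACY_KEY in labels or LEGACY_KEY in ann:  # leftover pod identity binding
            findings.setdefault(key, []).append("legacy aadpodidbinding present")
        if labels.get(WI_USE_LABEL) == "true":  # pod wants a federated token injected
            sa = obj.get("spec", {}).get("serviceAccountName", "default")
            if WI_CLIENT_ID not in sa_annotations.get((md["namespace"], sa), {}):
                findings.setdefault(key, []).append(
                    f"opts in to workload identity but ServiceAccount {sa} lacks {WI_CLIENT_ID}")
    return findings

# Constructed sample in the shape of `kubectl get pods,serviceaccounts -A -o json` (its .items).
SAMPLE_JSON = """[
 {"kind": "ServiceAccount", "metadata": {"namespace": "a0008", "name": "traefik-ingress-controller",
   "annotations": {"azure.workload.identity/client-id": "00000000-0000-0000-0000-000000000000"}}},
 {"kind": "ServiceAccount", "metadata": {"namespace": "a0008", "name": "app-sa"}},
 {"kind": "Pod", "metadata": {"namespace": "a0008", "name": "traefik-ingress-controller-abc12",
   "labels": {"aadpodidbinding": "podmi-ingress-controller"}},
  "spec": {"serviceAccountName": "traefik-ingress-controller"}},
 {"kind": "Pod", "metadata": {"namespace": "a0008", "name": "app-1",
   "labels": {"azure.workload.identity/use": "true"}}, "spec": {"serviceAccountName": "app-sa"}},
 {"kind": "Pod", "metadata": {"namespace": "a0008", "name": "clean-1"}, "spec": {}}
]"""

def audit_sample():
    return audit(json.loads(SAMPLE_JSON))

if __name__ == "__main__":
    for pod, notes in audit_sample().items():
        print(pod, "->", "; ".join(notes))
```

Against a real cluster, feed it the `.items` array of the kubectl output instead of the embedded sample.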

Great, once again thanks for the explanation!

joachimnielandt (Feb 16 '23 07:02)