Author : MD TAREQ HASSAN | Updated : 2021/05/19
Prerequisites
- Provisioning AKS Cluster
- User Managed Identity
Initialize environment variables (PowerShell ISE will be used to execute commands)
$Env:AzUserName = "xxx"
$Env:AzPassword = "yyy"
$Env:ResourceGroup = "MyResourceGroup"
$Env:AksClusterName = "MyAksCluster"
$Env:AksTargetNamespace = "MyAksNamespace"
$Env:ManagedIdentityName = "MyManagedIdentity"
$Env:PodIdentityName = "MyPodIdentity"
AKS cluster credential (to execute commands in a terminal)
#
# Login to Azure
#
az login -u $Env:AzUserName -p $Env:AzPassword
#
# Get AKS cluster credential
#
az aks get-credentials --resource-group $Env:ResourceGroup --name $Env:AksClusterName --overwrite-existing
Create User Managed Identity
Create managed identity in Azure portal
- Go to: https://portal.azure.com/#create/Microsoft.ManagedIdentity
- Fill in details (e.g. name: MyManagedIdentity) > Create
Create managed identity using Azure CLI
az identity create --name $Env:ManagedIdentityName --resource-group $Env:ResourceGroup
Get managed identity information (client id & resource id; both will be used to create the pod-managed identity)
- Azure portal
  - Resource group > Managed identity
  - Client id: get it from the overview page
  - Resource id: get it from the properties page
- Azure CLI
  - Client id:
    az identity show --resource-group $Env:ResourceGroup --name $Env:ManagedIdentityName --query clientId -o tsv
  - Resource id:
    az identity show --resource-group $Env:ResourceGroup --name $Env:ManagedIdentityName --query id -o tsv
Save managed identity information in environment variables (will be used later)
#
# ClientID of MyManagedIdentity
# Can be used to assign access permissions on other Azure resources, e.g. KeyVault
#
$Env:ManagedIdentityClientId = $(az identity show --resource-group $Env:ResourceGroup --name $Env:ManagedIdentityName --query clientId -o tsv)
#
# ResourceId of MyManagedIdentity
# It is needed to create 'managed-pod identity' (MyPodIdentity)
#
$Env:ManagedIdentityResourceId = $(az identity show -g $Env:ResourceGroup -n $Env:ManagedIdentityName --query id -o tsv)
Managed-pod Identity Add-on
- Managed version of ‘AAD Pod Identity’
- As of May 2021, it is in preview
AKS preview features
#
# 'aks-preview' extension
#
az extension add --name aks-preview
az extension update --name aks-preview
Register EnablePodIdentityPreview feature
#
# EnablePodIdentityPreview feature registration
#
az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService
Enable Managed-pod identity
#
# Enable 'managed-pod identity' add-on
#
# az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity
# az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity --network-plugin azure
#
az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity
Create managed-pod identity “MyPodIdentity” resource (K8s object) in the target namespace of the AKS cluster
#
# Creating "MyPodIdentity" (managed-pod identity) K8s resource
#
# az aks pod-identity add --resource-group myResourceGroup
# --cluster-name myAKSCluster --namespace ${POD_IDENTITY_NAMESPACE}
# --name ${POD_IDENTITY_NAME} --identity-resource-id ${IDENTITY_RESOURCE_ID}
#
az aks pod-identity add `
--resource-group $Env:ResourceGroup `
--cluster-name $Env:AksClusterName `
--namespace $Env:AksTargetNamespace `
--name $Env:PodIdentityName `
--identity-resource-id $Env:ManagedIdentityResourceId
Check MyPodIdentity was created
kubectl get azureidentity -n $Env:AksTargetNamespace
Check the corresponding AzureIdentity & AzureIdentityBinding
kubectl get AzureIdentity,AzureIdentityBinding -n $Env:AksTargetNamespace
Take note of the selector of the AzureIdentityBinding (it will be used in the pod manifest to assign the pod managed identity)
kubectl describe azureidentitybinding.aadpodidentity.k8s.io/MyPodIdentity-binding -n $Env:AksTargetNamespace
In case you want to delete the pod identity
az aks pod-identity delete `
--resource-group $Env:ResourceGroup `
--cluster-name $Env:AksClusterName `
--name $Env:PodIdentityName `
--namespace $Env:AksTargetNamespace
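The add-on procedure above as one PowerShell script, with the checks the bare commands leave out: feature registration is asynchronous and must reach the Registered state before the cluster is updated, the add-on expects Azure CNI (the commented `--network-plugin azure` line above hints at this), and the generated AzureIdentityBinding's selector is what a pod's `aadpodidbinding` label must match. This is an added example, not code from the original post; it assumes the `$Env:*` variables defined at the top of the page plus `$Env:PodIdentityName = "MyPodIdentity"`, and the binding name `<pod identity>-binding` used by the `kubectl describe` line above.

```powershell
# Added example (not from the original post). Assumes $Env:ResourceGroup, $Env:AksClusterName,
# $Env:AksTargetNamespace, $Env:ManagedIdentityName and $Env:PodIdentityName ("MyPodIdentity").
$ErrorActionPreference = "Stop"

# 1. Feature registration is asynchronous: poll until it is 'Registered', then
#    re-register the resource provider so the new flag propagates to it.
az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService | Out-Null
do {
    Start-Sleep -Seconds 20
    $state = az feature show --name EnablePodIdentityPreview --namespace Microsoft.ContainerService --query properties.state -o tsv
    Write-Host "EnablePodIdentityPreview: $state"
} while ($state -ne "Registered")
az provider register --namespace Microsoft.ContainerService | Out-Null

# 2. The add-on expects Azure CNI; on a kubenet cluster 'az aks update --enable-pod-identity'
#    is rejected unless --enable-pod-identity-with-kubenet is added, so check before updating.
$plugin = az aks show -g $Env:ResourceGroup -n $Env:AksClusterName --query networkProfile.networkPlugin -o tsv
if ($plugin -ne "azure") {
    throw "Cluster network plugin is '$plugin'; this script expects Azure CNI (see --enable-pod-identity-with-kubenet in 'az aks update --help')."
}
az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity | Out-Null

# 3. Bind the user-assigned managed identity to the target namespace as pod identity MyPodIdentity.
$identityResourceId = az identity show -g $Env:ResourceGroup -n $Env:ManagedIdentityName --query id -o tsv
az aks pod-identity add `
    --resource-group $Env:ResourceGroup `
    --cluster-name $Env:AksClusterName `
    --namespace $Env:AksTargetNamespace `
    --name $Env:PodIdentityName `
    --identity-resource-id $identityResourceId | Out-Null

# 4. Read back the selector of the binding the add-on generated ('<pod identity>-binding').
#    Only pods carrying the label aadpodidbinding=<selector> will be handed this identity.
$selector = kubectl get azureidentitybinding "$($Env:PodIdentityName)-binding" `
    -n $Env:AksTargetNamespace -o jsonpath='{.spec.selector}'
if ($selector -ne $Env:PodIdentityName) {
    throw "Unexpected selector '$selector'; pods labelled aadpodidbinding=$($Env:PodIdentityName) would not be matched."
}
Write-Host "Pod identity ready; label pods with aadpodidbinding=$selector"
```

Run it in the same PowerShell ISE session as the environment-variable block at the top of the page, after `az login` and `az aks get-credentials`. The selector check at the end is the one worth keeping: a pod whose `aadpodidbinding` label does not match the binding's selector silently gets no identity, and its token requests to the metadata endpoint fail.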
AAD Pod Identity
- Might be deprecated in future in favor of ‘managed-pod identity’
- Open source project by Microsoft: https://github.com/Azure/aad-pod-identity
Installing AAD Pod Identity (details: https://azure.github.io/aad-pod-identity/docs/getting-started/installation/)
kubectl apply `
-f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml
Create User Assigned Managed Identity
- Go to: https://portal.azure.com/#create/Microsoft.ManagedIdentity
- Fill in details > Create
- Get information of the managed identity
  - Azure portal > Resource group > target managed identity
  - Client id
    - Azure portal: from the overview page
    - Azure CLI:
      az identity show --resource-group $RESOURCE_GROUP --name $MANAGED_IDENTITY_NAME --query clientId -o tsv
  - Resource id
    - Azure portal: from the properties page
    - Azure CLI:
      az identity show --resource-group $RESOURCE_GROUP --name $MANAGED_IDENTITY_NAME --query id -o tsv
- Allow managed identity to access target resource
Managed identity information (will be used later)
Name: xxx
Client ID: xxx
Resource ID: /subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.ManagedIdentity/userAssignedIdentities/zzz
Allowing user managed identity to access target resource (e.g. KeyVault) via Azure portal
- Azure portal > Resource group > Target resource (e.g. KeyVault)
- Settings: Access policies > Add access policy
- Select principal > Search ‘k8s-pod-azuread-identity’
- Add > Save
Azure CLI commands in PowerShell (allowing managed identity to access target resource, e.g. KeyVault)
$mid = az identity show --resource-group $RESOURCE_GROUP --name $MANAGED_IDENTITY_NAME --query clientId -o tsv
az keyvault set-policy -n $KV_NAME --key-permissions get --spn $mid
az keyvault set-policy -n $KV_NAME --secret-permissions get --spn $mid
az keyvault set-policy -n $KV_NAME --certificate-permissions get --spn $mid
Create AzureIdentity: https://github.com/Azure/aad-pod-identity/blob/master/deploy/demo/aadpodidentity.yaml
AzureIdentity.yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: MyAzureIdentity
spec:
  type: 0                  # 0 = user-assigned managed identity (1 would be a service principal)
  resourceID: RESOURCE_ID  # resource id of the managed identity (az identity show --query id)
  clientID: CLIENT_ID      # client id of the managed identity (az identity show --query clientId)
Create AzureIdentityBinding: https://github.com/Azure/aad-pod-identity/blob/master/deploy/demo/aadpodidentitybinding.yaml
AzureIdentityBinding.yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: MyAzureIdentityBinding
spec:
  azureIdentity: "MyAzureIdentity"   # name of the AzureIdentity created above
  selector: "my-pod-identity"        # value a pod's aadpodidbinding label must carry
The line `selector: "my-pod-identity"` is important: it will be used in the pod manifest (label `aadpodidbinding`) to assign the pod its ‘managed identity’.
Check AzureIdentity & AzureIdentityBinding
kubectl get AzureIdentity,AzureIdentityBinding -n test
Testing pod identity
- We will test managed-pod identity by accessing Azure KeyVault
- Create Azure KeyVault
- Create a secret named “test-secret” (value: “this is a test secret in Azure KeyVault”)
- Get the following information (will be passed as args to the image)
  - subscriptionid=SUBSCRIPTION_ID
  - clientid=IDENTITY_CLIENT_ID
  - resourcegroup=IDENTITY_RESOURCE_GROUP
- Give MyManagedIdentity access permission to the KeyVault (secret permissions: get, list)
demo.yaml
apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    aadpodidbinding: MyPodIdentity   # must equal the AzureIdentityBinding selector
spec:
  containers:
  - name: demo
    image: mcr.microsoft.com/oss/azure/aad-pod-identity/demo:v1.6.3
    args:
    - --subscriptionid=SUBSCRIPTION_ID
    - --clientid=IDENTITY_CLIENT_ID
    - --resourcegroup=IDENTITY_RESOURCE_GROUP
    env:
    - name: MY_POD_NAME
      valueFrom:
        fieldRef:
          fieldPath: metadata.name
    - name: MY_POD_NAMESPACE
      valueFrom:
        fieldRef:
          fieldPath: metadata.namespace
    - name: MY_POD_IP
      valueFrom:
        fieldRef:
          fieldPath: status.podIP
  nodeSelector:
    kubernetes.io/os: linux
Deploy: kubectl apply -f demo.yaml --namespace test
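The test setup listed above (KeyVault, test secret, access policy for the managed identity, filling the three placeholders in demo.yaml and deploying it) as one PowerShell script. This is an added example, not code from the original post; it assumes the `$Env:*` variables from the top of the page, a KeyVault name and region of your choosing (`$Env:KeyVaultName` and `$Env:Location`, both constructed here), and `demo.yaml` saved in the current directory.

```powershell
# Added example (not from the original post). Assumes $Env:ResourceGroup, $Env:ManagedIdentityName
# and $Env:AksTargetNamespace from the page; KeyVault name and location are constructed values.
$ErrorActionPreference = "Stop"
$Env:KeyVaultName = "mykv-podid-demo"   # constructed; KeyVault names must be globally unique
$Env:Location     = "japaneast"         # constructed; any region you can deploy to

# 1. KeyVault and the test secret the demo will read
az keyvault create --name $Env:KeyVaultName --resource-group $Env:ResourceGroup --location $Env:Location | Out-Null
az keyvault secret set --vault-name $Env:KeyVaultName --name test-secret `
    --value "this is a test secret in Azure KeyVault" | Out-Null

# 2. Grant the managed identity only what the test needs: get + list on secrets.
#    '--spn' takes the identity's client id; keys and certificates are deliberately not granted.
$clientId = az identity show -g $Env:ResourceGroup -n $Env:ManagedIdentityName --query clientId -o tsv
az keyvault set-policy --name $Env:KeyVaultName --spn $clientId --secret-permissions get list | Out-Null

# 3. Fill the placeholders in demo.yaml from the live subscription rather than by hand,
#    then apply the rendered manifest from stdin so the file on disk keeps its placeholders.
$subscriptionId = az account show --query id -o tsv
$manifest = Get-Content -Path .\demo.yaml -Raw
$manifest = $manifest -replace 'SUBSCRIPTION_ID', $subscriptionId `
                      -replace 'IDENTITY_CLIENT_ID', $clientId `
                      -replace 'IDENTITY_RESOURCE_GROUP', $Env:ResourceGroup
$manifest | kubectl apply --namespace $Env:AksTargetNamespace -f -

# 4. Wait for the pod, then show the token-acquisition lines the post tells you to look for
kubectl wait --for=condition=Ready pod/demo --namespace $Env:AksTargetNamespace --timeout=120s
kubectl logs demo --namespace $Env:AksTargetNamespace | Select-String "successfully"
```

`az keyvault set-policy` only applies to vaults using the access-policy permission model, which is what the post's own `set-policy` commands assume; the `-replace` order matters because `IDENTITY_RESOURCE_GROUP` is replaced last and the earlier patterns do not overlap it.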
Check the application is running successfully
kubectl logs demo --follow --namespace test
Verify the logs show that a token was successfully acquired and the GET operation succeeded
... ... ...
successfully acquired a token using the MSI, msiEndpoint(http://169.254.169.254/metadata/identity/oauth2/token)
successfully acquired a token, userAssignedID MSI, msiEndpoint(http://169.254.169.254/metadata/identity/oauth2/token) clientID(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
successfully made GET on instance metadata
... ... ...
Links
- https://pixelrobots.co.uk/2021/04/azure-key-vault-access-on-azure-kubernetes-service-using-the-new-aks-add-on/
- https://blog.nillsf.com/index.php/2021/01/05/trying-out-the-preview-of-azure-active-directory-pod-managed-identities-in-azure-kubernetes-service/
- https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity