Author : MD TAREQ HASSAN | Updated : 2021/05/19

Prerequisites

Initialize environment variables (PowerShell ISE will be used to execute commands)

$Env:AzUserName = "xxx"
$Env:AzPassword = "yyy"
$Env:ResourceGroup = "MyResourceGroup"
$Env:AksClusterName = "MyAksCluster"
$Env:AksTargetNamespace = "MyAksNamespace"
$Env:ManagedIdentityName = "MyManagedIdentity"
$Env:PodIdentityName = "MyPodIdentity"
 

Get AKS cluster credentials (so that kubectl commands can be executed from the terminal)

#
# Login to Azure
#
az login -u $Env:AzUserName -p $Env:AzPassword

#
# Get AKS cluster credential
#
az aks get-credentials --resource-group $Env:ResourceGroup --name $Env:AksClusterName --overwrite-existing

Create User Managed Identity

Create managed identity in Azure portal

Create managed identity using Azure CLI

az identity create --name $Env:ManagedIdentityName --resource-group $Env:ResourceGroup

Get managed identity information (client ID and resource ID; both will be used to create the pod-managed identity)

Save the managed identity information in environment variables (will be used later)

#
# ClientID of MyManagedIdentity
# Can be used to assign access permissions on other Azure resources, e.g. Key Vault
#
$Env:ManagedIdentityClientId = $(az identity show --resource-group $Env:ResourceGroup --name $Env:ManagedIdentityName --query clientId -o tsv)

#
# ResourceId of MyManagedIdentity
# Needed to create the 'managed-pod identity' (MyPodIdentity)
#
$Env:ManagedIdentityResourceId = $(az identity show -g $Env:ResourceGroup -n $Env:ManagedIdentityName --query id -o tsv)

Managed-pod Identity Add-on

AKS preview features

#
# 'aks-preview' extension
#
az extension add --name aks-preview
az extension update --name aks-preview

Register EnablePodIdentityPreview feature

#
# EnablePodIdentityPreview feature registration
#
az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService

Enable Managed-pod identity

#
# Enable 'managed-pod identity' add-on
#
# az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity
# az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity --network-plugin azure
#

az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity

Create the managed-pod identity "MyPodIdentity" resource (a K8s object) in the target namespace of the AKS cluster

#
# Creating "MyPodIdentity" (managed-pod identity) K8s resource
#
# az aks pod-identity add --resource-group myResourceGroup 
# --cluster-name myAKSCluster --namespace ${POD_IDENTITY_NAMESPACE}  
# --name ${POD_IDENTITY_NAME} --identity-resource-id ${IDENTITY_RESOURCE_ID}
#
az aks pod-identity add `
--resource-group $Env:ResourceGroup `
--cluster-name $Env:AksClusterName `
--namespace $Env:AksTargetNamespace `
--name $Env:PodIdentityName `
--identity-resource-id $Env:ManagedIdentityResourceId

Check that MyPodIdentity was created

kubectl get azureidentity -n $Env:AksTargetNamespace

Check the corresponding AzureIdentity and AzureIdentityBinding

kubectl get AzureIdentity,AzureIdentityBinding -n $Env:AksTargetNamespace

Take note of the selector of the AzureIdentityBinding (it will be used in the pod manifest to assign the pod its managed identity)

kubectl describe azureidentitybinding.aadpodidentity.k8s.io/MyPodIdentity-binding -n $Env:AksTargetNamespace

In case you want to delete the pod identity

az aks pod-identity delete `
--resource-group $Env:ResourceGroup `
--cluster-name $Env:AksClusterName `
--name $Env:PodIdentityName `
--namespace $Env:AksTargetNamespace

AAD Pod Identity

Installing AAD Pod Identity (details: https://azure.github.io/aad-pod-identity/docs/getting-started/installation/)

kubectl apply `
-f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml

Create User Assigned Managed Identity

Managed identity information (will be used later)

Name: xxx
Client ID: xxx
Resource ID: /subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.ManagedIdentity/userAssignedIdentities/zzz

Allow the user-assigned managed identity to access the target resource (e.g. Key Vault) in the Azure portal

Azure CLI commands in PowerShell (allowing the managed identity to access the target resource, e.g. Key Vault; $KV_NAME is the name of your Key Vault)

$mid = az identity show --resource-group $Env:ResourceGroup --name $Env:ManagedIdentityName --query clientId -o tsv
az keyvault set-policy -n $KV_NAME --key-permissions get --spn $mid
az keyvault set-policy -n $KV_NAME --secret-permissions get --spn $mid
az keyvault set-policy -n $KV_NAME --certificate-permissions get --spn $mid
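Added example (not from the original post): a PowerShell function that grants the managed identity only the Key Vault permissions the workload actually needs (by default just secret get) and then reads back the access-policy entry Key Vault stored for it, so the granted permissions can be confirmed rather than assumed. It uses the environment variables from the prerequisites; the vault name parameter is an assumption, since the post does not name a vault. Note that --spn takes the client (application) ID, while the stored policy is keyed by the identity's principal (object) ID, which is why the read-back queries on principalId.

```powershell
# Added example: grant least-privilege Key Vault access to the user-assigned
# managed identity and verify the resulting access-policy entry.
function Grant-KeyVaultReadAccess {
    param(
        [Parameter(Mandatory)] [string] $VaultName,            # assumed: name of your Key Vault
        [string]   $ResourceGroup     = $Env:ResourceGroup,
        [string]   $IdentityName      = $Env:ManagedIdentityName,
        [string[]] $SecretPermissions = @("get")               # only what the app needs to read
    )

    # clientId is used for --spn, principalId is what the access policy records
    $identity = az identity show -g $ResourceGroup -n $IdentityName -o json | Out-String | ConvertFrom-Json
    if (-not $identity) { throw "managed identity '$IdentityName' not found in '$ResourceGroup'" }

    # grant only secret permissions; keys/certificates stay unset unless the app needs them
    az keyvault set-policy -n $VaultName --spn $identity.clientId `
        --secret-permissions $SecretPermissions -o none
    if ($LASTEXITCODE -ne 0) { throw "az keyvault set-policy failed for vault '$VaultName'" }

    # read back the policy entry for this identity's object id
    $policy = az keyvault show -n $VaultName `
        --query "properties.accessPolicies[?objectId=='$($identity.principalId)'] | [0]" -o json |
        Out-String | ConvertFrom-Json
    if (-not $policy) { throw "no access policy found for objectId $($identity.principalId)" }

    # summary of what the identity can now do in the vault
    [pscustomobject]@{
        Identity     = $IdentityName
        ObjectId     = $identity.principalId
        Keys         = $policy.permissions.keys
        Secrets      = $policy.permissions.secrets
        Certificates = $policy.permissions.certificates
    }
}

# usage (vault name is a placeholder):
# Grant-KeyVaultReadAccess -VaultName "MyKeyVault"
```

Pass -SecretPermissions @("get","list") if the application enumerates secrets; the returned object shows the Keys and Certificates entries empty, which is what the workload in this post requires when it only reads secrets.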

Create AzureIdentity: https://github.com/Azure/aad-pod-identity/blob/master/deploy/demo/aadpodidentity.yaml
AzureIdentity.yaml

apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: MyAzureIdentity
spec:
  type: 0
  resourceID: RESOURCE_ID
  clientID: CLIENT_ID

Create AzureIdentityBinding: https://github.com/Azure/aad-pod-identity/blob/master/deploy/demo/aadpodidentitybinding.yaml
AzureIdentityBinding.yaml

apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: MyAzureIdentityBinding
spec:
  azureIdentity: "MyAzureIdentity"
  selector: "my-pod-identity"

selector: "my-pod-identity" is important: it will be used in the pod manifest (label aadpodidbinding) to assign the pod its managed identity
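Added example (not part of the original post or of the aad-pod-identity project): a PowerShell function that fills RESOURCE_ID and CLIENT_ID in the two manifests above from the output of az identity show, so the values are never copied by hand, and pins both objects to the target namespace. It assumes the environment variables from the prerequisites; the selector defaults to the page's "my-pod-identity" and the binding is named after the identity.

```powershell
# Added example: generate the AzureIdentity and AzureIdentityBinding manifests
# for a user-assigned managed identity (type 0) from its Azure resource.
function New-AadPodIdentityManifest {
    param(
        [string] $ResourceGroup = $Env:ResourceGroup,
        [string] $IdentityName  = $Env:ManagedIdentityName,
        [string] $Namespace     = $Env:AksTargetNamespace,
        [string] $Selector      = "my-pod-identity"     # value pods must carry in label aadpodidbinding
    )

    # resource id and client id of the identity, read from Azure instead of pasted
    $id = az identity show -g $ResourceGroup -n $IdentityName -o json | Out-String | ConvertFrom-Json
    if (-not $id) { throw "managed identity '$IdentityName' not found in '$ResourceGroup'" }

    # two documents in one stream; type 0 = user-assigned managed identity
    @"
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: $IdentityName
  namespace: $Namespace
spec:
  type: 0
  resourceID: $($id.id)
  clientID: $($id.clientId)
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: ${IdentityName}-binding
  namespace: $Namespace
spec:
  azureIdentity: $IdentityName
  selector: $Selector
"@
}

# review the generated YAML first:
# New-AadPodIdentityManifest
# then apply it:
# New-AadPodIdentityManifest | kubectl apply -f -
```

Setting metadata.namespace in the manifest keeps the AzureIdentity, its binding and the pods that use it in the same namespace, which is the scope the kubectl checks below look at.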

Check AzureIdentity and AzureIdentityBinding

kubectl get AzureIdentity,AzureIdentityBinding -n $Env:AksTargetNamespace

Testing pod identity

demo.yaml

apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    aadpodidbinding: MyPodIdentity
spec:
  containers:
  - name: demo
    image: mcr.microsoft.com/oss/azure/aad-pod-identity/demo:v1.6.3
    args:
      - --subscriptionid=SUBSCRIPTION_ID
      - --clientid=IDENTITY_CLIENT_ID
      - --resourcegroup=IDENTITY_RESOURCE_GROUP
    env:
      - name: MY_POD_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: MY_POD_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: MY_POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
  nodeSelector:
    kubernetes.io/os: linux

Deploy: kubectl apply -f demo.yaml --namespace $Env:AksTargetNamespace

Check that the application is running successfully

kubectl logs demo --follow --namespace $Env:AksTargetNamespace

Verify that the logs show a token being acquired successfully and the GET operation succeeding

... ... ...

successfully acquired a token using the MSI, msiEndpoint(http://169.254.169.254/metadata/identity/oauth2/token)
successfully acquired a token, userAssignedID MSI, msiEndpoint(http://169.254.169.254/metadata/identity/oauth2/token) clientID(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
successfully made GET on instance metadata

... ... ...
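Added example (not part of the original post) covering two checks described above: that the pod's aadpodidbinding label matches the selector of the AzureIdentityBinding, and that the aad-pod-identity controller (MIC) has created an AzureAssignedIdentity for the pod with status Assigned, which is the state in which the NMI hands out the token seen in the log. The binding name "MyPodIdentity-binding" is the one produced by az aks pod-identity add above and the pod name "demo" comes from demo.yaml; the AzureAssignedIdentity field names used (spec.pod, spec.podNamespace, spec.azureIdentityRef.name, status.status) are those of the aad-pod-identity CRD.

```powershell
# Added example: confirm that a pod is bound to its identity and that the
# identity has actually been assigned to it by MIC, before reading the pod logs.
function Test-PodIdentity {
    param(
        [string] $PodName     = "demo",                     # pod from demo.yaml
        [string] $Namespace   = $Env:AksTargetNamespace,
        [string] $BindingName = "MyPodIdentity-binding"     # created by 'az aks pod-identity add'
    )

    # 1. the pod label must equal the binding selector, otherwise NMI has no identity to serve
    $selector = kubectl get azureidentitybinding $BindingName -n $Namespace -o jsonpath='{.spec.selector}'
    if ($LASTEXITCODE -ne 0 -or -not $selector) { throw "binding '$BindingName' not found in '$Namespace'" }

    $label = kubectl get pod $PodName -n $Namespace -o jsonpath='{.metadata.labels.aadpodidbinding}'
    if ($LASTEXITCODE -ne 0) { throw "pod '$PodName' not found in '$Namespace'" }

    if ($label -ne $selector) {
        Write-Warning "label aadpodidbinding='$label' does not match selector '$selector'; no token will be issued"
        return $false
    }

    # 2. MIC records every pod/identity pairing as an AzureAssignedIdentity; find ours
    $assigned = kubectl get azureassignedidentities -A -o json | Out-String | ConvertFrom-Json
    $mine = $assigned.items |
        Where-Object { $_.spec.pod -eq $PodName -and $_.spec.podNamespace -eq $Namespace } |
        Select-Object -First 1
    if (-not $mine) {
        Write-Warning "no AzureAssignedIdentity for pod '$PodName' yet (MIC may still be reconciling)"
        return $false
    }

    Write-Host "identity $($mine.spec.azureIdentityRef.name) -> pod $PodName, status: $($mine.status.status)"
    return ($mine.status.status -eq "Assigned")
}

# usage after deploying demo.yaml:
# Test-PodIdentity
```

If the function returns $false with a matching label but no AzureAssignedIdentity, wait a few seconds and re-run; MIC assigns identities asynchronously, and the demo pod's first token requests are retried until the assignment exists.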