[Feature Request] AKS support of BYO user-assigned-identity for Managed Identity support #1591
Comments
jluk
moved this from Planned (Committed)
to In Progress (Development)
in Azure Kubernetes Service Roadmap (Public)
jluk
changed the title
|
Hello @jluk , thanks for a super quick response. In other words, release of BYO RT broke previously working functionality. |
|
@Tbohunek: current ETA is that we are planning to release public preview for BYO control plane MI this month. |
|
@Tbohunek the BYO RT functionality should have only impacted net-new scenarios in which you brought an existing subnet/rt to a cluster and AKS will now use the existing subnet. Can you clarify what is breaking? If you are deploying MSI clusters today I presume you are manually adding routes to the route table AKS creates on your behalf, which should continue to work. |
|
@jluk We have a subnet Right now this is seen as BYO RT scenario and AKS no longer creates |
|
What I see is that you need to update the AKS deployment chain of events so that the Managed Identity is created first and given permissions on the subnet and on the BYO RT before AKS begins to create routes in the BYO RT. That doesn't sound too hard, but I know there are also issues that AKS deployment did not create Role assignments for the SP nor did it assign the AKS-managed RT to the subnet afterwards, even though it should have. I need to verify that this actually works now. #400 |
|
Hey, Is this already known? Manually adding role assignment works for the moment. |
|
@jluk Cool, thanks. Do you also plan to include the required permission on BYO RT and Subnet, or are those two planned to be kept manual? |
* assign ntw contrib role to the cluster system-assigned id Why? in the current Managed Identity model, only system assigned identities are supported. Azure/AKS#1591 Azure/AKS#1557 * deploy Traefik version v2.2.1 as an internal load balancer - observe ingress resources in a0008 only - select user nodepool for ingress controller. This is under the premise that everything we bring to the cluster should land in user nodepools - deploy traefik service as an ingress load balancer: https://docs.microsoft.com/en-us/azure/aks/internal-lb#create-an-internal-load-balancer - configure Traekif and workload route with TLS v1.2 or higher with SNI enabled * use wildcard default self signed certificate: *.bicycle.contoso.com * create secret with tls cert ``` | AKS | hello.bicycle.contoso.com --| Internal Load Balancer |-> <returns 404 but has a matching certificate> | 10.10.4.X | bu0001a0008-00.bicycle.contoso.com --| Traefik Ingress Controller |-> aspnetweb-service:80 | Https | ``` - HA: * traefik match number of nodes as replicas (2) * inform the scheduler that all the workload replicas are desired to be co-located with traefik pods * prevent from co-locating replicas of workload on a single node * prevent from co-locating replicas of traefik on a single node ``` System User User Node Node 1 Node 2 +---------+ +----------+ +----------+ | ... | |traefik|1 | |traefik|2 | +---------+ +----------+ +----------+ +----------+ +----------+ |workload|1| |workload|2| +----------+ +----------+ ``` * Azure App Gw cert integration
|
@TomGeske Hey, I wonder if there's any update about the BYO control plane MI public preview so far? |
|
Yes, Preview will be available very soon. We are currently wrapping up final items like cli and docs. |
|
@TomGeske Thank you for the information! Also I wonder if there's any plan to allow user assigned MI for Kubelet? I saw it was still "Not currently supported" from the document |
|
@kenans: Yes, that's definitely in our pipeline. Plan is to validate first bring your own control plane MI, once we are good we will others like Kubelet for bring your own. |
jluk
moved this from In Progress (Development)
to Public Preview (Shipped & Improving)
in Azure Kubernetes Service Roadmap (Public)
|
We just shipped preview for bring your own control plane managed identity: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-control-plane-mi-preview. Give it a try and let us know how it goes. |
|
Hi @TomGeske Sadly we were unable to deploy the preview version due to different reasons. Do you have feedback from other customers? Does it look good with GA soon? Thanks |
|
@Tbohunek: technical reason? |
|
@TomGeske nope, operational reason - the team is entering production so there is limited time for experiments. I'll let you know next week. |
|
Adding an existing app gateway on on an existing cluster using az aks enable-addons cli command creates the Ingress controller managed identity and assigns it the contributor role on the App gateway resource group. This is the desired behavior. However using an ARM template to create a AKS cluster with an App gateway add on using an existing App gateway resource Id does not do the same role assignment. This impacts our effort in deploying AKS with app gateway using CI CD where our service principal cannot be given User access admin role. |
|
Bring your own support for add-on MIs like the one from AppGW are planned in future. |
|
We are trying to use BYO user-assigned identity for AKS in combination with kubenet as network plugin and custom UDR. Following article though mentions in a note that both service principal or managed identity can be used for custom UDR in combination with kubenet. We tested the deployment with a BYO user-managed identity, kubenet and custom UDR and get an error telling us managed identities in combination with custom udr is not supported. Will this become a supported scenario in the future (BYO user-assigned-identity icw kubenet and custom UDR)? |
|
@stijnv1: thanks for your feedback. That might be a validation that need to be removed. let me double check. |
|
Exact message we get when deploying with Azure CLI or ARM: |
|
Can you please a look ? Deployment failed. Correlation ID: 842ae2a8-adcd-46f4-be73-b6c64be44057. {
"status": "Failed",
"error": {
"code": "ResourceDeploymentFailure",
"message": "The resource operation completed with terminal provisioning state 'Failed'.",
"details": [
{
"code": "DeploymentFailed",
"message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
"details": [
{
"code": "BadRequest",
"message": "{\r\n \"code\": \"CustomRouteTableWithMSINotSupported\",\r\n \"message\": \"Clusters using managed identity do not support bringing your own route table. Please see https://aka.ms/aks/customrt for more information\"\r\n}"
}
]
}
]
}
} |
|
Thanks for your feedback. That's still not ready. We are working on enabling bring your own route table for managed identity. Current ETA is October. |
sakthi-vetrivel
added this to In Progress (Development)
in Azure Kubernetes Service Roadmap (Azure Government)
|
Since we now have October - can you outline when MSI+ Kubenet + Outboundtype will be working? |
|
Before the end of October. I can provide a better date next week. |
|
Hi guys, I need a little assistance with creating an ARM template that uses the user assigned identity. Here are relevant portions of the template, the user assigned identity is being created in the same resource group as the AKS cluster: I have also tried with the ID of the identity instead of using a variable, though the end goal will be to have all these parameterised. Here is the error I am getting: |
|
Fixed this, for those getting the same issue the correct syntax is: |
|
This feature appears to be in preview now; is there any timetable for GA? |
palma21
moved this from Public Preview (Shipped & Improving)
to Generally Available (Done)
in Azure Kubernetes Service Roadmap (Public)
|
It is now GA |
|
Thanks @palma21 for sharing 🚀 |
|
@TomGeske and @miwithro, I've been trying to do similar configuration to #1591 (comment), and I'm still seeing the same error. Is this still in progress? resource "azurerm_kubernetes_cluster" "aks" {
name = "myaks"
location = azurerm_resource_group.kube.location
kubernetes_version = var.kube_version
resource_group_name = azurerm_resource_group.kube.name
dns_prefix = "myaks"
private_cluster_enabled = true
default_node_pool {
name = "default"
node_count = var.nodepool_nodes_count
vm_size = var.nodepool_vm_size
vnet_subnet_id = module.knet.subnet_ids["aks"]
}
identity {
type = "SystemAssigned"
}
network_profile {
docker_bridge_cidr = var.network_docker_bridge_cidr
dns_service_ip = var.network_dns_service_ip
network_plugin = "kubenet"
outbound_type = "userDefinedRouting"
service_cidr = var.network_service_cidr
}
depends_on = [module.routetable]
} |
|
You would need bring your own identity in that case. @miwithro couldn't find an example in Terraform how to define bring your own identity for control plane. Can you help? |
palma21
moved this from Generally Available (Done)
to Archive (GA older than 1 month)
in Azure Kubernetes Service Roadmap (Public)
ghost
locked as resolved and limited conversation to collaborators
What happened:
In the current Managed Identity model, only AKS created identities are supported.
This blocks enterprise scenarios where a dedicated networking team provides network permissions, but can't assign permissions to an identity that can be passed an app team prior to creating the cluster. This requirement expands to any needed permissions which should be granted to a cluster identity prior to cluster creation.
The goal of this issue is to enable a user to bring their own user assigned identity which must have all necessary permissions to be used in the cluster, similar to bringing your own SP today.
Addresses:
#1557
#1542
The text was updated successfully, but these errors were encountered: