title | linkTitle | menu | ||||
---|---|---|---|---|---|---|
Documentation |
Documentation |
|
AAD Pod Identity enables Kubernetes applications to access cloud resources securely with Azure Active Directory using User-assigned managed identity and Service Principal.
Note: Configuring system-assigned managed identity with AAD Pod Identity to access cloud resources is not supported.
Using Kubernetes primitives, administrators configure identities and bindings to match pods. Then without any code modifications, your containerized applications can leverage any resource in the cloud that depends on AAD as an identity provider.
-
The API version of Pod Identity's CRDs (
AzureIdentity
,AzureIdentityBinding
,AzureAssignedIdentity
,AzurePodIdentityException
) have been upgraded fromapiextensions.k8s.io/v1beta1
toapiextensions.k8s.io/v1
. For Kubernetes clsuters with < 1.16,apiextensions.k8s.io/v1
CRDs would not work. You can either:- Continue using AAD Pod Identity v1.7.5 or
- Upgrade your cluster to 1.16+, then upgrade AAD Pod Identity.
If AAD Pod Identity was previously installed using Helm, subsequent
helm install
orhelm upgrade
would not upgrade the CRD API version fromapiextensions.k8s.io/v1beta1
toapiextensions.k8s.io/v1
(althoughkubectl get crd -oyaml
would displayapiextensions.k8s.io/v1
since the API server internally converts v1beta1 CRDs to v1, it lacks a structural schema, which is what AAD Pod Identity introduced in v1.8.0). If you wish to upgrade to the official v1 CRDs for AAD Pod Identity:kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts/aad-pod-identity/crds/crd.yaml
With managed mode enabled, you can remove the unused AzureAssignedIdentity CRD if you wish.
# MANAGED MODE ONLY! kubectl delete crd azureassignedidentities.aadpodidentity.k8s.io
-
With Azure/aad-pod-identity#842, aad-pod-identity no longer works on clusters with kubenet as the network plugin. For more details, please see Deploy AAD Pod Identity in a Cluster with Kubenet.
If you still wish to install aad-pod-identity on a kubenet-enabled cluster, set the helm chart value
nmi.allowNetworkPluginKubenet
totrue
in the helm command:helm (install|upgrade) ... --set nmi.allowNetworkPluginKubenet=true ...
-
The
forceNameSpaced
helm configuration variable is deprecated in helm release3.0.0
and will be removed in the future helm release. Instead useforceNamespaced
to configure pod identity to run in namespaced mode. -
(Only apply to app version ≥ v1.7.1 / chart version ≥ 3.0.0)
azureIdentities
invalues.yaml
is converted to a map instead of a list of identities.The following is an example of the required change in
values.yaml
from helm chart 2.x.x to 3.x.x:-azureIdentities: - - name: "azure-identity" - # if not defined, then the azure identity will be deployed in the same namespace as the chart - namespace: "" - # type 0: MSI, type 1: Service Principal - type: 0 - # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name - resourceID: "resource-id" - clientID: "client-id" - binding: - name: "azure-identity-binding" - # The selector will also need to be included in labels for app deployment - selector: "demo" +azureIdentities: + "azure-identity": + # if not defined, then the azure identity will be deployed in the same namespace as the chart + namespace: "" + # type 0: MSI, type 1: Service Principal + type: 0 + # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name + resourceID: "resource-id" + clientID: "client-id" + binding: + name: "azure-identity-binding" + # The selector will also need to be included in labels for app deployment + selector: "demo"
-
(Only apply to app version ≥ v1.7.5 / chart version ≥ 4.0.0) AAD Pod Identity has dropped Helm 2 starting from chart version 4.0.0/app version 1.7.5. To install or upgrade to the latest version of AAD Pod Identity, please use Helm 3 instead. Refer to this guide on how to migrate from Helm 2 to Helm 3.
With Azure/aad-pod-identity#398, the client-go library is upgraded to v0.17.2, where CRD fields are now case sensitive. If you are upgrading MIC and NMI from v1.x.x to v1.6.0, MIC v1.6.0+ will upgrade the fields of existing AzureIdentity
and AzureIdentityBinding
on startup to the new format to ensure backward compatibility. A configmap called aad-pod-identity-config
is created to record and confirm the successful type upgrade.
However, for future AzureIdentity
and AzureIdentityBinding
created using v1.6.0+, the following fields need to be changed:
< 1.6.0 | >= 1.6.0 |
---|---|
ClientID |
clientID |
ClientPassword |
clientPassword |
ResourceID |
resourceID |
TenantID |
tenantID |
< 1.6.0 | >= 1.6.0 |
---|---|
AzureIdentity |
azureIdentity |
Selector |
selector |
< 1.6.0 | >= 1.6.0 |
---|---|
PodLabels |
podLabels |
To get started, see the Getting Started page, or you can visit the GitHub repo.