This repository has been archived by the owner on Oct 12, 2023. It is now read-only.

prescribe aad-pod-identity installation in kube-system #488

Merged
merged 4 commits into from
Apr 13, 2020

Contributor

@ferantivero ferantivero commented Jan 22, 2020

solves: #467

Reason for Change:

Prescribe aad-pod-identity installation in kube-system, otherwise it might fail trying to contact the AKS API server

Issue Fixed:

fixes #467

Notes for Reviewers:

Member

@aramase aramase left a comment


@ferantivero Thank you for the PR. If we change the default deployment to kube-system namespace it would break current users who rely on the deployment manifests for upgrades. Instead would it be possible to add a note recommending installing in kube-system namespace using the helm chart for AKS?

@ferantivero
Contributor Author

I could test this some time next week using helm3.

@aramase
Member

aramase commented Mar 11, 2020

Thank you @ferantivero!

@aramase
Member

aramase commented Mar 12, 2020

@ferantivero Can you please update the PR to add a note instead of changing the deployment to kube-system? We can then merge this and close out the issue.

@ferantivero
Contributor Author

@aramase sure I can do that. But I'd rather make the helm chart installation in kube-system the default one.

In my opinion we can get the better of both worlds: production-ready installation by default and backwards compat.

I'm initially just adding a note as requested, unless you consider otherwise.

@aramase
Member

aramase commented Mar 18, 2020

@ferantivero That makes sense! So I think we can update this PR to add a note in the deployment section recommending deployment in kube-system namespace for AKS clusters.

Then in a follow up PR, we can add the helm section in here as well https://github.com/Azure/aad-pod-identity#1-create-the-deployment. WDYT?

@aramase
Member

aramase commented Mar 31, 2020

@ferantivero Can you please update the PR when you get the chance? I want to add the recommendation to the docs before more users run into the issue. I can do it too if you aren't able to pick this up? Let me know.

@ferantivero
Contributor Author

@aramase done: recommendation has been added to the docs.

Please let me know in case you want to change the wording, typos, etc.

README.md Outdated
@@ -41,6 +41,8 @@ Or run this command to deploy to a non-RBAC cluster:
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment.yaml
```

> Important: if you are behind a firewall (e.g. Azure Firewall) and the Kubernetes Api Server is outside of your [AKS] cluster subnet, it is recommended to install AAD Pod Identity in the `kuebe-system` namespace by using the [helm charts]. Otherwise, please ensure the Kuberentes Api Server is explicity allowed adding a layer 4 rule to your Firewall.
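
Review bot: The namespace in the added note is misspelled as `kuebe-system`; it should read `kube-system`, since a reader who copies the value would install into a namespace other than the one being recommended. The same line also has "Kuberentes" for "Kubernetes", "Api" for "API" and "explicity" for "explicitly". The reference-style links [AKS] and [helm charts] need matching link definitions, which are not visible in this hunk, so please confirm they exist elsewhere in README.md. The last sentence would also read more clearly if it said what the layer 4 rule has to allow, for example "ensure traffic to the Kubernetes API server is explicitly allowed by a layer 4 rule on your firewall".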
Member


Important: For AKS clusters with limited egress-traffic, please install pod-identity in kube-system namespace using the helm charts.

@ferantivero wdyt?

Contributor Author


done

Member

@aramase aramase left a comment


lgtm

@aramase aramase merged commit 0c27b97 into Azure:master Apr 13, 2020
@ferantivero ferantivero deleted the feature/467_move-aad-pod-identity-to-kube-system branch April 13, 2020 17:56
statbit pushed a commit to adobe-platform/aad-pod-identity that referenced this pull request Sep 30, 2021
* add recommendation to install in kube-system with helm

* fix link

* fix typos

* address PR feedback: simplify wording

Successfully merging this pull request may close these issues.

[Azure Firewall + add-pod-identity] watching problem