-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Azure: Remove a need to provide secret while deploying CAA #974
Comments
We can support multiple approaches but we have to choose one (or more) to ensure things work on CI and for users. |
This is a great idea. We can support both the options - viz assigning identity to CAA (and peerpod-ctrl - since this does cleanups for VMs if required) and passing client_secret. |
So there is a way to assign identity to self-managed clusters on Azure: https://azure.github.io/azure-workload-identity/docs/topics/self-managed-clusters.html I haven't tried it so not sure how this will be translated into our CAA deployments. |
Could you use https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection with your azure clusters? This would be a more cross-provider friendly mechanism? |
@jtumber-ibm I don't I understand what you mean here. Service account tokens allow you to talk to the k8s api server, so using the k8s RBAC one can define what's allowed. But here I am talking about how do we allow an application to talk to the Azure API without needing any secret? AKS has a mechanism called workload identity, which is similar to k8s service account token. On the Azure side you define what a particular "workload" on AKS can do with azure APIs and bam, you don't need secret. My concern was how do we get this working for other DIY k8s clusters on Azure?! |
Sorry if I wasn't clear. Does Azure not provide a Service Account token to IAM role token endpoint? |
Yes it does but I know this works with the AKS, but not sure how it will work with DIY clusters on Azure. There seems to be a way to do that with DIY clusters, but I haven't tried it myself. |
If a certain property is not defined then don't expose it as empty inside the CAA pod. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- Allow provisioner-user to provide the "managed identity name" to be used when creating the federated identity credential. Now one can expose a variable `MANAGED_IDENTITY_NAME` in the properties file to expose this value to the provisioner. - Create federated identity credential, which ties the existing managed identity to namespace and service account of the CAA pod. This way we don't have to pass the service principal credentials to the CAA pod in CI. - To be able to use this federated identity credential the cluster has to be created with OIDC issuer profile enabled and workload identity enabled. Fixes #974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- Make it optional to provide client secret. - Use a new API to do authentication. Fixes #974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- This commit adds a method that allows updating the list of the `patchesStrategicMerge` list with additional patch files. - Add a patch file that will add the workload identity to the cloud-api-adaptor-daemonset and the service account cloud-api-adaptor. - Add code to provisioner that will update the patch file with the client id of the managed identity. Fixes #974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Fixes #974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Regardless of what authentication provisioner uses (be it service principal based or az cli based), the CAA still needs client id, so make it mandatory to provide client id. Fixes #974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
If a certain property is not defined then don't expose it as empty inside the CAA pod. Fixes #974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Upgrade from v2 to v4, this is required to use the workload identity feature. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- Allow provisioner-user to provide the "managed identity name" to be used when creating the federated identity credential. Now one can expose a variable `MANAGED_IDENTITY_NAME` in the properties file to expose this value to the provisioner. - Create federated identity credential, which ties the existing managed identity to namespace and service account of the CAA pod. This way we don't have to pass the service principal credentials to the CAA pod in CI. - To be able to use this federated identity credential the cluster has to be created with OIDC issuer profile enabled and workload identity enabled. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- Make it optional to provide client secret. - Use a new API to do authentication. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- This commit adds a method that allows updating the list of the `patchesStrategicMerge` list with additional patch files. - Add a patch file that will add the workload identity to the cloud-api-adaptor-daemonset and the service account cloud-api-adaptor. - Add code to provisioner that will update the patch file with the client id of the managed identity. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Regardless of what authentication provisioner uses (be it service principal based or az cli based), the CAA still needs client id, so make it mandatory to provide client id. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
If a certain property is not defined then don't expose it as empty inside the CAA pod. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Upgrade from v2 to v4, this is required to use the workload identity feature. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- Allow provisioner-user to provide the "managed identity name" to be used when creating the federated identity credential. Now one can expose a variable `MANAGED_IDENTITY_NAME` in the properties file to expose this value to the provisioner. - Create federated identity credential, which ties the existing managed identity to namespace and service account of the CAA pod. This way we don't have to pass the service principal credentials to the CAA pod in CI. - To be able to use this federated identity credential the cluster has to be created with OIDC issuer profile enabled and workload identity enabled. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- Make it optional to provide client secret. - Use a new API to do authentication. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- This commit adds a method that allows updating the list of the `patchesStrategicMerge` list with additional patch files. - Add a patch file that will add the workload identity to the cloud-api-adaptor-daemonset and the service account cloud-api-adaptor. - Add code to provisioner that will update the patch file with the client id of the managed identity. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Regardless of what authentication provisioner uses (be it service principal based or az cli based), the CAA still needs client id, so make it mandatory to provide client id. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
If a certain property is not defined then don't expose it as empty inside the CAA pod. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Upgrade from v2 to v4, this is required to use the workload identity feature. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- Allow provisioner-user to provide the "managed identity name" to be used when creating the federated identity credential. Now one can expose a variable `MANAGED_IDENTITY_NAME` in the properties file to expose this value to the provisioner. - Create federated identity credential, which ties the existing managed identity to namespace and service account of the CAA pod. This way we don't have to pass the service principal credentials to the CAA pod in CI. - To be able to use this federated identity credential the cluster has to be created with OIDC issuer profile enabled and workload identity enabled. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- Make it optional to provide client secret. - Use a new API to do authentication. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
- This commit adds a method that allows updating the list of the `patchesStrategicMerge` list with additional patch files. - Add a patch file that will add the workload identity to the cloud-api-adaptor-daemonset and the service account cloud-api-adaptor. - Add code to provisioner that will update the patch file with the client id of the managed identity. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
Regardless of what authentication provisioner uses (be it service principal based or az cli based), the CAA still needs client id, so make it mandatory to provide client id. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
If a certain property is not defined then don't expose it as empty inside the CAA pod. Fixes confidential-containers#974 Signed-off-by: Suraj Deshmukh <suraj.deshmukh@microsoft.com>
In this new approach of not needing to have secrets, we will still create an identity like we do here but instead of passing the secret
AZURE_CAA_CLIENT_SECRET
to the daemonset, we will assign an identity to the worker nodes or to the CAA daemonset (workload) itself.Current Approach
In current approach we create a service principal and use the client_id, client_secret produced out of it and give it to the CAA daemonset.
Advantages
Disdvantages
Assign identity to the VM
Here we will create an identity and assign it to the worker nodes. So any request originating from the worker node will have permissions to create peer pod VM.
Advantages
Disadvantages
Assign identity to the workload
Here you can see how one can assign identity to the k8s workloads to be able to communicate with the Azure APIs.
Advantages
Disadvantages
The text was updated successfully, but these errors were encountered: