add Pod Identity support #131
Comments
…visioned_collocated_pod test: add e2e test "dynamically_provisioned_collocated_pod_test"
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@fejta-bot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @andyzhangx, do you think the support for pod identity will be feasible? I have this kind of architecture: 1 "client" per namespace, 1 file share per namespace, 1 key vault per namespace. For now I'm using the secret store CSI driver to glue everything (shortened version):
With pod identity support, it would look like (shortened version 2):
@rompom The azure file driver can use a k8s secret to access the file share, so it is not necessary to depend on pod identity. Here is an example: https://github.com/kubernetes-sigs/azurefile-csi-driver/blob/master/deploy/example/storageclass-azurefile-secret.yaml
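The per-namespace layout rompom describes (one file share and one storage account per namespace) can be expressed with the k8s-secret route referenced above. The manifest below is an added example and is not from the azurefile-csi-driver repository: it keeps the storage account secret inside the tenant namespace and lets the StorageClass resolve the secret from the PVC's own namespace. It assumes the CSI external-provisioner sidecar deployed with the driver supports the `${pvc.namespace}` template in the secret-namespace parameters, and the namespace `team-a`, the secret name `azure-storage-account` and the account name are placeholders.

```yaml
# Added example, not project code. Placeholders: namespace "team-a",
# secret "azure-storage-account", account name "teamastorage".
# One Secret per tenant namespace holding that namespace's own storage account.
apiVersion: v1
kind: Secret
metadata:
  name: azure-storage-account
  namespace: team-a
type: Opaque
stringData:
  # Key names expected by the azure file driver.
  azurestorageaccountname: teamastorage
  # Placeholder; never commit a real account key to source control.
  azurestorageaccountkey: "<storage-account-key>"
---
# One cluster-wide StorageClass; the secret is looked up in the namespace
# of the PersistentVolumeClaim that uses it (assumes ${pvc.namespace} template
# support in the deployed external-provisioner sidecar).
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: azurefile-namespace-scoped
provisioner: file.csi.azure.com
parameters:
  skuName: Standard_LRS
  csi.storage.k8s.io/provisioner-secret-name: azure-storage-account
  csi.storage.k8s.io/provisioner-secret-namespace: ${pvc.namespace}
  csi.storage.k8s.io/node-stage-secret-name: azure-storage-account
  csi.storage.k8s.io/node-stage-secret-namespace: ${pvc.namespace}
reclaimPolicy: Delete
volumeBindingMode: Immediate
---
# A claim in team-a resolves to team-a/azure-storage-account; a claim in
# another namespace cannot reach this secret through the StorageClass.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: shared-data
  namespace: team-a
spec:
  accessModes:
    - ReadWriteMany
  storageClassName: azurefile-namespace-scoped
  resources:
    requests:
      storage: 10Gi
```

Two caveats a practitioner should keep in mind. First, the blast radius of the secret is bounded by namespace RBAC on Secrets, not by Azure RBAC: any principal with `get` on secrets in `team-a` (and the driver's own service account, which needs that permission cluster-wide) can read a full-access account key, so enabling etcd encryption at rest and auditing secret reads is still worth doing. Second, as noted later in this thread, the node still performs the mount with the account name and key in hand; the secret only changes where the key is stored, not whether the key is used.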
@andyzhangx sure, but my idea was more or less to not have to use k8s secrets at all if possible, and pod identity was a pretty good candidate for this :)
The agent node still needs the account name & key to mount the azure file share. I think the question here is whether it's necessary to store the account key as a secret; the answer is no. As you could see, there are pros and cons for this feature(
Is your feature request related to a problem? Please describe.
Describe the solution you'd like in detail
Add support for Pod Identity to enable a finer-grained scope of identity as an alternative to using the cluster's identity. We do see cases where Azure resources are closely associated with the cluster. But we also see customers partitioning AKS clusters using namespaces, and in those cases it's more likely that RBAC grants to resources like storage/key vault would be to Managed Identities that were scoped to a Kubernetes namespace.
Describe alternatives you've considered
Additional context