Migrate from AAD pod identity to Azure Workload Identity

[CecileRobertMichon]

/kind feature

Azure AD Workload Identity is the next iteration of Azure AD Pod Identity that enables Kubernetes applications to access Azure cloud resources securely with Azure Active Directory based on annotated service accounts.

Since Azure AD Pod Identity is getting deprecated, we should migrate all CAPZ usage to Azure Workload Identity.

[sonasingh46]

I can work on this one.
/assign sonasingh46

[CecileRobertMichon]

@sonasingh46 let me know if you need any help with this one. Excited to see it moving forward.

/cc @chewong @aramase

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[CecileRobertMichon]

/remove-lifecycle stale

[CecileRobertMichon]

@sonasingh46 is this something you're still working on?

Now that workload identity supports managed identity and identity federation, this would allow us to use managed identities even for management clusters not in Azure (eg. kind clusters!) Azure/azure-workload-identity#325

[sonasingh46]

I had given some first pass time on this issue and then paused for some time on this.
By the way, the info you shared sounds great and I can start on this again asap.
I think the first step would be to start with a design document for this and I would love to do this.

[CecileRobertMichon]

@sonasingh46 I'm going to mark this for the current release milestone given that you're working on it, if it's too tight we can move it to the next one (the next release date is ~1 month away)

/milestone v1.6

[jackfrancis]

Moving this to the next milestone, but worth mentioning that we definitely want to prioritize this for 1.7 (let's not push it out indefinitely)

[surajssd]

@CecileRobertMichon

Now that workload identity supports managed identity and identity federation, this would allow us to use managed identities even for management clusters not in Azure (eg. kind clusters!) Azure/azure-workload-identity#325

Is there a documentation to do provide identities for any pod a generic k8s cluster (read non-AKS) ? I found that most of the docs for this refer to doing stuff on AKS, while I want to solve this for any k8s cluster on Azure. I am trying to solve this very problem for another project confidential-containers/cloud-api-adaptor#974

[CecileRobertMichon]

@surajssd yes here: https://azure.github.io/azure-workload-identity/docs/topics/self-managed-clusters.html

[surajssd]

@surajssd yes here: https://azure.github.io/azure-workload-identity/docs/topics/self-managed-clusters.html

Thanks 😇

[sonasingh46]

Just linking the doc PR here for the record.
#3770