[Feature] Azure AD Workload Identity Managed AKS Addon #1480
Comments
Currently, we use AAD Pod Identity and would love to use this feature.
Please make sure that this is all part of the portal UI as well. As an example, the integration with Azure Container Registries exists, but you have to use the AZ CLI instead of just clicking on a drop-down and adding it.
Definitely agree about that!
We hear you, portal integration is constantly improving and another wave is in the works.
With the GA of Managed Identity for AKS clusters, it has become even more painful (read: role assignments) to install AAD Pod Identity. Would be great to have this feature released soon.
@JohnGalt1717 and others - thanks for the feedback :) Just wanted to quickly chime in and let you know that we're actively working on integration between AKS and ACR in the portal. We're focusing on setting up that connection when deploying a new AKS cluster to start with - is that what you had in mind, or were you thinking more about connecting an ACR to an existing AKS cluster?
@jenetlan I'd like to see both. Thinking like an Add-ons page after creation that lists all of the add-ons like ACR (add one or more), AAD Pod Identity, Azure Application Gateway, Public IP, Let's Encrypt with integration with Azure DNS, Nginx Ingress, Key Vault, etc. linked to Public IP, all in the Add-ons menu as a start of add-ons that can be configured both with a single line with az aks and in the portal on its own add-ons tab that would allow you to add and pick from a list of available ones, fill out whatever you need to fill out, and you're good to go. This stuff is incredibly accident-prone currently, with a long list of steps that could be cut down if these were easy to install from the CLI and portal and they just set up everything for you automatically. Better, let 3rd parties also create add-ons that let them offer other stuff too that directly works with Azure in k8s.
Fully agreed, things like KEDA (keda.sh) would be nice as an add-on as well! However, the biggest pain for me is still AAD Pod Identity.
This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.
@jluk do you have any news about this issue?
@jluk Anything on this?
@heoelri yes, that is correct. Pod-side label and annotation exactly as the doc suggests.
@miwithro what about pods that only use a SecretProviderClass? The CSI documentation has labels and annotations only on the Service Account; is that still valid?
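For readers following the pod-side versus service-account-side discussion above, here is an added example (not from the issue thread or the AKS project) of the objects that wire a pod to Azure AD Workload Identity: a ServiceAccount carrying the `azure.workload.identity/client-id` annotation, a pod carrying the `azure.workload.identity/use: "true"` label, and a SecretProviderClass for the Secrets Store CSI driver that passes the same client ID rather than relying on pod identity. The namespace, names, image and the angle-bracket placeholders are assumptions; the federated credential on the managed identity is created out of band with subject `system:serviceaccount:<namespace>:<serviceaccount>` and audience `api://AzureADTokenExchange`, which is where the per-identity federated-credential limit mentioned later in the thread bites.

```yaml
# Added example, not part of the original issue thread or the AKS project.
# Values in <angle brackets> are placeholders (assumptions), fill them in.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app-sa
  namespace: app
  annotations:
    # Client ID of the user-assigned managed identity (or app registration)
    # that holds a federated credential for system:serviceaccount:app:app-sa.
    azure.workload.identity/client-id: "<MANAGED_IDENTITY_CLIENT_ID>"
---
# Key Vault access through the Secrets Store CSI driver with workload identity:
# the client ID lives in the SecretProviderClass, not in an AzureIdentityBinding.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: kv-workload-identity
  namespace: app
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    clientID: "<MANAGED_IDENTITY_CLIENT_ID>"
    keyvaultName: "<KEY_VAULT_NAME>"
    tenantId: "<TENANT_ID>"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
  labels:
    # The AKS mutating webhook matches on this pod label; without it, no
    # projected service-account token and no AZURE_* environment variables
    # are injected, regardless of the annotation on the service account.
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: app-sa
  containers:
    - name: app
      image: "<YOUR_IMAGE>"
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: kv-workload-identity
```

A quick check after applying this is to `kubectl describe pod app -n app` and confirm the `azure-identity-token` projected volume and the `AZURE_CLIENT_ID`, `AZURE_TENANT_ID` and `AZURE_FEDERATED_TOKEN_FILE` environment variables were injected; if they are missing, the label (not the annotation) is the first thing to verify.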
@miwithro Are there any limitations at subscription or a higher scope? For instance, a limit on the number of Managed Identities or federated credentials (apart from the 20 per MI) you can create per subscription.
@miwithro For our use case, the federated credentials / MI limit is a huge issue. In our clusters, we have 20-30 namespaces at least, with 3-5 service accounts per namespace. We have to use a single MI for the AKS cluster as the MI is provided by our customers, and we can't ask them to pre-create tons of MIs before cluster creation. We also can't create the MIs dynamically due to security concerns. Is there a plan to increase this limit? We need at least 100 federated credentials per MI. With the current limitations we have to continue using the old AAD Pod Identity solution, which is deprecated now.
Is GA still on track for March?
@tom-scott yes.
Fantastic - thanks! 👍
That sounds amazing! Looking forward to working with this!
The workload identity GA announcement was published yesterday, but the announcement is no longer published on the Azure updates page. What happened?
Hello, I posted this on Twitter yesterday and @miwithro asked me to pull the tweet as it is now postponed till 14th April.
Any update on GA? It was announced GA, but then the announcement was deleted. It was supposed to be GA in March, but it's now April 😥
Hopefully in around 3 days if all goes to plan.
Any success? @PixelRobots
I have just heard that it is now live and GA.
Where was it announced?
Thanks for sharing the link! My only concern is this:
Does it mean that pods will not be mutated to inject a sidecar anymore? If so, it'll break a lot of setups, e.g. for external-dns, which is not even close to getting support for Workload Identity; the PR has stayed unreviewed since October. Migration from ADAL to the Azure SDK is not moving anywhere either.
Had a call with the AKS PM today. And the great news is that sidecar proxy injection is going to stay for now, so third-party projects still have some time left to embrace native support for Workload Identity.
We are using the OSS version of aad-pod-identity (NMI-only mode). Would enabling a cluster for federated identity break existing pod identity? Our intention is to enable this feature so that we can deploy a few workloads that use "workload identity" without bringing down existing deployments that use
@asubmani Yes, it will work fine. We were part of the private preview and that's exactly how we slowly migrated over. Nothing should change, as they are two very different workflows that can coexist.
It would be good to have built-in support for AAD Pod Identity which we can opt out of during creation of the AKS cluster.
By doing that, we could: