Azure Kubernetes Service (AKS) with Azure Active Directory (AAD) Pod Identity

Since AKS could be integrated with more and more services on Azure, Pods having the identity to be authenticated by AAD becomes a must. AAD Pod Identity (AAD Pod ID) is designed for this purpose.

Before going through the step-by-step setup instructions, let’s take a look on how everything works behind the scene.

Image Source: Block Diagram and Design | Azure Active Directory Pod Identity for Kubernetes

In the image above, we see whenever a Pod is trying to access an Azure service and without label as “kubernetes.azure.com/managedby: aks”, MIC would be looking into Azure Identity Binding information and assign EMSI to the corresponding hosting Node. Then, Pod would be leveraging NMI to request AAD access token from the assigned EMSI endpoint.

Terminology

  • Managed Identity Controller (MIC): This is deployed as deployment. MIC does 2 things. It monitors what Azure identity is bound with the requesting Pod and assigns the corresponding EMSI to the hosting Node of that Pod. This is managed by Azure platform.
  • Node Managed Identity (NMI): Once MIC assigns EMSI to the target Node, NMI would request AAD access token on behalf of the requesting Pod. NMI is deployed in daemonsets, so every Node has its own NMI to perform the actions.
# get NMI daemonset
- kubectl get daemonsets -n kube-system
# describe the daemonsets
- kubectl describe daemonsets nmi -n kube-system
  • In AKS Pod Identity GitHub page, you would see behind the scene, the pod-identity-enabled AKS cluster would need to have Azure Identity and Azure Identity Binding for MIC to locate the correct identity object before NMI could request AAD access token on behalf of the Pod. However, these are now handled by Azure platform, so administrators would not have the management overhead.
  • Azure Identity Exception: This allows pods with certain labels to access the Azure Instance Metadata Service (IMDS) endpoint without being intercepted by the node-managed identity (NMI) server. aad-pod-identity retrieves access tokens on behalf of your workload by intercepting token requests to the Instance Metadata Service (IMDS) endpoint (169.254.169.254).
# get Azure Pod identity exception in kube-system namespace
- kubectl get azurepodidentityexception -n kube-system
# describe Azure Pod identity exception
- kubectl describe azurepodidentityexception aks-addon-exception -n kube-system

So, Pods with label as “kubernetes.azure.com/managedby: aks” would not have to go through NMI to retrieve AAD access token. TCP traces would not show the differences as this is handled within Linux operating system.

Now, let’s try to implement AAD Pod Identity in the actual AKS environment. Basically, if we follow every step correctly in the official documentation (preview), we could have a pretty neat setup in 5 minutes.

  • Register for aks preview
az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService
  • Install aks-preview on Az CLI
# Install the aks-preview extension
- az extension add --name aks-preview
# Update the extension to make sure you have the latest version installed
- az extension update --name aks-preview
  • Create AKS cluster with Kubenet or Azure CNI if there is no existing AKS cluster in the subscription
  • Depending on your environment, you would need to either create or update the AKS cluster with pod identity
# update AKS with Kubenet with pod identity
- az aks update -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity --enable-pod-identity-with-kubenet
# update AKS with Azure CNI with pod identity
- az aks update -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity --network-plugin azure
  • Follow this section of the documentation until the end of “Run a sample application”
  • Lastly, we could see if everything is set up correctly, the logs of the Pod would look similar to below.
kubectl logs demo --follow --namespace $POD_IDENTITY_NAMESPACE

If you have played around with Pod Identity in AKS cluster in the past, referring to this GitHub page, you would definitely know that there are many more features coming, such as having Pod Identity in certain namespaces, multi AAD Pod Identities in a single Pod etc. All the above is still a previewed feature, so not until it is general available would we fully know what other features would be brought on the platform. Please follow the steps above and see whether you could successfully set this up in your environment! Happy learning!

Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!