Azure Kubernetes Service (AKS) with Azure Active Directory (AAD) Pod Identity

Image Source: Block Diagram and Design | Azure Active Directory Pod Identity for Kubernetes

Terminology

  • Managed Identity Controller (MIC): This is deployed as a Deployment. MIC does two things: it watches which Azure identity is bound to the requesting Pod, and it assigns the corresponding EMSI to the Node hosting that Pod. In the AKS add-on, MIC is managed by the Azure platform.
  • Node Managed Identity (NMI): Once MIC has assigned the EMSI to the target Node, NMI requests the AAD access token on behalf of the requesting Pod. NMI is deployed as a DaemonSet, so every Node has its own NMI instance to perform these actions.
# get NMI daemonset
kubectl get daemonsets -n kube-system
# describe the NMI daemonset
kubectl describe daemonsets nmi -n kube-system
  • On the AKS Pod Identity GitHub page you can see that, behind the scenes, a pod-identity-enabled AKS cluster needs an AzureIdentity and an AzureIdentityBinding so that MIC can locate the correct identity object before NMI can request the AAD access token on behalf of the Pod. With the AKS add-on, however, these objects are handled by the Azure platform, so administrators do not carry that management overhead.
  • Azure Identity Exception (AzurePodIdentityException): aad-pod-identity retrieves access tokens on behalf of your workload by intercepting token requests to the Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254). An exception allows Pods with certain labels to reach the IMDS endpoint directly, without being intercepted by the NMI server.
# get Azure Pod identity exceptions in the kube-system namespace
kubectl get azurepodidentityexception -n kube-system
# describe the Azure Pod identity exception used by the AKS add-on
kubectl describe azurepodidentityexception aks-addon-exception -n kube-system
Setup

  • Register for the AKS pod identity preview feature
az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService
  • Install the aks-preview extension on the Azure CLI
# Install the aks-preview extension
az extension add --name aks-preview
# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview
  • Create an AKS cluster with Kubenet or Azure CNI if there is no existing AKS cluster in the subscription
  • Depending on your environment, you would need to either create or update the AKS cluster with pod identity enabled
# update an AKS cluster using Kubenet with pod identity
az aks update -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity --enable-pod-identity-with-kubenet
# update an AKS cluster using Azure CNI with pod identity
az aks update -g $MY_RESOURCE_GROUP -n $MY_CLUSTER --enable-pod-identity --network-plugin azure
  • Follow this section of the documentation until the end of “Run a sample application”
  • Lastly, to confirm everything is set up correctly, check the logs of the sample Pod.
kubectl logs demo --follow --namespace $POD_IDENTITY_NAMESPACE
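As a further check that is not part of these notes: a small Python script a workload can run to build the token request that the node's NMI intercepts on its way to the IMDS endpoint, and to confirm that the token it receives belongs to the AzureIdentity the Pod is supposed to be bound to, rather than some other identity. The endpoint path, the `Metadata: true` header and the response fields follow the IMDS token API; the sample response below is constructed, and comparing the `appid` claim against the expected client ID is an assumption of this example.

```python
"""Check which managed identity a Pod really got via the NMI-intercepted IMDS token endpoint (added example)."""
import base64
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"


def build_token_request(resource: str, client_id: str = "") -> urllib.request.Request:
    """Build the IMDS token request; on a pod-identity node the NMI answers it."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:  # optionally ask for a specific user-assigned identity
        params["client_id"] = client_id
    # IMDS (and NMI, which stands in for it) rejects requests without this header.
    return urllib.request.Request(IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params),
                                  headers={"Metadata": "true"})


def fetch_token_response(resource: str) -> dict:
    """Run inside the Pod: returns the JSON body (access_token, client_id, ...)."""
    with urllib.request.urlopen(build_token_request(resource), timeout=5) as resp:
        return json.load(resp)


def decode_jwt_claims(token: str) -> dict:
    """Read the JWT payload for inspection only; the signature is not verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def identity_matches(token_response: dict, expected_client_id: str) -> bool:
    """True when the token belongs to the AzureIdentity the Pod should be bound to."""
    claims = decode_jwt_claims(token_response["access_token"])
    # A mismatch means the binding resolved to some other identity (e.g. the node's),
    # which is the least-privilege failure this check exists to catch.
    return (token_response.get("client_id") == expected_client_id
            and claims.get("appid") == expected_client_id)  # 'appid' claim assumed


def _fake_jwt(claims: dict) -> str:
    """Constructed, unsigned token so the check can run offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed IMDS-style response with placeholder IDs (not a real token).
EXPECTED_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
SAMPLE_RESPONSE = {
    "access_token": _fake_jwt({"appid": EXPECTED_CLIENT_ID, "aud": "https://management.azure.com/"}),
    "client_id": EXPECTED_CLIENT_ID,
    "resource": "https://management.azure.com/",
}
```

Inside the Pod, replace SAMPLE_RESPONSE with fetch_token_response("https://management.azure.com/") and compare against the client ID of the identity you bound with the add-on.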

Jonathan

Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!