Workload identity #369

Open
joachimnielandt opened this issue Feb 14, 2023 · 4 comments

Comments

@joachimnielandt

joachimnielandt commented Feb 14, 2023

Hello all,

I am using a modified version of this repository as the basis of my cluster. I noticed recent upgrades mention having to switch over from 'pod managed identity' to 'workload identity', which impacts, e.g., Traefik's aadpodidbinding. Are there plans to modify this repository to reflect this advised change, or can you advise on how to migrate correctly?

I understood that there are some required labels and annotations, but I also see mention of sidecars and migration paths to eliminate the 'pod managed identity' capability altogether, so I figured I'd better ask to have the full picture before doing anything untoward.

Best regards and thanks in advance

related docs:

@ckittel
Member

ckittel commented Feb 15, 2023

This repo is already using workload identity. There might be a lingering aadpodidbinding annotation still in the manifest. If that's the case, let me know and we can remove that annotation/metadata that is no longer needed.

@joachimnielandt
Author

Good to hear, seeing that annotation and linking it to the notice confused me.

The annotations can be found here:

So, for my understanding: the notice mentions having to include azure.workload.identity/use on serviceaccounts and pods (as a temporary measure to switch from pod identity?). This would not be necessary as it's already set up properly to begin with?

@ckittel
Member

ckittel commented Feb 15, 2023

You don't need to add that additional annotation (azure.workload.identity/use) -- that's for code-level usage of workload identity. Traefik doesn't do that, it just uses pre-mounted secrets. The AKS Key Vault Provider is the one that is using workload identity for this. So it's already all set up to go.

Thanks. I'll leave this github issue open as a signal to delete those two legacy pod identity annotations -- sorry for the confusion!
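The thread above boils down to two checks a practitioner would want to run against a cluster after a pod-identity to workload-identity migration: are there pods still carrying the legacy `aadpodidbinding` metadata, and does every pod that opts into workload identity (label `azure.workload.identity/use: "true"`) actually map to a ServiceAccount that carries the `azure.workload.identity/client-id` annotation the mutating webhook reads. The script below is an added example written for this discussion; it is not code from the AKS baseline repository or from the issue participants. It works on the JSON shape `kubectl get pods,serviceaccounts -A -o json` produces, and the sample dump embedded in it is constructed for illustration (namespace `demo`, pod and ServiceAccount names are invented). It treats `aadpodidbinding` as either a label or an annotation, since the thread calls it an annotation while AAD Pod Identity itself used it as a pod label.

```python
"""Audit a kubectl JSON dump for leftover AAD Pod Identity metadata and
incomplete Azure Workload Identity wiring.

Added example for this GitHub thread, not code from the AKS baseline
repository. The sample dump below is constructed; run the script against
real output of:  kubectl get pods,serviceaccounts -A -o json
"""
import json
import sys

LEGACY_KEY = "aadpodidbinding"                      # AAD Pod Identity (legacy) binding key
WI_USE_LABEL = "azure.workload.identity/use"        # pod opts into workload identity
WI_CLIENT_ID = "azure.workload.identity/client-id"  # ServiceAccount (or pod override) annotation


def _meta(obj, field):
    """labels/annotations may be absent or null in kubectl output."""
    return (obj.get("metadata") or {}).get(field) or {}


def audit(items):
    """Return (severity, namespace/pod, message) tuples, in pod order."""
    service_accounts = {}
    for obj in items:
        if obj.get("kind") == "ServiceAccount":
            md = obj["metadata"]
            service_accounts[(md.get("namespace", "default"), md["name"])] = obj

    findings = []
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        md = obj["metadata"]
        ns, name = md.get("namespace", "default"), md["name"]
        ref = f"{ns}/{name}"
        labels, annotations = _meta(obj, "labels"), _meta(obj, "annotations")

        # 1. Leftover pod-identity metadata: inert once the NMI is gone, but
        #    it misleads reviewers into thinking pod identity is still in use.
        if LEGACY_KEY in labels or LEGACY_KEY in annotations:
            findings.append(("warn", ref, f"legacy {LEGACY_KEY} metadata still present; remove it"))

        # 2. A pod that opts into workload identity needs a client ID, either
        #    as a pod-level annotation override or on its ServiceAccount.
        if labels.get(WI_USE_LABEL) == "true" and WI_CLIENT_ID not in annotations:
            sa_name = (obj.get("spec") or {}).get("serviceAccountName", "default")
            sa = service_accounts.get((ns, sa_name))
            if sa is None:
                findings.append(("error", ref, f"serviceAccountName {sa_name!r} not found in dump"))
            elif WI_CLIENT_ID not in _meta(sa, "annotations"):
                findings.append(("error", ref,
                                 f"ServiceAccount {sa_name!r} lacks {WI_CLIENT_ID}; "
                                 "the webhook has no client ID to inject"))
    return findings


# Constructed sample in the shape of `kubectl get ... -o json` (a List of items).
SAMPLE_DUMP = json.loads("""
{"kind": "List", "items": [
  {"kind": "ServiceAccount", "metadata": {"namespace": "demo", "name": "wi-sa",
     "annotations": {"azure.workload.identity/client-id": "00000000-0000-0000-0000-000000000000"}}},
  {"kind": "ServiceAccount", "metadata": {"namespace": "demo", "name": "bare-sa"}},
  {"kind": "Pod", "metadata": {"namespace": "demo", "name": "migrated-but-dirty",
     "labels": {"azure.workload.identity/use": "true", "aadpodidbinding": "old-binding"}},
   "spec": {"serviceAccountName": "wi-sa"}},
  {"kind": "Pod", "metadata": {"namespace": "demo", "name": "half-migrated",
     "labels": {"azure.workload.identity/use": "true"}},
   "spec": {"serviceAccountName": "bare-sa"}},
  {"kind": "Pod", "metadata": {"namespace": "demo", "name": "clean",
     "labels": {"azure.workload.identity/use": "true"}},
   "spec": {"serviceAccountName": "wi-sa"}},
  {"kind": "Pod", "metadata": {"namespace": "demo", "name": "no-identity", "labels": null},
   "spec": {"serviceAccountName": "default"}}
]}
""")


def main(argv):
    """Audit a dump file given on the command line, else the built-in sample."""
    dump = json.load(open(argv[1])) if len(argv) > 1 else SAMPLE_DUMP
    findings = audit(dump["items"])
    for severity, ref, message in findings:
        print(f"{severity.upper():5} {ref}: {message}")
    return 1 if any(sev == "error" for sev, _, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against the sample, `migrated-but-dirty` produces the warning this issue was opened about (a harmless but confusing leftover), and `half-migrated` produces the error case that actually breaks token exchange: the pod asks for workload identity but nothing tells the webhook which client ID to inject. The exit code makes the script usable as a pre-merge check on rendered manifests.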

@joachimnielandt
Author

Great, once again thanks for the explanation!
