Use managed identities for AKS pod authentication#
Security · Azure Kubernetes Service · Preview · 2021_12
Configure AKS clusters to use AAD pod identities to access Azure resources securely.
Description#
AAD pod identities allow an AKS cluster to assign a user-assigned managed identity to a pod in Kubernetes.
Administrators create identities and bindings as Kubernetes primitives (AzureIdentity and AzureIdentityBinding). A pod that carries the binding's selector label can then request tokens for that identity through the node's instance metadata endpoint and access Azure resources that rely on Azure AD as an identity provider, without any client secret or certificate being stored in the pod.
Recommendation#
Consider enabling AAD pod identities on AKS clusters.
AAD pod identities are only recommended on AKS clusters that use Azure CNI. The node-managed identity (NMI) component works by intercepting pods' requests to the instance metadata service; on kubenet clusters that interception can be bypassed by ARP spoofing from a compromised pod, which would let it obtain tokens for identities it is not bound to.
Examples#
Configure with Azure CLI#
Register the EnablePodIdentityPreview feature (wait until az feature show reports the state as Registered, then refresh the Microsoft.ContainerService provider registration before creating the cluster):
az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService
Install the aks-preview Azure CLI extension:
# Install the aks-preview extension
az extension add --name aks-preview
# Update the extension to make sure you have the latest version installed
az extension update --name aks-preview
Create AKS cluster with AAD Pod identity enabled:
az aks create -g '<resource_group>' -n '<cluster_name>' --enable-pod-identity --network-plugin azure
Update an existing AKS cluster with AAD pod identity enabled:
az aks update -g '<resource_group>' -n '<cluster_name>' --enable-pod-identity
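The CLI commands above only turn the feature on at the cluster level. The following is an added example (not from this page or the PSRule project) of the workflow that comes after that: confirm the cluster actually satisfies this rule, create a user-assigned identity with a least-privilege role assignment, register it with the cluster via az aks pod-identity add (which creates the AzureIdentity and AzureIdentityBinding objects), and prove that a pod carrying the aadpodidbinding label obtains a token through the IMDS endpoint without holding any credential. The resource group, cluster, identity and namespace names, the demo-pod name, the Key Vault resource ID and the choice of the Key Vault Secrets User role are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the PSRule page. Assumes an AKS cluster created with
# --enable-pod-identity and Azure CNI, a logged-in az CLI and kubectl context.
# All resource names below are assumptions for illustration.
set -eu

RG="${RG:-rg-aks-demo}"                    # assumed resource group
CLUSTER="${CLUSTER:-aks-demo}"             # assumed cluster name
IDENTITY="${IDENTITY:-id-demo-app}"        # assumed user-assigned identity name
POD_NS="${POD_NS:-demo}"                   # assumed namespace for the binding
POD_IDENTITY="${POD_IDENTITY:-demo-app}"   # binding name; doubles as the aadpodidbinding label value
KV_ID="${KV_ID:-}"                         # assumed: resource ID of the Key Vault the pod must read

# Pure decision function mirroring the rule: pod identity enabled AND Azure CNI.
# Kept free of Azure calls so the policy itself can be tested offline.
cluster_ok() {
  [ "$1" = "true" ] && [ "$2" = "azure" ]
}

# 1. Refuse to continue unless the live cluster passes cluster_ok.
check_cluster() {
  enabled=$(az aks show -g "$RG" -n "$CLUSTER" --query 'podIdentityProfile.enabled' -o tsv)
  plugin=$(az aks show -g "$RG" -n "$CLUSTER" --query 'networkProfile.networkPlugin' -o tsv)
  cluster_ok "$enabled" "$plugin"
}

# 2. Create the identity and grant it access to the one resource it needs.
#    The role is scoped to the vault itself, never to the subscription.
create_identity() {
  [ -n "$KV_ID" ] || { echo "set KV_ID to the Key Vault resource ID" >&2; return 1; }
  az identity create -g "$RG" -n "$IDENTITY" -o none
  IDENTITY_ID=$(az identity show -g "$RG" -n "$IDENTITY" --query id -o tsv)
  principal=$(az identity show -g "$RG" -n "$IDENTITY" --query principalId -o tsv)
  az role assignment create --role "Key Vault Secrets User" \
    --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --scope "$KV_ID" -o none
}

# 3. Register the identity with the cluster. This creates the AzureIdentity and
#    AzureIdentityBinding objects in $POD_NS with selector $POD_IDENTITY.
bind_identity() {
  az aks pod-identity add -g "$RG" --cluster-name "$CLUSTER" \
    --namespace "$POD_NS" --name "$POD_IDENTITY" \
    --identity-resource-id "$IDENTITY_ID" -o none
}

# 4. A pod is matched to the binding only through the aadpodidbinding label;
#    nothing identity-related goes into the pod spec itself.
pod_manifest() {  # args: pod name, binding selector, namespace
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
  namespace: $3
  labels:
    aadpodidbinding: $2
spec:
  containers:
  - name: app
    image: mcr.microsoft.com/azure-cli
    command: ["sleep", "3600"]
EOF
}

# 5. From inside the pod, an ordinary IMDS token request is answered by NMI with a
#    token for the bound identity. The pod never sees a long-lived secret.
verify_token() {
  kubectl -n "$POD_NS" exec demo-pod -- curl -s -H Metadata:true \
    'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net' \
    | grep -q '"access_token"'
}

main() {
  check_cluster || { echo "cluster does not satisfy Azure.AKS.PodIdentity" >&2; exit 1; }
  create_identity
  bind_identity
  kubectl create namespace "$POD_NS" --dry-run=client -o yaml | kubectl apply -f -
  pod_manifest demo-pod "$POD_IDENTITY" "$POD_NS" | kubectl apply -f -
  kubectl -n "$POD_NS" wait --for=condition=Ready pod/demo-pod --timeout=120s
  verify_token && echo "pod obtained a token for $IDENTITY via NMI"
}

# Only touch Azure when invoked as: sh pod-identity-demo.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

If verify_token fails on a cluster that passed check_cluster, the usual causes are the binding living in a different namespace from the pod, a label value that does not match the binding name, or the role assignment not yet propagated; none of these require putting a credential in the pod to work around.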
Configure with Azure template#
To deploy AKS clusters that pass this rule:
- Set Properties.networkProfile.networkPlugin to azure.
- Set Properties.podIdentityProfile.enabled to true.
For example:
{
"type": "Microsoft.ContainerService/managedClusters",
"apiVersion": "2021-07-01",
"name": "[parameters('clusterName')]",
"location": "[parameters('location')]",
"identity": {
"type": "UserAssigned",
"userAssignedIdentities": {
"[format('{0}', resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName')))]": {}
}
},
"properties": {
"kubernetesVersion": "[parameters('kubernetesVersion')]",
"enableRBAC": true,
"dnsPrefix": "[parameters('dnsPrefix')]",
"agentPoolProfiles": "[variables('allPools')]",
"aadProfile": {
"managed": true,
"enableAzureRBAC": true,
"adminGroupObjectIDs": "[parameters('clusterAdmins')]",
"tenantID": "[subscription().tenantId]"
},
"networkProfile": {
"networkPlugin": "azure",
"networkPolicy": "azure",
"loadBalancerSku": "standard",
"serviceCidr": "[variables('serviceCidr')]",
"dnsServiceIP": "[variables('dnsServiceIP')]",
"dockerBridgeCidr": "[variables('dockerBridgeCidr')]"
},
"autoUpgradeProfile": {
"upgradeChannel": "stable"
},
"addonProfiles": {
"httpApplicationRouting": {
"enabled": false
},
"azurepolicy": {
"enabled": true,
"config": {
"version": "v2"
}
},
"omsagent": {
"enabled": true,
"config": {
"logAnalyticsWorkspaceResourceID": "[parameters('workspaceId')]"
}
},
"kubeDashboard": {
"enabled": false
},
"azureKeyvaultSecretsProvider": {
"enabled": true,
"config": {
"enableSecretRotation": "true"
}
}
},
"podIdentityProfile": {
"enabled": true
}
},
"tags": "[parameters('tags')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('identityName'))]"
]
}
Configure with Bicep#
To deploy AKS clusters that pass this rule:
- Set Properties.networkProfile.networkPlugin to azure.
- Set Properties.podIdentityProfile.enabled to true.
For example:
// Cluster
resource cluster 'Microsoft.ContainerService/managedClusters@2021-07-01' = {
location: location
name: clusterName
identity: {
type: 'UserAssigned'
userAssignedIdentities: {
'${identity.id}': {}
}
}
properties: {
kubernetesVersion: kubernetesVersion
enableRBAC: true
dnsPrefix: dnsPrefix
agentPoolProfiles: allPools
aadProfile: {
managed: true
enableAzureRBAC: true
adminGroupObjectIDs: clusterAdmins
tenantID: subscription().tenantId
}
networkProfile: {
networkPlugin: 'azure'
networkPolicy: 'azure'
loadBalancerSku: 'standard'
serviceCidr: serviceCidr
dnsServiceIP: dnsServiceIP
dockerBridgeCidr: dockerBridgeCidr
}
autoUpgradeProfile: {
upgradeChannel: 'stable'
}
addonProfiles: {
httpApplicationRouting: {
enabled: false
}
azurepolicy: {
enabled: true
config: {
version: 'v2'
}
}
omsagent: {
enabled: true
config: {
logAnalyticsWorkspaceResourceID: workspaceId
}
}
kubeDashboard: {
enabled: false
}
azureKeyvaultSecretsProvider: {
enabled: true
config: {
enableSecretRotation: 'true'
}
}
}
podIdentityProfile: {
enabled: true
}
}
tags: tags
}
Links#
- Use identity-based authentication
- Use Azure Active Directory pod-managed identities in Azure Kubernetes Service (Preview)
- Use managed identities in Azure Kubernetes Service
- What are managed identities for Azure resources?
- AAD Pod Identity
- Azure deployment reference