Documentation

📣 Announcement

❗ IMPORTANT: As of Monday 10/24/2022, AAD Pod Identity is deprecated. As mentioned in the announcement, AAD Pod Identity has been replaced with Azure Workload Identity. Going forward, we will no longer add new features or bug fixes to this project in favor of Azure Workload Identity, which reached General Availability (GA) in Azure Kubernetes Service (AKS). We will provide CVE patches until September 2023, at which time the project will be archived. There will be no new releases after September 2023.

AAD Pod Identity enables Kubernetes applications to access cloud resources securely with Azure Active Directory using User-assigned managed identity and Service Principal.

Note: Configuring system-assigned managed identity with AAD Pod Identity to access cloud resources is not supported.

Using Kubernetes primitives, administrators configure identities and bindings to match pods. Then without any code modifications, your containerized applications can leverage any resource in the cloud that depends on AAD as an identity provider.

Breaking Changes

v1.8.4

The metadata header required flag is enabled by default to prevent SSRF attacks. Check Metadata Header Required for more information. To disable the metadata header check, set --metadata-header-required=false in NMI container args.

v1.8.0

• The API version of Pod Identity’s CRDs (AzureIdentity, AzureIdentityBinding, AzureAssignedIdentity, AzurePodIdentityException) have been upgraded from apiextensions.k8s.io/v1beta1 to apiextensions.k8s.io/v1. For Kubernetes clusters with < 1.16, apiextensions.k8s.io/v1 CRDs would not work. You can either:

  1. Continue using AAD Pod Identity v1.7.5 or
  2. Upgrade your cluster to 1.16+, then upgrade AAD Pod Identity.

  If AAD Pod Identity was previously installed using Helm, subsequent helm install or helm upgrade would not upgrade the CRD API version from apiextensions.k8s.io/v1beta1 to apiextensions.k8s.io/v1 (although kubectl get crd -oyaml would display apiextensions.k8s.io/v1 since the API server internally converts v1beta1 CRDs to v1, it lacks a structural schema, which is what AAD Pod Identity introduced in v1.8.0). If you wish to upgrade to the official v1 CRDs for AAD Pod Identity:

  kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts/aad-pod-identity/crds/crd.yaml
  

  With managed mode enabled, you can remove the unused AzureAssignedIdentity CRD if you wish.

  # MANAGED MODE ONLY!
  kubectl delete crd azureassignedidentities.aadpodidentity.k8s.io
  

v1.7.5

• AAD Pod Identity has dropped Helm 2 starting from chart version 4.0.0/app version 1.7.5. To install or upgrade to the latest version of AAD Pod Identity, please use Helm 3 instead. Refer to this guide on how to migrate from Helm 2 to Helm 3.

v1.7.2

• The forceNameSpaced helm configuration variable is removed. Use forceNamespaced instead to configure pod identity to run in namespaced mode.

v1.7.1

• azureIdentities in values.yaml is converted to a map instead of a list of identities.

  The following is an example of the required change in values.yaml from helm chart 2.x.x to 3.x.x:

  -azureIdentities:
  -  - name: "azure-identity"
  -    # if not defined, then the azure identity will be deployed in the same namespace as the chart
  -    namespace: ""
  -    # type 0: MSI, type 1: Service Principal
  -    type: 0
  -    # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name
  -    resourceID: "resource-id"
  -    clientID: "client-id"
  -    binding:
  -      name: "azure-identity-binding"
  -      # The selector will also need to be included in labels for app deployment
  -      selector: "demo"
  +azureIdentities:
  +  "azure-identity":
  +    # if not defined, then the azure identity will be deployed in the same namespace as the chart
  +    namespace: ""
  +    # type 0: MSI, type 1: Service Principal
  +    type: 0
  +    # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name
  +    resourceID: "resource-id"
  +    clientID: "client-id"
  +    binding:
  +      name: "azure-identity-binding"
  +      # The selector will also need to be included in labels for app deployment
  +      selector: "demo"
  

v1.7.0

• With Azure/aad-pod-identity#842, aad-pod-identity no longer works on clusters with kubenet as the network plugin. For more details, please see Deploy AAD Pod Identity in a Cluster with Kubenet.

  If you still wish to install aad-pod-identity on a kubenet-enabled cluster, set the helm chart value nmi.allowNetworkPluginKubenet to true in the helm command:

  helm (install|upgrade) ... --set nmi.allowNetworkPluginKubenet=true ...
  

v1.6.0

With Azure/aad-pod-identity#398, the client-go library is upgraded to v0.17.2, where CRD fields are now case sensitive. If you are upgrading MIC and NMI from v1.x.x to v1.6.0, MIC v1.6.0+ will upgrade the fields of existing AzureIdentity and AzureIdentityBinding on startup to the new format to ensure backward compatibility. A configmap called aad-pod-identity-config is created to record and confirm the successful type upgrade.

However, for future AzureIdentity and AzureIdentityBinding created using v1.6.0+, the following fields need to be changed:

AzureIdentity

AzureIdentityBinding

AzurePodIdentityException

Ready to get started?

To get started, see the Getting Started page, or you can visit the GitHub repo.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.