The API of AAD Pod Identity CRDs and core components: Managed Identity Controller (MIC) and Node Managed Identity (NMI).


Describes one of the following Azure identity resources: 0) user-assigned identity, 1) service principal, or 2) service principal with certificate.


Describes the identity binding relationship between an AzureIdentity and a pod with a specific selector as part of its label.


Describes the current state of identity binding relationship between an AzureIdentity and a pod.


Allow pods with certain labels to access IMDS without being intercepted by NMI.

Managed Identity Controller (MIC)

A Kubernetes controller that watches for changes to pods, AzureIdentity and AzureIdentityBindings through the Kubernetes API Server. When it detects a relevant change, the MIC adds or deletes AzureAssignedIdentity as needed.

Node Managed Identity (NMI)

Makes an Azure Active Directory Authentication Library (ADAL) request to get a token on behalf of pods by intercepting IMDS traffic on each node and redirect them to itself.

Block Diagram and Design

An overview of all the Kubernetes components and their relationship.