Concepts

The custom resource definitions (CRDs) that make up the AAD Pod Identity API, and its two core components: the Managed Identity Controller (MIC) and the Node Managed Identity (NMI).

AzureIdentity

Describes one of the following Azure identity resources: 0) a user-assigned identity, 1) a service principal, or 2) a service principal with a certificate.

AzureIdentityBinding

Describes the binding relationship between an AzureIdentity and the pods that carry a specific selector value in their labels.

AzureAssignedIdentity

Describes the current state of the identity binding relationship between an AzureIdentity and a pod.

AzurePodIdentityException

Allows pods with certain labels to access IMDS directly, without being intercepted by NMI.
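The four CRDs described above, as an added example that is not part of the original page or the project's own manifests: an AzureIdentity for a user-assigned identity, the AzureIdentityBinding that ties it to a selector, a pod that carries that selector in its `aadpodidbinding` label, and an AzurePodIdentityException for pods that may bypass NMI. Subscription, resource group, identity name, client ID and image are placeholders.

```yaml
# Added example (not from the aad-pod-identity docs): the objects that
# together let a pod obtain a token for a user-assigned identity.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: demo-identity
  namespace: demo
spec:
  # type 0 = user-assigned identity; 1 = service principal;
  # 2 = service principal with certificate (see the list above)
  type: 0
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<IDENTITY_NAME>
  clientID: <CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: demo-identity-binding
  namespace: demo
spec:
  azureIdentity: demo-identity
  # pods whose aadpodidbinding label equals this value are bound;
  # MIC creates an AzureAssignedIdentity for each matching pod
  selector: demo-app
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-app
  namespace: demo
  labels:
    aadpodidbinding: demo-app   # matches the binding's selector
spec:
  containers:
    - name: app
      image: <IMAGE>
---
# Pods carrying this label are NOT intercepted by NMI and reach IMDS
# directly, so they receive tokens for the node's own identity rather
# than the bound one. Treat the right to apply this label as privileged.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzurePodIdentityException
metadata:
  name: imds-passthrough
  namespace: demo
spec:
  podLabels:
    imds-direct: "true"
```

Pods without a matching binding or exception still have their IMDS traffic intercepted by NMI and receive no token.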

Managed Identity Controller (MIC)

A Kubernetes controller that watches for changes to pods, AzureIdentities and AzureIdentityBindings through the Kubernetes API server. When it detects a relevant change, the MIC creates or deletes AzureAssignedIdentities as needed.

Node Managed Identity (NMI)

Makes an Azure Active Directory Authentication Library (ADAL) request to obtain a token on behalf of pods, by intercepting IMDS traffic on each node and redirecting it to itself.

Block Diagram and Design

An overview of all the Kubernetes components and their relationships.