Available from 1.6.0 release
AAD Pod Identity supports two modes of operation, Standard and Managed (see the full explanation of both modes).
If you already have AAD Pod Identity set up in Standard mode and would like to migrate to Managed mode, follow the steps below.
NOTE: AAD Pod Identity in Managed mode only works in namespaced mode. This means the AzureIdentity and AzureIdentityBinding need to be in the same namespace as the application pod referencing them; this follows RBAC best practices, since a pod can then only use identities defined in its own namespace. If you are running in non-namespaced mode, move the AzureIdentity and AzureIdentityBinding objects to the correct namespaces before proceeding with the steps.
Assign the pod identities to the VM/VMSS. In Managed mode there is no MIC to assign identities for you, so every user-assigned identity referenced by an AzureIdentity must be assigned to the node VM or VMSS manually:
To assign the identity to a VM, run the following command:
az vm identity assign -g <VM resource group name> -n <VM name> --identities <resource ID of managed identity>
To assign the identity to a VMSS, run the following command:
az vmss identity assign -g <VMSS resource group name> -n <VMSS name> --identities <resource ID of managed identity>
Delete the MIC deployment and NMI daemonset
kubectl delete deploy <mic deployment name> -n <namespace>
kubectl delete daemonset <nmi daemonset name> -n <namespace>
Delete the MIC service account, cluster role and cluster role binding
kubectl delete sa aad-pod-id-mic-service-account -n <namespace>
kubectl delete clusterrole aad-pod-id-mic-role
kubectl delete clusterrolebinding aad-pod-id-mic-binding
Delete the AzureAssignedIdentity custom resource definition
The AzureAssignedIdentity is created and managed by MIC in Standard mode and is not required for Managed mode. With MIC already deleted, nothing will recreate the existing objects. Refer to this doc on how to delete the AzureAssignedIdentities.
Install AAD Pod Identity in Managed mode
Refer to this doc on how to install AAD Pod Identity in Managed mode.
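The steps above, assembled into one dry-run helper. This is an added example and not part of the AAD Pod Identity project: it takes a "namespace resourceID" listing of the cluster's AzureIdentity objects (the constructed sample below stands in for `kubectl get azureidentity -A -o jsonpath=...` output; the subscription, resource group `demo-rg`, VMSS `demo-vmss`, and identity names are hypothetical), enforces the namespaced-mode NOTE by refusing to continue while any AzureIdentity sits outside the application namespace, and prints the `az vmss identity assign` and `kubectl delete` commands for review rather than running them.

```shell
#!/usr/bin/env sh
# Added example, not project code. Generates (does not run) the commands for
# migrating AAD Pod Identity from Standard to Managed mode.

# Constructed sample listing: one "namespace spec.resourceID" pair per line,
# the shape produced by
#   kubectl get azureidentity -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.spec.resourceID}{"\n"}{end}'
SUB=/subscriptions/00000000-0000-0000-0000-000000000000
ID1="$SUB/resourcegroups/demo-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/demo-id-1"
ID2="$SUB/resourcegroups/demo-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/demo-id-2"
ID_STRAY="$SUB/resourcegroups/demo-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/legacy-id"
SAMPLE_OK="default $ID1
default $ID2"
# Same listing plus an AzureIdentity left in kube-system (non-namespaced setup).
SAMPLE_STRAY="$SAMPLE_OK
kube-system $ID_STRAY"

# Print the resource IDs of the AzureIdentity objects in namespace $2, one per line.
resource_ids_for_namespace() {
  printf '%s\n' "$1" | awk -v ns="$2" '$1 == ns { print $2 }'
}

# The NOTE above: Managed mode only honours AzureIdentity objects in the pod's
# namespace. Return 0 when every identity in the listing is in namespace $2;
# otherwise list the strays on stderr and return 1.
check_same_namespace() {
  strays=$(printf '%s\n' "$1" | awk -v ns="$2" '$1 != ns { print $1 "/" $2 }')
  if [ -n "$strays" ]; then
    printf 'AzureIdentity objects outside namespace %s:\n%s\n' "$2" "$strays" >&2
    return 1
  fi
  return 0
}

# One az call assigning every identity to the VMSS. $1 = resource group,
# $2 = VMSS name, remaining args = resource IDs (--identities takes a list).
vmss_assign_cmd() {
  rg=$1; vmss=$2; shift 2
  printf 'az vmss identity assign -g %s -n %s --identities' "$rg" "$vmss"
  for id in "$@"; do printf ' %s' "$id"; done
  printf '\n'
}

# kubectl commands removing the MIC/NMI objects in the order the steps list them.
# $1 = MIC deployment name, $2 = NMI daemonset name, $3 = namespace.
mic_cleanup_cmds() {
  printf 'kubectl delete deploy %s -n %s\n' "$1" "$3"
  printf 'kubectl delete daemonset %s -n %s\n' "$2" "$3"
  printf 'kubectl delete sa aad-pod-id-mic-service-account -n %s\n' "$3"
  printf 'kubectl delete clusterrole aad-pod-id-mic-role\n'
  printf 'kubectl delete clusterrolebinding aad-pod-id-mic-binding\n'
}

# Driver: $1 = application namespace, $2 = resource group, $3 = VMSS name,
# $4 = AzureIdentity listing. Prints the plan; pipe it to sh once reviewed.
migrate() {
  ns=$1; rg=$2; vmss=$3; listing=$4
  if ! check_same_namespace "$listing" "$ns"; then
    echo "move the stray AzureIdentity/AzureIdentityBinding objects first" >&2
    return 1
  fi
  ids=$(resource_ids_for_namespace "$listing" "$ns")
  # shellcheck disable=SC2086  # splitting the ID list into words is intended
  vmss_assign_cmd "$rg" "$vmss" $ids
  mic_cleanup_cmds mic nmi "$ns"
}

migrate default demo-rg demo-vmss "$SAMPLE_OK"
```

Running it against `SAMPLE_STRAY` instead of `SAMPLE_OK` stops before printing anything, which is the point: the identity left in kube-system would silently stop working once MIC is gone, so the move described in the NOTE has to happen first.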