Installation
Prerequisites
- Azure CLI (≥2.32.0)
  - with the aks-preview CLI extension installed (≥0.5.50)
- Helm 3
- A Kubernetes cluster with version ≥ v1.20
- Follow the cluster-specific setup guide below before deploying Azure AD Workload Identity:
| Cluster type | Steps | Guide |
|---|---|---|
| Managed cluster | 1. Enable any OIDC-specific feature flags<br>2. Extract the OIDC issuer URL | Link |
| Self-managed cluster | 1. Generate a service account key pair or bring your own keys<br>2. Set up the public OIDC issuer URL<br>3. Generate the OIDC discovery and JWKS documents<br>4. Configure the kube-apiserver and kube-controller-manager flags | Link |
Azure AD Workload Identity Components
| Component | Description | Guide |
|---|---|---|
| Mutating Admission Webhook | Projects a signed service account token to a well-known path (`/var/run/secrets/azure/tokens/azure-identity-token`) and injects authentication-related environment variables into your pods based on the annotated service account. | Link |
| Azure AD Workload Identity CLI (`azwi`) | A utility CLI that helps manage Azure AD Workload Identity and automates error-prone operations. | Link |
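The following is an added example, not code from the Azure AD Workload Identity project, showing how a workload consumes what the webhook provides: it reads the projected token from the path in `AZURE_FEDERATED_TOKEN_FILE`, runs the local pre-flight checks (expiry and audience) an application can do before calling Azure AD, and builds the federated client-credentials request in which the projected token is the `client_assertion`. The environment variable names, the default audience `api://AzureADTokenExchange` and the sample token are assumptions or constructed values for offline use; Azure AD, not this code, verifies the token signature.

```python
"""Consume a projected Azure AD Workload Identity token (added example)."""
import base64
import json
import time
from typing import Optional

# Default audience the webhook requests for the projected token (assumption).
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def read_projected_token_claims(token: str, now: Optional[float] = None) -> dict:
    """Decode the token payload and run the checks an app can do locally.
    Signature verification is Azure AD's job during the exchange, not ours."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        # kubelet rotates the projected file; the app must re-read it, not cache it.
        raise ValueError("projected token has expired; re-read the token file")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if TOKEN_EXCHANGE_AUDIENCE not in aud:
        raise ValueError(f"unexpected audience {aud}")
    return claims


def build_token_request(env: dict, token: str, scope: str) -> tuple:
    """Return (token endpoint URL, form body) for the federated
    client-credentials exchange; env holds the webhook-injected variables."""
    authority = env.get("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.com/")
    url = f"{authority.rstrip('/')}/{env['AZURE_TENANT_ID']}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": env["AZURE_CLIENT_ID"],
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": token,  # the projected service account token
        "scope": scope,
    }
    return url, body


def make_sample_token(exp: float) -> str:
    """Constructed sample of a projected token (signature segment is a dummy)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).decode().rstrip("=")
    payload = {"aud": [TOKEN_EXCHANGE_AUDIENCE], "iss": "https://constructed-issuer.example/",
               "sub": "system:serviceaccount:default:workload-sa", "exp": int(exp)}
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(payload)}.{enc({'sig': 'x'})}"
```

In a real pod the token string comes from `open(os.environ["AZURE_FEDERATED_TOKEN_FILE"]).read()` and the body is POSTed as a form to the returned URL.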