Self-Managed Clusters

When compared to using managed Kubernetes services like AKS, managing your own Kubernetes cluster provides the most freedom in customizing Kubernetes and your workload. However, there is additional setup required before deploying Azure AD Workload Identity to a self-managed cluster. If you are a cluster administrator, make sure you can perform the following actions:

  1. Generate your own service account signing key pair and rotate it regularly (at least quarterly)
  2. Manually set up your OIDC issuer URL, and upload your discovery document and JWKS to a public endpoint
  3. Configure flags for system-critical pods such as kube-apiserver and kube-controller-manager
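The artifacts from step 2 are a discovery document and a JWKS describing the public half of the key pair from step 1. The script below is an added example, not code from the project or its tooling: it derives the JWKS key ID the way kube-apiserver does (base64url of the SHA-256 over the DER-encoded SubjectPublicKeyInfo), so the `kid` in the published JWKS matches the `kid` in the tokens the API server issues, and emits the discovery document that must be reachable at `<issuer>/.well-known/openid-configuration`. The RSA values and issuer URL are constructed placeholders; the tiny DER encoder is my own and covers only what an RSA SPKI needs.

```python
import base64
import hashlib
import json

# Constructed toy RSA public key (n = 61 * 53, e = 17) for illustration only;
# a real service account signing key is 2048 bits or more.
TOY_N, TOY_E = 3233, 17
ISSUER = "https://example.invalid/oidc"  # placeholder, must equal --service-account-issuer


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def int_to_bytes(n: int) -> bytes:
    # Minimal big-endian encoding, as required for the JWK "n" and "e" members.
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def der(tag: int, body: bytes) -> bytes:
    # Minimal DER TLV encoder (definite lengths up to 65535 bytes), enough for an SPKI.
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_int(n: int) -> bytes:
    raw = int_to_bytes(n)
    if raw[0] & 0x80:  # a positive INTEGER needs a leading zero when the high bit is set
        raw = b"\x00" + raw
    return der(0x02, raw)


def spki_der(n: int, e: int) -> bytes:
    # SubjectPublicKeyInfo: SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { n, e } } }
    rsa_oid = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
    alg_id = der(0x30, der(0x06, rsa_oid) + der(0x05, b""))
    rsa_pub = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))


def kid_for(n: int, e: int) -> str:
    # kube-apiserver key ID: base64url(SHA-256(DER SubjectPublicKeyInfo))
    return b64url(hashlib.sha256(spki_der(n, e)).digest())


def jwks(n: int, e: int) -> dict:
    return {"keys": [{"use": "sig", "kty": "RSA", "kid": kid_for(n, e), "alg": "RS256",
                      "n": b64url(int_to_bytes(n)), "e": b64url(int_to_bytes(e))}]}


def discovery_document(issuer: str) -> dict:
    # Served at <issuer>/.well-known/openid-configuration; jwks_uri points at the JWKS above.
    return {"issuer": issuer, "jwks_uri": f"{issuer}/openid/v1/jwks",
            "response_types_supported": ["id_token"], "subject_types_supported": ["public"],
            "id_token_signing_alg_values_supported": ["RS256"]}


if __name__ == "__main__":
    print(json.dumps(discovery_document(ISSUER), indent=2))
    print(json.dumps(jwks(TOY_N, TOY_E), indent=2))
```

When rotating the key (step 1), publish a JWKS containing both the old and new public keys until every token signed with the old key has expired, otherwise validation of in-flight tokens fails.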