Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

Migrate addons from Managed Identity to Federated Identity #2913

Open CocoWang-wql opened 2 years ago

CocoWang-wql commented 2 years ago

Federated Identity is a new version of Identity, which is used by Workload Identity as well.

With Federated Identity, the pod first requests a projected service account token from the API Server. Then it requests an AAD token from Azure AD directly. The federated identity is not stored on the node. The short-lived AAD token will be used to authenticate to other Azure resources/services. The requests are no longer sent to IMDS (Instance Metadata Service).

Once Federated Identity is GA, we will migrate AKS addons from Managed Identity to Federated Identity.
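
The flow described in the issue text above, as an added Python example that is not part of the thread or of AKS code: it checks the claims Azure AD matches against a federated credential and builds the token request the pod sends directly to Azure AD. The issuer URL, service account name, tenant ID and client ID are constructed placeholders; `api://AzureADTokenExchange` is the default audience for Azure AD workload identity.

```python
import base64, json
from urllib.parse import urlencode

def b64url_json(obj: dict) -> str:
    """Helper used only to construct the sample token below."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying it; Azure AD verifies the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def federation_problems(claims: dict, cred: dict, now: int) -> list:
    """List the reasons this token would not match the federated credential."""
    problems = [f"{c} mismatch" for k, c in (("issuer", "iss"), ("subject", "sub"))
                if claims.get(c) != cred[k]]
    aud = claims.get("aud", [])
    if cred["audience"] not in ([aud] if isinstance(aud, str) else aud):
        problems.append("aud mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def build_exchange(tenant_id: str, client_id: str, sa_token: str, scope: str):
    """Token request sent straight to Azure AD (not to IMDS at 169.254.169.254)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": sa_token,  # the projected service account token
    })
    return url, body

# Constructed sample values (placeholders, not taken from the issue).
CRED = {"issuer": "https://oidc.example.invalid/cluster-1/",
        "subject": "system:serviceaccount:kube-system:example-addon",
        "audience": "api://AzureADTokenExchange"}
SAMPLE_TOKEN = ".".join([
    b64url_json({"alg": "RS256", "kid": "constructed"}),
    b64url_json({"iss": CRED["issuer"], "sub": CRED["subject"],
                 "aud": [CRED["audience"]], "exp": 1_700_003_600}),
    "constructed-signature"])

if __name__ == "__main__":
    print(federation_problems(jwt_claims(SAMPLE_TOKEN), CRED, now=1_700_000_000))
    print(build_exchange("TENANT_ID", "CLIENT_ID", SAMPLE_TOKEN,
                         "https://management.azure.com/.default")[0])
```

The subject claim `system:serviceaccount:<namespace>:<name>` ties the credential to one service account, so a token issued to any other pod identity fails the match before Azure AD issues anything.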

ghost commented 2 years ago

Hi CocoWang-wql, AKS bot here :wave: Thank you for posting on the AKS Repo, I'll do my best to get a kind human from the AKS team to assist you.

I might be just a bot, but I'm told my suggestions are normally quite good, as such:

1) If this case is urgent, please open a Support Request so that our 24/7 support team may help you faster.
2) Please abide by the AKS repo Guidelines and Code of Conduct.
3) If you're having an issue, could it be described on the AKS Troubleshooting guides or AKS Diagnostics?
4) Make sure you're subscribed to the AKS Release Notes to keep up to date with all that's new on AKS.
5) Make sure there isn't a duplicate of this issue already reported. If there is, feel free to close this one and '+1' the existing issue.
6) If you have a question, do take a look at our AKS FAQ. We place the most common ones there!

ghost commented 2 years ago

Action required from @Azure/aks-pm

ghost commented 1 year ago

Issue needing attention of @Azure/aks-leads

EppO commented 1 year ago

Workload Identity on AKS is GA: https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster

Implementing this would significantly improve the security posture and remove the need to bind the different add-on managed identities to the underlying VMSS.

aglees commented 1 year ago

Are there any updates to this being progressed through?

microsoft-github-policy-service[bot] commented 9 months ago

This issue has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs within 15 days of this comment.

microsoft-github-policy-service[bot] commented 9 months ago

This issue will now be closed because it hasn't had any activity for 7 days after stale. CocoWang-wql, feel free to comment again in the next 7 days to reopen, or open a new issue after that time if you still have a question/issue or suggestion.

microsoft-github-policy-service[bot] commented 3 months ago

@miwithrow, @CocoWang-wql would you be able to assist?

charleswool commented 2 months ago

Workload Identity on AKS is GA: https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster

Implementing this would significantly improve the security posture and remove the need to bind the different add-on managed identities to the underlying VMSS.