Azure / aad-pod-identity

[DEPRECATED] Assign Azure Active Directory Identities to Kubernetes applications.
https://azure.github.io/aad-pod-identity
MIT License

AAD Pod Identity in a multi tenant cluster #895

Closed sbkg0002 closed 3 years ago

sbkg0002 commented 3 years ago

Describe the request
Can someone explain how to use AAD Pod Identity in a multi tenant cluster? Currently everyone who can create an `AzureIdentity` can create an `AzureIdentity` for every `ManagedIdentity` that is available for the cluster.

There is no way to -lets say- limit a namespace to ManagedIdentities from a certain Azure Subscription.

AWS Kiam has this covered by the iam.amazonaws.com/permitted annotation, which can limit the use of identities/roles from a certain AWS account.

Explain why AAD Pod Identity needs it
Currently AAD Pod Identity cannot be used in multi-tenant clusters.

Describe the solution you'd like
Limit a namespace to ManagedIdentities from a certain Azure Subscription via an annotation on the namespace.
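
As an added illustration of the namespace-scoped restriction requested above (example code written for this page, not code from aad-pod-identity; the annotation name `example.com/allowed-identity-scope`, the validating-webhook framing and all subscription IDs and names are assumptions), here is the core check such a webhook could run: parse the `spec.resourceID` of an `AzureIdentity` being created, and allow it only if it falls inside one of the ARM scopes (a subscription, or a resource group within it) listed on the target namespace. It fails closed when the namespace carries no annotation and rejects resource IDs that do not have the user-assigned identity shape.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedScopeAnnotation is a hypothetical namespace annotation (an assumption
// for this example, not an annotation aad-pod-identity defines). Its value is a
// comma-separated list of ARM scopes, each either a subscription
// (/subscriptions/<id>) or a resource group (/subscriptions/<id>/resourceGroups/<name>).
const allowedScopeAnnotation = "example.com/allowed-identity-scope"

// ManagedIdentityID is the parsed form of a user-assigned managed identity
// resource ID, the value that goes in an AzureIdentity's spec.resourceID.
type ManagedIdentityID struct {
	Subscription  string
	ResourceGroup string
	Name          string
}

// ParseManagedIdentityID splits
// /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<name>
// into its components. Fixed segments are compared case-insensitively, as ARM does.
func ParseManagedIdentityID(id string) (ManagedIdentityID, error) {
	parts := strings.Split(strings.Trim(id, "/"), "/")
	if len(parts) != 8 {
		return ManagedIdentityID{}, fmt.Errorf("unexpected resource ID shape: %q", id)
	}
	fixed := map[int]string{0: "subscriptions", 2: "resourceGroups", 4: "providers",
		5: "Microsoft.ManagedIdentity", 6: "userAssignedIdentities"}
	for i, want := range fixed {
		if !strings.EqualFold(parts[i], want) {
			return ManagedIdentityID{}, fmt.Errorf("not a user-assigned identity resource ID: %q", id)
		}
	}
	mi := ManagedIdentityID{Subscription: parts[1], ResourceGroup: parts[3], Name: parts[7]}
	if mi.Subscription == "" || mi.ResourceGroup == "" || mi.Name == "" {
		return ManagedIdentityID{}, fmt.Errorf("empty segment in resource ID: %q", id)
	}
	return mi, nil
}

// scopeCovers reports whether an ARM scope (subscription or resource group) contains mi.
func scopeCovers(scope string, mi ManagedIdentityID) bool {
	parts := strings.Split(strings.Trim(strings.TrimSpace(scope), "/"), "/")
	if len(parts) < 2 || !strings.EqualFold(parts[0], "subscriptions") ||
		!strings.EqualFold(parts[1], mi.Subscription) {
		return false
	}
	switch len(parts) {
	case 2: // the whole subscription
		return true
	case 4: // one resource group within the subscription
		return strings.EqualFold(parts[2], "resourceGroups") &&
			strings.EqualFold(parts[3], mi.ResourceGroup)
	default: // anything deeper or malformed is not a scope this check accepts
		return false
	}
}

// ValidateAzureIdentity is the admission decision: may an AzureIdentity whose
// spec.resourceID is resourceID be created in a namespace carrying nsAnnotations?
// Fails closed: no annotation means no identity may be bound from this namespace.
func ValidateAzureIdentity(nsAnnotations map[string]string, resourceID string) error {
	raw := strings.TrimSpace(nsAnnotations[allowedScopeAnnotation])
	if raw == "" {
		return fmt.Errorf("namespace has no %s annotation; denying", allowedScopeAnnotation)
	}
	mi, err := ParseManagedIdentityID(resourceID)
	if err != nil {
		return err
	}
	for _, scope := range strings.Split(raw, ",") {
		if scopeCovers(scope, mi) {
			return nil
		}
	}
	return fmt.Errorf("identity %s/%s in subscription %s is outside the scopes permitted for this namespace",
		mi.ResourceGroup, mi.Name, mi.Subscription)
}

func main() {
	// Constructed sample data: subscription IDs and names are made up for this example.
	const subA = "11111111-1111-1111-1111-111111111111"
	const subB = "22222222-2222-2222-2222-222222222222"
	teamANamespace := map[string]string{
		allowedScopeAnnotation: "/subscriptions/" + subA + "/resourceGroups/team-a-identities",
	}
	candidates := []string{
		"/subscriptions/" + subA + "/resourcegroups/Team-A-Identities/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-a",
		"/subscriptions/" + subA + "/resourceGroups/team-b-identities/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-b",
		"/subscriptions/" + subB + "/resourceGroups/team-a-identities/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-a",
	}
	for _, id := range candidates {
		if err := ValidateAzureIdentity(teamANamespace, id); err != nil {
			fmt.Println("DENY ", id, "->", err)
		} else {
			fmt.Println("ALLOW", id)
		}
	}
}
```

Two caveats a practitioner would add. First, this only gates creation of the in-cluster `AzureIdentity` object; whether the assignment can actually happen on the node is still decided by the Azure RBAC grant ('Managed Identity Operator') held by the cluster identity, so that grant's scope remains the authoritative control. Second, because ARM resource IDs are case-insensitive, the comparisons above must use `strings.EqualFold` rather than exact string equality, or a differently cased resource group name would slip past a deny-list style check.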

chewong commented 3 years ago

There is no way to -lets say- limit a namespace to ManagedIdentities from a certain Azure Subscription.

Namespace mode is the closest to what you describe, where you deploy desired AzureIdentity and AzureIdentityBinding to the same namespace as your workload. Also, aad-pod-identity does not distinguish between single and multi-tenant clusters, as long as you have the correct resource ID / tenant ID in your AzureIdentity.

Annegies commented 3 years ago

The issue we're facing for multi-tenancy is that in order to enable aad-pod-identity to attach the Managed Identity to the node you have to give the identity that created the cluster the 'Managed Identity Operator' role assignment on your managed identity. Since there is no way to filter for which Managed Identities an Azure Identity in the cluster may be created, another team is able to create one for another team's managed identities.

chewong commented 3 years ago

What you can do is to create a resource group dedicated to your team's managed identities and assign your cluster identity (service principal or managed identity) 'Managed Identity Operator' to the resource group scope. You can check out https://azure.github.io/aad-pod-identity/docs/getting-started/role-assignment/#reducing-number-of-role-assignments for more details.

chewong commented 3 years ago

There is no way to -lets say- limit a namespace to ManagedIdentities from a certain Azure Subscription.

aad-pod-identity does not currently support that. See https://github.com/Azure/aad-pod-identity/issues/895#issuecomment-739066132 for more details. Closing this issue for now, but feel free to re-open it if you have questions.

rhummelmose commented 3 years ago

How is this done @chewong?

rhummelmose commented 3 years ago

@chewong Proposal for how to fix this:

You make it possible to tie a k8s namespace to a group within the Azure AD.

Access to the managed identity can then be assigned to the group and when a request for assignment of a managed identity to a pod is handled by the Pod Identities operator, it can evaluate the access by inspecting the permissions present on the group assigned to the namespace from which the request originates.

CC: @justindavies