Azure / azure-workload-identity

Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
https://azure.github.io/azure-workload-identity
MIT License

workload identity for image pull secrets #1049

Open rouke-broersma opened 1 year ago

rouke-broersma commented 1 year ago

Is your feature request related to a problem? Please describe.

In Azure you can connect your AKS cluster to an Azure Container Registry by granting the agent pool managed identity pull permission on the ACR. However, this only works if the AKS cluster and the ACR are in the same tenant.

Describe the solution you'd like

Extend workload identity with the capability to request and renew a token for a container registry using federated credentials and create or patch a Kubernetes pull secret with the token on an interval. Add the pull secret to the annotated service account. See: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account

Example config:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa
  annotations:
    azure.workload.identity/use-acr: "true"
    azure.workload.identity/tenant-id: ${USER_ASSIGNED_TENANT_ID}
    azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}
    azure.workload.identity/acr-tenant-id: ${USER_ASSIGNED_ACR_PULL_TENANT_ID} # optional, if use-acr is true but acr-tenant-id is missing tenant-id would be used instead
    azure.workload.identity/acr-client-id: ${USER_ASSIGNED_ACR_PULL_CLIENT_ID} # optional, if use-acr is true but acr-client-id is missing client-id would be used instead
---
apiVersion: v1
kind: Pod
metadata:
  name: httpbin-pod
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: workload-identity-sa
  containers:
  - name: nginx
    image: myprivateregistry.azure.cr/nginx:alpine # allowed to pull because sa workload-identity-sa receives image pull secret with valid token from workload identity
    ports:
    - containerPort: 80

Describe alternatives you've considered

Build it myself, e.g. by following https://blogs.sap.com/2022/09/01/use-kubernetes-service-accounts-in-combination-with-oidc-identity-federation-for-imagepullsecrets/

Additional context
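The token chain the request describes, as an added example for this thread rather than code from the azure-workload-identity project: the projected service account token is exchanged for an AAD access token through the federated credential, that token is exchanged for an ACR refresh token, and the result is wrapped in a kubernetes.io/dockerconfigjson Secret. Assumptions: the ACR_TENANT_ID, ACR_CLIENT_ID and ACR_REGISTRY environment variables and the Secret name are hypothetical stand-ins for the proposed annotations; the AZURE_* variables are the ones the workload identity webhook already injects.

```python
import base64, json, os, urllib.parse, urllib.request

ACR_TOKEN_USER = "00000000-0000-0000-0000-000000000000"  # fixed username when the password is an ACR refresh token
AAD_SCOPE = "https://management.azure.com/.default"       # ARM-audience token, accepted by ACR's /oauth2/exchange

def post_form(url, fields):
    """POST x-www-form-urlencoded fields and parse the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def aad_token_request(tenant_id, client_id, federated_token):
    """Client-assertion request: the projected SA token proves the pod's identity to AAD."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token", {
        "grant_type": "client_credentials", "client_id": client_id, "scope": AAD_SCOPE,
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": federated_token}

def acr_exchange_request(registry, tenant_id, aad_token):
    """Exchange the AAD access token for an ACR refresh token (the docker-login password)."""
    return f"https://{registry}/oauth2/exchange", {"grant_type": "access_token", "service": registry,
                                                   "tenant": tenant_id, "access_token": aad_token}

def pull_secret_manifest(name, namespace, registry, refresh_token):
    """kubernetes.io/dockerconfigjson Secret that the ServiceAccount's imagePullSecrets can reference."""
    auth = base64.b64encode(f"{ACR_TOKEN_USER}:{refresh_token}".encode()).decode()
    cfg = {"auths": {registry: {"username": ACR_TOKEN_USER, "password": refresh_token, "auth": auth}}}
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
            "metadata": {"name": name, "namespace": namespace},
            "data": {".dockerconfigjson": base64.b64encode(json.dumps(cfg).encode()).decode()}}

def decode_pull_secret(manifest):
    """Inverse of pull_secret_manifest: the auths map the kubelet would read."""
    return json.loads(base64.b64decode(manifest["data"][".dockerconfigjson"]))["auths"]

if __name__ == "__main__":
    # AZURE_* variables are injected by the workload identity webhook; ACR_* are hypothetical
    # overrides mirroring the proposed acr-tenant-id / acr-client-id annotations.
    with open(os.environ["AZURE_FEDERATED_TOKEN_FILE"]) as f:
        sa_token = f.read().strip()
    tenant = os.environ.get("ACR_TENANT_ID", os.environ["AZURE_TENANT_ID"])
    client = os.environ.get("ACR_CLIENT_ID", os.environ["AZURE_CLIENT_ID"])
    registry = os.environ["ACR_REGISTRY"]  # e.g. myregistry.azurecr.io
    aad = post_form(*aad_token_request(tenant, client, sa_token))["access_token"]
    acr = post_form(*acr_exchange_request(registry, tenant, aad))["refresh_token"]
    # ACR refresh tokens expire, so this must run on an interval and overwrite the Secret each time.
    print(json.dumps(pull_secret_manifest("acr-pull", "default", registry, acr)))
```

Pipe the output into `kubectl apply -f -` and list the Secret under the ServiceAccount's imagePullSecrets; because the stored refresh token grants registry access to anyone who can read the Secret, the identity it is minted for should hold only the AcrPull role in the ACR tenant.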

Shaked commented 9 months ago

Hi, any plans to support this at some point? This is a great feature.

sainipankaj90k commented 3 months ago

Any update on supporting this one? cc: @aramase

arattanpal commented 3 months ago

Same, looking for this solution. MS supports integration to other resources using WI but not to ACR, which is weird.