Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
Describe the bug
I am using workload identity on a deployment running on an AKS cluster, setting the required annotations and labels on the svc and deployment. The webhook pods are running in the kube-system namespace and inject all environment variables except AZURE_CLIENT_ID.
Steps To Reproduce
1. Enable workload identity and the OIDC issuer on the AKS cluster.
2. Set up the SVC account, deployment, and federated credential for the service account.
3. The AZURE_CLIENT_ID env variable is not set in the running pod.
Expected behavior
AZURE_CLIENT_ID env variable should be set.
Describe output of pod:

```
dipti@dipti-Virtual-Machine-2:~$ kubectl describe pod source-controller-c69445fb-xc95n -n source-system
Name:             source-controller-c69445fb-xc95n
Namespace:        source-system
Priority:         0
Service Account:  default
Node:             aks-nodepool1-90542042-vmss000000/10.224.0.5
Start Time:       Wed, 22 May 2024 15:20:10 -0700
Labels:           app=source-controller
                  **azure.workload.identity/use=true**
                  pod-template-hash=c69445fb
Annotations:      prometheus.io/port: 8080
                  prometheus.io/scrape: true
Status:           Running
IP:               10.244.1.28
IPs:
  IP:  10.244.1.28
Controlled By:  ReplicaSet/source-controller-c69445fb
Containers:
  manager:
    Container ID:    containerd://ae86627c9aebc6693387e63ea5b910558aac0c95288e7c38437100c670dcace0
    Image:           diptipaiacr.azurecr.io/source-controller:6.3
    Image ID:        diptipaiacr.azurecr.io/source-controller@sha256:8fe0a6da38c86d8ce11c8de952ca34d3da4742faf24c2399778399a1815d94dd
    Ports:           9090/TCP, 8080/TCP, 9440/TCP
    Host Ports:      0/TCP, 0/TCP, 0/TCP
    SeccompProfile:  RuntimeDefault
    Args:
      --watch-all-namespaces
      --log-level=info
      --log-encoding=json
      --enable-leader-election
      --storage-path=/data
      --storage-adv-addr=source-controller.$(RUNTIME_NAMESPACE).svc.cluster.local.
    State:          Running
      Started:      Wed, 22 May 2024 15:20:10 -0700
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     1
      memory:  1Gi
    Requests:
      cpu:     50m
      memory:  64Mi
    Environment:
      RUNTIME_NAMESPACE:           source-system (v1:metadata.namespace)
      TUF_ROOT:                    /tmp/.sigstore
      XDG_CONFIG_HOME:             /tmp/dlv
      AZURE_CONFIG_DIR:            /tmp/.azure
      **AZURE_CLIENT_ID:
      AZURE_TENANT_ID:             72f988bf-86f1-41af-91ab-2d7cd011db47
      AZURE_FEDERATED_TOKEN_FILE:  /var/run/secrets/azure/tokens/azure-identity-token
      AZURE_AUTHORITY_HOST:        https://login.microsoftonline.com/**
    Mounts:
      /data from data (rw)
      /tmp from tmp (rw)
      /var/run/secrets/azure/tokens from azure-identity-token (ro)
      /var/run/secrets/kubernetes.io/serviceaccount from kube-api-access-zlhf8 (ro)
Conditions:
  Type              Status
  Initialized       True
  Ready             True
  ContainersReady   True
  PodScheduled      True
Volumes:
  data:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  tmp:
    Type:       EmptyDir (a temporary directory that shares a pod's lifetime)
    Medium:
    SizeLimit:  <unset>
  kube-api-access-zlhf8:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3607
    ConfigMapName:           kube-root-ca.crt
    ConfigMapOptional:       <nil>
    DownwardAPI:             true
  azure-identity-token:
    Type:                    Projected (a volume that contains injected data from multiple sources)
    TokenExpirationSeconds:  3600
QoS Class:                   Burstable
Node-Selectors:              <none>
Tolerations:                 node.kubernetes.io/memory-pressure:NoSchedule op=Exists
                             node.kubernetes.io/not-ready:NoExecute op=Exists for 300s
                             node.kubernetes.io/unreachable:NoExecute op=Exists for 300s
Events:
  Type    Reason     Age   From               Message
  ----    ------     ----  ----               -------
  Normal  Scheduled  15s   default-scheduler  Successfully assigned source-system/source-controller-c69445fb-xc95n to aks-nodepool1-90542042-vmss000000
  Normal  Pulled     15s   kubelet            Container image "diptipaiacr.azurecr.io/source-controller:6.3" already present on machine
  Normal  Created    15s   kubelet            Created container manager
  Normal  Started    15s   kubelet            Started container manager
```
Environment
Kubernetes version (use `kubectl version`):

```
dipti@dipti-Virtual-Machine-2:~$ kubectl version
Client Version: v1.30.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.9
WARNING: version difference between client (1.30) and server (1.28) exceeds the supported minor version skew of +/-1
```
Cloud provider or hardware configuration: AKS

OS (e.g. `cat /etc/os-release`):

```
dipti@dipti-Virtual-Machine-2:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
```

Kernel (e.g. `uname -a`):

```
Linux dipti-Virtual-Machine-2 6.5.0-1021-azure #22~22.04.1-Ubuntu SMP Tue Apr 30 16:08:18 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
```

Install tools:

Network plugin and version (if this is a network-related bug):

Others:
Additional context
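The describe output above shows the pod running as `Service Account: default` while carrying the `azure.workload.identity/use=true` label. Per the project's documentation, the mutating webhook only acts on pods with that label, and it takes `AZURE_CLIENT_ID` from the `azure.workload.identity/client-id` annotation on the pod's own service account (and `AZURE_TENANT_ID` from the `azure.workload.identity/tenant-id` annotation, falling back to the tenant configured on the webhook). The following is an added example, not code from the azure-workload-identity project or from this report, that emulates that lookup so the injected environment can be predicted from the manifests before a pod is deployed. The service-account and deployment values (`source-controller` SA, client and tenant IDs) are constructed placeholders.

```python
"""Emulate the azure-workload-identity webhook's env-var injection (added example).

Follows the documented behaviour: mutate only pods labelled
azure.workload.identity/use=true; read the client ID (and optionally the
tenant ID) from annotations on the pod's service account; fall back to the
webhook's configured tenant when the service account has no tenant annotation.
All manifest values are constructed placeholders, not real identities.
"""
from dataclasses import dataclass, field

USE_LABEL = "azure.workload.identity/use"
CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"
TENANT_ID_ANNOTATION = "azure.workload.identity/tenant-id"
TOKEN_FILE = "/var/run/secrets/azure/tokens/azure-identity-token"
AUTHORITY_HOST = "https://login.microsoftonline.com/"


@dataclass
class ServiceAccount:
    name: str
    namespace: str
    annotations: dict = field(default_factory=dict)


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict = field(default_factory=dict)
    # Kubernetes assigns the "default" service account when none is named.
    service_account_name: str = "default"


def injected_env(pod, service_accounts, webhook_tenant_id):
    """Return the env vars the webhook would add, or None if the pod is not opted in."""
    if pod.labels.get(USE_LABEL) != "true":
        return None
    sa = service_accounts.get((pod.namespace, pod.service_account_name))
    annotations = sa.annotations if sa else {}
    return {
        # Injected even when the annotation is absent, which yields an empty value
        # (the symptom seen in the describe output).
        "AZURE_CLIENT_ID": annotations.get(CLIENT_ID_ANNOTATION, ""),
        "AZURE_TENANT_ID": annotations.get(TENANT_ID_ANNOTATION, webhook_tenant_id),
        "AZURE_FEDERATED_TOKEN_FILE": TOKEN_FILE,
        "AZURE_AUTHORITY_HOST": AUTHORITY_HOST,
    }


def diagnose(pod, service_accounts, webhook_tenant_id):
    """Explain an empty or missing AZURE_CLIENT_ID in terms of the inputs."""
    env = injected_env(pod, service_accounts, webhook_tenant_id)
    if env is None:
        return f"pod lacks label {USE_LABEL}=true; webhook skips it"
    if env["AZURE_CLIENT_ID"]:
        return "ok"
    if (pod.namespace, pod.service_account_name) not in service_accounts:
        return f"service account {pod.service_account_name!r} not found in {pod.namespace}"
    return (f"pod runs as service account {pod.service_account_name!r}, "
            f"which has no {CLIENT_ID_ANNOTATION} annotation")


# Constructed sample cluster state: an annotated SA that was created for the
# workload, plus the namespace's unannotated default SA.
WEBHOOK_TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder
SAMPLE_SAS = {
    ("source-system", "default"): ServiceAccount("default", "source-system"),
    ("source-system", "source-controller"): ServiceAccount(
        "source-controller", "source-system",
        {CLIENT_ID_ANNOTATION: "11111111-1111-1111-1111-111111111111"},  # placeholder
    ),
}

# Pod as observed in the report: labelled, but running as the default SA.
POD_ON_DEFAULT_SA = Pod("source-controller-c69445fb-xc95n", "source-system",
                        {USE_LABEL: "true"})
# Same pod with serviceAccountName pointing at the annotated SA.
POD_ON_ANNOTATED_SA = Pod("source-controller-c69445fb-xc95n", "source-system",
                          {USE_LABEL: "true"}, "source-controller")

if __name__ == "__main__":
    for pod in (POD_ON_DEFAULT_SA, POD_ON_ANNOTATED_SA):
        print(pod.service_account_name, "->", diagnose(pod, SAMPLE_SAS, WEBHOOK_TENANT))
        print("   ", injected_env(pod, SAMPLE_SAS, WEBHOOK_TENANT))
```

Running it prints an empty `AZURE_CLIENT_ID` for the pod on the default service account and the annotated client ID once `serviceAccountName` selects the annotated account; the same check can be applied to a deployment's pod template and the service accounts in its namespace before rollout.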