Closed cdlliuy closed 6 days ago
@cdlliuy This repo is for the mutating webhook configuration in Azure Workload Identity. For FIC configuration, I would recommend reaching out to the Entra team.
Describe the bug
I am referring to the sample code for the MI + FIC approach to access, from tenant A, an Azure resource in another tenant B.
When working with aad-pod-identity, the sample code works correctly and gets the expected access token.
Then, I followed the workload identity migration guide today (June 3rd, 2024) https://learn.microsoft.com/en-us/azure/aks/workload-identity-migrate-from-pod-identity with image version: workload-identity/webhook:v1.2.2.
Running the same application, I got a failure:
Steps To Reproduce
See the above description.
Expected behavior
I understand that the double hop is not supported, but this behavior means an application that was running successfully on aad-pod-identity no longer works with workload identity.
It is a bigger risk for the end-user.
Also, MI-FIC is the recommended approach from a security perspective. How can it be explained that it no longer works on AKS when workload identity is enabled?
Logs

Environment
kubectl version:
cat /etc/os-release:
uname -a:

Additional context