
Support for Pod Identity Add On for AKS #9885

Closed
piizei opened this issue Dec 16, 2020 · 9 comments · Fixed by #11492 or #18742

Comments

@piizei

piizei commented Dec 16, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Please support the Pod Identity Add-On for AKS

New or Affected Resource(s)

  • azurerm_kubernetes_cluster

Potential Terraform Configuration

resource "azurerm_kubernetes_cluster" "aks" {

  addon_profile {
    kube_dashboard {
      enabled = true
    }
    azure_policy {
      enabled = true
    }

    pod_identity {
      enabled = true
      principal_id = azurerm_user_assigned_identity.podid.principal_id
    }

  }

}

References


@avinashpancham

avinashpancham commented Sep 20, 2021

Is there a timeline for Pod Identity on AKS being supported by Terraform? I understand that Azure will release a V2 of Pod Identity but that will only be available in Q2 of 2022, which is between 6 and 9 months away.

If the idea is to wait till Q2 of 2022, then having a recommended temporary method to turn this on would be nice, even if it would just be as shown below.

resource "azurerm_kubernetes_cluster" "default" {
  name                   = "my_cluster"
  location               = "westeurope"
  ...

  provisioner "local-exec" {
    command = "az aks update -g my_resource_group -n my_cluster --enable-pod-identity"
  }
}

@avinashpancham

avinashpancham commented Sep 28, 2021

For anyone struggling with this: I found that Azure also shares this functionality as a Helm chart. So you can just create a regular AKS cluster with Terraform's azurerm provider and, instead of enabling the pod-identity by adding the local-exec as above, you apply the following Helm chart with the Kubernetes Helm provider. IMO this is more in line with how you should use Terraform.

resource "helm_release" "aad-pod-identity" {
  name       = "aad-pod-identity"
  repository = "https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts"
  chart      = "aad-pod-identity"
  version    = "4.1.5"  # use the latest version at the time of reading
}

Azure offers these Helm charts for multiple preview features that are not yet supported by the AKS resource in the azurerm provider. Next to Azure Pod Identity, a Helm chart is for example also available for the AKS Secrets Store CSI Driver.

@pdefreitas

@avinashpancham The problem is that, running it in Managed Mode, it seems you have no means to assign multiple user identities to the VMSS created by the cluster.

Does anyone know how to translate this assignment to IaC for this use-case I've mentioned?
az vmss identity assign -g <VM resource group name> -n <VMSS name> --identities <resource ID of managed identity>

@vipulp86

Currently, the Pod Identity add-on (with its k8s resources) on a cluster can be enabled using an Azure preview feature.

But we need a Terraform azurerm resource for the AKS Pod Identity to be assigned to Kubernetes namespaces. As of now it gets assigned via the Azure CLI to individual namespaces.
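The Helm-based install from the comment above and the per-namespace assignment asked for here can be expressed together in Terraform. This is an added example, not code from the issue or from the azurerm provider; it assumes a cluster resource named azurerm_kubernetes_cluster.default (as in the earlier comment), a placeholder resource group name, and that "forceNamespaced" is the chart value that switches the open-source aad-pod-identity chart into namespaced mode (an assumption to verify against the chart's values.yaml).

```hcl
# Added example, not from the issue or the azurerm provider. Assumes helm/kubernetes providers
# point at azurerm_kubernetes_cluster.default; "forceNamespaced" is assumed to be the chart value.
resource "azurerm_user_assigned_identity" "app" {
  name                = "app-identity"
  resource_group_name = "my_resource_group" # placeholder
  location            = "westeurope"
}

# The node pool's kubelet identity must be allowed to use the identity, otherwise
# NMI token requests fail even though the binding exists.
resource "azurerm_role_assignment" "mic_operator" {
  scope                = azurerm_user_assigned_identity.app.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = azurerm_kubernetes_cluster.default.kubelet_identity[0].object_id
}

resource "helm_release" "aad_pod_identity" {
  name       = "aad-pod-identity"
  repository = "https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts"
  chart      = "aad-pod-identity"
  version    = "4.1.5"

  set { # match AzureIdentity objects only from the requesting pod's own namespace
    name  = "forceNamespaced"
    value = "true"
  }
}

resource "kubernetes_manifest" "app_identity" {
  depends_on = [helm_release.aad_pod_identity] # the chart installs the CRDs
  manifest = {
    apiVersion = "aadpodidentity.k8s.io/v1"
    kind       = "AzureIdentity"
    metadata   = { name = "app-identity", namespace = "app" }
    spec = {
      type       = 0 # 0 = user-assigned managed identity
      resourceID = azurerm_user_assigned_identity.app.id
      clientID   = azurerm_user_assigned_identity.app.client_id
    }
  }
}

resource "kubernetes_manifest" "app_identity_binding" {
  depends_on = [helm_release.aad_pod_identity]
  manifest = {
    apiVersion = "aadpodidentity.k8s.io/v1"
    kind       = "AzureIdentityBinding"
    metadata   = { name = "app-identity-binding", namespace = "app" }
    spec       = { azureIdentity = "app-identity", selector = "app-identity" } # pods opt in with label aadpodidbinding: app-identity
  }
}
```

Because kubernetes_manifest needs the CRDs to exist at plan time, the first apply on a fresh cluster has to create the helm_release before the two manifests (for example by targeting it first).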

@katbyte
Collaborator

katbyte commented Apr 6, 2022

@vipulp86 - that is for the older v1 pod identity feature. As mentioned in the linked documentation, it will be replaced by the new Azure AD Workload Identity API, which is scheduled for public preview sometime this month - once that's out we intend to look into implementing it.

@Vegoo89
Contributor

Vegoo89 commented Jun 6, 2022

I follow the topic regarding Workload Identity and it seems that support for Managed Identity won't be added before 9/30.
If someone implements support for the V1 addon, would it be possible to merge the changes, or do you not want to touch V1 at all?

Right now - for me - to make it work I have to call the Azure management API to update the cluster to use the addon along with identities and exceptions, which is far from an ideal solution.

I saw a pretty good merge request that was closed already and am just wondering :)

@github-actions

This functionality has been released in v3.27.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 13, 2022