Available from 1.5 release
Goal: To enable user to use a separate service principal (aad-pod-identity admin service principal) other than the cluster service princial and to move away from /etc/kubernetes/azure.json
Users now have the option to deploy aad-pod-identity with a separate service principal which is together with its secret and other configurations stored in a Kubernetes secret object.
The permission of the admin service principal needs to be 'Contributor' role over the scope of node resource group starting with "MC_".
Create a new service principal with the permission:
az ad sp create-for-rbac -n "<sp_name>" --role "Contributor" --scopes "/subscriptions/<subscription-id>/resourceGroups/<MC_node_resource_group>"
Note the
(client id),password
(secret) andtenant
from the resulting json, which will be used in creating the admin secret.
Or assign the permission for an existing service principal:
az role assignment create --role "Contributor" --assignee <sp_id> --scope "/subscriptions/<subscription-id>/resourceGroups/<MC_node_resource_group>"
For any subsequent user assigned managed identity that's intended for a pod, it's also required to grant the service principal 'Managed Identity Operator' permission (also stated here):
az role assignment create --role "Managed Identity Operator" --assignee <sp_id> --scope <resource id of the managed identity>
The aadpodidentity-admin-secret
contains the following fields:
- Cloud:
- 'Cloud' should be chosen from the following case-insensitive values:
(values taken from here).
- 'Cloud' should be chosen from the following case-insensitive values:
- SubscriptionID:
- ResourceGroup:
- 'ResourceGroup' is the node resource group where the actual virtual machines or virtual machine scale set resides.
- VMType:
- 'VMType' is optional and can be one of these values:
for normal virtual machine nodes, andvmss
for cluster deployed with a virtual machine scale set.
- 'VMType' is optional and can be one of these values:
- TenantID:
- ClientID:
- ClientSecret:
- 'TenantID', 'ClientID' and 'ClientSecret' are service principal's
- 'TenantID', 'ClientID' and 'ClientSecret' are service principal's
echo -n 'secret-content' | base64
to create a base64 encoded string.
Fill out those secret values in the /deploy/infra/noazurejson/deployment.yaml or /deploy/infra/noazurejson/deployment-rbac.yaml before executing kubectl create -f ./deploy/infra/noazurejson/deployment.yaml
or kubectl create -f ./deploy/infra/noazurejson/deployment-rbac.yaml
Note that if not use the above yaml's,
must be created before deployingmic
must reference the secret as shown in the yaml's.
The secret will be injected as an environment variable into mic
upon pod creation and cannot be updated during the lifecycle of mic
. However, redeploying mic
should pick up the updated service principal's information should they change.