diff --git a/examples/identity-binding/README.md b/examples/identity-binding/README.md new file mode 100644 index 000000000..61d44e525 --- /dev/null +++ b/examples/identity-binding/README.md @@ -0,0 +1,80 @@ +# Identity Binding Example + +This example demonstrates how to use the Identity Binding feature in an AKS cluster. + +## Prerequisites + +- Please ensure you have the latest preview version of Azure CLI installed. You can follow the instructions [here](https://learn.microsoft.com/cli/azure/aks/extension?view=azure-cli-latest). +- Ensure your subscription has the `Microsoft.ContainerService/IdentityBinding` feature flag enabled. +- Ensure your cluster is enabled with [AKS Workload Identity](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster) feature. + + +> [!NOTE] +> Identity Binding requires preview version of AKS workload identity webhook. Please confirm the following output from the command: +> +> ```bash +> kubectl -n kube-system get pods -l azure-workload-identity.io/system=true -o yaml | grep v1.6.0 +> image: mcr.microsoft.com/oss/v2/azure/workload-identity/webhook:v1.6.0-alpha.1 +> ``` +> +> Seeing `v1.6.0-alpha.1` in the image tag confirms that the preview version of webhook is installed. + +## Steps + +The following steps assume you have already created an AKS cluster `` and managed identity `` under resource group `` and subscription ``. + +We will reference the client id of the managed identity with `` in the following steps. + +### 1. Create identity binding resource + + +```bash +az aks identity-binding create \ + --resource-group \ + --cluster-name \ + --name my-first-ib \ + --managed-identity-resource-id /subscriptions//resourceGroups//providers/Microsoft.ManagedIdentity/userAssignedIdentities/ +``` + +> [!NOTE] +> Successful creation of identity binding resource will result in a federated managed identity credential being created in the managed identity with name `aks-identity-binding`. This federated managed identity credential is required by identity binding feature to work. + +### 2. Configure in-cluster access via ClusterRole and ClusterRoleBinding + +The identity binding feature uses Kubernetes RBAC to control which pods can access which managed identities via a cluster role with the verb `use-managed-identity`. In this step, we will create a cluster role and cluster role binding to grant the `default` service account in the `default` namespace permission to access the managed identity created in the previous step. + +Before deploying the `cluster-role-and-cluster-role-binding.yaml`, please make sure to replace the `` placeholder in the file with the actual client ID of the managed identity. + +```bash +kubectl apply -f cluster-role-and-cluster-role-binding.yaml +clusterrole.rbac.authorization.k8s.io/my-first-ib-cr created +clusterrolebinding.rbac.authorization.k8s.io/my-first-ib-crb created +``` + +### 3. Deploy sample application Pod + +Following the same step from the [Azure workload identity documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#grant-permissions-to-access-azure-key-vault), we will deploy a sample pod that uses the managed identity to access a secret from an Azure Key Vault. +Please make sure to replace the `` and `REPLACE_WITH_SECRET_NAME` placeholders in the `pod.yaml` file with your actual Key Vault name and secret name. + +```bash +kubectl apply -f pod.yaml +pod/my-first-ib-pod created +``` + +> [!NOTE] +> Compared with the original workload identity example, the following highlights the differences when using the identity binding feature: +> ```diff +> kind: Pod +> metadata: +> labels: +> azure.workload.identity/use: "true" +> + annotations: +> + azure.workload.identity/use-identity-binding: "true" +> ``` + +### 4. Verify the sample application Pod + +```bash +kubectl logs my-first-ib-pod +I1107 20:03:42.865180 1 main.go:77] "successfully got secret" secret="Hello!" +``` \ No newline at end of file diff --git a/examples/identity-binding/cluster-role-and-cluster-role-binding.yaml b/examples/identity-binding/cluster-role-and-cluster-role-binding.yaml new file mode 100644 index 000000000..3bd370f3a --- /dev/null +++ b/examples/identity-binding/cluster-role-and-cluster-role-binding.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: my-first-ib-cr +rules: + - verbs: ["use-managed-identity"] + apiGroups: ["cid.wi.aks.azure.com"] + resources: [""] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: my-first-ib-crb +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: my-first-ib-cr +subjects: + - kind: ServiceAccount + name: default + namespace: default \ No newline at end of file diff --git a/examples/identity-binding/pod.yaml b/examples/identity-binding/pod.yaml new file mode 100644 index 000000000..01720fac7 --- /dev/null +++ b/examples/identity-binding/pod.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Pod +metadata: + name: my-first-ib-pod + namespace: default + labels: + azure.workload.identity/use: "true" + annotations: + azure.workload.identity/use-identity-binding: "true" +spec: + serviceAccount: default + containers: + - name: azure-sdk + # source code: https://github.com/Azure/azure-workload-identity/blob/feature/custom-token-endpoint/examples/identitybinding-msal-go/main.go + image: ghcr.io/bahe-msft/azure-workload-identity/identitybinding-msal-go@sha256:d8a262e2aed015790335650f1d1221cbf9270ee209993337e4c6055b39dd00ae + env: + - name: KEYVAULT_URL + # Replace YOUR_KEYVAULT_NAME with your actual Azure Key Vault name + value: https://YOUR_KEYVAULT_NAME.vault.azure.net/ + - name: SECRET_NAME + # Replace with the name of your Key Vault secret + value: REPLACE_WITH_SECRET_NAME + restartPolicy: Never \ No newline at end of file