Skip to content

adding workload identity support for vn2#67

Merged
SethHollandsworth merged 1 commit intomainfrom
vn2_workload_identity
Oct 21, 2024
Merged

adding workload identity support for vn2#67
SethHollandsworth merged 1 commit intomainfrom
vn2_workload_identity

Conversation

@SethHollandsworth
Copy link
Copy Markdown
Owner

@SethHollandsworth SethHollandsworth commented Oct 21, 2024

Adding workload identity support. There are 4 env vars and 1 mount. The mount is already added by default at /serviceaccount so all we needed to do was add the env vars.

@SethHollandsworth SethHollandsworth added the enhancement New feature or request label Oct 21, 2024
@SethHollandsworth SethHollandsworth self-assigned this Oct 21, 2024
ksayid
ksayid reviewed Oct 21, 2024
View reviewed changes
ksayid
ksayid reviewed Oct 21, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@ksayid ksayid left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in diff mode, if the difference in policy is due to the workload identity label, the user will get a list of the env vars that are added due to workload identity.

{
  "skr2": {
    "env_rules": [
      "environment variable with rule 'AZURE_CLIENT_ID=.+' is not in the policy",
      "environment variable with rule 'AZURE_TENANT_ID=.+' is not in the policy",
      "environment variable with rule 'AZURE_FEDERATED_TOKEN_FILE=.+' is not in the policy",
      "environment variable with rule 'AZURE_AUTHORITY_HOST=.+' is not in the policy"
    ]
  }
}

do you think the error message should make it more clear that these env vars are linked to the workload identity label azure.workload.identity/use: "true"

@SethHollandsworth
Copy link
Copy Markdown
Owner Author

SethHollandsworth commented Oct 21, 2024

in diff mode, if the difference in policy is due to the workload identity label, the user will get a list of the env vars that are added due to workload identity.

{
  "skr2": {
    "env_rules": [
      "environment variable with rule 'AZURE_CLIENT_ID=.+' is not in the policy",
      "environment variable with rule 'AZURE_TENANT_ID=.+' is not in the policy",
      "environment variable with rule 'AZURE_FEDERATED_TOKEN_FILE=.+' is not in the policy",
      "environment variable with rule 'AZURE_AUTHORITY_HOST=.+' is not in the policy"
    ]
  }
}

do you think the error message should make it more clear that these env vars are linked to the workload identity label azure.workload.identity/use: "true"

That sounds like a whole feature in itself. It would need to be done for other things like privileged/unprivileged, debug mode, stdio, zero sidecars, etc. I'll put it on the list of big things to do if there's time available

ksayid
ksayid approved these changes Oct 21, 2024
View reviewed changes
Copy link
Copy Markdown
Collaborator

@ksayid ksayid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@SethHollandsworth SethHollandsworth merged commit 18d10a4 into main Oct 21, 2024
@SethHollandsworth SethHollandsworth deleted the vn2_workload_identity branch October 21, 2024 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@hgarvison hgarvison hgarvison approved these changes

@ksayid ksayid ksayid approved these changes

@stevendongatmsft stevendongatmsft Awaiting requested review from stevendongatmsft stevendongatmsft is a code owner

Assignees

@SethHollandsworth SethHollandsworth

Labels

enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@SethHollandsworth @hgarvison @ksayid