Skip to content

added multiple azure managed identities documentation #688

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jetstack-bot merged 5 commits into from
Sep 3, 2021
Merged

added multiple azure managed identities documentation #688

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
b4cf820
add multiple azure managed identities docs
tomasfreund Aug 25, 2021
990386c
remove word as per code review suggestion
tomasfreund Aug 25, 2021
6893e8c
remove word as per code review suggestion
tomasfreund Aug 25, 2021
73036b0
Quote the words clientID and resourceID to satisfy the spell checker
wallrj Sep 3, 2021
ee75bf5
Whitespace cleanup
wallrj Sep 3, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 22 additions & 8 deletions content/en/docs/configuration/acme/dns01/azuredns.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ kind: AzureIdentity
metadata:
annotations:
# recommended to use namespaced identites https://azure.github.io/aad-pod-identity/docs/configure/match_pods_in_namespace/
aadpodidentity.k8s.io/Behavior: namespaced
aadpodidentity.k8s.io/Behavior: namespaced
name: certman-identity
namespace: cert-manager # change to your preferred namespace
spec:
Expand Down Expand Up @@ -136,13 +136,12 @@ spec:

## Managed Identity Using AKS Kubelet Identity

When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory.
When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory.

There are some caveats with this approach, these mainly being:

- You will need to ensure only 1 managed identity is assigned to the node pool. This is due to cert-manager not currently being able to select the identity to use
- Any permissions granted to this identity will also be accessible to all containers running inside the Kubernetes cluster.
- Using AKS extensions like `Kube Dashboard` will not work with this method as this creates an additional identity that is assigned to the node pools.
- Using AKS extensions like `Kube Dashboard`, `Virtual Node`, or `HTTP Application Routing` (see full list [here](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities)) will create additional identities that are assigned to your node pools. If your node pools have more than one identity assigned, you will need to specify either `clientID` or `resourceID` to select the correct one.

To set this up, firstly you will need to retrieve the identity that the kubelet is using by querying the AKS cluster. This can then be used to create the appropriate permissions in the DNS zone.

Expand All @@ -156,7 +155,7 @@ ZONE_ID=$(az network dns zone show --name $ZONE_NAME --resource-group $ZONE_GROU

# Create role assignment
az role assignment create --role "DNS Zone Contributor" --assignee $PRINCIPAL_ID --scope $ZONE_ID
```
```

- Example terraform:
```terraform
Expand All @@ -174,13 +173,22 @@ resource "azurerm_kubernetes_cluster" "cluster" {

resource "azurerm_role_assignment" "dns_contributor" {
scope = var.dns_zone_id
role_definition_name = "DNS Zone Contributor"
principal_id = azurerm_kubernetes_cluster.cluster.kubelet_identity[0].object_id
role_definition_name = "DNS Zone Contributor"
principal_id = azurerm_kubernetes_cluster.cluster.kubelet_identity[0].object_id
skip_service_principal_aad_check = true # Allows skipping propagation of identity to ensure assignment succeeds.
}
```

Then when creating the cert-manager issuer we only need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone. Example below:
Then when creating the cert-manager issuer we need to specify the `hostedZoneName`, `resourceGroupName` and `subscriptionID` fields for the DNS Zone.

We also need to specify `managedIdentity.clientID` or `managedIdentity.resourceID` if multiple managed identities are assigned to the node pools.

The value for `managedIdentity.clientID` can be fetched by running this command:
```bash
az aks show -n $CLUSTERNAME -g $CLUSTER_GROUP --query "identityProfile.kubeletidentity.clientId" -o tsv
```

Example below:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
Expand All @@ -197,6 +205,12 @@ spec:
hostedZoneName: AZURE_DNS_ZONE
# Azure Cloud Environment, default to AzurePublicCloud
environment: AzurePublicCloud
# optional, only required if node pools have more than 1 managed identity assigned
managedIdentity:
# client id of the node pool managed identity (can not be set at the same time as resourceID)
clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID
# resource id of the managed identity (can not be set at the same time as clientID)
# resourceID: YOUR_MANAGED_IDENTITY_RESOURCE_ID
```

## Service Principal
Expand Down