Support for exposing the kubelet identity for AKS cluster with MSI #6371

Closed
aristosvo opened this issue Apr 6, 2020 · 6 comments · Fixed by #6393
Comments

@aristosvo
Collaborator

aristosvo commented Apr 6, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

For the MSI it would make sense to also expose the identity profile with kubelet identity.

One of the reasons to add this is for aad-pod-identity enablement, as role assignments must be set on this identity in order to use aad-pod-identity, as described here.

A tutorial on aad-pod-identity with MSI on AKS with an example application can be found here; it will be updated or extended to configuration with Terraform after this issue is fixed.

The kubelet identity is exposed from the API:

"identityProfile": {
  "kubeletidentity": {
    "clientId": "00000000000000000000000000000000",
    "objectId": "0000000000000000000000000000000",
    "resourceId": "/subscriptions/00000000000000000000000/resourcegroups/MC_xxxxxxxx_westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/xxxxxx-agentpool"
  }
},

New or Affected Resource(s)

  • azurerm_kubernetes_cluster

Potential Terraform Configuration

The identity_profile block exports the following:

  • kubelet_identity - A kubelet_identity block

The kubelet_identity block exports the following:

  • client_id - The client id of the user-defined Managed Identity of the kubelet.
  • object_id - The object id of the user-defined Managed Identity of the kubelet.
  • resource_id - The resource id of the user-defined Managed Identity of the kubelet.

References

@jmcshane
Contributor

jmcshane commented Apr 7, 2020

Just to leave a comment on why this is important, role assignments must be set on this identity in order to use aad-pod-identity, as described here: https://github.com/Azure/aad-pod-identity/blob/master/docs/readmes/README.msi.md#pre-requisites---role-assignments

The workaround that I am doing right now is adding a datasource that pulls in the user assigned identity from the MC resource group after AKS cluster provisioning.
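
The workaround described above, written out as an added example (this is not code from the issue, the provider, or aad-pod-identity): look up the kubelet's user-assigned identity from the node (MC_*) resource group once the cluster exists, then grant it the role assignments the aad-pod-identity MSI README asks for. The resource group name, cluster name, location, VM size, and the "<cluster>-agentpool" naming pattern of the kubelet identity are assumptions for illustration; confirm the identity name in your own node resource group and the exact roles against the linked README.

```hcl
# Added example, not part of the original issue. Names, location, VM size and the
# "<cluster>-agentpool" identity naming pattern are assumptions for illustration.

resource "azurerm_resource_group" "example" {
  name     = "rg-aks-example"
  location = "westeurope"
}

resource "azurerm_kubernetes_cluster" "example" {
  name                = "aks-example"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "aksexample"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_DS2_v2"
  }

  # Managed Service Identity instead of a service principal. With this setting AKS
  # creates a user-assigned identity for the kubelet in the node resource group,
  # which is the identity this issue asks the provider to export.
  identity {
    type = "SystemAssigned"
  }
}

# Workaround from the thread: read the kubelet identity back from the node resource
# group after provisioning. resource_group_name is only known after apply, so
# Terraform defers this data source until the cluster exists.
data "azurerm_user_assigned_identity" "kubelet" {
  name                = "${azurerm_kubernetes_cluster.example.name}-agentpool"
  resource_group_name = azurerm_kubernetes_cluster.example.node_resource_group

  depends_on = [azurerm_kubernetes_cluster.example]
}

data "azurerm_resource_group" "node" {
  name = azurerm_kubernetes_cluster.example.node_resource_group
}

# Role assignments for aad-pod-identity on the kubelet identity. Scope them to the
# node resource group (and, if separate, the resource group holding the pod
# identities), not to the subscription: the kubelet can then only assign identities
# to its own VMs/VMSS rather than to any VM in the subscription.
resource "azurerm_role_assignment" "kubelet_mi_operator" {
  scope                = data.azurerm_resource_group.node.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = data.azurerm_user_assigned_identity.kubelet.principal_id
}

resource "azurerm_role_assignment" "kubelet_vm_contributor" {
  scope                = data.azurerm_resource_group.node.id
  role_definition_name = "Virtual Machine Contributor"
  principal_id         = data.azurerm_user_assigned_identity.kubelet.principal_id
}

# Handy for the AzureIdentity manifests aad-pod-identity consumes.
output "kubelet_identity_client_id" {
  value = data.azurerm_user_assigned_identity.kubelet.client_id
}
```

Once the provider exports the kubelet identity directly (the `identity_profile` / `kubelet_identity` block proposed in this issue), the `azurerm_user_assigned_identity` data source above can be dropped and the `principal_id` references replaced with the exported object id; the role assignments and their scoping stay the same.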

@aristosvo
Collaborator Author

@jmcshane Thanks! That's my use case as well, I added it to the description.

I'll probably have time tomorrow to make a PR implementing this functionality.

@syedhassaanahmed

syedhassaanahmed commented Apr 16, 2020

Many thanks for the PR @aristosvo

We also ran into this while trying to use AAD Pod Identity. As part of the PR, can you please also export the kubelet identity in the data source azurerm_kubernetes_cluster?

@tombuildsstuff tombuildsstuff added this to the v2.6.0 milestone Apr 16, 2020
@aristosvo
Collaborator Author

@syedhassaanahmed Thanks! I’ll take a look tonight or tomorrow. I hope the PR is merged by then, so I’ll probably add a separate PR for the data source.

@ghost

ghost commented Apr 16, 2020

This has been released in version 2.6.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
  version = "~> 2.6.0"
}
# ... other configuration ...

@ghost

ghost commented May 17, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators May 17, 2020