Workload identity support namespaced service account #39
Conversation
RichardChen820
force-pushed
the
user/junbchen/workloadIdentity
branch
from
0a4d31f to
108c727
Compare
deploy/templates/deployment.yaml
Outdated
| - name: WORKLOAD_IDENTITY_ENABLED | ||
| value: {{ .Values.workloadIdentity.enabled }} | ||
| - name: WORKLOAD_IDENTITY_CUSTOM_SERVICE_ACCOUNT_ONLY | ||
| value: {{ .Values.workloadIdentity.allowCustomServiceAccount }} |
There was a problem hiding this comment.
It's customServiceAccountOnly in helm-value.yaml file, not allowCustomServiceAccount.
| tenantId := serviceAccountObj.Annotations[AnnotationTenantID] | ||
| getAssertionFunc := newGetAssertionFunc(serviceAccountNamespace, serviceAccountName) | ||
|
|
||
| clientAssertionCredential, err := azidentity.NewClientAssertionCredential(tenantId, clientId, getAssertionFunc, nil) |
There was a problem hiding this comment.
I am not sure the usage of clientAssertionCredential,for authenticating both service principal and workload identity?
| return "", err | ||
| } | ||
|
|
||
| token, err := kubeClient.CoreV1().ServiceAccounts(serviceAccountNamespace).CreateToken(ctx, serviceAccountName, &authv1.TokenRequest{ |
There was a problem hiding this comment.
Will the service account token expire?
There was a problem hiding this comment.
It may expire, but since we reuse the appconfig.client, once the tokenCredential expires, but will try to acquire new AAD token, then it will call the callback to get a new service account token as well, so we do not need to worry about service account expires or not.
| return nil, err | ||
| } | ||
|
|
||
| clientId := serviceAccountObj.ObjectMeta.Annotations[AnnotationClientID] |
There was a problem hiding this comment.
Can we add the check for AnnotationClientID and AnnotationTenantID? They may not exist.
| } | ||
|
|
||
| if _, ok := serviceAccountObj.Annotations[AnnotationTenantID]; ok { | ||
| tenantId = serviceAccountObj.Annotations[AnnotationTenantID] |
There was a problem hiding this comment.
What's the difference bewteen the AzureTenantId from pod config and AnnotationTenantID from service account?
There was a problem hiding this comment.
You can imagine that the AzureTenantId from pod is global, the AnnotationTenantID is for each specific service account. If users uses the same tenantID for all service account, it just need to use the global one, no need to specify in every service account
There was a problem hiding this comment.
to be honest, I cannot think of a case when a different tenant id is used. Technically it has to be the same tenantId.
There was a problem hiding this comment.
I do a bit change to this, hope this make sense to you
| @@ -492,11 +493,22 @@ func newClientAssertionCredential(ctx context.Context, serviceAccountName string | |||
| return nil, err | |||
| } | |||
|
|
|||
| clientId := serviceAccountObj.ObjectMeta.Annotations[AnnotationClientID] | |||
| tenantId := serviceAccountObj.Annotations[AnnotationTenantID] | |||
| tenantId, ok := os.LookupEnv(strings.ToUpper(AzureTenantId)) | |||
There was a problem hiding this comment.
Why the tenantId is required?
There was a problem hiding this comment.
Good question, the tenantId is there if enable the cluster workload identity, but need confirm it.
There was a problem hiding this comment.
Confirmed, once the workload identity is enabled, the tenantId should be there, and the existing way we support for workload identity also relies on this tenantId
There was a problem hiding this comment.
If namespaced service account is used, is the value of tenantId same as AnnotationTenantID from service account? If customers need to explicitly set this value, will users from other namespace can get the tenantId through kubectl describe po k8sproviderpodxxxx?
There was a problem hiding this comment.
I don't quite get your question. tenantId if for global, each service account could overwrite is by setting AnnotationTenantID
internal/controller/utils.go
Outdated
|
|
||
| if workloadIdentity.ManagedIdentityClientId != nil { | ||
| if strings.EqualFold(os.Getenv(WorkloadIdentityDisableGlobalServiceAccount), "true") { | ||
| return loader.NewArgumentError("auth.workloadIdentity.managedIdentityClientId", fmt.Errorf("managedIdentityClientId is not allowed since only custom service account is allowed")) |
There was a problem hiding this comment.
should we avoid "custom service account"? some like "since global service account is disabled" to keep consistent with the installation flag.
| } | ||
|
|
||
| func newGetAssertionFunc(serviceAccountNamespace string, serviceAccountName string) func(ctx context.Context) (string, error) { | ||
| audiences := []string{AzureDefaultAudience} |
There was a problem hiding this comment.
the name is a little misleading. it's not default audience of Azure. I believe https://management.azure.com is the actual default for control plane. ApiTokenExchangeAudience?
There was a problem hiding this comment.
Make sense, updated.
RichardChen820
force-pushed
the
user/junbchen/workloadIdentity
branch
3 times, most recently
from
8eca86e to
1fcf377
Compare
RichardChen820
force-pushed
the
user/junbchen/workloadIdentity
branch
from
1fcf377 to
29a03e9
Compare
* Not running on windows node (#30) * Bump up version to 2.0.0-preview (#42) * Workload identity support namespaced service account (#39) * Workload identity support namespaced service account * feedback * Feedback * Upgrade package (#44) * fix vulnerability * fix go version * update * update * update * update * update * update controller runtime * upgrade azsecrets package * update ci * update patched version * update * revert version * upgrade packages * update ci * revert * deduplicate feature flags (#50) * Treat get settings from one client failure as warning (#48) * Add node affinity and toleration configuration (#46) * K8s provider conformance test plugin (#43) * k8s provider conformance test plugin * rename * remove docker hub dependency * replace curl with wget * add version file * Setup golangci lint action (#51) * setup golangci lint action * fix linting error * update ci * update * add lint in makefile * Add Correlation Context header for extension (#47) * Add Correlation Context header for extension * Add more context * Add Host and RequestType in correlation context * Remove the kv refresh * update extension test plugin conformance file (#52) * added timeout parameter in golintCI (#54) * Revise the error message for selector object verification (#56) * Bump up version to 2.0.0 (#58) * Add data collection section in readme (#57) * Require to opt-in for the global service account (#60) * Require to opt in the global service account * Rename * Fix vulnerability (#68) * fix vulnerability * specify go version in golang lint ci --------- Co-authored-by: Richard chen <[email protected]>
Workload identity support namespaced service account