Support for Pod Identity Add On for AKS

[piizei]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Please support the Pod Identity Add-On for AKS

New or Affected Resource(s)

• azurerm_kubernetes_cluster

Potential Terraform Configuration

resource "azurerm_kubernetes_cluster" "aks" {

  addon_profile {
    kube_dashboard {
      enabled = true
    }
    azure_policy {
      enabled = true
    }

    pod_identity {
      enabled = true
      principal_id = azurerm_user_assigned_identity.podid.principal_id
    }

  }

}

References

• https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity

[avinashpancham]

Is there a timeline for Pod Identity on AKS being supported by Terraform? I understand that Azure will release a V2 of Pod Identity but that will only be available in Q2 of 2022, which is between 6 and 9 months away.

If the idea is to wait till Q2 of 2022, then having a recommend temporary method to turn this on would be nice, even if it just would be as shown below.

resource "azurerm_kubernetes_cluster" "default" {
  name                   = "my_cluster"
  location               = "westeurope"
  ...

  provisioner "local-exec" {
    command = "az aks update -g my_resource_group -n my_cluster --enable-pod-identity"
  }
}

[avinashpancham]

For anyone struggling with this: I found that Azure also shares this functionality as an Helm chart. So you can just create a regular AKS cluster with Terraform's azurerm provider and instead of enabling the pod-identity by adding the local-exec as above, you apply the following Helm chart with the kubernetes Helm provider. IMO this is more in line with how you should use Terraform.

resource "helm_release" "aad-pod-identity" {
  name       = "aad-pod-identity"
  repository = "https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts"
  chart      = "aad-pod-identity"
  version    = "4.1.5"  # use the latest version at the time of reading
}

Azure offers these Helm charts for multiple preview features that are not yet supported by the AKS resource in the azurerm provider. Next to Azure Pod Identity, a Helm chart is for example also available for the AKS Secrets Store CSI Driver

[pdefreitas]

@avinashpancham The problem is that running it on Managed Mode it seems you have no means to assign multiple user identities to VMSS created by the cluster.

Does anyone know how to translate this assignment to IaC for this use-case I've mentioned?
az vmss identity assign -g <VM resource group name> -n <VMSS name> --identities <resource ID of managed identity>

[vipulp86]

Currently, POD identity(with its k8s resources) add-on on cluster can be enabled using Azure Preview feature.

But we need a terraform azure RM resource for AKS Pod Identity to be assigned to kubernetes namespaces. As of now it gets assigned via azure CLI to individual namespaces.

[katbyte]

@vipulp86 - that is for the older v1 pod identity feature. as mentioned in the linked documentation it will be replaced by the new Azure AD Workload Identity api which is schedule for public preview sometime this month - once thats out we intend to look into implementing it.

[Vegoo89]

I follow the topic regarding Workload Identity and it seems that support for Managed Identity won't be added before 9/30.
If someone implements support for V1 addon, would it be possible to merge the changes or you don't want to touch V1 at all?

Right now - for me - to make it work I have to call Azure management API to update cluster to use the addon along with identities and exceptions, which is far from ideal solution.

I saw pretty good merge request that was closed already and just wondering :)

[github-actions]

This functionality has been released in v3.27.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.