Support Azure Workload Identities #2724
Comments
karlschriek
added
the
kind/feature
|
We should keep an eye on Azure/go-autorest#680. Once that is merged it should be fairly trivial to implement this.l |
|
I am interested in this, in the scope of testing and updating the tutorial. What would be the contents of |
|
Azure/go-autorest#680 has been merged, the functionality is included in the latest version (github.com/Azure/go-autorest/autorest/adal v0.9.20). I hacked together a solution for this earlier by making the following changes in provider/azure/config.go:
type config struct {
...
UseWorkloadIdentity bool `json:"useWorkloadIdentity" yaml:"useWorkloadIdentity"`
}Add the following section to // Try to retrieve token with AWI
if cfg.UseWorkloadIdentity {
log.Info("Using token provided by Workload Identity.")
resource := "https://management.azure.com"
awiClientId := os.Getenv("AZURE_CLIENT_ID")
awiTenantId := os.Getenv("AZURE_TENANT_ID")
jwtBytes, err := ioutil.ReadFile(os.Getenv("AZURE_FEDERATED_TOKEN_FILE"))
if err != nil {
return nil, fmt.Errorf("Failed to get Azure Workload Identity token for file: %v", err)
}
jwt := string(jwtBytes)
oauthConfig, err := adal.NewOAuthConfig(environment.ActiveDirectoryEndpoint, awiTenantId)
if err != nil {
return nil, fmt.Errorf("failed to retrieve OAuth config: %v", err)
}
token, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, awiClientId, jwt, resource)
return token, nil
}@darkn3rd the way Azure Workload Identities work is that the Service Account attached to the Pod is able to impersonate a Service Principal and fetch a token for that SP, which is injected into the Pod in a file at the location |
|
Looking forward to this; trying out the preview for MI support and hitting blocks like this across various tooling that doesn't support AZWI |
|
Sorry for the long silence, I'll try to make some time to create a PR on this. I want to come back to the issue of refreshing the token. Is there some logic loop within external-dns that can take care of this? I.e., tries to write, fails because of lacking authorization, restarts the flow to get a token which will eventually hit the block of code under |
|
You may want to take a look at KEDA's implementation, specifically There seems to be two different ways they are connecting to Azure with AZWI. Depending on the resource, sometimes they call For everything else (Key Vault, Appinsights, Data Explorer and Azure Monitor) it looks like they implement the I may be wrong here as I haven't dug into their implementation too extensively, but it appears to be fairly basic. The mechanism to use seems to be based upon the type of resource being accessed and what the underlying libs support for it. Those scalers connect to the azure resources multiple times per minute. In the simpler (first) case, it looks like they just read in the token on each new connection. I'm not an expert on their implementation, nor yours... and I'm only a novice in |
|
Just to be really clear, we actually don't need to do anything to refresh the token. The AWI webhook takes care of that. I.e., periodically the contents of the file located at the path stored in So the simplest way to deal with this I think is to make sure that whatever function is calling |
|
Right, this should only be "tricky" if external-dns is caching the file/token, since the AZWI webhook rotates it out as necessary. That said you may want to look at Keda. They implement the first patten in a way that's very, very close to the official example. If you look at the sample , they don't call I don't know if the two approaches are equivalent, nor if they're expected to differ due to the underlying auth clients or target resource (vault vs dns).... But it might be worth trying out? (sorry just spit balling here) |
|
I see they use |
|
Ah OK makes sense. As I said above, I'm not too knowledgeable in any of the tools. Ignore me :) |
|
How similar is Azure WI to Google's WI? Does cert-manager support Azure WI yet? I found @karlschriek ticket cert-manager/cert-manager#5085 |
|
I made opened a PR on cert manager today.
I am not familiar with Google WI, bit I do know that Azure WI is very
similar to Amazon's IRSA.
…On Fri, 15 Jul 2022, 20:50 Joaquin Menchaca, ***@***.***> wrote:
How similar is Azure WI to Google's WI? Does cert-manager support Azure WI
yet?
—
Reply to this email directly, view it on GitHub
<#2724 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGBE4OFC2GM4FYK2S3IEEVDVUGXGDANCNFSM5UORWE3Q>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Also, at the moment AZWI is tied to App Registrations only. In private preview they now have support for managed identities. It is going to replace "pod-identity v1 preview" for anyone who might have that extension installed in their AKS cluster (the OSS project for pod-identity is sticking around so far as I know) |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
AZWI is now in public preview with pod-identity being deprecated. Would greatly appreciate this. We are currently using the migration sidecar they've made available but would prefer something native. |
|
+1 for this as well. I spent a couple days on trying to solve this before I ran into this issue. As @pinkfloydx33 mentioned, a good work around is to use the workload identity sidecar mentioned in this article. It still took me a while to figure out how to get this working with external-dns (since this was my first time setup), so figured I would add more details. first make sure you have the workload identity chart installed properly. Then you can follow a guide like this one to create the service account (just ignore giving access to key-vault and instead follow the doc in external-dns to give it access to the dns zone instead Then for my setup Im using this chart as a dependency in a parent chart, so I was able to setup a secret file like this in that parent chart: Then in my values.yaml I was able to do this: The 2 key parts to pay attention to get this working is the json file need to have I was really hoping to have a zero-config parent chart I could install into our k8s clusters, so it would be really awesome if externaldns could support this new workload like external-secrets. That way we dont need to give the tenantid, subscriptionid and resourcgroup to the helm chart, it could just leverage the service account created. |
|
Just to highlight it to whoever is subscribed to this issue, there's a new PR (#3111) that introduces support for AKS Workload Identity while also making sure an up-to-date federated token is used to request a new access token. Here's an example how you could build your own image: If you're not afraid to use my build in your lab (never trust strangers :D), then you could pull it here for amd64: var refreshFunc adal.TokenRefresh = func(context context.Context, resource string) (*adal.Token, error) {
log.Info("Refreshing the token") // <-- here |
|
I can gladly give the image a try over the weekend (I'm off tomorrow) in my sandbox cluster. Keda managed to solve the issue of the rotating tokens somehow and its been working quite nicely for a few months. I'm curious if anyone has taken a look at their implementation for a comparison? |
|
@pinkfloydx33 Thanks for the upcoming test! I hadn't looked at KEDA code before. Just to add a bit more to the context, I was recently asked to help with adoption of AKS, and, this week, began to look at a potential setup starting from the core components, which happened to be external-dns and cert-manager (and, of course, relying on Workload Identities looked more attractive than on Pod-Managed Identities). So, KEDA was simply out of scope at that moment. // ADWorkloadIdentityCredential is a type that implements the TokenCredential interface.
// Once azure-sdk-for-go supports Workload Identity we can remove this and use default implementation
// https://github.com/Azure/azure-sdk-for-go/issues/15615So, even though, there's some space for inspiration from KEDA implementation, a different library requires a different approach. Migration from |
|
Ok cool. I hadn't looked at KEDA's implementation; my golang is low-intermediate/high-beginner so it likely wouldn't have mattered if I did. I just knew it was there as they were the first major app I know of to offer support (it was actually completed on their end months before they finally released it). We were fortunate to be part of AZWI AKS private preview, so I've had plenty of time to migrate our apps and third-party stuff, including keda. The only apps left for us to migrate are external-dns, cert-manager and akv2k8s... The latter of which has had zero movement on the subject since my initial issue in their github repo. But for all three, we are currently using the side car approach and have stripped the pod identity v1 (aks native add-on) from our clusters entirely. It was truly a big deal for us. I've been tracking the PRs for certmanager/externaldns so that I can get rid of the sidecars...so anything I can do to help test I'm all for. |
|
Installed in my cluster as of ~7:30am EST. Working for both Azure DNS and Azure Private DNS (expected as they use same configuration code). Will check back in 24h for refresh, etc. |
|
Each instance successfully refreshed their tokens, 5 minutes shy of 24 hours in both cases. Verified that external-dns was still able to sync records after the token refresh. All looks good. |
|
@pinkfloydx33 thanks for the tests, and glad to hear everything went well :) |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
k8s-ci-robot
added
lifecycle/rotten
|
/remove-lifecycle rotten |
k8s-ci-robot
removed
the
lifecycle/rotten
|
any progress here? AAD Pod Identity is already officially depcreated and workload identity is going GA in March 2023. |
|
@mblaschke there's a working solution here: #3111, but it has stayed unreviewed since the end of October. I had a brief discussion with one of the maintainers on Slack: https://kubernetes.slack.com/archives/C771MKDKQ/p1669924073459489 (if summarised: maintainers are busy, and there's kind of pause till a plugins provider is ready, so I'm unlikely to see any reviews in near future). That made me think there's no point in keeping the PR updated until I get pinged by maintainers, and it hasn't happened so far. If someone can manage to get some attention from maintainers, I can certainly update the PR and tackle their requests for changes if any. As a side note, I see that many multi-cloud open source projects seem to lack interest or expertise in Azure, which makes it much harder to have some changes accepted into the main code base. I wish Microsoft organized a team of engineers who would help to drive changes in the projects as AKS is a big thing on regulated market. |
|
@weisdd what can I do to help unblock this issue/PR ? is it impossible to make it move forward at this point ? |
|
@djsly Unfortunately, nothing has changed since my last comment. I still haven't got any reviews from maintainers. |
|
Following. I also would like to update to aad-workload-identity given it is will be depreciated in a few months. I also noticed that workload identity is no longer in preview mode |
|
Anything that can done to help unblock this up? AAD Pod Identity is quickly reaching EOL |
|
@christertime Well, the only way to go forward is to somehow bring maintainers' attention to this issue.
So, everyone is just stuck now using the workload identity sidecar proxy. |
|
It sounds like this isn't going to get merged before AAD Pod Identity's are EOL. What's the best workaround? MS docs mention the proxy sidecar shouldn't go to production and there's certainly no guarantee that it won't be anything other than a permanent hack given how long this issue has been open. |
|
We're using the proxy side car. Fingers crossed. It's a shame this hasn't been given priority. |
|
Or create your own build from one of the as of yet unmerged PR branches. We
did this with my very first hacky code (which doesn't even refresh the
token, just loads it once at startup, so we just threw in a cron job that
forces external-dns to restart periodically). Not exactly elegant but it
works. It is a real shame that someone won't take the time to get #3111
merged though!
…On Thu, 27 Jul 2023, 21:09 pinkfloydx33, ***@***.***> wrote:
We're using the proxy side car. Fingers crossed. It's a shame this hasn't
been given priority.
—
Reply to this email directly, view it on GitHub
<#2724 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGBE4OEKY447NHNOCPYOSZ3XSK4IHANCNFSM5UORWE3Q>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
Is it so hard for a maintainer to issue a not fully tested/ unstable BETA build which works on Azure/ AKS? Given some of us only need this features, I do not personally mind if the rest of the features are not fully tested. Creating a build should take minutes assuming the relevant pipelines are available. :( |
|
Pod identity use cases are now failing for new clusters on Azure (at least in my experience). Anybody using pod identity hopefully already fixed their chart versions on the basis of #2383 and maintainers can do a merge on #3111 , new release, and chart in sensible order. Azure needs your kind help, maintainers! Best wishes for your speedy completion of plugin work. Thank you! |
|
For those following this ticket, there is movement on #3040 -- I have no idea how difficult "re-implement[ing] support for workload identity using the new library" would be, but that path does show activity. |
Azure recently added Azure Workload Identities (see https://github.com/Azure/azure-workload-identity and https://azure.github.io/azure-workload-identity/docs/) to AKS. Officially the functionality is still in Preview, but the approach is quite stable and we are already using it in various production situations.
AWI is essentially the equivalent of AWS's IAM Roles for Service Accounts and works the same. I.e, you cluster becomes an OIDC identity provider and a specific service account in a specific namespace can be designated as federated principal to which Azure IAM roles can be attached. This is significantly more secure than using credentials (i.e. Service Principals with client secrets) or Managed Service Identities (for which the whole Node is able to assume the identity).
Also similarly to IRSA, AWI works by annotating a Service Account, as follows:
By attaching this ServiceAccount to a Pod, we get the following env vars in the Pod:
At the location
AZURE_FEDERATED_TOKEN_FILEa temporary token is mounted. To be able to use this we would just need to configure Azure authentication to use theAZURE_FEDERATED_TOKEN_FILEfor login.I would really love to see this supported in External DNS.
The text was updated successfully, but these errors were encountered: