1. Binding Azure Managed Identities to Kubernetes Pods


    To bind Azure Managed Identities to Kubernetes Pods, you would typically leverage a Kubernetes feature known as Pod Identity. Azure provides an integrated solution called Azure Active Directory Pod Identity which allows you to assign Azure Managed Identities to Pods running in an Azure Kubernetes Service (AKS) cluster.

    The Pod Identity solution requires several components to work together:

    1. A Managed Identity in Azure, which gives identity in Azure Active Directory (AAD) to your application.
    2. The Azure AD Identity Controller and the Managed Identity Controller, which are deployed as part of the Pod Identity components in your AKS cluster.
    3. A Kubernetes custom resource called AzureIdentity that is used to relate the AAD identity to be used with a Pod.
    4. Another custom resource called AzureIdentityBinding, which ties the AzureIdentity to a selector, that Pods can use to request the identity.

    Here's a Pulumi program demonstrating how to bind an Azure Managed Identity to Kubernetes Pods using Pulumi's Python SDK:

    import pulumi import pulumi_kubernetes as k8s import pulumi_azure_native as azure_native # Step 1: Ensure you have an Azure Kubernetes Service (AKS) cluster # Here, we would create a new AKS cluster or use an existing one. # The code for creating a cluster is omitted for brevity. # Step 2: Create an Azure Managed Identity managed_identity = azure_native.managedidentity.UserAssignedIdentity( "my-managed-identity", resource_group_name=RESOURCE_GROUP_NAME, # Existing resource group name ) # Step 3: Install required components on the cluster for Azure AD Pod Identity # Typically, you would install components using Helm, however, for illustration purposes, # we're assuming those components have been manually installed on the cluster. # Step 4: Create the 'AzureIdentity' Kubernetes custom resource azure_identity = k8s.apiextensions.CustomResource( "my-azure-identity", api_version="aadpodidentity.k8s.io/v1", kind="AzureIdentity", metadata={ "name": "my-azure-identity" }, spec={ "type": 0, # Type 0: User-assigned MSI; type 1: System-assigned MSI "resource_id": managed_identity.id, "client_id": managed_identity.client_id } ) # Step 5: Create the 'AzureIdentityBinding' Kubernetes custom resource # This binds the 'AzureIdentity' we just created to a selector azure_identity_binding = k8s.apiextensions.CustomResource( "my-azure-identity-binding", api_version="aadpodidentity.k8s.io/v1", kind="AzureIdentityBinding", metadata={ "name": "my-azure-identity-binding" }, spec={ "azure_identity": azure_identity.metadata["name"], "selector": "my-identity-selector" # This selector must match the label on the pods to use this identity } ) # Step 6: Apply the pod identity binding to a Kubernetes Pod by adding a label `aadpodidbinding` # matching the selector from the AzureIdentityBinding pod_labels = {"aadpodidbinding": "my-identity-selector"} # Example pod using the Azure Managed Identity pod = k8s.core.v1.Pod( "my-pod", metadata={ "labels": pod_labels }, spec=k8s.core.v1.PodSpecArgs( containers=[k8s.core.v1.ContainerArgs( name="my-container", image="nginx", # Example image )] ) ) # Export outputs pulumi.export('identity_resource_id', managed_identity.id) pulumi.export('pod_name', pod.metadata["name"])

    In this program:

    • The managed_identity object is an instance of UserAssignedIdentity and represents the Managed Identity you want to use.
    • The azure_identity object is mapped to your Managed Identity by referencing its resource_id and client_id.
    • The azure_identity_binding object uses a selector (my-identity-selector) to grant pods the Managed Identity. The pods must include this selector in their labels to be associated with the Managed Identity.
    • Finally, the pod declaration creates a Kubernetes Pod with the aadpodidbinding label that matches the selector in the AzureIdentityBinding. This label is what ties the Pod to the Managed Identity.

    By following these steps and structuring your code similarly, you can bind Azure Managed Identities to Kubernetes Pods in an AKS cluster using Pulumi.