Binding Azure Managed Identities to Kubernetes Pods

Question

Pulumi · Accepted Answer

To bind Azure Managed Identities to Kubernetes Pods, you would typically leverage a Kubernetes feature known as Pod Identity. Azure provides an integrated solution called Azure Active Directory Pod Identity which allows you to assign Azure Managed Identities to Pods running in an Azure Kubernetes Service (AKS) cluster.

The Pod Identity solution requires several components to work together:
1. A Managed Identity in Azure, which gives identity in Azure Active Directory (AAD) to your application.
2. The Azure AD Identity Controller and the Managed Identity Controller, which are deployed as part of the Pod Identity components in your AKS cluster.
3. A Kubernetes custom resource called `AzureIdentity` that is used to relate the AAD identity to be used with a Pod.
4. Another custom resource called `AzureIdentityBinding`, which ties the `AzureIdentity` to a selector, that Pods can use to request the identity.

Here's a Pulumi program demonstrating how to bind an Azure Managed Identity to Kubernetes Pods using Pulumi's Python SDK:

```python
import pulumi
import pulumi_kubernetes as k8s
import pulumi_azure_native as azure_native

# Step 1: Ensure you have an Azure Kubernetes Service (AKS) cluster
# Here, we would create a new AKS cluster or use an existing one.
# The code for creating a cluster is omitted for brevity.

# Step 2: Create an Azure Managed Identity
managed_identity = azure_native.managedidentity.UserAssignedIdentity(
    "my-managed-identity",
    resource_group_name=RESOURCE_GROUP_NAME,  # Existing resource group name
)

# Step 3: Install required components on the cluster for Azure AD Pod Identity
# Typically, you would install components using Helm, however, for illustration purposes,
# we're assuming those components have been manually installed on the cluster.

# Step 4: Create the 'AzureIdentity' Kubernetes custom resource
azure_identity = k8s.apiextensions.CustomResource(
    "my-azure-identity",
    api_version="aadpodidentity.k8s.io/v1",
    kind="AzureIdentity",
    metadata={
        "name": "my-azure-identity"
    },
    spec={
        "type": 0,  # Type 0: User-assigned MSI; type 1: System-assigned MSI
        "resource_id": managed_identity.id,
        "client_id": managed_identity.client_id
    }
)

# Step 5: Create the 'AzureIdentityBinding' Kubernetes custom resource
# This binds the 'AzureIdentity' we just created to a selector
azure_identity_binding = k8s.apiextensions.CustomResource(
    "my-azure-identity-binding",
    api_version="aadpodidentity.k8s.io/v1",
    kind="AzureIdentityBinding",
    metadata={
        "name": "my-azure-identity-binding"
    },
    spec={
        "azure_identity": azure_identity.metadata["name"],
        "selector": "my-identity-selector"  # This selector must match the label on the pods to use this identity
    }
)

# Step 6: Apply the pod identity binding to a Kubernetes Pod by adding a label `aadpodidbinding`
# matching the selector from the AzureIdentityBinding
pod_labels = {"aadpodidbinding": "my-identity-selector"}

# Example pod using the Azure Managed Identity
pod = k8s.core.v1.Pod(
    "my-pod",
    metadata={
        "labels": pod_labels
    },
    spec=k8s.core.v1.PodSpecArgs(
        containers=[k8s.core.v1.ContainerArgs(
            name="my-container",
            image="nginx",  # Example image
        )]
    )
)

# Export outputs
pulumi.export('identity_resource_id', managed_identity.id)
pulumi.export('pod_name', pod.metadata["name"])
```

In this program:
- The `managed_identity` object is an instance of `UserAssignedIdentity` and represents the Managed Identity you want to use.
- The `azure_identity` object is mapped to your Managed Identity by referencing its `resource_id` and `client_id`.
- The `azure_identity_binding` object uses a selector (`my-identity-selector`) to grant pods the Managed Identity. The pods must include this selector in their labels to be associated with the Managed Identity.
- Finally, the `pod` declaration creates a Kubernetes Pod with the `aadpodidbinding` label that matches the `selector` in the `AzureIdentityBinding`. This label is what ties the Pod to the Managed Identity.

By following these steps and structuring your code similarly, you can bind Azure Managed Identities to Kubernetes Pods in an AKS cluster using Pulumi.