1. Pod-Level Azure Access for Kubernetes AI Services


    To grant pod-level access to Azure resources for Kubernetes AI services, you would typically use an Azure Kubernetes Service (AKS) cluster integrated with Azure Active Directory (Azure AD). Two separate mechanisms are involved. Azure AD integration together with Azure role-based access control (RBAC) governs who may talk to the Kubernetes API server. Azure AD workload identity gives individual pods an Azure identity of their own, and that second mechanism is what actually grants a pod access to Azure resources.

    The following Pulumi Python program defines an AKS cluster with both enabled. The cluster runs under a system-assigned managed identity, uses the AKS-managed Azure AD integration for access to the cluster, and publishes an OIDC issuer with workload identity enabled so that a Kubernetes service account can be federated with a user-assigned managed identity. Pods running under that service account can then authenticate to Azure services with the roles assigned to the identity, which is what AI services need when they read training data from storage, query databases, or call Azure AI/ML APIs. No client secret is created or stored anywhere in the process.

    Before you start, make sure you have Pulumi CLI installed and configured with the appropriate Azure credentials. This program will create resources within your Azure subscription.

    Here's the Pulumi Python program:

    import base64

    import pulumi
    from pulumi_azure_native import containerservice, resources

    # Resource group that will hold the cluster.
    resource_group = resources.ResourceGroup("aks_resource_group")

    # The AKS cluster. The control plane runs under a system-assigned managed
    # identity, so no Azure AD application, service principal or client secret
    # has to be created, stored or rotated for the cluster itself.
    aks_cluster = containerservice.ManagedCluster(
        "aks-cluster",
        resource_group_name=resource_group.name,
        dns_prefix="aksdns",
        identity=containerservice.ManagedClusterIdentityArgs(
            type="SystemAssigned",
        ),
        # Kubernetes RBAC plus AKS-managed Azure AD integration: operators
        # authenticate to the API server with their Azure AD accounts and are
        # authorized through Azure RBAC roles on the cluster. The managed
        # integration takes no client/server app IDs and no app secret.
        enable_rbac=True,
        aad_profile=containerservice.ManagedClusterAADProfileArgs(
            managed=True,
            enable_azure_rbac=True,
        ),
        # Pod-level identity: the cluster publishes an OIDC issuer so that
        # projected service-account tokens can be exchanged for Azure AD
        # tokens, and the workload identity webhook injects the token path and
        # identity settings into pods that opt in.
        oidc_issuer_profile=containerservice.ManagedClusterOIDCIssuerProfileArgs(
            enabled=True,
        ),
        security_profile=containerservice.ManagedClusterSecurityProfileArgs(
            workload_identity=containerservice.ManagedClusterSecurityProfileWorkloadIdentityArgs(
                enabled=True,
            ),
        ),
        agent_pool_profiles=[
            containerservice.ManagedClusterAgentPoolProfileArgs(
                name="agentpool",
                mode="System",
                count=3,
                vm_size="Standard_DS2_v2",
                os_type="Linux",
            ),
        ],
        # kubernetes_version is left unset so AKS picks a currently supported
        # default; pin it only to a version that is still in support.
    )

    # The kubeconfig is fetched through the cluster credentials API (the
    # ManagedCluster resource has no kubeconfig property) and marked secret so
    # it is encrypted in the stack state rather than stored in plaintext.
    credentials = containerservice.list_managed_cluster_user_credentials_output(
        resource_group_name=resource_group.name,
        resource_name=aks_cluster.name,
    )
    kubeconfig = credentials.kubeconfigs[0].value.apply(
        lambda encoded: base64.b64decode(encoded).decode("utf-8")
    )

    # Export the cluster properties
    pulumi.export("kubeconfig", pulumi.Output.secret(kubeconfig))
    pulumi.export("cluster_name", aks_cluster.name)
    pulumi.export(
        "oidc_issuer_url",
        aks_cluster.oidc_issuer_profile.apply(lambda p: p.issuer_url if p else None),
    )

    In this program:

    • We start by creating an Azure resource group to contain the AKS cluster.
    • The cluster runs with a system-assigned managed identity. There is no Azure AD application, service principal or client secret to create: Azure issues and rotates the identity's credential, which is one fewer long-lived secret to protect.
    • We create the cluster with ManagedCluster and integrate it with Azure AD through aad_profile with managed=True. This covers access to the cluster itself: people and automation authenticate to the API server with Azure AD accounts, and with enable_azure_rbac=True their Kubernetes permissions are granted through Azure RBAC roles assigned on the cluster. The legacy client_app_id, server_app_id and server_app_secret settings belong to the retired unmanaged integration and are not used with managed=True. The kubeconfig that the program exports therefore uses Azure AD login rather than a static client certificate.
    • oidc_issuer_profile and security_profile.workload_identity are what give pods an Azure identity. The cluster publishes an OIDC issuer URL, and Azure AD can be configured to trust tokens from that issuer for one specific Kubernetes service account (a federated identity credential on a user-assigned managed identity). A pod running under that service account exchanges its projected token for an Azure AD token, so it gets Azure permissions without any secret in the pod spec or image.
    • agent_pool_profiles defines the node pool: vm_size is the virtual machine size of the nodes and count the number of nodes.
    • enable_rbac=True turns on Kubernetes RBAC. Keep the two authorization layers apart: Kubernetes RBAC and Azure RBAC on the cluster decide what a caller may do inside the cluster, while Azure role assignments on the managed identity decide what a pod may do to Azure resources.
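    To make the pod side of the exchange concrete, here is an added example that is not part of the original page or of any Pulumi or Azure project code. It shows what happens inside a pod under workload identity: the webhook injects AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST and a projected service-account token at AZURE_FEDERATED_TOKEN_FILE, and the Azure SDK presents that token as a client assertion to the Azure AD token endpoint instead of a client secret. The example decodes a token's claims without verifying them (Azure AD verifies the signature against the cluster's OIDC issuer; this code only inspects), compares them with what a federated identity credential would expect, and builds the token request. All client, tenant and issuer IDs and both tokens are constructed for the example; the issuer URL only mimics the shape of an AKS issuer. A mismatch of issuer, subject or audience is what surfaces as AADSTS70021 (no matching federated identity record) when the real exchange is attempted.

```python
import base64
import json
from urllib.parse import urlencode

# Values the workload identity webhook injects into a pod labelled
# azure.workload.identity/use: "true". Everything here is constructed for the
# example and corresponds to nothing real.
CLIENT_ID = "3f9e0d3c-0000-4000-8000-000000000abc"
TENANT_ID = "11111111-1111-1111-1111-111111111111"
AUTHORITY_HOST = "https://login.microsoftonline.com/"
EXPECTED_ISSUER = ("https://eastus.oic.prod-aks.azure.com/"
                   "11111111-1111-1111-1111-111111111111/"
                   "22222222-2222-2222-2222-222222222222/")
EXPECTED_SUBJECT = "system:serviceaccount:ai:ai-workload"
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that JWTs strip.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified_claims(token: str) -> dict:
    """Return a JWT's payload WITHOUT checking its signature. Only for local
    inspection of the projected token; never use this to make a trust decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


def federation_mismatches(token: str, issuer: str, subject: str, audience: str) -> list:
    """List the claims of a projected token that would not match a federated
    identity credential configured with (issuer, subject, audience).
    An empty list means Azure AD will find the credential."""
    claims = decode_unverified_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss: token has {claims.get('iss')!r}, credential expects {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub: token has {claims.get('sub')!r}, credential expects {subject!r}")
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)  # aud may be str or list
    if audience not in aud_list:
        problems.append(f"aud: token has {aud_list!r}, credential expects {audience!r}")
    return problems


def build_token_request(tenant_id: str, client_id: str, assertion: str, scope: str,
                        authority_host: str = AUTHORITY_HOST) -> tuple:
    """Build the client-credentials request an Azure SDK sends under workload
    identity: the projected token is the client assertion; there is no client_secret."""
    url = f"{authority_host.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    })
    return url, body


def make_constructed_token(claims: dict) -> str:
    """Unsigned JWT standing in for the token Kubernetes projects into the pod.
    The signature segment is a placeholder; this token would fail real verification."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.c2lnbmF0dXJl"


# Token for a pod running under the federated service account.
GOOD_TOKEN = make_constructed_token({
    "iss": EXPECTED_ISSUER, "sub": EXPECTED_SUBJECT,
    "aud": [TOKEN_EXCHANGE_AUDIENCE], "exp": 4102444800,
})
# Same pod spec but running under the namespace's default service account:
# the federated credential names ai-workload, so the exchange is refused.
WRONG_SA_TOKEN = make_constructed_token({
    "iss": EXPECTED_ISSUER, "sub": "system:serviceaccount:ai:default",
    "aud": [TOKEN_EXCHANGE_AUDIENCE], "exp": 4102444800,
})

if __name__ == "__main__":
    for name, token in (("ai-workload", GOOD_TOKEN), ("default", WRONG_SA_TOKEN)):
        problems = federation_mismatches(token, EXPECTED_ISSUER, EXPECTED_SUBJECT,
                                         TOKEN_EXCHANGE_AUDIENCE)
        print(name, "-> ok" if not problems else "-> " + "; ".join(problems))
    url, body = build_token_request(TENANT_ID, CLIENT_ID, GOOD_TOKEN,
                                    "https://storage.azure.com/.default")
    print(url)
    print(body[:100] + "...")
```

    The check is worth running against a real projected token when a pod gets AADSTS70021: the token's sub claim is exactly system:serviceaccount:<namespace>:<service-account>, so a typo in either name, a pod scheduled in the wrong namespace, or a pod that forgot serviceAccountName and fell back to default will all appear here before you start suspecting the role assignment.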

    Do not hard-code credentials such as a service principal password in the program or commit one to source control. With the managed Azure AD integration and workload identity there is no client secret to manage at all, and the only sensitive output, the kubeconfig, should be exported as a Pulumi secret so it is encrypted in the stack state. If a configuration value must be secret, set it with pulumi config set --secret and read it with pulumi.Config().require_secret() rather than as a literal in the code.

    After deploying this Pulumi program, the cluster is able to hand out Azure identities to pods, but no pod has one yet. For each workload you create a user-assigned managed identity, add a federated identity credential on it that trusts the cluster's OIDC issuer URL for the subject system:serviceaccount:<namespace>:<service-account>, assign the identity only the Azure roles the workload needs (for example a blob data role scoped to one storage account), and annotate the Kubernetes service account with azure.workload.identity/client-id set to the identity's client ID. Pods that use that service account and carry the label azure.workload.identity/use: "true" receive the projected token and the environment variables the Azure SDKs look for, and no credential appears in the pod spec, in a Kubernetes Secret, or in a container image.