Pod-Level Azure Access for Kubernetes AI Services

Question

Pulumi · Accepted Answer

To grant pod-level access to Azure resources for Kubernetes AI services, you would typically use an Azure Kubernetes Service (AKS) cluster, which can be integrated with Azure Active Directory (AAD) and use Azure role-based access control (RBAC) to assign permissions to pods.

The following Pulumi Python program defines an Azure Kubernetes Service (AKS) cluster. The program creates an AKS cluster with an identity profile so that the individual Kubernetes pods can be associated with Azure identities. This enables the pods to authenticate against Azure services with the permissions assigned to those identities, which is necessary for certain AI services that may need access to other Azure resources like storage, databases, or AI/ML APIs.

Before you start, make sure you have Pulumi CLI installed and configured with the appropriate Azure credentials. This program will create resources within your Azure subscription.

Here's the Pulumi Python program:

```python
import pulumi
import pulumi_azure_native as azure_native
from pulumi_azure_native import resources, containerservice

# Create an Azure Resource Group
resource_group = resources.ResourceGroup('aks_resource_group')

# Create an AD service principal for AKS
ad_app = azure_native.graphrbac.Application(
    'aks-app',
    display_name='AKSApp',
)

ad_sp = azure_native.graphrbac.ServicePrincipal(
    'aks-sp',
    application_id=ad_app.application_id,
)

ad_sp_password = azure_native.graphrbac.ServicePrincipalPassword(
    'aks-sp-password',
    service_principal_id=ad_sp.service_principal_id,
    value="p@ssw0rd1234!",
    end_date='2099-01-01T00:00:00Z',
)

# Create an AKS cluster
aks_cluster = containerservice.ManagedCluster(
    'aks-cluster',
    resource_group_name=resource_group.name,
    identity=containerservice.ManagedClusterIdentityArgs(
        type="SystemAssigned"
    ),
    # Enable RBAC with Azure AD integration
    enable_rbac=True,
    aad_profile=containerservice.ManagedClusterAADProfileArgs(
        managed=True,
        client_app_id=ad_app.application_id,
        server_app_id=ad_sp.application_id,
        server_app_secret=ad_sp_password.value,
    ),
    agent_pool_profiles=[containerservice.ManagedClusterAgentPoolProfileArgs(
        name="agentpool",
        mode="System",
        count=3,
        vm_size="Standard_DS2_v2",
    )],
    dns_prefix='aksdns',
    kubernetes_version='1.20.9',
)

# Export the cluster properties
pulumi.export('kubeconfig', aks_cluster.kube_config_raw)
pulumi.export('cluster_name', aks_cluster.name)
```

In this program:
- We start by creating an Azure resource group to contain our AKS cluster.
- We then create an Azure AD application and service principal which are required for AKS to interact with other Azure resources.
- Next, we create the AKS cluster with `ManagedCluster` and integrate it with Azure AD by setting `aad_profile`. This integration allows Kubernetes to use Azure AD as its identity provider.
- The `agent_pool_profiles` defines the size and number of nodes, where the `vm_size` parameter specifies the size of the virtual machine used for the Kubernetes nodes.
- RBAC is enabled for the cluster (`enable_rbac=True`) with Azure AD integration, meaning you can assign roles to Kubernetes service accounts that correspond to Azure identities.

Remember to change the `value` of the `ServicePrincipalPassword` to a secure password or use a secret management system to handle this sensitive information securely.

After deploying this Pulumi program, your Kubernetes cluster will be configured to allow pods to use Azure identities, and you can then assign roles to those identities to grant specific permissions to services that your AI workloads may need to access.