Enabling Azure Service Access from Kubernetes Pods

Question

Pulumi · Accepted Answer

When you want to enable Azure services access from Kubernetes pods, you generally configure your Kubernetes cluster with the necessary access credentials and configure your pods to use these credentials. The specific details on how to provide access depend on the Azure service you're trying to access. One common approach is to use Azure service principals and roles. In some cases, you may use Kubernetes secrets to store credentials securely and then mount those secrets into your pods.

In Pulumi, this involves creating and configuring resources on both Azure and Kubernetes. These resources include Azure Role Assignments, Service Principals, Kubernetes Secrets, and Pod configurations.

For the purpose of this example, I'll show you how to set up a Kubernetes pod with access to Azure services by creating the following:

An Azure AD application, which represents the identity of the application when it accesses resources that are secured by Azure AD.
A Service Principal, which is an instance of an application in a tenant.
An Azure AD Service Principal password, which will serve as the credentials.
A role assignment, granting the necessary permissions to the Service Principal over the specific scope (e.g., a storage account).
A Kubernetes secret, where you will store the credentials securely.
A simple Kubernetes pod that uses the secret to access Azure services.

Here's a Pulumi program written in Python that accomplishes the above steps:

import pulumi
import pulumi_azure_native as azure_native
import pulumi_kubernetes as kubernetes
from pulumi_azure_native import authorization
from pulumi_azure_native import resources


# Replace these variables with your Azure settings.
SERVICE_PRINCIPAL_NAME = "my-application"
RESOURCE_GROUP_NAME = "myResourceGroup"
SUBSCRIPTION_SCOPE = "/subscriptions/<your-subscription-id>"

# Create an Azure Resource Group
resource_group = resources.ResourceGroup(RESOURCE_GROUP_NAME)

# Create an Azure AD application
app = azure_native.graph.Application("app",
    display_name=SERVICE_PRINCIPAL_NAME,
)

# Create a Service Principal for the AD application
sp = azure_native.graph.ServicePrincipal("sp",
    application_id=app.application_id,
)

# Create a Service Principal password
spp = azure_native.graph.PasswordCredential("spp",
    service_principal_id=sp.id,
    display_name="password",
    # You may choose to set an end date for the credential.
)

# Assign a role to the Service Principal (e.g., contributor role over the resource group)
role_assignment = authorization.RoleAssignment("roleAssignment",
    principal_id=sp.id,
    role_definition_id=f"{SUBSCRIPTION_SCOPE}/providers/Microsoft.Authorization/roleDefinitions/<role-definition-id>", # Use the role definition ID for the desired role.
    scope=resource_group.id,
)

# Create a Kubernetes secret with the Service Principal credentials
k8s_provider = kubernetes.Provider("k8sprovider", kubeconfig="<YOUR_KUBECONFIG_CONTENT>")
k8s_secret = kubernetes.core.v1.Secret("sp-secret",
    string_data={
        "AZURE_CLIENT_ID": app.application_id,
        "AZURE_TENANT_ID": app.tenant_id,
        "AZURE_CLIENT_SECRET": spp.value,
    },
    opts=pulumi.ResourceOptions(provider=k8s_provider),
)

# Create a Kubernetes pod that uses the secret
pod = kubernetes.core.v1.Pod("pod",
    spec=kubernetes.core.v1.PodSpecArgs(
        containers=[kubernetes.core.v1.ContainerArgs(
            name="mycontainer",
            image="myimage",
            env_from=[kubernetes.core.v1.EnvFromSourceArgs(
                secret_ref=kubernetes.core.v1.SecretEnvSourceArgs(
                    name=k8s_secret.metadata["name"],
                ),
            )],
        )],
    ),
    opts=pulumi.ResourceOptions(provider=k8s_provider),
)

# Export the role assignment ID
pulumi.export("role_assignment_id", role_assignment.id)

Make sure to replace <YOUR_SUBSCRIPTION_ID>, <role-definition-id>, and <YOUR_KUBECONFIG_CONTENT> with your actual Azure subscription ID, the role definition ID for the permissions you want to grant, and the contents of your kubeconfig file respectively.

In this program, we first create an Azure Resource Group and an Azure AD application, then instantiate a Service Principal for the application. We generate a password for the Service Principal, which will be used as the credentials to access Azure resources. We then create a role assignment to grant the Service Principal access to the desired resources within the scope of the Resource Group.

Next, we create a Kubernetes secret resource using pulumi_kubernetes. This secret contains the necessary credentials that Kubernetes will use to run pods with access to Azure services. Then, we create a Kubernetes pod with an environment that references the secret, effectively providing the pod with access to Azure services.

Do note that you would want to tailor the permissions and the image of the container according to your application requirements. The role assignment should be granted only with the least privileges necessary for the application to function.

You would connect this program with actual Azure services by providing the right scope and role definition IDs, as well as the image that contains the logic for interacting with the Azure service.

Remember to configure your Pulumi program with the appropriate Azure and Kubernetes credentials. You can read more about how to set these up in the Pulumi documentation.