Skip to content

Commit

Permalink
docs: add required label for pod (#629)
Browse files Browse the repository at this point in the history 
Signed-off-by: Anish Ramasekar <[email protected]>
  • Loading branch information
@aramase
aramase committed Nov 9, 2022
1 parent 6a8e4bb commit 0cd6d96
Show file tree
Hide file tree
Showing 2 changed files with 9 additions and 1 deletion.
2 changes: 2 additions & 0 deletions docs/book/src/quick-start.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -273,6 +273,8 @@ kind: Pod
metadata:
name: quick-start
namespace: ${SERVICE_ACCOUNT_NAMESPACE}
labels:
azure.workload.identity/use: "true"
spec:
serviceAccountName: ${SERVICE_ACCOUNT_NAME}
containers:
Expand Down
8 changes: 7 additions & 1 deletion docs/book/src/topics/service-account-labels-and-annotations.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -22,13 +22,19 @@ The following is a list of available labels and annotations that can be used to

## Pod

### Labels

| Label | Description | Recommended value | Required? |
| ----------------------------- | ------------------------------------------------------- | ----------------- | --------- |
| `azure.workload.identity/use` | Represents the pod is to be used for workload identity. | `true` ||

### Annotations

| Annotation | Description | Default |
| ---------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- |
| `azure.workload.identity/service-account-token-expiration` | **(Takes precedence if the service account is also annotated)** Represents the `expirationSeconds` field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued. | `3600` (acceptable range: `3600 - 86400`) |
| `azure.workload.identity/skip-containers` | Represents a semi-colon-separated list of containers (e.g. `container1;container2`) to skip adding projected service account token volume. By default, the projected service account token volume will be added to all containers if the service account is labeled with `azure.workload.identity/use: true`. | |
| `azure.workload.identity/inject-proxy-sidecar` | Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an AAD token on behalf of the user with federated identity credential. | `true` |
| `azure.workload.identity/inject-proxy-sidecar` | Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an AAD token on behalf of the user with federated identity credential. | `true` |
| `azure.workload.identity/proxy-sidecar-port` | Represents the port of the proxy sidecar. | `8080` |

[1]: https://github.com/Azure/azure-workload-identity/blob/40b3842dc49784bb014ad5d8b02cf6c959244196/deploy/azure-wi-webhook.yaml#L101-L110

0 comments on commit 0cd6d96

Please sign in to comment.