Is your feature request related to a problem? Please describe.
In Azure you can connect your AKS cluster to an Azure Container Registry by granting the agent pool managed identity pull permission on the ACR. However, this only works if the AKS cluster and the ACR are in the same tenant.
Describe the solution you'd like
Extend workload identity with the capability to request and renew a token for a container registry using federated credentials and create or patch a Kubernetes pull secret with the token on an interval. Add the pull secret to the annotated service account. See: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account
Example config:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa
  annotations:
    azure.workload.identity/use-acr: "true"
    azure.workload.identity/tenant-id: ${USER_ASSIGNED_TENANT_ID}
    azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}
    azure.workload.identity/acr-tenant-id: ${USER_ASSIGNED_ACR_PULL_TENANT_ID} # optional, if use-acr is true but acr-tenant-id is missing tenant-id would be used instead
    azure.workload.identity/acr-client-id: ${USER_ASSIGNED_ACR_PULL_CLIENT_ID} # optional, if use-acr is true but acr-client-id is missing client-id would be used instead
---
apiVersion: v1
kind: Pod
metadata:
  name: httpbin-pod
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: workload-identity-sa
  containers:
    - name: nginx
      image: myprivateregistry.azure.cr/nginx:alpine # allowed to pull because sa workload-identity-sa receives image pull secret with valid token from workload identity
      ports:
        - containerPort: 80
```
Describe alternatives you've considered
Build it myself, e.g. by following https://blogs.sap.com/2022/09/01/use-kubernetes-service-accounts-in-combination-with-oidc-identity-federation-for-imagepullsecrets/
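The pieces the proposal describes, as an added example rather than code from azure-workload-identity or the linked blog: building the `kubernetes.io/dockerconfigjson` pull secret from a registry token, the ServiceAccount patch that adds it to `imagePullSecrets` without dropping existing entries, and the renewal schedule derived from the token's `exp` claim. The all-zero username is the documented ACR convention for token logins; that the registry token is a JWT, the 300-second renewal margin and `demo_token` (a constructed, unsigned token for offline testing) are assumptions.

```python
import base64
import json
import time

# ACR accepts an AAD-derived refresh token as the password when the
# username is this all-zero GUID (documented ACR convention).
ACR_TOKEN_USERNAME = "00000000-0000-0000-0000-000000000000"


def build_pull_secret(name, namespace, registry, token):
    """Return a kubernetes.io/dockerconfigjson Secret (as a dict) carrying the
    registry token, ready to create or patch through the Kubernetes API."""
    auth = base64.b64encode(f"{ACR_TOKEN_USERNAME}:{token}".encode()).decode()
    cfg = {"auths": {registry: {"username": ACR_TOKEN_USERNAME,
                                "password": token, "auth": auth}}}
    return {
        "apiVersion": "v1", "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson":
                 base64.b64encode(json.dumps(cfg).encode()).decode()},
    }


def service_account_patch(secret_name, existing=()):
    """Patch body adding the pull secret to a ServiceAccount's imagePullSecrets
    without dropping the secrets it already references."""
    names = list(existing)
    if secret_name not in names:
        names.append(secret_name)
    return {"imagePullSecrets": [{"name": n} for n in names]}


def jwt_expiry(token):
    """Read the exp claim from a JWT without verifying it; it only drives the
    renewal schedule, the registry still validates the token on every pull."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])


def seconds_until_renewal(token, now=None, margin=300):
    """Renew `margin` seconds before expiry so a pod never receives a token
    that is already dead (assumed margin); returns 0 once that point has passed."""
    now = time.time() if now is None else now
    return max(0.0, jwt_expiry(token) - margin - now)


def demo_token(exp):
    """Constructed, unsigned JWT carrying only an exp claim, for offline tests."""
    part = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{part({'alg': 'none'})}.{part({'exp': exp})}."
```

In a real controller the token comes from the federated-credential exchange, and the patch is applied on the timer `seconds_until_renewal` returns so the secret is refreshed before pods can hit an expired credential.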
Additional context