
workload identity for image pull secrets #1049

Open
rouke-broersma opened this issue Aug 10, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@rouke-broersma

Is your feature request related to a problem? Please describe.

In Azure you can connect your AKS cluster to an Azure Container Registry by granting the agent pool managed identity pull permission on the ACR. However, this only works if the AKS cluster and the ACR are in the same tenant.

Describe the solution you'd like

Extend workload identity with the capability to request and renew a token for a container registry using federated credentials and create or patch a Kubernetes pull secret with the token on an interval. Add the pull secret to the annotated service account. See: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account

Example config:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa
  annotations:
    azure.workload.identity/use-acr: "true"
    azure.workload.identity/tenant-id: ${USER_ASSIGNED_TENANT_ID}
    azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}
    # optional: if use-acr is true but acr-tenant-id is missing, tenant-id is used instead
    azure.workload.identity/acr-tenant-id: ${USER_ASSIGNED_ACR_PULL_TENANT_ID}
    # optional: if use-acr is true but acr-client-id is missing, client-id is used instead
    azure.workload.identity/acr-client-id: ${USER_ASSIGNED_ACR_PULL_CLIENT_ID}
---
apiVersion: v1
kind: Pod
metadata:
  name: httpbin-pod
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: workload-identity-sa
  containers:
  - name: nginx
    # allowed to pull because sa workload-identity-sa receives an image pull secret
    # holding a valid token obtained through workload identity
    image: myprivateregistry.azurecr.io/nginx:alpine
    ports:
    - containerPort: 80
```

Describe alternatives you've considered

Build it myself, eg by following https://blogs.sap.com/2022/09/01/use-kubernetes-service-accounts-in-combination-with-oidc-identity-federation-for-imagepullsecrets/

Additional context

@rouke-broersma rouke-broersma added the enhancement New feature or request label Aug 10, 2023
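The mechanism the request describes, written out end to end as an added example (this is not code from azure-workload-identity, and the annotations above are still only a proposal): the projected service-account JWT is presented as a federated client assertion to Entra ID, the resulting access token is traded at the registry's `/oauth2/exchange` endpoint for an ACR refresh token, and that refresh token becomes the password in a `kubernetes.io/dockerconfigjson` Secret that is then referenced from the service account's `imagePullSecrets`. The `post` parameter is an assumption added so the exchange can be exercised offline with a constructed fake transport; the registry, tenant, client and token values in `__main__` are likewise constructed. A controller implementing the feature would run `build_pull_secret_bundle` on an interval shorter than the refresh token's lifetime and apply the two manifests.

```python
"""Federated SA token -> Entra ID access token -> ACR refresh token -> pull secret.

Added example, not part of azure-workload-identity. The HTTP layer is injectable
(the ``post`` argument) so the flow runs offline against a constructed fake.
"""
import base64
import json
import urllib.parse
import urllib.request

# Documented ACR convention: refresh-token logins use this fixed username.
ACR_TOKEN_USERNAME = "00000000-0000-0000-0000-000000000000"
AAD_TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _http_post_form(url, form):
    """Default transport: POST a URL-encoded form and return the JSON body."""
    data = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def aad_token_from_federated_sa(tenant_id, client_id, sa_token, post=_http_post_form):
    """Client-credentials grant with the projected SA JWT as a federated client
    assertion, the same exchange workload identity performs. The management
    scope is the audience ACR's exchange endpoint accepts."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": sa_token,
        "scope": "https://management.azure.com/.default",
    }
    return post(AAD_TOKEN_ENDPOINT.format(tenant=tenant_id), form)["access_token"]


def acr_refresh_token(registry, tenant_id, aad_token, post=_http_post_form):
    """Trade the Entra ID access token for an ACR refresh token at the registry."""
    form = {"grant_type": "access_token", "service": registry,
            "tenant": tenant_id, "access_token": aad_token}
    return post(f"https://{registry}/oauth2/exchange", form)["refresh_token"]


def docker_config_secret(name, namespace, registry, refresh_token):
    """Build the kubernetes.io/dockerconfigjson Secret kubelet reads for pulls."""
    auth = base64.b64encode(f"{ACR_TOKEN_USERNAME}:{refresh_token}".encode()).decode()
    docker_cfg = {"auths": {registry: {
        "username": ACR_TOKEN_USERNAME, "password": refresh_token, "auth": auth}}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        "data": {".dockerconfigjson": base64.b64encode(json.dumps(docker_cfg).encode()).decode()},
    }


def service_account_patch(secret_name, existing=()):
    """Strategic-merge patch adding the secret to imagePullSecrets, preserving
    existing entries and avoiding duplicates."""
    names = list(dict.fromkeys(list(existing) + [secret_name]))
    return {"imagePullSecrets": [{"name": n} for n in names]}


def login_from_secret(secret):
    """Decode a dockerconfigjson Secret back to (registry, username, password)."""
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    registry, entry = next(iter(cfg["auths"].items()))
    user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
    return registry, user, password


def build_pull_secret_bundle(registry, tenant_id, client_id, sa_token,
                             secret_name, namespace, post=_http_post_form):
    """One refresh cycle: both token exchanges, then the manifests to apply."""
    aad = aad_token_from_federated_sa(tenant_id, client_id, sa_token, post)
    rt = acr_refresh_token(registry, tenant_id, aad, post)
    return (docker_config_secret(secret_name, namespace, registry, rt),
            service_account_patch(secret_name))


def fake_post(url, form):
    """Constructed offline stand-in for both endpoints; validates the request shape."""
    if "login.microsoftonline.com" in url:
        assert form["client_assertion_type"] == ASSERTION_TYPE
        return {"access_token": "aad-token-example", "expires_in": 3600}
    if url.endswith("/oauth2/exchange"):
        assert form["grant_type"] == "access_token"
        return {"refresh_token": "acr-refresh-example"}
    raise ValueError(f"unexpected endpoint {url}")


if __name__ == "__main__":
    secret, patch = build_pull_secret_bundle(
        "myregistry.azurecr.io", "tenant-example", "client-example",
        "sa-jwt-example", "acr-pull", "default", fake_post)
    print(json.dumps(secret, indent=2))
    print(json.dumps(patch))
```

Two points a defender will want to check in any implementation of this: the Secret lands in etcd and is readable by anyone who can read Secrets in that namespace, so the federated identity should hold only an AcrPull role on the registry, and the renewal interval must be shorter than the refresh token's validity or pulls will start failing with unauthorized errors once it expires.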
@Shaked

Shaked commented Dec 11, 2023

Hi, any plans to support this at some point? This is a great feature

@sainipankaj90k

Any update on supporting this one?
cc: @aramase

@arattanpal

Same, looking for this solution. MS supports integration to other resources using WI but not to ACR, which is weird.
