Workload Identity for Azure Kubernetes Service (AKS)
Workload Identity for Azure Kubernetes Service (AKS) integrates Azure Active Directory (Azure AD, now Microsoft Entra ID) with Kubernetes so that pods can obtain Azure access tokens without any long-lived credential being stored in the cluster. It replaces the older approaches of keeping service principal secrets in Kubernetes Secrets and the deprecated AAD Pod Identity add-on, and it builds on standard OIDC federation of Kubernetes service account tokens rather than on a custom node-level token interceptor.
Key Features and Benefits
- Security improvement: no service principal secret or certificate is stored in the cluster. The only credential a pod holds is a short-lived, audience-bound service account token issued by the Kubernetes API server, so there is no long-lived secret to leak from etcd, a manifest, or a CI pipeline, and nothing to rotate by hand.
- Simplified management: access is granted to a user-assigned managed identity (or an Azure AD application) through Azure RBAC, so identity lifecycle, role assignments, and sign-in auditing are handled where every other Azure identity is handled.
- Granular access control: a federated identity credential binds one Azure identity to exactly one Kubernetes namespace and ServiceAccount (subject system:serviceaccount:<namespace>:<serviceaccount>), and Azure RBAC scopes what that identity may do. A pod in another namespace cannot use the identity even if it copies the annotation, because its token carries a different subject.
- Automated token management: the kubelet projects and rotates the service account token into the pod, and the Azure Identity SDKs exchange it for an Azure AD access token on demand. Application code never handles rotation.
How Workload Identity Works
- Azure AD integration: the pod's identity is its Kubernetes ServiceAccount. The ServiceAccount is annotated with the client ID of an Azure AD identity, and a mutating admission webhook in the cluster injects the AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST and AZURE_FEDERATED_TOKEN_FILE environment variables plus a projected token volume into pods labelled azure.workload.identity/use: "true".
- Federated identity credentials: AKS exposes an OIDC issuer URL whose discovery document and signing keys cover the service account tokens the API server issues. A federated identity credential on the Azure identity records that issuer, the expected subject (system:serviceaccount:<namespace>:<serviceaccount>) and the audience api://AzureADTokenExchange. The pod presents its service account token as an OAuth 2.0 client assertion; Azure AD fetches the issuer's keys, verifies the signature, and accepts the assertion only if issuer, subject and audience match a federated credential.
- Azure managed identity: the Azure side is normally a user-assigned managed identity (an Azure AD application with a service principal also works). Nothing is assigned to the pod on the Azure side; the binding consists entirely of the federated credential plus the ServiceAccount annotation, and the access token the pod receives carries the managed identity's role assignments.
Steps to Set Up Workload Identity
- Enable the OIDC issuer and the add-on on AKS: create or update the cluster with the OIDC issuer enabled (az aks update --enable-oidc-issuer) and note the issuer URL; Azure AD needs it to fetch the keys that validate service account tokens. Enable the workload identity add-on as well (--enable-workload-identity), which installs the mutating webhook.
- Create the Azure identity: create a user-assigned managed identity (az identity create) or an Azure AD application for each distinct workload role and record its client ID. One identity per workload keeps blast radius small.
- Create a federated identity credential: on that identity, create a federated credential (az identity federated-credential create) whose issuer is the cluster's OIDC issuer URL, whose subject is system:serviceaccount:<namespace>:<serviceaccount-name>, and whose audience is api://AzureADTokenExchange. This step is what ties the Kubernetes identity to the Azure identity; without it the token exchange is refused.
- Assign roles: grant the identity only the Azure RBAC roles it needs, at the narrowest scope that works (a single Key Vault or storage account rather than the subscription).
- Configure Kubernetes: create the ServiceAccount in the namespace named in the federated credential, with the azure.workload.identity/client-id annotation set to the identity's client ID.
- Deploy workloads: reference that ServiceAccount with serviceAccountName and add the pod label azure.workload.identity/use: "true" so the webhook injects the token volume and environment variables.
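The exchange described in the two sections above, as an added example that is not code from the original post or from Microsoft: the pod side builds the OAuth 2.0 client-credentials request from the projected service account token, and the Azure AD side checks the assertion against the federated identity credentials. Assumptions: the issuer URL, tenant ID and client ID are placeholders, and the cluster's RS256 signature (verified in reality against the JWKS behind the OIDC issuer URL) is replaced by an HMAC over a constructed key so the example runs offline. The claim names, subject format, audience and assertion type are the real ones.

```python
"""Added example (not from the original post): the Workload Identity token
exchange, simulated offline. The HMAC over CLUSTER_KEY stands in for the
cluster's RS256 signature and JWKS; all other values are placeholders."""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed placeholders (assumptions for this example).
ISSUER = "https://eastus.oic.prod-aks.azure.com/<tenant-id>/<cluster-id>/"
TENANT_ID = "22222222-2222-2222-2222-222222222222"
CLIENT_ID = "33333333-3333-3333-3333-333333333333"
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"  # default audience on the federated credential
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
CLUSTER_KEY = b"constructed-cluster-signing-key"   # stands in for the issuer's JWKS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_projected_sa_token(namespace: str, sa_name: str, ttl: int = 3600,
                            key: bytes = CLUSTER_KEY) -> str:
    """What the API server writes into the projected volume (HS256 stand-in for RS256)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT", "kid": "constructed-kid"}
    claims = {
        "iss": ISSUER,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": [EXCHANGE_AUDIENCE],
        "iat": now, "nbf": now, "exp": now + ttl,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(token_file_contents: str, client_id: str = CLIENT_ID,
                        tenant_id: str = TENANT_ID,
                        scope: str = "https://management.azure.com/.default") -> dict:
    """Pod side: endpoint and form body the SDK POSTs, built from the injected AZURE_* values."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "form": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "scope": scope,
            "client_assertion_type": ASSERTION_TYPE,
            "client_assertion": token_file_contents,
        },
    }


@dataclass(frozen=True)
class FederatedCredential:
    """The three fields `az identity federated-credential create` records."""
    issuer: str
    subject: str
    audiences: tuple


def federated_credential_for(namespace: str, sa_name: str) -> FederatedCredential:
    return FederatedCredential(ISSUER, f"system:serviceaccount:{namespace}:{sa_name}", (EXCHANGE_AUDIENCE,))


def azure_ad_exchange(form: dict, credentials: list, key: bytes = CLUSTER_KEY) -> str:
    """Azure AD side: 'ok' if the assertion is accepted, otherwise the reason it is refused."""
    if form.get("client_assertion_type") != ASSERTION_TYPE:
        return "unsupported client_assertion_type"
    parts = form.get("client_assertion", "").split(".")
    if len(parts) != 3:
        return "malformed assertion"
    header_b64, payload_b64, sig_b64 = parts
    # Real Azure AD resolves claims["iss"] to a JWKS and verifies RS256; the HMAC stands in here.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if int(time.time()) >= claims["exp"]:
        return "assertion expired"
    auds = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    for fic in credentials:
        if (fic.issuer == claims["iss"] and fic.subject == claims["sub"]
                and any(a in fic.audiences for a in auds)):
            return "ok"  # Azure AD would now issue an access token for form["client_id"]
    return f"no federated credential matches iss={claims['iss']} sub={claims['sub']}"


if __name__ == "__main__":
    fics = [federated_credential_for("default", "my-service-account")]
    req = build_token_request(mint_projected_sa_token("default", "my-service-account"))
    print(req["url"], "->", azure_ad_exchange(req["form"], fics))
    other = build_token_request(mint_projected_sa_token("staging", "my-service-account"))
    print("same ServiceAccount name in another namespace ->", azure_ad_exchange(other["form"], fics))
```

The second call in the usage shows the property that makes the binding safe: a ServiceAccount with the same name in a different namespace produces a token with a different subject, so the same federated credential refuses it. Likewise a token signed by anything other than the cluster's key is rejected before its claims are looked at, which is why the OIDC issuer URL (and the keys it publishes) must be the cluster's own.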
Example Configuration
Here is a simplified example of how you might configure a Kubernetes deployment to use Workload Identity:
- Create a ServiceAccount:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: my-service-account
  namespace: default
  annotations:
    azure.workload.identity/client-id: "<azure-ad-client-id>"
```
- Reference the ServiceAccount in a Deployment. The azure.workload.identity/use label on the pod template is what tells the webhook to inject the token volume and the AZURE_* environment variables; without it the pod gets no credential at all:
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-deployment
  namespace: default
spec:
  selector:
    matchLabels:
      app: my-app
  template:
    metadata:
      labels:
        app: my-app
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: my-service-account
      containers:
      - name: my-container
        image: my-image
```
- Assign an Azure role to the identity: make sure the Azure AD identity behind <azure-ad-client-id> has a federated credential whose subject is system:serviceaccount:default:my-service-account and the role assignments it needs on the target resources (for example Key Vault Secrets User on one vault), and nothing broader.
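A pre-deploy check for the wiring the example above depends on, as an added example that is not code from the original post: it confirms that the ServiceAccount carries the client-id annotation, that the Deployment's pod template both selects that ServiceAccount and carries the azure.workload.identity/use label, and it derives the federated-credential subject the Azure side must match. Manifests are passed as plain dicts (the shape yaml.safe_load returns) so only the standard library is needed; the sample manifests are constructed for this example and the client ID is a placeholder.

```python
"""Added example (not from the original post): lint the Workload Identity
wiring between a ServiceAccount and a Deployment before applying them."""
import re

CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"
USE_LABEL = "azure.workload.identity/use"
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def expected_fic_subject(namespace: str, sa_name: str) -> str:
    """Subject the federated credential on the Azure identity must carry for these pods."""
    return f"system:serviceaccount:{namespace}:{sa_name}"


def check_wiring(service_account: dict, deployment: dict) -> list:
    """Return findings as strings; an empty list means the manifests are wired correctly."""
    findings = []
    sa_meta = service_account.get("metadata", {})
    sa_ns = sa_meta.get("namespace", "default")
    sa_name = sa_meta.get("name")
    client_id = (sa_meta.get("annotations") or {}).get(CLIENT_ID_ANNOTATION)
    if not client_id:
        findings.append(f"ServiceAccount {sa_ns}/{sa_name}: missing annotation {CLIENT_ID_ANNOTATION}")
    elif not GUID.match(client_id):
        findings.append(f"ServiceAccount {sa_ns}/{sa_name}: {CLIENT_ID_ANNOTATION} is not a client ID GUID: {client_id!r}")

    dep_meta = deployment.get("metadata", {})
    dep_ns = dep_meta.get("namespace", "default")
    dep_name = dep_meta.get("name")
    template = deployment.get("spec", {}).get("template", {})
    pod_labels = (template.get("metadata") or {}).get("labels") or {}
    pod_spec = template.get("spec") or {}
    if pod_labels.get(USE_LABEL) != "true":
        findings.append(f'Deployment {dep_ns}/{dep_name}: pod template lacks label {USE_LABEL}: "true"; '
                        "the webhook will not inject the token volume or AZURE_* env vars")
    if pod_spec.get("serviceAccountName") != sa_name:
        findings.append(f"Deployment {dep_ns}/{dep_name}: serviceAccountName "
                        f"{pod_spec.get('serviceAccountName')!r} does not reference ServiceAccount {sa_name!r}")
    if dep_ns != sa_ns:
        findings.append(f"Deployment namespace {dep_ns!r} differs from ServiceAccount namespace {sa_ns!r}; "
                        "pods can only use a ServiceAccount in their own namespace")
    return findings


# Constructed samples: the post's manifests with a placeholder client ID.
SERVICE_ACCOUNT = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "my-service-account", "namespace": "default",
                 "annotations": {CLIENT_ID_ANNOTATION: "33333333-3333-3333-3333-333333333333"}},
}


def _deployment(pod_labels: dict) -> dict:
    return {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "my-deployment", "namespace": "default"},
        "spec": {"selector": {"matchLabels": {"app": "my-app"}},
                 "template": {"metadata": {"labels": pod_labels},
                              "spec": {"serviceAccountName": "my-service-account",
                                       "containers": [{"name": "my-container", "image": "my-image"}]}}},
    }


DEPLOYMENT_MISSING_LABEL = _deployment({"app": "my-app"})          # silently gets no credential
DEPLOYMENT_CORRECT = _deployment({"app": "my-app", USE_LABEL: "true"})

if __name__ == "__main__":
    for name, dep in (("missing label", DEPLOYMENT_MISSING_LABEL), ("correct", DEPLOYMENT_CORRECT)):
        print(name, "->", check_wiring(SERVICE_ACCOUNT, dep) or "ok")
    print("federated credential subject:", expected_fic_subject("default", "my-service-account"))
```

The missing-label case is the one worth catching early: the pod starts normally, the Azure SDK finds no AZURE_FEDERATED_TOKEN_FILE and falls through its credential chain, and the failure surfaces later as an authentication error that looks like a role-assignment problem. Comparing the printed subject against the federated credential (az identity federated-credential show) closes the loop on the Azure side.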
Conclusion
Workload Identity for AKS enhances security and simplifies the management of identities within Kubernetes clusters by leveraging Azure AD. This integration allows Kubernetes pods to access Azure resources without the need to store sensitive credentials, thereby reducing the risk of security breaches and simplifying operational overhead.