Cluster managed identity support for system-assigned-identity

[jnoller]

Tracking issue for support of system assigned Managed Identity within AKS.

[jnoller]

Related Issue #803

[J0F3]

Any news or an approximate ETA for this?
Thx!

[mkosieradzki]

https://azure.microsoft.com/en-us/updates/managed-identities-integration-in-azure-kubernetes-service-aks-is-now-in-preview/ - it seems to be live very soon.

However, I see that it does only support System-assigned MI. If designed properly this should not cause any problems like requiring access management on any resource outside of the MC_ RG.

[sauryadas]

https://docs.microsoft.com/en-us/azure/aks/use-managed-identity

[asubmani]

If we provision an AKS cluster today with MSI's AND keep the SPN for required services like monitoring etc. Can we AVOID a cluster re-deployment when the SPN dependency is no longer required?

[sauryadas]

@norshtein Can you confirm? will an upgrade clean up the SPN and have the addons refer to the UA MI ?

[norshtein]

After SPN dependency is no longer required, it's fine if you don't update current cluster. But disabling and re-enabling addons is needed, the purpose of this operation is to recreate addon pods and use new addon version to make addons use managed identity to authenticate. During this period, your addons will be offline for sometime but the cluster will keep online. If you don't disable and re-enable addons, your addons will still use SPN to authenticate and they will not work correctly after SPN expires.

[norshtein]

@sauryadas yes, an upgrading operation will clean up the SPN and have the addons refer to the UA MI.

[ams0]

I tested this scenario today:

$> az ad sp create-for-rbac -n "uselesssp" --skip-assignment
$> az aks create -k 1.17.0  --load-balancer-sku Standard --network-plugin kubenet -c 2 -s Standard_B4ms  --nodepool-name base  -g k8s -n msi --enable-managed-identity --service-principal <uselesssp> --client-secret <uselesssecret>

It has to be a real SP - anything else, like a wrong password, will fail (it means the CLI or the RP does some sort of checking?). But once the cluster is running, it works fine (so far as I can test). It creates LoadBalancer type services and can use azure-disk PersistentVolumes. Just wanted to share this little fact: you can have a functional cluster without assign the SP any role.

[jluk]

Managed identity is now GA, closing issue as a result.

https://github.com/Azure/AKS/releases/tag/2020-03-16

[zhiweiv]

The guide is not updated yet, will it come soon?
https://docs.microsoft.com/en-us/azure/aks/use-managed-identity

[jluk]

Document update will be live by Monday, possibly earlier. Thanks for checking!

[sauryadas]

@zhiweiv Docs live now
https://docs.microsoft.com/en-us/azure/aks/use-managed-identity

[ghost]

Very brief question on this, according to the terraform provider docs a route table is required for AKS deployment, but the permissions section linked from the docs page https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal#delegate-access-to-other-azure-resources doesn't mention anything specifically about configuring routes. Should I open a new issue somewhere on this? I just don't feel like the documentation on the AKS route table is very clear

[flamingboo]

@sauryadas
Somehow I'm a bit confused about the updated guide:

"For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the MC_* resource group, use the PrincipalID of the cluster to perform a role assignment. For more information on role assignment, see Delegate access to other Azure resources."
Since I will be deploying with my own VNet (vnetSubnetID in ARM), how can I do - in advance - an assignment with the PrincipalID of cluster (principl ID of the system-assigned managed identity) generated during the deployement?
Unless I did not understand correctly the procedure?

[sauryadas]

@flamingboo you would create the cluster with the byo vnet and then perform the role assignment. Give it a shot and let us know

[flamingboo]

ok good. will you keep you updated.

[andyofengland]

Is there an ARM Template equivalent of the --enable-managed-identity command?

[bhicks329]

Under the resource at the top level you just need ...

"identity": {
      "type": "SystemAssigned"
  }

https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/2020-03-01/managedclusters

[andyofengland]

Fantastic, thank you!
Something to perhaps feed back to the documentation side of things as it wasn't clear the correlation between the CLI and the ARM version of the same thing.

[j03wang]

Are there plans for this to come to the other clouds (China, specifically)?

[jluk]

@j03wang yes this feature is being developed for access in AzChina and AzGov. When those have released those labels will be placed on this ticket. cc @thomas1206 / @TomGeske

[j03wang]

@jluk Thanks! Is there a time range I can expect this to come in?

[TomGeske]

@j03wang: MSI should be availble in China today. Do you see any error message while creating an MSI enabled cluster?

[j03wang]

@TomGeske Yes - I'm seeing this:

Creating cluster having identity type 'SystemAssigned' is not allowed in specified location chinanorth2

[TomGeske]

let me double check and come back.

[TomGeske]

@j03wang: I just checked. MSI. Current ETA for availability in China is mid-June.

[j03wang]

@TomGeske Thanks for checking. Might there be a preview flag or whitelist of sorts for China before then?

[TomGeske]

MSI support for AKS isn't deployed to China region, yet. Whitelisting is mainly used in public cloud regions only.

[TomGeske]

Just as a heads-up Managed Identity is now available in China.