diff --git a/docs/book/src/quick-start.md b/docs/book/src/quick-start.md index e22869715..33ad4cd07 100644 --- a/docs/book/src/quick-start.md +++ b/docs/book/src/quick-start.md @@ -168,8 +168,6 @@ kind: ServiceAccount metadata: annotations: azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID:-$USER_ASSIGNED_IDENTITY_CLIENT_ID} - labels: - azure.workload.identity/use: "true" # if you're using azure-workload-identity v1.0.0+, this label is not required. name: ${SERVICE_ACCOUNT_NAME} namespace: ${SERVICE_ACCOUNT_NAMESPACE} EOF diff --git a/docs/book/src/topics/service-account-labels-and-annotations.md b/docs/book/src/topics/service-account-labels-and-annotations.md index dcdf4f69e..07007357a 100644 --- a/docs/book/src/topics/service-account-labels-and-annotations.md +++ b/docs/book/src/topics/service-account-labels-and-annotations.md 
@@ -14,6 +14,8 @@ The following is a list of available labels and annotations that can be used to ### Annotations +All annotations are optional. If the annotation is not specified, the default value will be used. + | Annotation | Description | Default | | ---------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | | `azure.workload.identity/service-account-token-expiration` | **(Takes precedence if the service account is also annotated)** Represents the `expirationSeconds` field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued. | `3600` (acceptable range: `3600 - 86400`) | 
@@ -24,18 +26,14 @@ The following is a list of available labels and annotations that can be used to ## Service Account -### Labels - -| Label | Description | Recommended value | Required? | -| ----------------------------- | ------------------------------------------------------------------- | ----------------- | --------------------------------------------------------------------------------- | -| `azure.workload.identity/use` | Represents the service account is to be used for workload identity. | `true` | **This label is only required if using azure-workload-identity version < v1.0.0** | - ### Annotations +All annotations are optional. If the annotation is not specified, the default value will be used. + | Annotation | Description | Default | | ---------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | -| `azure.workload.identity/client-id` | Represents the AAD application client ID to be used with the pod. | | -| `azure.workload.identity/tenant-id` | Represents the Azure tenant ID where the AAD application is registered. | `AZURE_TENANT_ID` environment variable extracted from [`azure-wi-webhook-config`][1] ConfigMap | +| `azure.workload.identity/client-id` | Represents the AAD application or user-assigned managed identity client ID to be used with the pod. | | +| `azure.workload.identity/tenant-id` | Represents the Azure tenant ID where the AAD application or user-assigned managed identity is registered. 
| `AZURE_TENANT_ID` environment variable extracted from [`azure-wi-webhook-config`][1] ConfigMap | | `azure.workload.identity/service-account-token-expiration` | Represents the `expirationSeconds` field for the projected service account token. It is an optional field that the user might want to configure this to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry will not be correlated with AAD tokens. AAD tokens will expire in 24 hours after they are issued. | `3600` (acceptable range: `3600 - 86400`) | [1]: https://github.com/Azure/azure-workload-identity/blob/40b3842dc49784bb014ad5d8b02cf6c959244196/deploy/azure-wi-webhook.yaml#L101-L110
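Review bot: Dropping the `azure.workload.identity/use: "true"` label from the ServiceAccount manifest in the quick-start hunk also drops the only version hint the sample carried (the deleted comment said the label is not required for azure-workload-identity v1.0.0+), so a reader on an earlier release will apply a manifest that is missing a label those versions require, and nothing on the page explains why. Suggest a one-line prerequisite above the manifest, e.g. `This quick start assumes azure-workload-identity v1.0.0 or later; on earlier versions the ServiceAccount additionally needs the label azure.workload.identity/use: "true".`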
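Review bot: The sentence added in the pod Annotations hunk ("All annotations are optional. If the annotation is not specified, the default value will be used.") now duplicates the per-row wording for `azure.workload.identity/service-account-token-expiration`, which still reads "It is an optional field that the user might want to configure this to prevent any downtime"; with the blanket statement in place, trim the row to "Configure this to prevent downtime caused by errors during service account token refresh", which also fixes the dangling "configure this". Since this row is where the `3600 - 86400` range is documented and the value is the projected token's `expirationSeconds`, a short clause noting that a higher value lengthens the period during which an issued projected token stays usable would help readers pick a value deliberately rather than reaching for the maximum.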
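Review bot: In the Service Account hunk the added sentence "If the annotation is not specified, the default value will be used" does not hold for `azure.workload.identity/client-id`, whose Default cell is empty in the same table, so either qualify the sentence (e.g. "the default value listed below, where one exists, will be used") or state in that cell that there is no default. Separately, deleting the Labels table removes the statement that `azure.workload.identity/use` is required for versions < v1.0.0 without leaving any trace of it; if pre-v1.0.0 releases are still in use, a one-line note under Service Account saying the label is no longer needed as of v1.0.0 would keep the page useful for people upgrading.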