Description
opened on Nov 27, 2019
Pod Identity is now deprecated (https://github.com/Azure/aad-pod-identity#aad-pod-identity-deprecated); use workload identity instead.
We need to automate testing our identity libraries' managed identity implementations with pod identity (AKS).
Below are instructions for manually testing Python's implementation (as seen in the repo):
# Testing managed identity in Azure Kubernetes Service

## prerequisite tools
- Azure CLI
- Docker CLI
- Helm 2.x (3.x doesn't handle CRDs properly at time of writing)
## Azure resources

This test requires instances of these Azure resources:
- Azure Key Vault
- Azure Managed Identity
  - with secrets/set and secrets/delete permission for the Key Vault
- Azure Container Registry
- Azure Kubernetes Service
  - RBAC requires additional configuration not provided here, so an RBAC-disabled cluster is preferable
  - the cluster's service principal must have the 'Managed Identity Operator' role over the managed identity
  - must be able to pull from the Container Registry
The rest of this section is a walkthrough of deploying these resources.
### set environment variables to simplify copy-pasting

- RESOURCE_GROUP
  - name of an Azure resource group
  - must be unique in the Azure subscription
  - e.g. 'pod-identity-test'
- AKS_NAME
  - name of an Azure Kubernetes Service
  - must be unique in the resource group
  - e.g. 'pod-identity-test'
- ACR_NAME
  - name of an Azure Container Registry
  - 5-50 alphanumeric characters
  - must be globally unique
- MANAGED_IDENTITY_NAME
  - 3-128 alphanumeric characters
  - must be unique in the resource group
- KEY_VAULT_NAME
  - 3-24 alphanumeric characters
  - must begin with a letter
  - must be globally unique

### resource group

```
az group create -n $RESOURCE_GROUP --location westus2
```

### managed identity

Create the managed identity:

```
az identity create -g $RESOURCE_GROUP -n $MANAGED_IDENTITY_NAME
```
Save its `clientId`, `id` (ARM URI), and `principalId` (object ID) for later:

```
export MANAGED_IDENTITY_CLIENT_ID=$(az identity show -g $RESOURCE_GROUP -n $MANAGED_IDENTITY_NAME --query clientId -o tsv) \
MANAGED_IDENTITY_ID=$(az identity show -g $RESOURCE_GROUP -n $MANAGED_IDENTITY_NAME --query id -o tsv) \
MANAGED_IDENTITY_PRINCIPAL_ID=$(az identity show -g $RESOURCE_GROUP -n $MANAGED_IDENTITY_NAME --query principalId -o tsv)
```
### Key Vault

Create the Vault:

```
az keyvault create -g $RESOURCE_GROUP -n $KEY_VAULT_NAME --sku standard
```

Add an access policy granting the managed identity the secrets/set and secrets/delete permissions the test needs (nothing broader):

```
az keyvault set-policy -n $KEY_VAULT_NAME --object-id $MANAGED_IDENTITY_PRINCIPAL_ID --secret-permissions set delete
```

### container registry

```
az acr create -g $RESOURCE_GROUP -n $ACR_NAME --admin-enabled --sku basic
```
### Kubernetes

Deploy the cluster (this will take several minutes):

```
az aks create -g $RESOURCE_GROUP -n $AKS_NAME --generate-ssh-keys --node-count 1 --disable-rbac --attach-acr $ACR_NAME
```

Grant the cluster's service principal permission to use the managed identity:

```
az role assignment create --role "Managed Identity Operator" \
  --assignee $(az aks show -g $RESOURCE_GROUP -n $AKS_NAME --query servicePrincipalProfile.clientId -o tsv) \
  --scope $MANAGED_IDENTITY_ID
```
## build images

The test application must be packaged as a Docker image before deployment.
Test runs must include Python 2 and 3, so two images are required.
### authenticate to ACR

```
az acr login -n $ACR_NAME
```

### acquire the test code

```
git clone https://github.com/Azure/azure-sdk-for-python/ --branch master --single-branch --depth 1
```

The rest of this section assumes this working directory:

```
cd azure-sdk-for-python/sdk/identity/azure-identity/tests
```
### build images and push them to the container registry

Set environment variables:

```
export REPOSITORY=$ACR_NAME.azurecr.io IMAGE_NAME=test-pod-identity PYTHON_VERSION=2.7
```

Build an image:

```
docker build --no-cache --build-arg PYTHON_VERSION=$PYTHON_VERSION -t $REPOSITORY/$IMAGE_NAME:$PYTHON_VERSION ./managed-identity-live
```

Push it to ACR:

```
docker push $REPOSITORY/$IMAGE_NAME:$PYTHON_VERSION
```

Then set `PYTHON_VERSION` to the latest 3.x (3.8 at time of writing) and run the above `docker build` and `docker push` commands again. (It's safe, and faster, to omit `--no-cache` from `docker build` the second time.)
## run the test

### install kubectl

```
az aks install-cli
```

### authenticate kubectl and helm

```
az aks get-credentials -g $RESOURCE_GROUP -n $AKS_NAME
```

### install tiller

```
helm init --wait
```

### run the test script

Twice: once with `PYTHON_VERSION=2.7`, once with `PYTHON_VERSION=3.x` (replacing x with the latest Python 3 minor version):

```
python ./pod-identity/run-test.py \
  --client-id $MANAGED_IDENTITY_CLIENT_ID \
  --resource-id $MANAGED_IDENTITY_ID \
  --vault-url https://$KEY_VAULT_NAME.vault.azure.net \
  --repository $REPOSITORY \
  --image-name $IMAGE_NAME \
  --image-tag $PYTHON_VERSION
```
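What the test pod actually exercises is the managed identity token request: the credential calls the instance metadata (IMDS) endpoint, and under aad-pod-identity the NMI component intercepts that call and answers with a token for the identity bound to the pod. The following is an added example, not code from this issue or from the azure-identity package, showing that request and the response parsing in Python 3. The endpoint, `api-version` and `Metadata: true` header are the documented IMDS values; the sample response and the fake opener are constructed so the flow runs offline, and the token value is a placeholder.

```python
"""Added example (not from the issue or azure-identity): the IMDS-style token
request a managed identity credential makes from inside an AKS pod, plus the
response parsing a library would do. The fake opener below is constructed so
the flow can be exercised without network access."""
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_request(resource, client_id=None):
    """Return (url, headers) for a managed identity token request.

    resource is the audience (https://vault.azure.net for Key Vault).
    client_id selects a user-assigned identity; omit it for the
    system-assigned identity. The Metadata: true header is mandatory:
    IMDS refuses requests without it, which stops a redirected browser
    (an SSRF-style request) from fetching tokens.
    """
    params = {"api-version": IMDS_API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return IMDS_TOKEN_ENDPOINT + "?" + urlencode(params), {"Metadata": "true"}


def parse_token_response(body, now=None):
    """Parse an IMDS token response into (access_token, seconds_until_expiry).

    IMDS reports expires_on as a Unix timestamp, documented as a string;
    an int is accepted too.
    """
    payload = json.loads(body)
    now = time.time() if now is None else now
    return payload["access_token"], int(payload["expires_on"]) - now


def get_token(resource, client_id=None, opener=urlopen, timeout=5):
    """Request a token. opener is injectable (default: urllib's urlopen) so the
    same code path runs against the fake below or the real endpoint."""
    url, headers = build_imds_request(resource, client_id)
    with opener(Request(url, headers=headers), timeout=timeout) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


# Constructed sample in the shape IMDS documents; the token is a placeholder.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "<placeholder-jwt>",
    "expires_on": "1700003600",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
    "client_id": "00000000-0000-0000-0000-000000000000",
})


class _FakeResponse:
    """Minimal stand-in for the object urlopen returns (constructed)."""

    def __init__(self, request):
        self.request = request

    def read(self):
        # Mirror IMDS behaviour: no Metadata header, no token.
        if self.request.get_header("Metadata") != "true":
            raise ValueError("IMDS requires the 'Metadata: true' header")
        return SAMPLE_RESPONSE.encode("utf-8")

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_opener(request, timeout=None):
    """Offline replacement for urlopen (constructed for this example)."""
    return _FakeResponse(request)


if __name__ == "__main__":
    token, ttl = get_token("https://vault.azure.net",
                           client_id="00000000-0000-0000-0000-000000000000",
                           opener=fake_opener)
    print("token:", token, "valid for about", int(ttl), "seconds")
```

Inside the test pod, dropping `opener=fake_opener` sends the same request to the real endpoint; a missing `aadpodidbinding` label or a binding to the wrong identity shows up as a non-200 response or a token for an unexpected `client_id`, which is why the test passes `--client-id` explicitly.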
### delete Azure resources

```
az group delete -n $RESOURCE_GROUP -y --no-wait
```