Azure Workload Identity in AKS(Azure Kubernetes Service) is a feature that allows to seamlessly interact with other Azure services. Here, we’ll discuss more on this feature in detail. At Bobcares, we assist our customers with several queries on a daily basis as part of our Kubernetes Support.

Overview

1. More on Azure Workload Identity in AKS
2. Azure Workload Identity in AKS: Key Features
3. Azure Workload Identity in AKS: Working
4. Azure Workload Identity in AKS: Setup Steps
5. Azure Workload Identity in AKS : Benefits
6. Conclusion

More on Azure Workload Identity in AKS

Azure Workload Identity allows Kubernetes service accounts to access Azure resources by integrating Azure AD with Kubernetes. It offers a simplified authentication process using Azure Managed Identities along with Kubernetes native features.

Through the linking of Azure Active Directory with Kubernetes service accounts, Azure Workload Identity enables Kubernetes pods in AKS to access Azure resources. This method also improves security and lowers administration overhead by doing away with the need to manage connection strings or service principle secrets inside the application.

Azure Workload Identity in AKS: Key Features

1. Federation of Identity:

i. Enables the federation of Azure AD identities with Kubernetes service accounts.

ii. Minimizes the chance of credential disclosure and does away with the requirement for secrets management.

2. Convenient and Safe Authentication:

i. Employs token-based authentication with Azure AD.

ii. Workloads using Kubernetes can easily authenticate to Azure services, including Azure Storage and Azure Key Vault.

3. Native Kubernetes Integration:

i. Uses natural Kubernetes primitives, such RBAC, Custom Resource Definitions (CRDs), and service accounts.

ii. Allows for more precise access control by integrating with Kubernetes Role-Based Access Control (RBAC).

4. Automatic Token Management:

Retrieving and renewing Azure AD tokens for authorized access is handled automatically.

Azure Workload Identity in AKS: Working

The main steps in the working of Azure Workload Identity is as follows:

1. Service Account Creation: A Kubernetes service account is created and annotated with Azure Workload Identity configuration details.

2. Azure AD Application and Managed Identity: An Azure AD application and a corresponding managed identity are created. The managed identity is given permissions to access specific Azure resources.

3. Federated Identity Credential: A federated identity credential is set up between the Azure AD application and the Kubernetes service account. This allows Azure AD to trust tokens issued by Kubernetes for the designated service account.

4. Token Exchange and Access: When a Kubernetes workload uses the annotated service account, it can request an Azure AD token. The Kubernetes Service Account Token Volume Projection and Azure Identity Webhook facilitate the token exchange. The workload uses the token to authenticate and access Azure resources.

Azure Workload Identity in AKS: Setup Steps

Prerequisites

1. An AKS cluster

2. Azure CLI installed

3. Azure AD tenant with permissions to create applications and managed identities

Steps

1. Enable OIDC Issuer in AKS: Initially, we must ensure the AKS cluster has the OIDC issuer enabled:

az aks update --resource-group  --name  --enable-oidc-issuer

2. Install Azure Workload Identity Components: Deploy the Azure Workload Identity components in the AKS cluster:

kubectl apply -f https://github.com/Azure/azure-workload-identity/raw/main/deploy/webhook.yaml

3. Create Azure AD Application and Managed Identity: Create an Azure AD application and managed identity for the workload:

az ad app create --display-name 
az identity create --name  --resource-group

4. Assign Federated Identity Credential: Configure the federated identity credential to link the Azure AD application with the Kubernetes service account:

az ad app federated-credential create --id  --parameters "{\"name\":\"\",\"issuer\":\"\",\"subject\":\"\",\"audiences\":[\"api://AzureADTokenExchange\"]}"

5. Annotate the Kubernetes Service Account: Annotate the Kubernetes service account with the Azure Workload Identity information:

yaml

apiVersion: v1
kind: ServiceAccount
metadata:
name: 
annotations:
azure.workload.identity/client-id: 
azure.workload.identity/tenant-id:

6. Grant Permissions: Assign the necessary Azure RBAC roles to the managed identity to access the required Azure resources:

az role assignment create --assignee  --role  --scope

Azure Workload Identity in AKS : Benefits

1. Enhanced Security: It eliminates the need to store credentials in code or configuration files, reducing the risk of exposure. It also leverages Azure Active Directory for authentication, providing a robust security framework with support for policies like Conditional Access. The fine-grained access control to Azure resources ensures applications have only the permissions they need.

2. Simplified Identity Management:It utilizes Azure Managed Identities, which automatically handle token issuance and renewal without manual intervention. There will be a centralized management of identity and access policies using Azure AD.

3. Seamless Integration: It combines seamlessly with Kubernetes, allowing developers to use native Kubernetes service accounts for identity. It also works with a wide range of Azure services, such as Azure Key Vault, Azure Storage, and Azure SQL Database.

4. Improved Scalability and Flexibility: It supports dynamic scaling of applications without the complexity of managing secrets or credentials. It offers multi-tenant environments, allowing for different identity configurations per workload.

5. Cost Efficiency: Automated credential management reduces the need for manual operations and the associated costs. Thus, ensures resources are accessed securely and efficiently, potentially leading to cost savings on cloud services.

6. Compliance and Auditing: It facilitates compliance with organizational and regulatory security standards by enforcing access policies.It also provides detailed logging and monitoring capabilities to track access and usage of Azure resources, aiding in auditing and compliance efforts.

7. Streamlined Development: Azure Workload Identity allows developers to focus on building applications without worrying about identity management complexities. It is quick to set up and integrate, speeding up the development and deployment process.

8. Resilience and Reliability:It offers high availability and resilience, ensuring that identity services remain operational even in case of failures.
Also, it maintains consistent performance across different workloads and environments.

[Want to learn more? Click here to reach us.]

Conclusion

Applications operating under Azure Kubernetes Service (AKS) may securely access other Azure services without handling passwords thanks to a powerful feature called Azure Workload Identity. Organizations can create a more secure, managed, and scalable cloud-native architecture, which will eventually improve application security and performance, by using Azure Workload Identity in AKS.

To sum up, our Tech team went over the details of Azure Workload Identity in AKS, including its working and setup.