Add Exception for aad-pod-identity
Learn what needs to be done to run successfully with aad-pod-identity
In order to use Managed Identities with Pods, Microsoft have developed a open source project called aad-pod-identity or Azure Active Directory Pod Identity for Kubernetes. In order for akv2k8s to run successfully in the same cluster as aad-pod-identity, a
AzurePodIdentityException must be added for akv2k8s.
If all of these conditions are true, a
AzurePodIdentityException must be added for akv2k8s to work successfully:
- The Kubernetes cluster has aad-pod-identity installed
- The Kubernetes cluster is using Managed Identity as its primary identity
- Akv2k8s is using default authentication (
The akv2k8s Helm chart has a simple setting for this. Just set
addAzurePodIdentityException=true and a AzurePodIdentityException will be added to Kubernetes.
As documented by
The authorization request to fetch a Service Principal Token from an MSI endpoint is sent to Azure Instance Metadata Service (IMDS) endpoint (169.254.169.254), which is redirected to the NMI pod.
Identity assignment on VM takes 10-20s and 40-60s in case of VMSS.
This will effectively prevent akv2k8s to do MSI authentication requests directly with the MSI endpoint (using Managed Identity with Azure Key Vault) and both the Controller and Evn Injector will fail during startup.