README
¶
Azure AD Workload Identity
Azure AD Workload Identity is the next iteration of AAD Pod Identity that enables Kubernetes applications to access Azure cloud resources securely with Azure Active Directory based on annotated service accounts.
Installation
Check out the installation guide on how to deploy the Azure AD Workload Identity webhook.
Quick Start
Check out the Azure AD Workload Identity Quick Start on how to securely access Azure cloud resources from your application using the webhook and MSAL.
Overview
The repository contains the following components:
-
The webhook is for mutating pods that reference an annotated service account. The webhook will inject the environment variables and the projected service account token volume. Your application/SDK will consume them to authenticate itself to Azure resources.
-
Proxy Init and Proxy
The proxy init container and proxy sidecar container will be used for applications that are still using AAD Pod Identity.
Motivation
- Cloud-agnostic.
- Support Linux and Windows workload.
- Industry-standard and Kubernetes-friendly authentication based on OpenID Connect (OIDC).
- Remove convoluted steps to set up cluster role assignments.
- Remove the following dependencies:
- Instance Metadata Service (IMDS)
- CustomResourceDefinitions (CRDs)
Goals
- A secure way for cloud-native applications to obtain AAD tokens and access Azure cloud resources in a Kubernetes cluster.
Directories