Aad pod identity as add on #3475
Conversation
|
I think we should hold off merging this until pod identity works with azure cni (no podCIDR) and RBAC, per these two issues: Azure/aad-pod-identity#40 and Azure/aad-pod-identity#39 |
|
@kkmsft can we remove the |
parts/k8s/kubernetescustomscript.sh
Outdated
| @@ -486,6 +486,10 @@ configACIConnectorAddon() { | |||
| sed -i "s|<kubernetesACIConnectorKey>|$(echo $ACI_CONNECTOR_KEY)|g" "/etc/kubernetes/addons/aci-connector-deployment.yaml" | |||
| } | |||
|
|
|||
| configAADPodIdentityAddon() { | |||
| sed -i "s|<kubernetesAADPodIdentityCredentials>|$AAD_POD_IDENTITY|g" "/etc/kubernetes/addons/aad-pod-identity-deployment.yaml" | |||
There was a problem hiding this comment.
It looks like we aren't actually passing in AAD_POD_IDENTITY or AAD_POD_IDENTITY_ADDON env vars yet. May I suggest that we drop the "boolean" AAD_POD_IDENTITY_ADDON var, and simply check for non-empty string value of AAD_POD_IDENTITY to determine whether or not we want to do the sed replacement?
There was a problem hiding this comment.
Thank you, Jack. Since we don't have anything to pass and use values from azure.json, this is not required. So have removed this.
| { | ||
| "name": "aad-pod-identity", | ||
| "enabled" : true, | ||
| "config": { |
There was a problem hiding this comment.
I think these configs are specific to the aci-connector. I dont think config is neccessary for pod identity.
| "name": "agentpool", | ||
| "count": 3, | ||
| "vmSize": "Standard_DS2_v2", | ||
| "availabilityProfile": "VirtualMachineScaleSets" |
There was a problem hiding this comment.
Need to support VMSS first...hold this PR until that is added or change this to AvailabilitySet
There was a problem hiding this comment.
Using AvailablitySet in this PR as the example. Will add the ScaleSet after adding the support for that in aad-pod-identity.
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: aad-pod-identity-secret |
There was a problem hiding this comment.
we dont need this for pod identity
There was a problem hiding this comment.
Using azure.json directly.
parts/k8s/kubernetesmastervars.t
Outdated
| @@ -103,6 +103,16 @@ | |||
| "kubernetesTillerCPULimit": "[parameters('kubernetesTillerCPULimit')]", | |||
| "kubernetesTillerMemoryLimit": "[parameters('kubernetesTillerMemoryLimit')]", | |||
| "kubernetesTillerMaxHistory": "[parameters('kubernetesTillerMaxHistory')]", | |||
| "kubernetesAADPodIdentityEnabled": "[parameters('kubernetesAADPodIdentityEnabled')]", | |||
| "kubernetesAADPodIdentitySpec": "[parameters('kubernetesAADPodIdentitySpec')]", | |||
| "kubernetesAADPodIdentityNodeName": "[parameters('kubernetesAADPodIdentityNodeName')]", | |||
There was a problem hiding this comment.
These are specific to aci-connector. I dont think we need these for pod identity.
There was a problem hiding this comment.
Enabled flag remains. Rest removed.
parts/k8s/kubernetesparams.t
Outdated
| }, | ||
| "type": "string" | ||
| }, | ||
| "kubernetesAADPodIdentityOS": { |
There was a problem hiding this comment.
I think these params are specific to the aci-connector. I dont think config is neccessary for pod identity.
There was a problem hiding this comment.
Thanks Rita. Removed them. Remnants from following a template example :-)
kkmsft
force-pushed
the
aad-pod-identity
branch
6 times, most recently
from
d86fab9
to
9d83cbf
Compare
|
@jackfrancis @ritazh @kkmsft @CecileRobertMichon |
| "name": "agentpool", | ||
| "count": 3, | ||
| "vmSize": "Standard_DS2_v2", | ||
| "availabilityProfile": "AvailabilitySet" |
There was a problem hiding this comment.
Please add a comment to indicate currently only "AvailabilitySet" is supported to avoid users creating using "VirtualMachineScaleSets".
|
|
||
| You can validate that the add-on is running as expected with the following commands: | ||
|
|
||
| You should see two pod names - one starting with mic and another nmi as `Running` after executing: |
There was a problem hiding this comment.
You should see two sets of pods - a single mic pod and as many nmi pods as there are agent nodes in Running state after executing:
| "kubernetesmasteraddons-aad-pod-identity-deployment.yaml", | ||
| "aad-pod-identity-deployment.yaml", | ||
| profile.OrchestratorProfile.KubernetesConfig.IsAADPodIdentityEnabled(), | ||
| }, |
Codecov Report
@@ Coverage Diff @@
## master #3475 +/- ##
==========================================
+ Coverage 55.49% 55.85% +0.36%
==========================================
Files 105 105
Lines 15990 16003 +13
==========================================
+ Hits 8873 8938 +65
+ Misses 6369 6316 -53
- Partials 748 749 +1 |
pkg/acsengine/defaults.go
Outdated
| Containers: []api.KubernetesContainerSpec{ | ||
| { | ||
| Name: "mic", | ||
| Image: "nikhilbh/mic:1.0", |
There was a problem hiding this comment.
Remove image, it is not being used
pkg/acsengine/defaults.go
Outdated
| }, | ||
| { | ||
| Name: "nmi", | ||
| Image: "nikhilbh/nmi:1.0", |
There was a problem hiding this comment.
Remove image, it is not being used
| - name: nmi | ||
| image: "nikhilbh/nmi:1.2" | ||
| imagePullPolicy: Always | ||
| args: |
There was a problem hiding this comment.
I think you need resource limits and requests here.
| component: mic | ||
| spec: | ||
| serviceAccountName: aad-pod-id-mic-service-account | ||
| containers: |
There was a problem hiding this comment.
Also here. I think you need resource limits and requests here.
|
LGTM @jackfrancis will add an issue to add validation test for this |
|
@ritazh and E2E test coverage :) |
What this PR does / why we need it:
Add deploying Aad pod Identity as a add-on for acs engine created cluster.
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Special notes for your reviewer:
If applicable:
Release note: