Was alpha rolled out to aks ? #751

Closed
thomasfrederikhoeck opened this issue Feb 10, 2023 · 7 comments

@thomasfrederikhoeck

Describe the bug
At the same time as v1.0.0-alpha.0 was released my pods started failing with azure.identity._exceptions.CredentialUnavailableError: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource. from the Python SDK. I have made no changes to the cluster, the identity or anything of that sort. Has it been auto rolled out?

Steps To Reproduce
Have an AKS cluster running before yesterday where everything was working.

Expected behavior
Still work..

Logs

Environment
Client Version: v1.25.2
Kustomize Version: v4.5.7
Server Version: v1.22.15

Additional context

thomasfrederikhoeck added the bug label Feb 10, 2023
thomasfrederikhoeck (Author) commented Feb 10, 2023

After adding azure.workload.identity/use: "true" as described here it fixed it https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview#pod-labels which was also the breaking feature described in the release. So it looks like the alpha is what is running on AKS now.

pinkfloydx33 commented Feb 10, 2023

Yeah, same thing happened to us. It seems like we are experiencing the semantics of the alpha. We were in the process of getting these pod labels added before GA. The funny thing is the AZWI controller still indicates that it's running mcr.microsoft.com/oss/azure/workload-identity/webhook:v0.14.0

aramase (Member) commented Feb 10, 2023

Hello 👋🏻 thanks for opening the issue.

AKS is rolling out v0.15.0 in all the regions with the webhook failure policy set to Fail instead of Ignore and the objectSelector azure.workload.identity/use: "true". AFAIK, AKS sent out an email to all the users currently using WI with AKS add-on. @miwithro to confirm!

aramase added aks and removed bug labels Feb 10, 2023
pinkfloydx33 commented Feb 10, 2023

We got an email a few weeks ago indicating we would need to do it for GA. We were in the process of getting it updated, assuming we had more time.

But even then, the image version still said 14 for the webhook controller so I'm confused why it kicked in.

@glloyd2010f

> After adding azure.workload.identity/use: "true" as described here it fixed it https://dev.azure.com/DSN-AADS/Applications/_build/results?buildId=16332&view=results which was also the breaking feature described in the release. So it looks like the alpha is what is running on AKS now.

Can you provide a copy of the fix in this issue? Trying to implement it and I do not have access to the ADO org.

@pinkfloydx33

@glloyd2010f I don't have access either, but the "issue" is that target Pods now require a label in addition to the one required on the ServiceAccount. The fix is to add the azure.workload.identity/use: "true" label to your Pod spec.

Assuming you're using a Deployment, you'd make the following update (with irrelevant properties elided):

kind: Deployment
spec:
  template:
    metadata:
      labels:
        azure.workload.identity/use: 'true'
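
An audit for the condition described in this comment, as an added example that is not part of the thread or the project's code: it lists Deployments that run under a ServiceAccount labelled for workload identity but whose Pod template lacks azure.workload.identity/use: "true". The input shape (the JSON from `kubectl get serviceaccounts,deployments -A -o json`), the sample objects and the function names are assumptions made for illustration.

```python
import json
import sys

USE_LABEL = "azure.workload.identity/use"  # label name and value "true" are quoted in this thread

# Constructed sample, shaped like `kubectl get serviceaccounts,deployments -A -o json`.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ServiceAccount", "metadata": {"name": "wi-sa", "namespace": "apps",
    "labels": {"azure.workload.identity/use": "true"}}},
  {"kind": "ServiceAccount", "metadata": {"name": "wi-sa", "namespace": "other"}},
  {"kind": "Deployment", "metadata": {"name": "api", "namespace": "apps"},
   "spec": {"template": {"metadata": {"labels": {"app": "api"}},
                         "spec": {"serviceAccountName": "wi-sa"}}}},
  {"kind": "Deployment", "metadata": {"name": "worker", "namespace": "apps"},
   "spec": {"template": {"metadata": {"labels": {"azure.workload.identity/use": "true"}},
                         "spec": {"serviceAccountName": "wi-sa"}}}},
  {"kind": "Deployment", "metadata": {"name": "cron", "namespace": "apps"},
   "spec": {"template": {"metadata": {"labels": {"azure.workload.identity/use": "True"}},
                         "spec": {"serviceAccountName": "wi-sa"}}}},
  {"kind": "Deployment", "metadata": {"name": "web", "namespace": "apps"},
   "spec": {"template": {"metadata": {}, "spec": {}}}},
  {"kind": "Deployment", "metadata": {"name": "api", "namespace": "other"},
   "spec": {"template": {"metadata": {}, "spec": {"serviceAccountName": "wi-sa"}}}}
]}
""")

def has_use_label(metadata):
    # Label selectors compare values exactly, so "True" or "yes" does not count.
    return ((metadata or {}).get("labels") or {}).get(USE_LABEL) == "true"

def unlabeled_deployments(items):
    """Return sorted (namespace, name) of Deployments the webhook's objectSelector would skip."""
    wi_accounts = {(i["metadata"].get("namespace"), i["metadata"]["name"]) for i in items
                   if i["kind"] == "ServiceAccount" and has_use_label(i["metadata"])}
    findings = []
    for dep in (i for i in items if i["kind"] == "Deployment"):
        ns = dep["metadata"].get("namespace")
        template = dep["spec"]["template"]
        # Pods without serviceAccountName run as the namespace's "default" account.
        sa = template.get("spec", {}).get("serviceAccountName") or "default"
        if (ns, sa) in wi_accounts and not has_use_label(template.get("metadata")):
            findings.append((ns, dep["metadata"]["name"]))
    return sorted(findings)

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ns, name in unlabeled_deployments(data["items"]):
        print(f"{ns}/{name}: pod template is missing {USE_LABEL}: \"true\"")
```

Run with no argument it checks the constructed sample; pass a file holding the saved kubectl JSON to check a real cluster's objects.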

@thomasfrederikhoeck
Author

@glloyd2010f wrong link. I meant this https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview#pod-labels
