Your question
I am trying to configure the akv2k8s controller using Azure Workload Identity. I have created the service account for the controller using a federated credential. I am able to create the secret successfully and mount it on the pod as an env variable. At the moment I am using a global federated credential for the secret creation.
I would like to know if it's possible to have a separate federated credential assigned for each application authenticating against Key Vault instead of a global one assigned to the controller for authentication. For example, Application A can only read secrets from Key Vault A and Application B can only read secrets from Key Vault B.
Note: Make sure to check out known issues (https://github.com/sparebankenvest/azure-key-vault-to-kubernetes#known-issues) before submitting
To Reproduce
My helm chart values:
```yaml
addAzurePodIdentityException: true
azureKeyVaultResyncPeriod: 30
cloudConfig: /etc/kubernetes/azure.json
controller:
  affinity: {}
  enabled: true
  env: {}
  envFromSecret: []
  extraVolumeMounts: []
  extraVolumes: []
  image:
    pullPolicy: IfNotPresent
    repository: spvest/azure-keyvault-controller
    tag: 1.6.0
  labels: {}
  metrics:
    serviceMonitor: {}
  name: controller
  nodeSelector: {}
  podAnnotations: {}
  podLabels:
    azure.workload.identity/use: "true"
  priorityClassName: ""
  rbac: {}
  resources: {}
  securityContext:
    allowPrivilegeEscalation: true
  service:
    externalHttpPort: 9000
    internalHttpPort: 9000
    type: ClusterIP
  serviceAccount:
    annotations:
      azure.workload.identity/client-id: <>
    create: true
    labels:
      azure.workload.identity/use: "true"
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  tolerations: []
env_injector:
  affinity: {}
  authService: true
  certificate:
    custom:
      ca: {}
      enabled: false
      server:
        tls: {}
    useCertManager: false
  dockerImageInspection:
    timeout: 20
  enabled: true
  env: {}
  envFromSecret: []
  envImage:
    pullPolicy: IfNotPresent
    repository: spvest/azure-keyvault-env
    tag: 1.6.0
  extraVolumeMounts: []
  extraVolumes: []
  failurePolicy: Fail
  image:
    pullPolicy: IfNotPresent
    repository: spvest/azure-keyvault-webhook
    tag: 1.6.0
  labels: {}
  metrics:
    serviceMonitor: {}
  name: env-injector
  namespaceLabelSelector:
    label:
      name: azure-key-vault-env-injection
      value: enabled
    namespaceSelector:
      matchExpressions:
        - key: name
          operator: NotIn
          values:
            - kube-system
  nodeSelector: {}
  podAnnotations: {}
  podDisruptionBudget:
    enabled: true
    minAvailable: 1
  podLabels:
    azure.workload.identity/use: "true"
  rbac: {}
  rbacSubjects:
    kind: Group
    name: system:serviceaccounts
  replicaCount: 2
  resources: {}
  securityContext:
    allowPrivilegeEscalation: true
  service:
    externalHttpPort: 80
    externalMtlsPort: 9443
    externalTlsPort: 443
    internalHttpPort: 8080
    internalMtlsPort: 9443
    internalTlsPort: 8443
    type: ClusterIP
  serviceAccount:
    annotations:
      azure.workload.identity/client-id: <>
    create: true
    labels:
      azure.workload.identity/use: "true"
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
  tolerations: []
global:
  env: {}
  envFromSecret: []
  keyVaultAuth: environment-azidentity
  logFormat: text
  logLevel: info
  metrics:
    enabled: false
    serviceMonitor:
      additionalLabels: {}
      enabled: false
      interval: 30s
  rbac:
    create: true
    podSecurityPolicies: {}
  userDefinedMSI:
    useWorkloadIdentityExtension: true
    azureCloudType: AzurePublicCloud
    enabled: false
    msi: null
    subscriptionId: null
    tenantId: null
kubeResyncPeriod: 30
name: akv2k8s
watchAllNamespaces: true
```
I have created the secret using kind: AzureKeyVaultSecret and mounted it on the pod as an env variable.
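The per-application scoping asked about above has an Azure-side half that is independent of how akv2k8s itself resolves identities: one user-assigned managed identity per application, a federated credential bound to that application's own Kubernetes service account, and a Key Vault RBAC role assignment scoped to that application's vault only. The following is an added example, not code from the issue or from the akv2k8s project; the application, namespace, service-account, resource-group and vault names, and the OIDC issuer URL, are placeholders, and whether the controller will use such per-application identities is the open question of the issue, not something this script settles.

```shell
# Added example (not from the issue or the akv2k8s project): Azure-side
# least-privilege setup for one application, using a dedicated user-assigned
# managed identity whose federated credential is bound to that application's
# own Kubernetes service account. All names and URLs are assumed placeholders.
set -eu

# Workload identity federation matches the token's "sub" claim exactly; for a
# Kubernetes projected service-account token it always has this form, so a
# wrong namespace or service-account name here is the usual cause of a failed
# token exchange.
wi_subject() {
  namespace="$1"
  service_account="$2"
  printf 'system:serviceaccount:%s:%s' "$namespace" "$service_account"
}

# Key Vault data-plane role that grants read access to secret contents only
# (no keys, no certificates, no management-plane rights).
readonly KV_SECRETS_USER="Key Vault Secrets User"

# Cluster OIDC issuer URL as reported by AKS (assumes the cluster's OIDC
# issuer is enabled). Argument: cluster name, resource group.
aks_issuer_url() {
  az aks show --name "$1" --resource-group "$2" \
    --query oidcIssuerProfile.issuerUrl -o tsv
}

# Create identity, federated credential and a vault-scoped role assignment for
# one application. Arguments: app name, namespace, service account, resource
# group, OIDC issuer URL, Key Vault resource ID. Prints the identity's client
# ID, which is what goes into the azure.workload.identity/client-id
# annotation on that application's service account.
setup_app_identity() {
  app="$1"; ns="$2"; sa="$3"; rg="$4"; issuer="$5"; vault_id="$6"

  az identity create --name "id-${app}" --resource-group "$rg" >/dev/null
  client_id=$(az identity show --name "id-${app}" --resource-group "$rg" \
    --query clientId -o tsv)
  principal_id=$(az identity show --name "id-${app}" --resource-group "$rg" \
    --query principalId -o tsv)

  # One federated credential per (identity, namespace, service account): a pod
  # running under a different service account cannot exchange its token for
  # this identity.
  az identity federated-credential create \
    --name "fc-${app}" --identity-name "id-${app}" --resource-group "$rg" \
    --issuer "$issuer" --subject "$(wi_subject "$ns" "$sa")" \
    --audiences api://AzureADTokenExchange >/dev/null

  # Scope the role assignment to this application's vault only, so the
  # identity for application A has no path to the vault of application B.
  az role assignment create --role "$KV_SECRETS_USER" \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --scope "$vault_id" >/dev/null

  printf '%s\n' "$client_id"
}

# Example invocation with constructed placeholders (commented out so the file
# can be sourced without an Azure session):
# issuer=$(aks_issuer_url my-aks rg-akv)
# setup_app_identity app-a team-a app-a rg-akv "$issuer" \
#   "/subscriptions/<sub-id>/resourceGroups/rg-akv/providers/Microsoft.KeyVault/vaults/kv-app-a"
# setup_app_identity app-b team-b app-b rg-akv "$issuer" \
#   "/subscriptions/<sub-id>/resourceGroups/rg-akv/providers/Microsoft.KeyVault/vaults/kv-app-b"
```

Run once per application; the two vault resource IDs in the commented invocation are distinct on purpose, since the scoping only holds if each identity's sole role assignment points at its own vault. Any role assignment at resource-group or subscription scope would undo that separation, so it is worth checking with `az role assignment list --assignee <principal-id> --all` after setup.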