Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use separate federated credential for each application #680

Open
shivangi0406 opened this issue Mar 15, 2024 · 0 comments
Open

Use separate federated credential for each application #680

shivangi0406 opened this issue Mar 15, 2024 · 0 comments
Labels
question Further information is requested

Comments

@shivangi0406
Copy link

Note: Make sure to check out known issues (https://github.com/sparebankenvest/azure-key-vault-to-kubernetes#known-issues) before submitting

Your question
I am trying to configure the akv2k8s controller using azure workload identity. I have created the service account for controller using federated credential. I am able to create the secret successfully and mount it on pod as env. At the moment I am using global federated credential for the secret creation.

I would like to know if its possible to have seperate federated credential assigned for each application authenticating against keyvault instead of global one assigned onto controller for authentication. For eg. Application A can only read secrets from keyvault A and Application B can only read secret from keyvault B.

To Reproduce

My helm chart values:
addAzurePodIdentityException: true
azureKeyVaultResyncPeriod: 30
cloudConfig: /etc/kubernetes/azure.json
controller:
affinity: {}
enabled: true
env: {}
envFromSecret: []
extraVolumeMounts: []
extraVolumes: []
image:
pullPolicy: IfNotPresent
repository: spvest/azure-keyvault-controller
tag: 1.6.0
labels: {}
metrics:
serviceMonitor: {}
name: controller
nodeSelector: {}
podAnnotations: {}
podLabels:
azure.workload.identity/use: "true"
priorityClassName: ""
rbac: {}
resources: {}
securityContext:
allowPrivilegeEscalation: true
service:
externalHttpPort: 9000
internalHttpPort: 9000
type: ClusterIP
serviceAccount:
annotations:
azure.workload.identity/client-id: <>
create: true
labels:
azure.workload.identity/use: "true"
strategy:
rollingUpdate:
maxSurge: 25%
maxUnavailable: 25%
tolerations: []
env_injector:
affinity: {}
authService: true
certificate:
custom:
ca: {}
enabled: false
server:
tls: {}
useCertManager: false
dockerImageInspection:
timeout: 20
enabled: true
env: {}
envFromSecret: []
envImage:
pullPolicy: IfNotPresent
repository: spvest/azure-keyvault-env
tag: 1.6.0
extraVolumeMounts: []
extraVolumes: []
failurePolicy: Fail
image:
pullPolicy: IfNotPresent
repository: spvest/azure-keyvault-webhook
tag: 1.6.0
labels: {}
metrics:
serviceMonitor: {}
name: env-injector
namespaceLabelSelector:
label:
name: azure-key-vault-env-injection
value: enabled
namespaceSelector:
matchExpressions:
- key: name
operator: NotIn
values:
- kube-system
nodeSelector: {}
podAnnotations: {}
podDisruptionBudget:
enabled: true
minAvailable: 1
podLabels:
azure.workload.identity/use: "true"
rbac: {}
rbacSubjects:

  • apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:serviceaccounts
    replicaCount: 2
    resources: {}
    securityContext:
    allowPrivilegeEscalation: true
    service:
    externalHttpPort: 80
    externalMtlsPort: 9443
    externalTlsPort: 443
    internalHttpPort: 8080
    internalMtlsPort: 9443
    internalTlsPort: 8443
    type: ClusterIP
    serviceAccount:
    annotations:
    azure.workload.identity/client-id: <>
    create: true
    labels:
    azure.workload.identity/use: "true"
    strategy:
    rollingUpdate:
    maxSurge: 25%
    maxUnavailable: 25%
    tolerations: []
    global:
    env: {}
    envFromSecret: []
    keyVaultAuth: environment-azidentity
    logFormat: text
    logLevel: info
    metrics:
    enabled: false
    serviceMonitor:
    additionalLabels: {}
    enabled: false
    interval: 30s
    rbac:
    create: true
    podSecurityPolicies: {}
    userDefinedMSI:
    useWorkloadIdentityExtension: true
    azureCloudType: AzurePublicCloud
    enabled: false
    msi: null
    subscriptionId: null
    tenantId: null
    kubeResyncPeriod: 30
    name: akv2k8s
    watchAllNamespaces: true

I have Created secret using kind: AzureKeyVaultSecret and mounted on pod as env

@shivangi0406 shivangi0406 added the question Further information is requested label Mar 15, 2024
@shivangi0406 shivangi0406 changed the title [Question] Use separate federated credential for each application Mar 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
question Further information is requested
Projects
None yet
Development

No branches or pull requests

1 participant