Skip to content
/ hello_workload-identity Public

Reference Implementation about Workload Identity. Build and Deploy Application/Pod with Managed Identity support to Azure Kubernetes Services based on DevSecOps Practices

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

oaviles/hello_workload-identity

BranchesTags

Repository files navigation

DevSquad Workload Identity Project

This is a collection of sample projects for Cloud Application Developer using Azure Cloud Platform. The sample projects are arranged in different topics about microservice development and deployment on Azure Kubernetes Service supported by Secure DevOps Practices.

Kubernetes workload identity and access, reference architecture: Deploy AKS cluster managed identities

Steps to deploy:

  • Deploy AKS Cluster: You can use GitHub Workflow Deploy AKS
  • Get OIDC URI: You can us GitHub Workflow Get OIDC URI
az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv
  • Deploy Identity: You can us GitHub Workflow Deploy Identity
  • Get Access to AKS az aks get-credentials -n spAKSCluster -g "${RESOURCE_GROUP}"
  • Create Service Account
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: "${USER_ASSIGNED_CLIENT_ID}"
  name: "${SERVICE_ACCOUNT_NAME}"
  namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
EOF
  • Validate Service Account creation kubectl get sa
  • Create Azure Storage Account and assign identity with "Contributor Role"
az storage account create -n "${STORAGE_ACCOUNT_NAME}" -g "${RESOURCE_GROUP}" -l westus --sku Standard_LRS
  • Deploy Pod with Managed Identity support
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: pod-workload-identity
  namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: "${SERVICE_ACCOUNT_NAME}"
  containers:
  - name: oaidentity
    image: oaviles/oaidentity:latest
    imagePullPolicy: Always
    env:
    - name: STORAGE_ACCOUNT_NAME
      value: "${STORAGE_ACCOUNT_NAME}"
    - name: STORAGE_ACCOUNT_CONTAINER_NAME
      value: "oafiles"
EOF
  • Validate pod execution kubectl logs pod-workload-identity

More Resources

Check More DevSquad Projects

Note: This page is getting updated so make sure to check regularly for new resources.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.

About

Reference Implementation about Workload Identity. Build and Deploy Application/Pod with Managed Identity support to Azure Kubernetes Services based on DevSecOps Practices

Topics

kubernetes identity azure devsecops aks devsquad

Resources

Readme
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages