Today, we are excited to announce an open-source project called Azure AD Workload Identity for Kubernetes. It builds on the public preview capability of Azure AD workload identity federation. With this project, developers can use the native Kubernetes concepts of service accounts and federation to access Azure AD protected resources, such as Azure and Microsoft Graph, without needing secrets.
The existing Azure AD Pod Identity project addresses this need. However, the Azure AD workload identity approach is simpler to use and deploy, and overcomes several limitations of Azure AD Pod Identity:
- Removes the scale and performance issues that existed for identity assignment.
- Supports Kubernetes clusters hosted in any cloud.
- Supports both Linux and Windows workloads.
- Removes the need for Custom Resource Definitions and for pods that intercept IMDS (Instance Metadata Service) traffic.
- Avoids complicated and error-prone installation steps such as cluster role assignment.
How does this work?
As shown in the following graphic, the Kubernetes cluster becomes a token issuer, issuing tokens to Kubernetes service accounts. An Azure AD application can be configured to trust these tokens: a federated identity credential on the application specifies the issuer, subject and audience that an incoming service account token must carry. A workload then exchanges its service account token for an Azure AD access token using the Azure Identity SDKs or the Microsoft Authentication Library (MSAL); the service account token takes the place of a client secret in that request.
To learn more, see the documentation in the Azure Workload Identity open-source project. See also the Azure AD documentation on workload identity federation for an overview.
What is next?
Azure AD workload identity federation for Kubernetes is currently supported only for Azure AD applications. We intend to extend the same model to Azure managed identities.
In the coming months, we plan to replace Azure AD Pod Identity with Azure Workload Identity. Our goal is to enable users who are already using Azure AD Pod Identity to move to Azure Workload Identity with minimal changes.
We welcome all input from the community. Please share any feedback or questions via GitHub issues or discussions. Your support will help shape the project to meet community needs for secure access to Azure AD protected resources from Kubernetes workloads.