
(SURE-2565) Support for managed identity in AKS #11678

Open
kkaempf opened this issue Feb 4, 2023 · 4 comments
Labels
area/windows Windows JIRA kind/enhancement QA/dev-automation Issues that engineers have written automation around so QA doesn't have look at this
Comments

@kkaempf
kkaempf commented Feb 4, 2023

See also rancher/rancher#27559

We ran into an issue when using Rancher to provision Windows nodes with Managed identities for Azure resources (formerly known as Managed Service Identity, MSI).

The Rancher provisioning script only handles the case where we authenticate using a service principal and will not work properly with a managed identity.

Relevant code: https://github.com/rancher/rke-tools/blob/a23ff70c7a1ae0b8ec5c91bc56d51b0ad9f541ad/windows/cloud-provider.psm1#L70

Currently, we have to patch the file at runtime to use az login --identity instead of az login --service-principal.

Steps to reproduce (as few steps as possible):

Create an AKS cluster without specifying any Service Principal

Result:

An AKS cluster is created using the --enable-managed-identity flag.

Other details that may be helpful:

The feature is stable in AKS: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity

Environment information

Rancher version (rancher/rancher/rancher/server image tag or shown bottom left in the UI): 2.4.4
Installation option (single install/HA): single container

The UI presents mandatory fields to enter the SP for AKS; I propose to add a radio button where the user can select to create an MI instead.

@cpinjani
cpinjani commented Dec 21, 2023

Validated on build: v2.8-7113f094007e3105a906b414fe18ee370c77bb5e-head

As stated in the issue description and the reported version v2.4: "The UI presents mandatory fields to enter the SP for AKS; I propose to add a radio button where the user can select to create an MI instead."

Rancher v2.4: [screenshot]

However, we still use a service principal for AKS clusters (not managed identity); see the docs section prerequisites-in-microsoft-azure.

[screenshot]

@kkaempf @davidstauffer Please review this, as support for it is not added yet.

@cpinjani
cpinjani commented Jan 3, 2024

Moving to Backlog, cc: @mjura

@cpinjani cpinjani removed their assignment Feb 5, 2024
@kkaempf kkaempf added this to the v2.9.0 milestone Mar 12, 2024
@mjura mjura self-assigned this Apr 5, 2024
@kkaempf kkaempf modified the milestones: v2.9.0, v2.10.0 Jul 2, 2024
@yiannistri yiannistri assigned yiannistri and unassigned mjura Aug 15, 2024
@yiannistri
yiannistri commented Aug 15, 2024

Upon investigation, it seems that the aks-operator already creates clusters using managed identities. After a cluster gets provisioned from Rancher, the following command can be used to determine what type of managed identity the cluster is using (source):

az aks show --name myAKSCluster --resource-group myResourceGroup --query identity.type --output tsv

It is also indicated in the Azure Portal by accessing the Managed Identities service. There should be a managed identity associated with the cluster's node pool.

There are two types of managed identities (source): system-assigned and user-assigned. The CRD used by the aks-operator allows users to create clusters with either type, see below for examples.

Cluster using system-assigned managed identity

apiVersion: aks.cattle.io/v1
kind: AKSClusterConfig
metadata:
  name: myAKSCluster
  namespace: cattle-global-data
spec:
  azureCredentialSecret:  cattle-global-data:cc-abcde
  clusterName: myAKSCluster
  dnsPrefix: myAKSCluster
  managedIdentity: true # also true if field is omitted and aks-operator detects a tenantId
  imported: false
  kubernetesVersion: 1.30.3
  linuxAdminUsername: azureuser
  loadBalancerSku: Standard
  networkPlugin: kubenet
  nodePools:
  - availabilityZones:
    - "1"
    count: 1
    enableAutoScaling: false
    maxPods: 110
    mode: System
    name: agentpool
    orchestratorVersion: 1.30.3
    osDiskSizeGB: 30
    osDiskType: Managed
    osType: Linux
    vmSize: Standard_B4ms
  privateCluster: false
  resourceLocation: eastus
  resourceGroup: myResourceGroup

Cluster using user-assigned managed identity

apiVersion: aks.cattle.io/v1
kind: AKSClusterConfig
metadata:
  name: myAKSCluster
  namespace: cattle-global-data
spec:
  azureCredentialSecret:  cattle-global-data:cc-abcde
  clusterName: myAKSCluster
  dnsPrefix: myAKSCluster
  managedIdentity: true
  userAssignedIdentity: '/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1'
  imported: false
  kubernetesVersion: 1.30.3
  linuxAdminUsername: azureuser
  loadBalancerSku: Standard
  networkPlugin: kubenet
  nodePools:
  - availabilityZones:
    - "1"
    count: 1
    enableAutoScaling: false
    maxPods: 110
    mode: System
    name: agentpool
    orchestratorVersion: 1.30.3
    osDiskSizeGB: 30
    osDiskType: Managed
    osType: Linux
    vmSize: Standard_B4ms
  privateCluster: false
  resourceLocation: eastus
  resourceGroup: myResourceGroup

Note that when using a user-assigned identity, the identity needs to have been created prior to creating the cluster. Also, these fields are used during cluster creation only.

While looking into this, I came across an issue with user-assigned managed identities not being associated correctly to node pools, at least the association is not shown in the Azure portal as it is shown for system-assigned managed identities. Not sure if we prefer to close this one and open a new issue though cc @kkaempf @cpinjani

Turns out spec.managedIdentity needs to be set to true when using user-assigned identities, which makes sense. I think this can be closed now since it works as expected wdyt @kkaempf @cpinjani ?
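
A consistency check for the two CRD shapes above, as an added example (not aks-operator code): it lints the spec of an AKSClusterConfig for the managedIdentity/userAssignedIdentity pitfall mentioned in the comment and compares the identity type the spec implies with the output of the az aks show query. Treating an omitted managedIdentity as true is an assumption taken from the comment in the YAML; the sample specs and CLI outputs are constructed.

```python
import re
# Resource-id shape of a user-assigned identity, as in the CRD example above.
UAI_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourcegroups/[^/]+/providers/"
    r"microsoft\.managedidentity/userassignedidentities/[^/]+$",
    re.IGNORECASE,
)

def lint_spec(spec: dict) -> list:
    """Return findings for the 'spec' mapping of an AKSClusterConfig."""
    findings = []
    # Assumption: an omitted managedIdentity behaves as true (the operator
    # defaults it when it detects a tenantId, per the comment in the example).
    managed = spec.get("managedIdentity", True)
    uai = spec.get("userAssignedIdentity")
    if uai and not managed:
        findings.append("userAssignedIdentity is ignored unless managedIdentity is true")
    if uai and not UAI_RE.match(uai):
        findings.append("userAssignedIdentity is not a userAssignedIdentities resource id")
    if not managed:
        findings.append("cluster will authenticate with a service principal secret")
    return findings

def expected_identity_type(spec: dict) -> str:
    """identity.type Azure should report once the cluster is provisioned."""
    if not spec.get("managedIdentity", True):
        return "None"
    return "UserAssigned" if spec.get("userAssignedIdentity") else "SystemAssigned"

def matches_azure(spec: dict, az_tsv_output: str) -> bool:
    """Compare the spec with the output of
    az aks show --name ... --resource-group ... --query identity.type --output tsv
    An empty line means the cluster has no identity block (service principal)."""
    reported = az_tsv_output.strip() or "None"
    return reported == expected_identity_type(spec)

# Constructed sample specs, abridged from the two CRD examples above.
UAI_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/"
          "myResourceGroup/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity1")
SYSTEM_SPEC = {"clusterName": "myAKSCluster", "managedIdentity": True}
USER_SPEC = {"clusterName": "myAKSCluster", "managedIdentity": True, "userAssignedIdentity": UAI_ID}
# The pitfall from the discussion: user-assigned id given but managedIdentity left false.
BROKEN_SPEC = {"clusterName": "myAKSCluster", "managedIdentity": False, "userAssignedIdentity": UAI_ID}

if __name__ == "__main__":
    for label, spec, az_out in [("system", SYSTEM_SPEC, "SystemAssigned\n"),
                                ("user", USER_SPEC, "UserAssigned\n"),
                                ("broken", BROKEN_SPEC, "\n")]:
        print(label, matches_azure(spec, az_out), lint_spec(spec))
```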

@cpinjani
Validated on v2.9.0; agreed with @yiannistri's assessment. However, to use the feature it would require UI changes, since currently the ability to provide a managed identity is available only while creating a private AKS cluster.

[screenshot]

@yiannistri yiannistri removed their assignment Aug 22, 2024
@yiannistri yiannistri transferred this issue from rancher/aks-operator Aug 22, 2024
@github-actions github-actions bot added the QA/dev-automation Issues that engineers have written automation around so QA doesn't have look at this label Aug 22, 2024
@nwmac nwmac modified the milestones: v2.10.0, v2.11.0 Aug 22, 2024