(SURE-2565) Support for managed identity in AKS #11678
Comments
Validated on build: As stated in issue description and reported version v2.4 - "The UI presents mandatory fields to enter the SP for AKS; I propose to add a radio button where the user can select to create a MI instead." However, we still use service principal for AKS clusters (not managed identity) @kkaempf @davidstauffer Please review this, as support for it is not added yet.
Moving to Backlog, cc: @mjura
Upon investigation, it seems that the
It is also indicated in the Azure Portal by accessing the
There are two types of managed identities (source): system-assigned and user-assigned. The CRD used by the
Cluster using system-assigned managed identity
Cluster using user-assigned managed identity
Note that when using user-assigned identity, the identity needs to have been created prior to creating the cluster. Also these fields are used during cluster creation only.
Turns out
Validated on v2.9.0, agreed with @yiannistri's assessment, however to use feature it would require UI changes.
See also rancher/rancher#27559
We got an issue when using Rancher to provision Windows nodes using Managed identities for Azure resources (formerly known as Managed Service Identity - MSI).
Rancher provisioning script only handles cases where we authenticate using service principal and will not work properly with managed identity.
Relevant code: https://github.com/rancher/rke-tools/blob/a23ff70c7a1ae0b8ec5c91bc56d51b0ad9f541ad/windows/cloud-provider.psm1#L70
Currently, we have to patch the file at runtime to use `az login --identity` instead of `az login --service-principal`.
Steps to reproduce (least amount of steps as possible):
Create an AKS cluster without specifying any Service Principal
Result:
An AKS cluster is created using the `--enable-managed-identity` flag.
Other details that may be helpful:
The feature is stable in AKS: https://docs.microsoft.com/en-us/azure/aks/use-managed-identity
Environment information
Rancher version (rancher/rancher/rancher/server image tag or shown bottom left in the UI): 2.4.4
Installation option (single install/HA): single container
The UI presents mandatory fields to enter the SP for AKS; I propose to add a radio button where the user can select to create a MI instead.
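An added PowerShell example (not code from rke-tools or the linked cloud-provider.psm1) showing the branching the issue asks for: pick `az login --identity` when no service principal is configured, and pass `--username <client id>` for a user-assigned identity. The parameter names, the hashtable shape and the `-WhatIf` dry run are assumptions.

```powershell
# Added example, not the rke-tools script: select the az login mode from what the
# node was actually given instead of hard-coding --service-principal.
# Assumed inputs: an optional SP (ClientId/ClientSecret/TenantId) and an optional
# user-assigned identity client id. With neither, the VM's system-assigned identity is used.
function Get-AzLoginArguments {
    [CmdletBinding()]
    param(
        [string] $ClientId,
        [string] $ClientSecret,
        [string] $TenantId,
        [string] $UserAssignedClientId
    )

    # Service principal: all three values must be present, otherwise it is not configured.
    if ($ClientId -and $ClientSecret -and $TenantId) {
        # Note: the secret is visible to anyone who can list this process's command line.
        return @('login', '--service-principal',
                 '--username', $ClientId,
                 '--password', $ClientSecret,
                 '--tenant', $TenantId)
    }
    if ($ClientId -or $ClientSecret -or $TenantId) {
        throw 'Incomplete service principal: ClientId, ClientSecret and TenantId are all required.'
    }

    # Managed identity: no secret leaves the node; the VM's identity endpoint vouches for it.
    $loginArgs = @('login', '--identity')
    if ($UserAssignedClientId) {
        # A user-assigned identity must already exist and be attached to the VM.
        $loginArgs += @('--username', $UserAssignedClientId)
    }
    return $loginArgs
}

function Invoke-AzLogin {
    param([hashtable] $Credentials, [switch] $WhatIf)
    $azArgs = Get-AzLoginArguments @Credentials
    # Log only the mode that was chosen, never the argument list with the secret.
    $mode = if ($azArgs -contains '--identity') { 'managed identity' } else { 'service principal' }
    Write-Verbose "az login mode: $mode"
    if ($WhatIf) { return $azArgs }
    & az @azArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "az login ($mode) failed with exit code $LASTEXITCODE" }
}

# Constructed sample: no SP supplied, so the user-assigned managed identity path is selected
# and the argument list is returned without calling az.
Invoke-AzLogin -Credentials @{ UserAssignedClientId = '00000000-0000-0000-0000-000000000000' } -WhatIf
```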