Using Azure Pod Identity
As described in Namespace Onboarding, your team namespace is initialized with an Azure AD Pod Identity that can be used to securely access resources in Azure. In this guide you'll be learning how to bind the Pod Identity to your Deployment.
Get identity name
Execute the following command to get names of available identities in your team namespace:
kubectl get azureidentity -o jsonpath='{.items[*].metadata.name}' -n your-team-namespace
Bind the identity to your Deployment
Use the name acquired in the previous step to bind your Pod Identity to your Deployment by setting the label aadpodidbinding on the pod template:
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: "your-team-namespace"
  name: "test-app"
  labels:
    app: "test-app"
spec:
  selector:
    matchLabels:
      app: "test-app"
  template:
    metadata:
      name: "test-app"
      labels:
        aadpodidbinding: "your-team-pod-identity" # Change this
        app: "test-app"
    spec:
      containers:
        - name: "test-app"
          image: "gjensidige.azurecr.io/test-app:12345"
app.jsonnet
k8s_deployment+:: {
  container_image: "gjensidige.azurecr.io/test-app:12345",
  aadpodidbinding: "your-team-pod-identity",  // Change this
}
Your Deployment is now ready to use Azure AD Pod Identity 🚀
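The two mistakes that most often leave a pod without its identity are a typo in the label value and the label placed on the Deployment's own metadata rather than on the pod template. The check below is an added example, not part of this guide or the platform tooling; it takes the Deployment manifest as a dict (as produced by yaml.safe_load, which is assumed if you load from a file) and the identity names returned by the kubectl command above. The sample manifest and identity set are constructed inline.

```python
# Added example: validate the aadpodidbinding label on a Deployment manifest
# before it is applied. Inputs are plain dicts, so it runs without a cluster.

LABEL = "aadpodidbinding"


def check_pod_identity_binding(manifest: dict, identities: set) -> list:
    """Return a list of problems; an empty list means the binding looks right.

    manifest   -- the Deployment as a dict (e.g. from yaml.safe_load)
    identities -- names of AzureIdentity objects in the target namespace
    """
    problems = []
    if manifest.get("kind") != "Deployment":
        problems.append(f"expected kind Deployment, got {manifest.get('kind')!r}")
    top_labels = manifest.get("metadata", {}).get("labels") or {}
    pod_labels = (manifest.get("spec", {})
                          .get("template", {})
                          .get("metadata", {})
                          .get("labels")) or {}
    value = pod_labels.get(LABEL)
    if value is None:
        # Pod Identity matches on pod labels, so a label on the Deployment
        # object itself is silently ignored.
        if LABEL in top_labels:
            problems.append(f"{LABEL} is set on metadata.labels but must be on "
                            "spec.template.metadata.labels")
        else:
            problems.append(f"{LABEL} label missing from the pod template")
    elif value not in identities:
        problems.append(f"{LABEL}={value!r} matches no AzureIdentity in the "
                        f"namespace (known: {sorted(identities)})")
    return problems


# Constructed sample data standing in for `kubectl get azureidentity` output.
KNOWN_IDENTITIES = {"your-team-pod-identity"}

GOOD = {"kind": "Deployment",
        "metadata": {"name": "test-app", "labels": {"app": "test-app"}},
        "spec": {"template": {"metadata": {"labels": {
            "app": "test-app", "aadpodidbinding": "your-team-pod-identity"}}}}}

# Label on the Deployment instead of the pod template, and with a typo.
BAD = {"kind": "Deployment",
       "metadata": {"name": "test-app",
                    "labels": {"app": "test-app",
                               "aadpodidbinding": "yout-team-pod-identity"}},
       "spec": {"template": {"metadata": {"labels": {"app": "test-app"}}}}}

if __name__ == "__main__":
    for name, m in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_pod_identity_binding(m, KNOWN_IDENTITIES) or "ok")
```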