github.com/Azure/aad-pod-identity@v1.8.17/deploy/infra/noazurejson/deployment-rbac.yaml

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aad-pod-id-nmi-service-account
  namespace: default
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureassignedidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureAssignedIdentity
    listKind: AzureAssignedIdentityList
    plural: azureassignedidentities
    singular: azureassignedidentity
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: AzureAssignedIdentity contains the identity <-> pod mapping which is matched.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureAssignedIdentitySpec contains the relationship between an AzureIdentity and an AzureIdentityBinding.
            properties:
              azureBindingRef:
                description: AzureBindingRef is an embedded resource referencing the AzureIdentityBinding used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true
                properties:
                  apiVersion:
                    description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                    type: string
                  kind:
                    description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  metadata:
                    type: object
                  spec:
                    description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
                    properties:
                      azureIdentity:
                        type: string
                      metadata:
                        type: object
                      selector:
                        type: string
                      weight:
                        description: Weight is used to figure out which of the matching identities would be selected.
                        type: integer
                    type: object
                  status:
                    description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
                    properties:
                      availableReplicas:
                        format: int32
                        type: integer
                      metadata:
                        type: object
                    type: object
                type: object
                x-kubernetes-embedded-resource: true
              azureIdentityRef:
                description: AzureIdentityRef is an embedded resource referencing the AzureIdentity used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true
                properties:
                  apiVersion:
                    description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                    type: string
                  kind:
                    description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  metadata:
                    type: object
                  spec:
                    description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
                    properties:
                      adEndpoint:
                        type: string
                      adResourceID:
                        description: For service principal. Option param for specifying the AD details.
                        type: string
                      auxiliaryTenantIDs:
                        description: Service principal auxiliary tenant ids
                        items:
                          type: string
                        nullable: true
                        type: array
                      clientID:
                        description: Both User Assigned MSI and SP can use this field.
                        type: string
                      clientPassword:
                        description: Used for service principal
                        properties:
                          name:
                            description: Name is unique within a namespace to reference a secret resource.
                            type: string
                          namespace:
                            description: Namespace defines the space within which the secret name must be unique.
                            type: string
                        type: object
                      metadata:
                        type: object
                      replicas:
                        format: int32
                        nullable: true
                        type: integer
                      resourceID:
                        description: User assigned MSI resource id.
                        type: string
                      tenantID:
                        description: Service principal primary tenant id.
                        type: string
                      type:
                        description: UserAssignedMSI or Service Principal
                        type: integer
                    type: object
                  status:
                    description: AzureIdentityStatus contains the replica status of the resource.
                    properties:
                      availableReplicas:
                        format: int32
                        type: integer
                      metadata:
                        type: object
                    type: object
                type: object
                x-kubernetes-embedded-resource: true
              metadata:
                type: object
              nodename:
                type: string
              pod:
                type: string
              podNamespace:
                type: string
              replicas:
                format: int32
                nullable: true
                type: integer
            type: object
          status:
            description: AzureAssignedIdentityStatus contains the replica status of the resource.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
              status:
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentity
    listKind: AzureIdentityList
    plural: azureidentities
    singular: azureidentity
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.type
      name: Type
      type: string
    - jsonPath: .spec.clientID
      name: ClientID
      type: string
    - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: AzureIdentity is the specification of the identity data structure.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
            properties:
              adEndpoint:
                type: string
              adResourceID:
                description: For service principal. Option param for specifying the AD details.
                type: string
              auxiliaryTenantIDs:
                description: Service principal auxiliary tenant ids
                items:
                  type: string
                nullable: true
                type: array
              clientID:
                description: Both User Assigned MSI and SP can use this field.
                type: string
              clientPassword:
                description: Used for service principal
                properties:
                  name:
                    description: Name is unique within a namespace to reference a secret resource.
                    type: string
                  namespace:
                    description: Namespace defines the space within which the secret name must be unique.
                    type: string
                type: object
              metadata:
                type: object
              replicas:
                format: int32
                nullable: true
                type: integer
              resourceID:
                description: User assigned MSI resource id.
                type: string
              tenantID:
                description: Service principal primary tenant id.
                type: string
              type:
                description: UserAssignedMSI or Service Principal
                type: integer
            type: object
          status:
            description: AzureIdentityStatus contains the replica status of the resource.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentitybindings.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentityBinding
    listKind: AzureIdentityBindingList
    plural: azureidentitybindings
    singular: azureidentitybinding
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.azureIdentity
      name: AzureIdentity
      type: string
    - jsonPath: .spec.selector
      name: Selector
      type: string
    - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: AzureIdentityBinding brings together the spec of matching pods and the identity which they can use.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
            properties:
              azureIdentity:
                type: string
              metadata:
                type: object
              selector:
                type: string
              weight:
                description: Weight is used to figure out which of the matching identities would be selected.
                type: integer
            type: object
          status:
            description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azurepodidentityexceptions.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzurePodIdentityException
    listKind: AzurePodIdentityExceptionList
    plural: azurepodidentityexceptions
    singular: azurepodidentityexception
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: AzurePodIdentityException contains the pod selectors for all pods that don't require NMI to process and request token on their behalf.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzurePodIdentityExceptionSpec matches pods with the selector defined. If request originates from a pod that matches the selector, nmi will proxy the request and send response back without any validation.
            properties:
              metadata:
                type: object
              podLabels:
                additionalProperties:
                  type: string
                type: object
            type: object
          status:
            description: AzurePodIdentityExceptionStatus contains the status of an AzurePodIdentityException.
            properties:
              metadata:
                type: object
              status:
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# RBAC for the NMI (Node Managed Identity) DaemonSet: read-only access to the
# pod-identity CRs, pods and secrets it needs to answer token requests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aad-pod-id-nmi-role
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get"]
- apiGroups: ["aadpodidentity.k8s.io"]
  resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["aadpodidentity.k8s.io"]
  resources: ["azureassignedidentities"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-pod-id-nmi-binding
  labels:
    k8s-app: aad-pod-id-nmi-binding
subjects:
- kind: ServiceAccount
  name: aad-pod-id-nmi-service-account
  namespace: default
roleRef:
  kind: ClusterRole
  name: aad-pod-id-nmi-role
  apiGroup: rbac.authorization.k8s.io
---
# NMI runs on every Linux node on the host network; it needs NET_ADMIN/NET_RAW
# (and the xtables lock) to manage the iptables rules that redirect metadata traffic.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    component: nmi
    tier: node
    k8s-app: aad-pod-id
  name: nmi
  namespace: default
spec:
  selector:
    matchLabels:
      component: nmi
      tier: node
  template:
    metadata:
      labels:
        component: nmi
        tier: node
    spec:
      serviceAccountName: aad-pod-id-nmi-service-account
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      volumes:
      - hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
        name: iptableslock
      - name: kubelet-config
        hostPath:
          path: /etc/default/kubelet
          type: FileOrCreate
      containers:
      - name: nmi
        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.17"
        args:
        - "--node=$(NODE_NAME)"
        - "--http-probe-port=8085"
        - "--enableScaleFeatures=true"
        - "--metadata-header-required=true"
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        resources:
          limits:
            cpu: 200m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        securityContext:
          runAsUser: 0
          capabilities:
            drop:
            - ALL
            add:
            - DAC_READ_SEARCH
            - NET_ADMIN
            - NET_RAW
        volumeMounts:
        - mountPath: /run/xtables.lock
          name: iptableslock
        - name: kubelet-config
          mountPath: /etc/default/kubelet
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8085
          initialDelaySeconds: 10
          periodSeconds: 5
      tolerations:
      - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aad-pod-id-mic-service-account
  namespace: default
---
# RBAC for the MIC (Managed Identity Controller): it owns the
# AzureAssignedIdentity objects and so needs write access to them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aad-pod-id-mic-role
rules:
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["pods", "nodes"]
  verbs: ["list", "watch"]
- apiGroups: [""]
  resources: ["events"]
  verbs: ["create", "patch"]
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "create", "update"]
- apiGroups: [""]
  resources: ["endpoints"]
  verbs: ["create", "get", "update"]
- apiGroups: ["aadpodidentity.k8s.io"]
  resources: ["azureidentitybindings", "azureidentities"]
  verbs: ["get", "list", "watch", "post", "update"]
- apiGroups: ["aadpodidentity.k8s.io"]
  resources: ["azurepodidentityexceptions"]
  verbs: ["list", "update"]
- apiGroups: ["aadpodidentity.k8s.io"]
  resources: ["azureassignedidentities"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-pod-id-mic-binding
  labels:
    k8s-app: aad-pod-id-mic-binding
subjects:
- kind: ServiceAccount
  name: aad-pod-id-mic-service-account
  namespace: default
roleRef:
  kind: ClusterRole
  name: aad-pod-id-mic-role
  apiGroup: rbac.authorization.k8s.io
---
# Azure credentials for MIC (this variant does not read /etc/kubernetes/azure.json);
# each value must be base64-encoded before it is placed here.
apiVersion: v1
data:
  Cloud: <base64-encoded-cloud>
  SubscriptionID: <base64-encode-subscription-id>
  ResourceGroup: <base64-encoded-resource-group>
  VMType: <base64-encoded-vm-type>
  TenantID: <base64-encoded-tenant-id>
  ClientID: <base64-encoded-client-id>
  ClientSecret: <base64-encoded-client-secret>
kind: Secret
metadata:
  name: aadpodidentity-admin-secret
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: mic
    k8s-app: aad-pod-id
  name: mic
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      component: mic
  template:
    metadata:
      labels:
        component: mic
    spec:
      serviceAccountName: aad-pod-id-mic-service-account
      containers:
      - name: mic
        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/mic:v1.8.17"
        args:
        - "--logtostderr"
        securityContext:
          runAsUser: 0
          readOnlyRootFilesystem: true
        env:
        - name: MIC_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CLOUD
          valueFrom:
            secretKeyRef:
              key: Cloud
              name: aadpodidentity-admin-secret
        - name: SUBSCRIPTION_ID
          valueFrom:
            secretKeyRef:
              key: SubscriptionID
              name: aadpodidentity-admin-secret
        - name: RESOURCE_GROUP
          valueFrom:
            secretKeyRef:
              key: ResourceGroup
              name: aadpodidentity-admin-secret
        - name: VM_TYPE
          valueFrom:
            secretKeyRef:
              key: VMType
              name: aadpodidentity-admin-secret
        - name: TENANT_ID
          valueFrom:
            secretKeyRef:
              key: TenantID
              name: aadpodidentity-admin-secret
        - name: CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: ClientID
              name: aadpodidentity-admin-secret
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: ClientSecret
              name: aadpodidentity-admin-secret
        resources:
          limits:
            cpu: 200m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 256Mi
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
      nodeSelector:
        kubernetes.io/os: linux
```