github.com/Azure/aad-pod-identity@v1.8.17/deploy/infra/noazurejson/deployment.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureassignedidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureAssignedIdentity
    listKind: AzureAssignedIdentityList
    plural: azureassignedidentities
    singular: azureassignedidentity
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: AzureAssignedIdentity contains the identity <-> pod mapping which is matched.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureAssignedIdentitySpec contains the relationship between an AzureIdentity and an AzureIdentityBinding.
            properties:
              azureBindingRef:
                description: AzureBindingRef is an embedded resource referencing the AzureIdentityBinding used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true
                properties:
                  apiVersion:
                    description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                    type: string
                  kind:
                    description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  metadata:
                    type: object
                  spec:
                    description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
                    properties:
                      azureIdentity:
                        type: string
                      metadata:
                        type: object
                      selector:
                        type: string
                      weight:
                        description: Weight is used to figure out which of the matching identities would be selected.
                        type: integer
                    type: object
                  status:
                    description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
                    properties:
                      availableReplicas:
                        format: int32
                        type: integer
                      metadata:
                        type: object
                    type: object
                type: object
                x-kubernetes-embedded-resource: true
              azureIdentityRef:
                description: AzureIdentityRef is an embedded resource referencing the AzureIdentity used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true
                properties:
                  apiVersion:
                    description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                    type: string
                  kind:
                    description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                    type: string
                  metadata:
                    type: object
                  spec:
                    description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
                    properties:
                      adEndpoint:
                        type: string
                      adResourceID:
                        description: For service principal. Option param for specifying the AD details.
                        type: string
                      auxiliaryTenantIDs:
                        description: Service principal auxiliary tenant ids
                        items:
                          type: string
                        nullable: true
                        type: array
                      clientID:
                        description: Both User Assigned MSI and SP can use this field.
                        type: string
                      clientPassword:
                        description: Used for service principal
                        properties:
                          name:
                            description: Name is unique within a namespace to reference a secret resource.
                            type: string
                          namespace:
                            description: Namespace defines the space within which the secret name must be unique.
                            type: string
                        type: object
                      metadata:
                        type: object
                      replicas:
                        format: int32
                        nullable: true
                        type: integer
                      resourceID:
                        description: User assigned MSI resource id.
                        type: string
                      tenantID:
                        description: Service principal primary tenant id.
                        type: string
                      type:
                        description: UserAssignedMSI or Service Principal
                        type: integer
                    type: object
                  status:
                    description: AzureIdentityStatus contains the replica status of the resource.
                    properties:
                      availableReplicas:
                        format: int32
                        type: integer
                      metadata:
                        type: object
                    type: object
                type: object
                x-kubernetes-embedded-resource: true
              metadata:
                type: object
              nodename:
                type: string
              pod:
                type: string
              podNamespace:
                type: string
              replicas:
                format: int32
                nullable: true
                type: integer
            type: object
          status:
            description: AzureAssignedIdentityStatus contains the replica status of the resource.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
              status:
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentity
    listKind: AzureIdentityList
    plural: azureidentities
    singular: azureidentity
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.type
      name: Type
      type: string
    - jsonPath: .spec.clientID
      name: ClientID
      type: string
    - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: AzureIdentity is the specification of the identity data structure.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
            properties:
              adEndpoint:
                type: string
              adResourceID:
                description: For service principal. Option param for specifying the AD details.
                type: string
              auxiliaryTenantIDs:
                description: Service principal auxiliary tenant ids
                items:
                  type: string
                nullable: true
                type: array
              clientID:
                description: Both User Assigned MSI and SP can use this field.
                type: string
              clientPassword:
                description: Used for service principal
                properties:
                  name:
                    description: Name is unique within a namespace to reference a secret resource.
                    type: string
                  namespace:
                    description: Namespace defines the space within which the secret name must be unique.
                    type: string
                type: object
              metadata:
                type: object
              replicas:
                format: int32
                nullable: true
                type: integer
              resourceID:
                description: User assigned MSI resource id.
                type: string
              tenantID:
                description: Service principal primary tenant id.
                type: string
              type:
                description: UserAssignedMSI or Service Principal
                type: integer
            type: object
          status:
            description: AzureIdentityStatus contains the replica status of the resource.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentitybindings.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentityBinding
    listKind: AzureIdentityBindingList
    plural: azureidentitybindings
    singular: azureidentitybinding
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .spec.azureIdentity
      name: AzureIdentity
      type: string
    - jsonPath: .spec.selector
      name: Selector
      type: string
    - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
      jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    name: v1
    schema:
      openAPIV3Schema:
        description: AzureIdentityBinding brings together the spec of matching pods and the identity which they can use.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
            properties:
              azureIdentity:
                type: string
              metadata:
                type: object
              selector:
                type: string
              weight:
                description: Weight is used to figure out which of the matching identities would be selected.
                type: integer
            type: object
          status:
            description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
            properties:
              availableReplicas:
                format: int32
                type: integer
              metadata:
                type: object
            type: object
        type: object
    served: true
    storage: true
    subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azurepodidentityexceptions.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzurePodIdentityException
    listKind: AzurePodIdentityExceptionList
    plural: azurepodidentityexceptions
    singular: azurepodidentityexception
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        description: AzurePodIdentityException contains the pod selectors for all pods that don't require NMI to process and request token on their behalf.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: AzurePodIdentityExceptionSpec matches pods with the selector defined. If request originates from a pod that matches the selector, nmi will proxy the request and send response back without any validation.
            properties:
              metadata:
                type: object
              podLabels:
                additionalProperties:
                  type: string
                type: object
            type: object
          status:
            description: AzurePodIdentityExceptionStatus contains the status of an AzurePodIdentityException.
            properties:
              metadata:
                type: object
              status:
                type: string
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    component: nmi
    tier: node
  name: nmi
  namespace: default
spec:
  selector:
    matchLabels:
      component: nmi
      tier: node
  template:
    metadata:
      labels:
        component: nmi
        tier: node
    spec:
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      volumes:
      - hostPath:
          path: /run/xtables.lock
          type: FileOrCreate
        name: iptableslock
      - name: kubelet-config
        hostPath:
          path: /etc/default/kubelet
          type: FileOrCreate
      containers:
      - name: nmi
        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.17"
        args:
        - "--node=$(NODE_NAME)"
        - "--http-probe-port=8085"
        - "--enableScaleFeatures=true"
        - "--metadata-header-required=true"
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        resources:
          limits:
            cpu: 200m
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        securityContext:
          runAsUser: 0
          capabilities:
            drop:
            - ALL
            add:
            - DAC_READ_SEARCH
            - NET_ADMIN
            - NET_RAW
        volumeMounts:
        - mountPath: /run/xtables.lock
          name: iptableslock
        - name: kubelet-config
          mountPath: /etc/default/kubelet
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8085
          initialDelaySeconds: 10
          periodSeconds: 5
      tolerations:
      - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
---
apiVersion: v1
data:
  Cloud: <base64-encoded-cloud>
  SubscriptionID: <base64-encode-subscription-id>
  ResourceGroup: <base64-encoded-resource-group>
  VMType: <base64-encoded-vm-type>
  TenantID: <base64-encoded-tenant-id>
  ClientID: <base64-encoded-client-id>
  ClientSecret: <base64-encoded-client-secret>
kind: Secret
metadata:
  name: aadpodidentity-admin-secret
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: mic
  name: mic
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      component: mic
  template:
    metadata:
      labels:
        component: mic
    spec:
      containers:
      - name: mic
        image: "mcr.microsoft.com/oss/azure/aad-pod-identity/mic:v1.8.17"
        args:
        - "--kubeconfig=/var/lib/kubelet/kubeconfig"
        - "--logtostderr"
        securityContext:
          runAsUser: 0
          readOnlyRootFilesystem: true
        env:
        - name: MIC_POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: CLOUD
          valueFrom:
            secretKeyRef:
              key: Cloud
              name: aadpodidentity-admin-secret
        - name: SUBSCRIPTION_ID
          valueFrom:
            secretKeyRef:
              key: SubscriptionID
              name: aadpodidentity-admin-secret
        - name: RESOURCE_GROUP
          valueFrom:
            secretKeyRef:
              key: ResourceGroup
              name: aadpodidentity-admin-secret
        - name: VM_TYPE
          valueFrom:
            secretKeyRef:
              key: VMType
              name: aadpodidentity-admin-secret
        - name: TENANT_ID
          valueFrom:
            secretKeyRef:
              key: TenantID
              name: aadpodidentity-admin-secret
        - name: CLIENT_ID
          valueFrom:
            secretKeyRef:
              key: ClientID
              name: aadpodidentity-admin-secret
        - name: CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              key: ClientSecret
              name: aadpodidentity-admin-secret
        resources:
          limits:
            cpu: 200m
            memory: 1024Mi
          requests:
            cpu: 100m
            memory: 256Mi
        volumeMounts:
        - name: kubelet-config
          mountPath: /var/lib/kubelet
          readOnly: true
        - name: certificates
          mountPath: /etc/kubernetes/certs
          readOnly: true
        livenessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 10
          periodSeconds: 5
      volumes:
      - name: kubelet-config
        hostPath:
          path: /var/lib/kubelet
      - name: certificates
        hostPath:
          path: /etc/kubernetes/certs
      nodeSelector:
        kubernetes.io/os: linux