# aad-pod-identity v1.8.17 (manifest_staging copy of deployment-rbac.yaml).
# Installs, in order: the NMI ServiceAccount, the four aadpodidentity.k8s.io
# CRDs, the NMI ClusterRole/ClusterRoleBinding and DaemonSet, then the MIC
# ServiceAccount, ClusterRole/ClusterRoleBinding and Deployment. Every
# namespaced object lands in "default"; both ClusterRoleBindings are
# cluster-scoped, so each component's permissions apply to all namespaces.
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity the NMI DaemonSet runs as; bound cluster-wide to
  # aad-pod-id-nmi-role by the ClusterRoleBinding further down.
  name: aad-pod-id-nmi-service-account
  namespace: default
---
# CRD: AzureAssignedIdentity. Records a matched pod (spec.pod / spec.podNamespace /
# spec.nodename) together with the AzureIdentity and AzureIdentityBinding it was
# matched to. Both refs are embedded resources (x-kubernetes-embedded-resource),
# so a full copy of the AzureIdentity — including its clientPassword secret
# reference — is stored inside this object.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Group ends in k8s.io, which the API server requires this annotation for;
    # "unapproved" is the opt-out value used here. controller-gen emitted this
    # schema (version below).
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureassignedidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureAssignedIdentity
    listKind: AzureAssignedIdentityList
    plural: azureassignedidentities
    singular: azureassignedidentity
  scope: Namespaced
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: AzureAssignedIdentity contains the identity <-> pod mapping which is matched.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: AzureAssignedIdentitySpec contains the relationship between an AzureIdentity and an AzureIdentityBinding.
              properties:
                # Embedded copy of the matched AzureIdentityBinding.
                azureBindingRef:
                  description: AzureBindingRef is an embedded resource referencing the AzureIdentityBinding used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true
                  properties:
                    apiVersion:
                      description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                      type: string
                    kind:
                      description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                      type: string
                    metadata:
                      type: object
                    spec:
                      description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
                      properties:
                        azureIdentity:
                          type: string
                        metadata:
                          type: object
                        selector:
                          type: string
                        weight:
                          description: Weight is used to figure out which of the matching identities would be selected.
                          type: integer
                      type: object
                    status:
                      description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
                      properties:
                        availableReplicas:
                          format: int32
                          type: integer
                        metadata:
                          type: object
                      type: object
                  type: object
                  x-kubernetes-embedded-resource: true
                # Embedded copy of the matched AzureIdentity (same schema as the
                # AzureIdentity CRD below, including the clientPassword reference).
                azureIdentityRef:
                  description: AzureIdentityRef is an embedded resource referencing the AzureIdentity used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true
                  properties:
                    apiVersion:
                      description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
                      type: string
                    kind:
                      description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
                      type: string
                    metadata:
                      type: object
                    spec:
                      description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
                      properties:
                        adEndpoint:
                          type: string
                        adResourceID:
                          description: For service principal. Option param for specifying the AD details.
                          type: string
                        auxiliaryTenantIDs:
                          description: Service principal auxiliary tenant ids
                          items:
                            type: string
                          nullable: true
                          type: array
                        clientID:
                          description: Both User Assigned MSI and SP can use this field.
                          type: string
                        # Secret reference (name + namespace), not the password
                        # itself; the secret may live in any namespace, which is
                        # why NMI's ClusterRole needs cluster-wide "get" on secrets.
                        clientPassword:
                          description: Used for service principal
                          properties:
                            name:
                              description: Name is unique within a namespace to reference a secret resource.
                              type: string
                            namespace:
                              description: Namespace defines the space within which the secret name must be unique.
                              type: string
                          type: object
                        metadata:
                          type: object
                        replicas:
                          format: int32
                          nullable: true
                          type: integer
                        resourceID:
                          description: User assigned MSI resource id.
                          type: string
                        tenantID:
                          description: Service principal primary tenant id.
                          type: string
                        # Integer discriminator; the numeric values are not
                        # enumerated in this schema, so the API server accepts
                        # any integer here.
                        type:
                          description: UserAssignedMSI or Service Principal
                          type: integer
                      type: object
                    status:
                      description: AzureIdentityStatus contains the replica status of the resource.
                      properties:
                        availableReplicas:
                          format: int32
                          type: integer
                        metadata:
                          type: object
                      type: object
                  type: object
                  x-kubernetes-embedded-resource: true
                metadata:
                  type: object
                nodename:
                  type: string
                pod:
                  type: string
                podNamespace:
                  type: string
                replicas:
                  format: int32
                  nullable: true
                  type: integer
              type: object
            status:
              description: AzureAssignedIdentityStatus contains the replica status of the resource.
              properties:
                availableReplicas:
                  format: int32
                  type: integer
                metadata:
                  type: object
                status:
                  type: string
              type: object
          type: object
      served: true
      storage: true
# Empty status stanza as emitted by controller-gen; the API server fills it in.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# CRD: AzureIdentity. Describes one Azure identity (user-assigned MSI or
# service principal). For service principals, spec.clientPassword points at a
# Kubernetes Secret by name and namespace; the credential itself is never
# stored in this object.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentities.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentity
    listKind: AzureIdentityList
    plural: azureidentities
    singular: azureidentity
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        # Extra kubectl columns: only type and clientID are shown, nothing
        # from the credential reference.
        - jsonPath: .spec.type
          name: Type
          type: string
        - jsonPath: .spec.clientID
          name: ClientID
          type: string
        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1
      schema:
        openAPIV3Schema:
          description: AzureIdentity is the specification of the identity data structure.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: AzureIdentitySpec describes the credential specifications of an identity on Azure.
              properties:
                adEndpoint:
                  type: string
                adResourceID:
                  description: For service principal. Option param for specifying the AD details.
                  type: string
                auxiliaryTenantIDs:
                  description: Service principal auxiliary tenant ids
                  items:
                    type: string
                  nullable: true
                  type: array
                clientID:
                  description: Both User Assigned MSI and SP can use this field.
                  type: string
                # Secret reference only (name + namespace); see the NMI
                # ClusterRole for the permission that resolves it.
                clientPassword:
                  description: Used for service principal
                  properties:
                    name:
                      description: Name is unique within a namespace to reference a secret resource.
                      type: string
                    namespace:
                      description: Namespace defines the space within which the secret name must be unique.
                      type: string
                  type: object
                metadata:
                  type: object
                replicas:
                  format: int32
                  nullable: true
                  type: integer
                resourceID:
                  description: User assigned MSI resource id.
                  type: string
                tenantID:
                  description: Service principal primary tenant id.
                  type: string
                type:
                  description: UserAssignedMSI or Service Principal
                  type: integer
              type: object
            status:
              description: AzureIdentityStatus contains the replica status of the resource.
              properties:
                availableReplicas:
                  format: int32
                  type: integer
                metadata:
                  type: object
              type: object
          type: object
      served: true
      storage: true
      # No status subresource: status is writable through the main resource,
      # so anyone with "update" on azureidentities can also change status.
      subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# CRD: AzureIdentityBinding. Ties a pod selector (spec.selector) to an
# AzureIdentity by name (spec.azureIdentity); weight breaks ties between
# multiple matches.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azureidentitybindings.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzureIdentityBinding
    listKind: AzureIdentityBindingList
    plural: azureidentitybindings
    singular: azureidentitybinding
  scope: Namespaced
  versions:
    - additionalPrinterColumns:
        - jsonPath: .spec.azureIdentity
          name: AzureIdentity
          type: string
        - jsonPath: .spec.selector
          name: Selector
          type: string
        - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
          jsonPath: .metadata.creationTimestamp
          name: Age
          type: date
      name: v1
      schema:
        openAPIV3Schema:
          description: AzureIdentityBinding brings together the spec of matching pods and the identity which they can use.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present.
              properties:
                # Name of the AzureIdentity; the schema does not require it or
                # the selector, so empty bindings are accepted by the API server.
                azureIdentity:
                  type: string
                metadata:
                  type: object
                selector:
                  type: string
                weight:
                  description: Weight is used to figure out which of the matching identities would be selected.
                  type: integer
              type: object
            status:
              description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding.
              properties:
                availableReplicas:
                  format: int32
                  type: integer
                metadata:
                  type: object
              type: object
          type: object
      served: true
      storage: true
      subresources: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# CRD: AzurePodIdentityException. Pods whose labels match spec.podLabels are
# exempted from NMI's identity validation: per the spec description, NMI
# proxies their requests and returns the response "without any validation".
# Granting "create"/"update" on this resource is therefore equivalent to
# granting a bypass of the identity checks — keep it tightly controlled.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    api-approved.kubernetes.io: unapproved
    controller-gen.kubebuilder.io/version: v0.5.0
  name: azurepodidentityexceptions.aadpodidentity.k8s.io
spec:
  group: aadpodidentity.k8s.io
  names:
    kind: AzurePodIdentityException
    listKind: AzurePodIdentityExceptionList
    plural: azurepodidentityexceptions
    singular: azurepodidentityexception
  scope: Namespaced
  versions:
    - name: v1
      schema:
        openAPIV3Schema:
          description: AzurePodIdentityException contains the pod selectors for all pods that don't require NMI to process and request token on their behalf.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              description: AzurePodIdentityExceptionSpec matches pods with the selector defined. If request originates from a pod that matches the selector, nmi will proxy the request and send response back without any validation.
              properties:
                metadata:
                  type: object
                # Free-form label map; an empty map is schema-valid, so check the
                # controller's handling of an exception with no labels.
                podLabels:
                  additionalProperties:
                    type: string
                  type: object
              type: object
            status:
              description: AzurePodIdentityExceptionStatus contains the status of an AzurePodIdentityException.
              properties:
                metadata:
                  type: object
                status:
                  type: string
              type: object
          type: object
      served: true
      storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
---
# ClusterRole for NMI (the per-node token proxy). Read-only throughout; the
# one sensitive entry is "get" on secrets, noted below.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aad-pod-id-nmi-role
rules:
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Cluster-wide "get" on every Secret by name, in any namespace. It cannot be
  # narrowed with resourceNames because the names come from user-authored
  # AzureIdentity.spec.clientPassword references. "list"/"watch" are correctly
  # omitted, so a compromised NMI still has to know a secret's name to read it.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureassignedidentities"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-pod-id-nmi-binding
  labels:
    k8s-app: aad-pod-id-nmi-binding
subjects:
  - kind: ServiceAccount
    name: aad-pod-id-nmi-service-account
    namespace: default
roleRef:
  kind: ClusterRole
  name: aad-pod-id-nmi-role
  apiGroup: rbac.authorization.k8s.io
---
# NMI DaemonSet: one pod per Linux node; "operator: Exists" tolerates every
# taint, so control-plane nodes are included. The pod uses the host network,
# runs as root and adds NET_ADMIN/NET_RAW; the /run/xtables.lock mount suggests
# it programs host iptables rules. This is the most privileged workload in the
# file and falls outside the baseline Pod Security Standard (hostNetwork,
# hostPath, added capabilities) — changes to securityContext, hostNetwork or
# the volumes are security-relevant.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  labels:
    component: nmi
    tier: node
    k8s-app: aad-pod-id
  name: nmi
  namespace: default
spec:
  updateStrategy:
    type: RollingUpdate
  selector:
    matchLabels:
      component: nmi
      tier: node
  template:
    metadata:
      labels:
        component: nmi
        tier: node
    spec:
      serviceAccountName: aad-pod-id-nmi-service-account
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      volumes:
        # iptables lock file; FileOrCreate so the mount works on nodes where
        # no iptables invocation has created it yet. Mounted read-write below.
        - hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
          name: iptableslock
        # Node kubelet defaults file, mounted read-only below.
        - name: kubelet-config
          hostPath:
            path: /etc/default/kubelet
            type: FileOrCreate
      containers:
        - name: nmi
          # Pinned by tag only. Tags are mutable; prefer an immutable digest
          # (image: "...nmi@sha256:<DIGEST-PLACEHOLDER>") once one is recorded
          # for this release.
          image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.17"
          args:
            - "--node=$(NODE_NAME)"
            - "--http-probe-port=8085"
            - "--enableScaleFeatures=true"
            # Presumably mirrors the IMDS requirement for a Metadata request
            # header on proxied token requests; keep it true so requests that
            # cannot set custom headers are rejected rather than proxied.
            - "--metadata-header-required=true"
          env:
            # With hostNetwork: true, status.podIP is the node's IP.
            - name: HOST_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          resources:
            limits:
              cpu: 200m
              memory: 512Mi
            requests:
              cpu: 100m
              memory: 256Mi
          securityContext:
            # Root with ALL dropped and three capabilities re-added. Unlike the
            # MIC container below there is no readOnlyRootFilesystem, and no
            # allowPrivilegeEscalation: false / seccompProfile on either pod.
            runAsUser: 0
            capabilities:
              drop:
                - ALL
              add:
                - DAC_READ_SEARCH
                - NET_ADMIN
                - NET_RAW
          volumeMounts:
            # Not readOnly: the lock must be writable for iptables to take it.
            - mountPath: /run/xtables.lock
              name: iptableslock
            - name: kubelet-config
              mountPath: /etc/default/kubelet
              readOnly: true
          livenessProbe:
            httpGet:
              path: /healthz
              # Same port as --http-probe-port; on the host network this port
              # is bound on every node.
              port: 8085
            initialDelaySeconds: 10
            periodSeconds: 5
      tolerations:
        - operator: Exists
      nodeSelector:
        kubernetes.io/os: linux
---
apiVersion: v1
kind: ServiceAccount
metadata:
  # Identity the MIC Deployment runs as; bound cluster-wide to
  # aad-pod-id-mic-role below.
  name: aad-pod-id-mic-service-account
  namespace: default
---
# ClusterRole for MIC (the controller). Two entries use "*" and one contains a
# verb that RBAC does not recognise; see the per-rule notes.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: aad-pod-id-mic-role
rules:
  # "*" covers delete/deletecollection/patch on every CRD in the cluster, not
  # only the aadpodidentity.k8s.io ones. Presumably MIC only reads (and perhaps
  # installs) its own CRDs — confirm, then narrow the verbs or add resourceNames.
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods", "nodes"]
    verbs: [ "list", "watch" ]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  # configmaps/endpoints create+update: presumably leader election between the
  # two MIC replicas — verify against the controller's leader-election settings.
  # Note "update" on configmaps is cluster-wide, not limited to the lock object.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["create", "get","update"]
  # NOTE(review): "post" is not a Kubernetes RBAC verb (an HTTP POST is
  # authorized as "create"), so that entry grants nothing. Either drop it or,
  # if MIC really creates these objects, replace it with "create".
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureidentitybindings", "azureidentities"]
    verbs: ["get", "list", "watch", "post", "update"]
  # "update" on exceptions lets MIC rewrite the validation-bypass selectors;
  # the AzurePodIdentityException CRD has no status subresource, so this is
  # the only way status can be written.
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azurepodidentityexceptions"]
    verbs: ["list", "update"]
  # Full control over AzureAssignedIdentity objects, which MIC owns.
  - apiGroups: ["aadpodidentity.k8s.io"]
    resources: ["azureassignedidentities"]
    verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: aad-pod-id-mic-binding
  labels:
    k8s-app: aad-pod-id-mic-binding
subjects:
  - kind: ServiceAccount
    name: aad-pod-id-mic-service-account
    namespace: default
roleRef:
  kind: ClusterRole
  name: aad-pod-id-mic-role
  apiGroup: rbac.authorization.k8s.io
---
# MIC Deployment: two replicas of the controller. Mounts the node's cloud
# provider config (/etc/kubernetes/azure.json, passed via --cloudconfig)
# read-only from the host; presumably that file is the source of the
# controller's Azure credentials, so only nodes that carry it can host this
# pod. hostPath alone puts this pod outside the baseline Pod Security Standard.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    component: mic
    k8s-app: aad-pod-id
  name: mic
  namespace: default
spec:
  replicas: 2
  selector:
    matchLabels:
      component: mic
      app: mic
  template:
    metadata:
      labels:
        component: mic
        app: mic
    spec:
      serviceAccountName: aad-pod-id-mic-service-account
      containers:
        - name: mic
          # Pinned by tag only; see the note on the NMI image about digests.
          image: "mcr.microsoft.com/oss/azure/aad-pod-identity/mic:v1.8.17"
          args:
            - "--cloudconfig=/etc/kubernetes/azure.json"
            - "--logtostderr"
          securityContext:
            # Still root, but with a read-only root filesystem (NMI lacks this).
            # No capabilities are added; ALL is not explicitly dropped either.
            runAsUser: 0
            readOnlyRootFilesystem: true
          env:
            - name: MIC_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            limits:
              cpu: 200m
              memory: 1024Mi
            requests:
              cpu: 100m
              memory: 256Mi
          volumeMounts:
            - name: k8s-azure-file
              mountPath: /etc/kubernetes/azure.json
              readOnly: true
          livenessProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 5
      volumes:
        # No hostPath "type" is set, so kubelet performs no existence/type check
        # before mounting; "type: File" would fail fast on nodes without the
        # file instead of mounting something unexpected — confirm and add.
        - name: k8s-azure-file
          hostPath:
            path: /etc/kubernetes/azure.json
      nodeSelector:
        kubernetes.io/os: linux