github.com/Azure/aad-pod-identity@v1.8.17/tutorial/README.md (about) 1 # AAD Pod Identity Tutorial 2 3 This tutorial is based on [this repository](https://github.com/xtellurian/aad-pods). 4 5 ## Prerequisites 6 7 - [Azure Account](https://azure.microsoft.com/en-us/free/) 8 9 In this tutorial we are going to be using the Azure CLI, bash scripts, and kubectl. There are three sections, and each section contains several scripts to run. You'll find all the scripts in the `/scripts` directory. 10 11 Lines like `./scripts/path/to/script.sh` indicate you should execute that script. 12 13 To begin, clone this repository 14 15 ```sh 16 17 git clone https://github.com/Azure/aad-pod-identity 18 cd aad-pod-identity/docs/tutorial 19 20 ``` 21 22 ### Using Azure CLI, kubectl and bash 23 24 The following steps require the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest), make sure to download and [login](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli?view=azure-cli-latest) before starting. 25 26 If you're on Windows, you should use [Windows Subsystem for Linux](https://docs.microsoft.com/en-us/windows/wsl/install-win10) or another Bash terminal. 27 28 You can install kubectl via the Azure CLI, or by [another method](https://kubernetes.io/docs/tasks/tools/install-kubectl/) 29 30 `az aks install-cli` 31 32 ## 1. Create a Kubernetes Cluster on Azure (AKS) 33 34 ### 1.1. Register the required resource types 35 36 `./scripts/1-init-aks/1-azure-provider-registration.sh` 37 38 AKS requires the following resources: Microsoft.Network, Microsoft.Storage, Microsoft.Compute, Microsoft.ContainerService. Register them on your subscription with the above script. 39 40 41 ### 1.2. Create a Resource Group 42 43 Set an environment variable in your shell, for the name of your resource group. 44 45 `export RG="k8s-test"` 46 47 This resource group is for your AKS cluster. Create it with this command. 48 49 `./scripts/1-init-aks/2-create-rg.sh` 50 51 ### 1.3. Create Azure Kubernetes Service 52 53 This will create an AKS instance in the resource group created above. It may take a couple of minutes to complete. Set the name of the this command in the shell. 54 55 ```sh 56 57 K8S_NAME="Cluster-Name" 58 ./scripts/1-init-aks/3-create-aks.sh 59 60 ``` 61 62 63 ### 1.4. Configure the kubernetes CLI - `kubectl` 64 65 With `kubectl` installed, run the following script 66 67 `./scripts/1-init-aks/4-configure-cli.sh` 68 69 Now the `kubectl` command should control your AKS cluster. Try it out, it should look similar to below: 70 71 ```sh 72 73 $ kubectl get nodes 74 NAME STATUS ROLES AGE VERSION 75 aks-nodepool1-15831963-0 Ready agent 01h v1.9.6 76 77 ``` 78 79 ## 2. Configure AKS with required infrastructure on the cluster 80 81 Pod Identity requires two components: 82 83 1. Managed Identity Controller (MIC). A pod that binds Azure Ids to other pods - creates azureAssignedIdentity CRD. 84 2. Node Managed Identity (NMI). Identifies the pod based on the remote address of the incoming request, and then queries the k8s (through MIC) for a matching Azure Id. It then make a adal request to get the token for the client id and returns as a response to the request. Implemented as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/). 85 86 Deploy the infrastructure with the following command to deploy MIC, NMI, and MIC CRDs. 87 88 `./scripts/2-config-aks/2-deploy-infra.sh` 89 90 NOTE: If you have RBAC enabled, use the following deployment instead: 91 92 ``` 93 kubectl create -f ../../deploy/infra/deployment-rbac.yaml 94 ``` 95 96 ## 3. Deploy the demo 97 98 The demo is basic, but does prove the concept. 99 100 ### 3.1. Create an Azure Id 101 102 We will be assigning the demo pod an [Azure Managed Service Identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview). The Azure Id will need to be in the same Resource Group *as was created automatically by the provisioning of the AKS cluster* [see this issue for more information](https://github.com/Azure/aad-pod-identity/issues/38). 103 104 You might find the Resource Group name with 105 106 `az group list | grep $RG` 107 108 Then set the environment variable 109 110 `export MC_RG="resource-group-name"` 111 112 Run the following to create an azure id 113 114 `./scripts/3-deploy-demo/1-create-azure-id.sh` 115 116 ### 3.2. Deploy demo 117 118 The `/deploy/demo/deployment.yaml` describes the pod that will be deployed. 119 120 It automatically adds the following values from your environment: 121 122 - subscriptionid: Id of your Azure Subscription 123 - clientid: From the Azure Id you created in the step above 124 - resourcegroup: From the Azure Id you created above 125 126 Run the following to deploy the demo 127 128 `./scripts/3-deploy-demo/2-deploy-demo.sh` 129 130 ### 3.3. Deploy Azure Id to Kubernetes 131 132 We need to tell the cluster about the Id we created, so it can bind it to the pod (the next step). To do that, we will deploy the spec found in `/deploy/demo/aadpodidentity.yaml`. 133 134 Run the following to deploy the Azure ID to Kubernetes: 135 136 `./scripts/3-deploy-demo/3-deploy-id-to-k8s.sh` 137 138 ### 3.4. Bind the Id to our demo pod 139 140 Last thing we need to do is bind the Id we created in step 1, and deployed in step 3, to the pod we deployed in step 2. 141 142 Deploy the binding with the following 143 144 `./scripts/3-deploy-demo/4-deploy-id-binding.sh` 145 146 ## Did it work? 147 148 You'll need to check the logs of each pod to know if everything worked. 149 150 First, get the pod names with the following command: 151 152 ```sh 153 154 $ kubectl get pods 155 NAME READY STATUS RESTARTS AGE 156 demo-757967c54-64pzr 1/1 Running 0 1h # the demo pod 157 mic-64ddcf5f65-h4hft 1/1 Running 0 19h # the MIC pod 158 nmi-b9xbg 1/1 Running 0 1h # the NMI pod 159 160 ``` 161 162 ### Check the Managed Identity Controller pod 163 164 Check the logs of the MIC controller and see the binding successfully applied on the node. 165 166 ```sh 167 168 $ kubectl logs mic-64ddcf5f65-h4hft 169 .... 170 I0606 23:19:45.867711 1 crd.go:123] Got id podid to assign 171 I0606 23:19:45.867829 1 crd.go:142] Creating assigned Id: demo-5788d95785-ghzwv-default-podid 172 I0606 23:19:45.874002 1 cloudprovider.go:170] Find aks-nodepool1-15831963-0 in resource group: MC_k8s-test_clusterFrank_eastus 173 I0606 23:20:11.051552 1 cloudprovider.go:162] Underlying cloud provider operation took 25.04421296s 174 I0606 23:20:11.051846 1 mic.go:259] Sync took: 25.220821436s 175 I0606 23:20:11.052905 1 event.go:218] Event(v1.ObjectReference{Kind:"AzureIdentityBinding", Namespace:"default", Name:"myIdBinding", UID:"19a07e0e-69e0-11e8-9e9f-4addade2df92", APIVersion:"aadpodidentity.k8s.io/v1", ResourceVersion:"89529", FieldPath:""}): type: 'Normal' reason: 'binding applied' Binding myIdBinding applied on node aks-nodepool1-15831963-0 for pod demo-5788d95785-ghzwv-default-podid 176 177 ``` 178 179 ### Check the Node Managed Identity pod 180 181 Check the logs of the NMI pod to see only info level logging and 200 responses. If you see 403 or 404 responses, then something is wrong. 182 183 ```sh 184 185 $ kubectl logs nmi-b9xbg 186 ... 187 time="2018-06-07T01:30:04Z" level=info msg="Status (200) took 55422159 ns" req.method=GET req.path=/metadata/identity/oauth2/token req.remote=10.244.0.25 188 time="2018-06-07T01:30:04Z" level=info msg="matched identityType:0 clientid:a40e83f9-6198-4633-afae-d860eb5b7f7c resource:https://management.azure.com/" req.method=GET req.path=/metadata/identity/oauth2/token req.remote=10.244.0.25 189 190 ``` 191 192 ### Check the demo pod 193 194 The demo pod should be reporting on the virtual machines in the resource group. If you see intermittant 403 responses, that is OK. 195 196 ```sh 197 198 $ kubectl logs demo-757967c54-64pzr 199 ... 200 time="2018-06-07T01:32:30Z" level=error msg="failed list all vm compute.VirtualMachinesClient#List: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"AuthorizationFailed\" Message=\"The client '48affddb-9972-4b7e-a82b-c5d32d2a3dd5' with object id '48affddb-9972-4b7e-a82b-c5d32d2a3dd5' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/read' over scope '/subscriptions/c5760548-23c2-4223-b41e-5d68a8320a0c/resourceGroups/MC_k8s-test_clusterFrank_eastus/providers/Microsoft.Compute'.\"" podip=10.244.0.25 podname=demo-757967c54-64pzr podnamespace=demo-757967c54-64pzr 201 time="2018-06-07T01:32:30Z" level=info msg="successfully acquired a token using the MSI, msiEndpoint(http://169.254.169.254/metadata/identity/oauth2/token)" podip=10.244.0.25 podname=demo-757967c54-64pzr podnamespace=demo-757967c54-64pzr 202 time="2018-06-07T01:32:30Z" level=info msg="successfully acquired a token, userAssignedID MSI, msiEndpoint(http://169.254.169.254/metadata/identity/oauth2/token) clientID(a40e83f9-6198-4633-afae-d860eb5b7f7c)" podip=10.244.0.25 podname=demo-757967c54-64pzr podnamespace=demo-757967c54-64pzr 203 time="2018-06-07T01:32:30Z" level=info msg="successfully made GET on instance metadata, {\"compute\":{\"location\":\"eastus\",\"name\":\"aks-nodepool1-15831963-0\",\"offer\":\"UbuntuServer\",\"osType\":\"Linux\",\"placementGroupId\":\"\",\"platformFaultDomain\":\"0\",\"platformUpdateDomain\":\"0\",\"publisher\":\"Canonical\",\"resourceGroupName\":\"MC_k8s-test_clusterFrank_eastus\",\"sku\":\"16.04-LTS\",\"subscriptionId\":\"c5760548-23c2-4223-b41e-5d68a8320a0c\",\"tags\":\"acsengineVersion:v0.17.0-aks;creationSource:aks-aks-nodepool1-15831963-0;orchestrator:Kubernetes:1.9.6;poolName:nodepool1;resourceNameSuffix:15831963\",\"version\":\"16.04.201805090\",\"vmId\":\"3fea4c7e-4aaf-400f-a588-2a851f6fd0cf\",\"vmSize\":\"Standard_DS1_v2\"},\"network\":{\"interface\":[{\"ipv4\":{\"ipAddress\":[{\"privateIpAddress\":\"10.240.0.4\",\"publicIpAddress\":\"\"}],\"subnet\":[{\"address\":\"10.240.0.0\",\"prefix\":\"16\"}]},\"ipv6\":{\"ipAddress\":[]},\"macAddress\":\"000D3A13DEE3\"}]}}" podip=10.244.0.25 podname=demo-757967c54-64pzr podnamespace=demo-757967c54-64pzr 204 205 ``` 206 207 ### Check the descriptions 208 209 `kubectl describe azureidentity` 210 211 `kubectl describe azureidentitybinding` 212 213 ### Video 214 215 [](https://www.youtube.com/watch?v=BXhIMJYDO4w) 216 217 ## Continuous Deployment with VSTS 218 219 This section is optional. 220 221 It shows how to deploy the same pods and infrastructure as above using [VSTS Continuous Integration](https://www.visualstudio.com/team-services/continuous-integration/). 222 223 ### Configure Kubernetes Connection in VSTS 224 225 Give VSTS permission to use your Kubernetes cluster by adding the endpoint to your project. Click the Cog Wheel, and go to Services. Add a new endpoint, and choose Kubernetes. See [this tutorial](https://almvm.azurewebsites.net/labs/vstsextend/kubernetes/) for a more details. 226 227  228 229 ### Release Definition 230 231 Create a new empty Release Definition, and add this repository and a source with alias `_aad_pods` 232 233 Add a Task of type 'Deploy to Kubernetes'. Create one of these tasks for each of the following: 234 235 > The command of each is `apply`, and the each below shows the reqired arguments. 236 237 - `-f _aad-pods/deploy/infra/deployment.yaml` 238 - `-f _aad-pods/deploy/demo/deployment.yaml` 239 - `-f _aad-pods/deploy/demo/aadpodidentity.yaml` 240 - `-f _aad-pods/deploy/demo/aadpodidentitybinding.yaml` 241 242 The result should look like this 243 244  245 246 ### Customising each Deployment 247 248 You probably don't want to deploy the same Demo every time. To customise the Kubernetes deployment, use the [YAML Writer](https://marketplace.visualstudio.com/items?itemName=jakkaj.vsts-yaml-writer) extension, and edit the values in the YAML files. 249