github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Best Practices/_index.md (about) 1 --- 2 title: "Best Practices" 3 linkTitle: "Best Practices" 4 weight: 5 5 date: 2020-10-04 6 description: > 7 This document highlights the best practices when using aad-pod-identity. 8 --- 9 10 ## Retry on token retrieval 11 12 aad-pod-identity retrieves access tokens on behalf of your workload by intercepting token requests to the Instance Metadata Service (IMDS) endpoint (169.254.169.254). However, it does not perform any sort of token caching. We believe that either the users or the SDK that your application is using is responsible for token management. 13 14 Note that there is a brief window between when your application started running and the identity gets assigned to the underlying node. If your application tried to retrieve an access token during that period, it might fail. The following table describes the duration that you could expect to wait based on your cluster's node type: 15 16 | Node Type | Identity Assignment Duration | 17 |---------------------------|------------------------------| 18 | Virtual Machine | 10 - 20 seconds | 19 | Virtual Machine Scale Set | 40 - 60 seconds | 20 21 > Note: the delay only occurs when the user-assigned identity is not assigned to the underlying node on Azure. Subsequent token requests will not incur this delay after identity assignment. 22 23 By default, when fetching an access token, NMI performs 16 retries with 5 seconds in between each retry to check whether the `AzureIdentity` assigned to your pod has been successfully assigned to the underlying node on Azure. It will return an error if it is still not assigned after `16 retries x 5 seconds = 80 seconds`. Also, your workload might encounter an error if it times out before NMI finishes this operation. You can adjust the number of retries and the delay in between each retry via the NMI flags `--retry-attempts-for-created` and `--find-identity-retry-interval`. 24 25 Additional retry logic is also implemented internally in most of Azure's SDKs to prevent your application from erroring out. For example, [azure-sdk-for-go](https://github.com/Azure/azure-sdk-for-go) by default performs five retries with exponential backoff when fetching an access token from IMDS. 26 27 Alternatively, you could set up a simple init container to probe for successful identity assignment by MIC and prevent applications from starting prematurely. Here is an example init-container with Azure CLI. 28 29 ```yaml 30 ... 31 initContainers: 32 - name: init 33 image: mcr.microsoft.com/azure-cli 34 command: 35 - sh 36 - -c 37 - az login --identity --allow-no-subscriptions --debug 38 ... 39 ``` 40 41 ## A pod using multiple AzureIdentities 42 43 In some scenarios, you might want to assign multiple `AzureIdentities` to a workload. Here is an example of how to achieve that: 44 45 ### AzureIdentities 46 47 ```yaml 48 apiVersion: aadpodidentity.k8s.io/v1 49 kind: AzureIdentity 50 metadata: 51 name: az-id-1 52 spec: 53 type: 0 54 resourceID: <ResourceID of az-id-1> 55 clientID: <ClientID of az-id-1> 56 ``` 57 58 ```yaml 59 apiVersion: aadpodidentity.k8s.io/v1 60 kind: AzureIdentity 61 metadata: 62 name: az-id-2 63 spec: 64 type: 0 65 resourceID: <ResourceID of az-id-2> 66 clientID: <ClientID of az-id-2> 67 ``` 68 69 ### AzureIdentityBinding 70 71 ```yaml 72 apiVersion: aadpodidentity.k8s.io/v1 73 kind: AzureIdentityBinding 74 metadata: 75 name: az-id-1-binding 76 spec: 77 azureIdentity: az-id-1 78 selector: az-id-combined 79 ``` 80 81 ```yaml 82 apiVersion: aadpodidentity.k8s.io/v1 83 kind: AzureIdentityBinding 84 metadata: 85 name: az-id-2-binding 86 spec: 87 azureIdentity: az-id-2 88 selector: az-id-combined 89 ``` 90 91 ### Pod 92 93 ```yaml 94 apiVersion: v1 95 kind: Pod 96 metadata: 97 name: demo 98 labels: 99 aadpodidbinding: az-id-combined 100 ... 101 ``` 102 103 Note: if you do not specify which managed identity to use (e.g. `az login -i`) then one of the managed identities matching the `aadpodidbinding` selector will be selected at random. To make sure the right managed identity is used for a particular workload, make sure you specify the managed identity's `clientId` (e.g. `az login -i -u <CLIENT ID>`) or `resourceID` (e.g `az login -i -u <RESOURCE ID>`) when authenticating. 104 105 106 ## Pods using unauthorized AzureIdentities 107 108 By default, aad-pod-identity matches pods with `AzureIdentities` across all namespaces. That means that a malicious pod could assign itself an unauthorized pod identity label and acquire a token with that particular `AzureIdentity`. This scenario can be mitigated by performing the following: 109 110 - Deploy aad-pod-identity with [namespaced mode](../configure/match_pods_in_namespace/). This will restrict pods from binding with `AzureIdentities` across different namespaces. Note that `AzureIdentities` and `AzureIdentityBindings` must be deployed to the same namespace as your workload when using namespaced mode. 111 112 - Set up Kubernetes-native RBAC to restrict access and creation of `AzureIdentities` across sensitive namespaces. 113 114 - Set up RBAC on Azure to restrict access and creation of user-assigned identities. 115 116 ## Using aad-pod-identity in different Kubernetes workloads 117 118 ### [Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/) 119 120 ```yaml 121 apiVersion: apps/v1 122 kind: Deployment 123 metadata: 124 name: azure-cli 125 spec: 126 selector: 127 matchLabels: 128 name: azure-cli 129 template: 130 metadata: 131 labels: 132 name: azure-cli 133 aadpodidbinding: <selector defined in AzureIdentityBinding> 134 spec: 135 containers: 136 - name: azure-cli 137 image: mcr.microsoft.com/azure-cli 138 command: 139 - sh 140 - -c 141 - az login --identity --allow-no-subscriptions --debug 142 ``` 143 144 ### [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) 145 146 ```yaml 147 apiVersion: apps/v1 148 kind: DaemonSet 149 metadata: 150 name: azure-cli 151 spec: 152 selector: 153 matchLabels: 154 name: azure-cli 155 template: 156 metadata: 157 labels: 158 name: azure-cli 159 aadpodidbinding: <selector defined in AzureIdentityBinding> 160 spec: 161 containers: 162 - name: azure-cli 163 image: mcr.microsoft.com/azure-cli 164 command: 165 - sh 166 - -c 167 - az login --identity --allow-no-subscriptions --debug 168 ``` 169 170 ### [Job](https://kubernetes.io/docs/concepts/workloads/controllers/job/) 171 172 ```yaml 173 apiVersion: batch/v1 174 kind: Job 175 metadata: 176 name: azure-cli 177 spec: 178 template: 179 metadata: 180 labels: 181 aadpodidbinding: <selector defined in AzureIdentityBinding> 182 spec: 183 containers: 184 - name: azure-cli 185 image: mcr.microsoft.com/azure-cli 186 command: 187 - sh 188 - -c 189 - az login --identity --allow-no-subscriptions --debug 190 restartPolicy: Never 191 backoffLimit: 4 192 ``` 193 194 ### [CronJob](https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/) 195 196 ```yaml 197 apiVersion: batch/v1beta1 198 kind: CronJob 199 metadata: 200 name: azure-cli 201 spec: 202 schedule: "*/1 * * * *" 203 jobTemplate: 204 spec: 205 template: 206 metadata: 207 labels: 208 aadpodidbinding: <selector defined in AzureIdentityBinding> 209 spec: 210 containers: 211 - name: azure-cli 212 image: mcr.microsoft.com/azure-cli 213 command: 214 - sh 215 - -c 216 - az login --identity --allow-no-subscriptions --debug 217 restartPolicy: OnFailure 218 ```