github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Configure/application_exception.md

---
title: "Disable AAD Pod Identity for a specific Pod/Application"
linkTitle: "Disable AAD Pod Identity for a specific Pod/Application"
weight: 3
description: >
  NMI pods modify the nodes' iptables to intercept calls to the Azure Instance Metadata endpoint. This means any request made to the Metadata endpoint will be intercepted by NMI even if the pod doesn't use aad-pod-identity.
---

> Available from 1.5 release

NMI pods modify the nodes' iptables to intercept calls to the Azure Instance Metadata endpoint. This means any request made to the Metadata endpoint will be intercepted by NMI even if the pod doesn't use aad-pod-identity. The `AzurePodIdentityException` CRD can be configured to inform aad-pod-identity that any request to the metadata endpoint originating from a pod that matches the labels defined in the CRD should be proxied without any processing in NMI. NMI will proxy the request to the metadata endpoint and return the token as is, without any validation.

1. Create the `AzurePodIdentityException` with the same label that will be defined in the pod:

```yaml
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzurePodIdentityException
metadata:
  name: test-exception
spec:
  podLabels:
    foo: bar
    app: custom
```

Use the [sample template](https://github.com/Azure/aad-pod-identity/blob/master/examples/azurepodidentityexception.yaml), replace `podLabels` with the desired key/value pairs and then create the resource on the cluster:

```shell
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/examples/azurepodidentityexception.yaml
```

When creating application pods that will not be using aad-pod-identity for calls to the Azure Instance Metadata endpoint, include at least one of the labels in `spec.template.metadata.labels`.

Example Deployment whose pod template carries the same label as the exception defined above:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: sample
  labels:
    app: sample
spec:
  replicas: 2
  selector:
    matchLabels:
      app: sample
  template:
    metadata:
      labels:
        app: sample
        foo: bar  # label defined in the exception CRD, included in the deployment
    spec:
      [...]
```

To verify the pods carry a label that matches one defined in the exception CRD:

```shell
kubectl get pods --show-labels
NAME                           READY   STATUS    RESTARTS   AGE   LABELS
sample-td                      1/1     Running   0          16s   app=sample,foo=bar
```

**NOTE**
- `AzurePodIdentityException` is per namespace. This means that if the same label needs to be used in multiple namespaces to except pods, a CRD resource needs to be created in each namespace.
- Not all labels defined in the exception CRD need to be present in the deployment/pod spec. A single matching label is enough for the pod to be excepted.
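
Because an excepted pod receives metadata-endpoint tokens proxied without NMI validation, it is worth auditing which pods the rules above actually exempt. The following Python script is an added example, not part of the project's documentation: it applies the two matching rules (exceptions are namespaced; one key/value match is enough) to constructed objects shaped like `kubectl get azurepodidentityexceptions -A -o json` and `kubectl get pods -A -o json` output. The `monitoring-exception` object and all pods other than `sample-td` are constructed sample data.

```python
# Constructed sample input shaped like `kubectl get ... -A -o json` items
# (only the fields used by the matching logic are included).
EXCEPTIONS = [
    {"metadata": {"name": "test-exception", "namespace": "default"},
     "spec": {"podLabels": {"foo": "bar", "app": "custom"}}},
    {"metadata": {"name": "monitoring-exception", "namespace": "monitoring"},
     "spec": {"podLabels": {"app": "agent"}}},
]

PODS = [
    {"metadata": {"name": "sample-td", "namespace": "default",
                  "labels": {"app": "sample", "foo": "bar"}}},
    {"metadata": {"name": "web-0", "namespace": "default",
                  "labels": {"app": "web"}}},
    # Same label as test-exception, but in another namespace: NOT excepted.
    {"metadata": {"name": "sample-other", "namespace": "other",
                  "labels": {"foo": "bar"}}},
    {"metadata": {"name": "agent-x", "namespace": "monitoring",
                  "labels": {"app": "agent"}}},
]


def matching_exception(pod, exceptions):
    """Return the name of the first exception in the pod's own namespace that
    shares at least one label key/value pair with the pod, or None."""
    ns = pod["metadata"]["namespace"]
    labels = pod["metadata"].get("labels") or {}
    for exc in exceptions:
        if exc["metadata"]["namespace"] != ns:
            continue  # AzurePodIdentityException is per namespace
        wanted = exc["spec"].get("podLabels") or {}
        # A single matching key/value pair is enough; not all are required.
        if any(labels.get(key) == value for key, value in wanted.items()):
            return exc["metadata"]["name"]
    return None


def excepted_pods(pods, exceptions):
    """List (namespace, pod, exception) for every pod whose metadata-endpoint
    requests NMI would proxy unvalidated."""
    result = []
    for pod in pods:
        name = matching_exception(pod, exceptions)
        if name:
            result.append((pod["metadata"]["namespace"], pod["metadata"]["name"], name))
    return result


if __name__ == "__main__":
    for ns, pod, exc in excepted_pods(PODS, EXCEPTIONS):
        print(f"{ns}/{pod} bypasses NMI validation via {exc}")
```

Against a live cluster, feed the `items` arrays of the two `kubectl get -A -o json` commands into `excepted_pods` and review any exception whose labels are broad enough to catch pods that were never meant to bypass NMI.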