github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Configure/pod_identity_in_managed_mode.md

---
title: "Pod Identity in Managed Mode"
linkTitle: "Pod Identity in Managed Mode"
weight: 6
description: >
  In this mode, there is only the NMI component deployed in the cluster. The identity assignment needs to be manually performed.
---

> Available from 1.6.0 release

> NOTE: The AKS pod-managed identities add-on installs AAD Pod Identity in Managed mode.

## Introduction

Starting from the 1.6.0 release, two modes of operation are supported for pod-identity:

- Standard Mode
- Managed Mode

### Standard Mode

This is the default mode in which pod-identity is deployed. In this mode, there are two components, MIC (Managed Identity Controller) and NMI (Node Managed Identity). MIC handles the identity assignment to, and removal from, the underlying VM/VMSS when pods using the identity are created or deleted.

### Managed Mode

In this mode, only the NMI component is deployed in the cluster. The identity assignment to the VM/VMSS needs to be performed manually.

Deploy `aad-pod-identity` components to an RBAC-enabled cluster in managed mode:

- This installs NMI in managed mode in the kube-system namespace

```bash
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/managed-mode-deployment.yaml
```

**NOTE** Managed mode is only supported in namespaced mode. This ensures pods in a namespace are only matched with `AzureIdentity` and `AzureIdentityBinding` resources in the same namespace.

#### Helm

AAD Pod Identity allows users to customize their installation via Helm.

```bash
helm repo add aad-pod-identity https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts
helm install aad-pod-identity aad-pod-identity/aad-pod-identity --set operationMode=managed
```

##### Values

For a list of customizable values that can be injected when invoking `helm install`, please see the [Helm chart configurations](https://github.com/Azure/aad-pod-identity/tree/master/charts/aad-pod-identity#configuration).

To assign the identity to a VM, run the following command:

```shell
az vm identity assign -g <VM resource group name> -n <VM name> --identities <resource ID of managed identity>
```

To assign the identity to a VMSS, run the following command:

```shell
az vmss identity assign -g <VM resource group name> -n <VMSS name> --identities <resource ID of managed identity>
```

## Why use Managed mode

- Identity assignment on a VM takes 10-20s, and 40-60s in the case of a VMSS. For cronjobs or applications that require access to the identity and can't tolerate the assignment delay, it's best to use managed mode, as the identity is manually pre-assigned to the VM/VMSS.
- In standard mode, MIC requires write permissions on the VM/VMSS and the Managed Identity Operator permission on all user-assigned MSIs. When running in managed mode there is no MIC, so those role assignments are not required.
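The following shell script is an added example, not code from the aad-pod-identity project. It wraps the two manual steps managed mode leaves to the operator: assigning the user-assigned identity to the VM or VMSS with the `az ... identity assign` commands shown above, and creating the `AzureIdentity` and `AzureIdentityBinding` in the same namespace as the workload (managed mode is namespaced-only). Before it emits the assignment command it checks that the value passed to `--identities` is the full ARM resource ID of a `Microsoft.ManagedIdentity/userAssignedIdentities` resource rather than the identity's client ID, since the two are easy to confuse. The `userAssignedIdentities` query path used in the verification command is assumed from the shape of `az vm identity show` output; the subscription, resource group, identity and pod selector values at the bottom are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-flight helper for the manual steps of pod-identity managed mode.
# Nothing here calls az or kubectl; the functions print commands and manifests
# for review, and the caller pipes them to a shell or to kubectl when satisfied.
set -eu

# Pattern for the ARM resource ID of a user-assigned managed identity. The
# --identities flag of "az vm/vmss identity assign" wants this full ID, not the
# identity's client ID (a bare GUID) or principal ID.
MI_ID_RE='^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$'

# validate_identity_id ID -> exit 0 if ID looks like a user-assigned identity resource ID
validate_identity_id() {
  printf '%s' "$1" | grep -Eq "$MI_ID_RE"
}

# build_assign_cmd vm|vmss RESOURCE_GROUP NAME IDENTITY_ID
# Prints the az command from the page for the chosen compute kind, after
# checking the kind and the identity ID, so a typo fails here instead of in Azure.
build_assign_cmd() {
  kind="$1"; rg="$2"; name="$3"; id="$4"
  case "$kind" in
    vm|vmss) ;;
    *) echo "kind must be vm or vmss, got: $kind" >&2; return 1 ;;
  esac
  validate_identity_id "$id" || {
    echo "not a user-assigned managed identity resource ID: $id" >&2
    return 1
  }
  printf 'az %s identity assign -g %s -n %s --identities %s\n' "$kind" "$rg" "$name" "$id"
}

# build_verify_cmd vm|vmss RESOURCE_GROUP NAME
# Prints a command that lists the user-assigned identities now on the VM/VMSS,
# so the operator can confirm the assignment before the pods start.
# (Query path assumed from the az CLI output shape.)
build_verify_cmd() {
  printf 'az %s identity show -g %s -n %s --query userAssignedIdentities\n' "$1" "$2" "$3"
}

# render_manifests NAMESPACE IDENTITY_NAME RESOURCE_ID CLIENT_ID SELECTOR
# Prints the AzureIdentity (type 0 = user-assigned MSI) and the AzureIdentityBinding.
# Both carry the workload's namespace: in managed mode NMI only matches pods
# against identities and bindings in the pod's own namespace. Pods opt in with
# the label aadpodidbinding=<SELECTOR>.
render_manifests() {
  cat <<EOF
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: $2
  namespace: $1
spec:
  type: 0
  resourceID: $3
  clientID: $4
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: $2-binding
  namespace: $1
spec:
  azureIdentity: $2
  selector: $5
EOF
}

# Constructed placeholder values for a dry run; replace with real ones.
EXAMPLE_ID='/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/example-mi'
EXAMPLE_CLIENT_ID='11111111-2222-3333-4444-555555555555'

build_assign_cmd vmss example-rg example-vmss "$EXAMPLE_ID"
build_verify_cmd vmss example-rg example-vmss
render_manifests demo example-mi "$EXAMPLE_ID" "$EXAMPLE_CLIENT_ID" demo-app
```

Run it as-is to review the generated commands and manifests; to apply, pipe the first two lines to `sh` and the manifest block to `kubectl apply -f -`. Passing the client ID instead of the resource ID, or `disk` instead of `vm`/`vmss`, makes `build_assign_cmd` fail with a message on stderr rather than emitting a command.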