github.com/Azure/aad-pod-identity@v1.8.17/website/content/en/docs/Configure/standard_to_managed_mode.md

---
title: "Migrating from Standard to Managed Mode"
linkTitle: "Migrating from Standard to Managed Mode"
weight: 6
description: >
  Migrating from Standard to Managed mode for AAD Pod Identity
---

> Available from 1.6.0 release

## Introduction

AAD Pod Identity supports 2 modes of operation ([full explanation of both modes](https://azure.github.io/aad-pod-identity/docs/configure/pod_identity_in_managed_mode/)):

1. Standard Mode: In this mode, the MIC and NMI components are deployed to the cluster. MIC handles assigning/un-assigning the identity to the underlying VM/VMSS. NMI intercepts token requests, validates that the pod has access to the identity it is requesting a token for, and fetches the token on behalf of the application.
2. Managed Mode: In this mode, only NMI is deployed. The identity needs to be manually assigned and managed by the user. Refer to [this doc](../pod_identity_in_managed_mode) for more details on this mode.

## Steps to migrate AAD Pod Identity from Standard to Managed mode

If you already have AAD Pod Identity set up in Standard mode and would like to migrate to Managed mode:

> NOTE: AAD Pod Identity in Managed Mode only works in namespaced mode. This means the `AzureIdentity` and `AzureIdentityBinding` need to be in the same namespace as the application pod referencing them. This is to ensure RBAC best practices. If you're running in non-namespaced mode, move the `AzureIdentity` and `AzureIdentityBinding` to the correct namespaces before proceeding with the steps.

1. Assign the pod identities to the VM/VMSS:

   To assign the identity to the VM, run the following command:

   ```shell
   az vm identity assign -g <VM resource group name> -n <VM name> --identities <resource ID of managed identity>
   ```

   To assign the identity to VMSS, run the following command:

   ```shell
   az vmss identity assign -g <VM resource group name> -n <VMSS name> --identities <resource ID of managed identity>
   ```

2. Delete the MIC deployment and NMI daemonset

   ```shell
   kubectl delete deploy <mic deployment name> -n <namespace>
   kubectl delete daemonset <nmi daemonset name> -n <namespace>
   ```

   Delete the MIC service account, cluster role and cluster role binding:

   ```shell
   kubectl delete sa aad-pod-id-mic-service-account -n <namespace>
   kubectl delete clusterrole aad-pod-id-mic-role
   kubectl delete clusterrolebinding aad-pod-id-mic-binding
   ```

3. Delete AzureAssignedIdentity custom resource definition

   The `AzureAssignedIdentity` is created and managed by MIC in standard mode. This is not required for managed mode.

   Refer to [this doc](../../troubleshooting/#unable-to-remove-azureassignedidentity-after-mic-pods-are-deleted) on how to delete the `AzureAssignedIdentities`.

4. Install AAD Pod Identity in managed mode

   Refer to [this doc](../pod_identity_in_managed_mode) on how to install AAD Pod Identity in managed mode.
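A pre-flight check for the namespaced-mode requirement in the NOTE and for the identity list needed in step 1, added here as an example and not part of the AAD Pod Identity project. It assumes the input is the `items` list from `kubectl get azureidentity,azureidentitybinding,pods -A -o json`; the sample objects, the `obj` helper and the `preflight` function are constructed for illustration.

```python
# Added example: find pods that would lose their identity in namespaced mode.
# Resource IDs below are placeholders; all sample objects are constructed.
RID_A = "/subscriptions/<sub>/resourcegroups/<rg>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/id-a"
RID_B = RID_A[:-1] + "b"

def obj(kind, ns, name, spec=None, labels=None):
    return {"kind": kind, "metadata": {"namespace": ns, "name": name, "labels": labels or {}}, "spec": spec or {}}

SAMPLE = [  # real input: json.load(f)["items"] from the kubectl command in the lead-in
    obj("AzureIdentity", "app", "id-a", {"type": 0, "resourceID": RID_A}),
    obj("AzureIdentityBinding", "app", "bind-a", {"azureIdentity": "id-a", "selector": "sel-a"}),
    obj("Pod", "app", "web", labels={"aadpodidbinding": "sel-a"}),
    obj("AzureIdentity", "default", "id-b", {"type": 0, "resourceID": RID_B}),
    obj("AzureIdentityBinding", "default", "bind-b", {"azureIdentity": "id-b", "selector": "sel-b"}),
    obj("Pod", "jobs", "worker", labels={"aadpodidbinding": "sel-b"}),  # binding lives in "default"
    obj("AzureIdentityBinding", "jobs", "bind-c", {"azureIdentity": "id-b", "selector": "sel-c"}),
    obj("Pod", "jobs", "cron", labels={"aadpodidbinding": "sel-c"}),    # identity lives in "default"
]

def preflight(items):
    """Return (resource IDs to assign in step 1, pods that break in namespaced mode)."""
    identities, bindings, pods = {}, {}, []
    for it in items:
        meta, spec = it["metadata"], it.get("spec") or {}
        ns, name = meta.get("namespace", "default"), meta["name"]
        if it["kind"] == "AzureIdentity":
            identities[(ns, name)] = spec.get("resourceID")
        elif it["kind"] == "AzureIdentityBinding":
            bindings.setdefault((ns, spec["selector"]), []).append(spec["azureIdentity"])
        elif it["kind"] == "Pod":
            selector = (meta.get("labels") or {}).get("aadpodidbinding")
            if selector:
                pods.append((ns, name, selector))
    needed, problems = set(), []
    for ns, pod, selector in pods:
        names = bindings.get((ns, selector))
        if not names:
            problems.append(f"{ns}/{pod}: no AzureIdentityBinding with selector '{selector}' in namespace '{ns}'")
            continue
        for ident in names:
            if (ns, ident) not in identities:
                problems.append(f"{ns}/{pod}: AzureIdentity '{ident}' is not in namespace '{ns}'")
            elif identities[(ns, ident)]:
                needed.add(identities[(ns, ident)])
    return sorted(needed), problems

if __name__ == "__main__":
    ids, problems = preflight(SAMPLE)
    print("assign to VM/VMSS:", *ids, sep="\n  ")
    print("fix before migrating:", *problems, sep="\n  ")
```

An empty problem list means every labelled pod resolves its binding and identity within its own namespace; the returned resource IDs are the values for `--identities` in step 1.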