---
title: "Documentation"
linkTitle: "Documentation"
menu:
  main:
    weight: 20
---

## 📣 Announcement

**❗ IMPORTANT**: As of Monday 10/24/2022, AAD Pod Identity is **deprecated**. As mentioned in the [announcement](https://cloudblogs.microsoft.com/opensource/2022/01/18/announcing-azure-active-directory-azure-ad-workload-identity-for-kubernetes/), AAD Pod Identity has been replaced with [Azure Workload Identity](https://azure.github.io/azure-workload-identity). Going forward, we will no longer add new features or bug fixes to this project in favor of Azure Workload Identity, which reached [General Availability (GA) in Azure Kubernetes Service (AKS)](https://azure.microsoft.com/en-us/updates/ga-azure-active-directory-workload-identity-with-aks-2/). We will provide CVE patches until September 2023, at which time the project will be archived. **There will be no new releases after September 2023.**

AAD Pod Identity enables Kubernetes applications to access cloud resources securely with [Azure Active Directory](https://azure.microsoft.com/en-us/services/active-directory/) using a user-assigned managed identity or a service principal.

> Note: Configuring a system-assigned managed identity with AAD Pod Identity to access cloud resources is not supported.

Using Kubernetes primitives, administrators configure identities and bindings that match pods. Then, without any code modifications, your containerized applications can use any cloud resource that relies on AAD as its identity provider.

## Breaking Changes

### v1.8.4

The metadata header required flag is enabled by default to prevent SSRF attacks. See [Metadata Header Required](./configure/feature_flags/#metadata-header-required-flag) for more information.
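The check behind that flag, as an added illustration (this is example Python written for this page, not NMI's own Go code; the decision reasons and the sample requests are constructed): requiring the `Metadata: true` header means a token request that the application was tricked into making on someone else's behalf, which typically cannot carry an arbitrary custom header, is refused before any identity lookup happens, while the Azure SDKs, which always send the header, are unaffected.

```python
# Added example, not aad-pod-identity code: a minimal model of the request
# check that --metadata-header-required enables in NMI. Azure IMDS requires
# clients to send "Metadata: true" and the Azure SDKs do so; a token request
# arriving without it was most likely not issued by the workload's own SDK.
# The reason strings are this example's own, not values from the project.
from typing import Mapping, Tuple


def has_metadata_header(headers: Mapping[str, str]) -> bool:
    """True if the request carries Metadata: true (HTTP header names are case-insensitive)."""
    return any(
        name.lower() == "metadata" and value.strip().lower() == "true"
        for name, value in headers.items()
    )


def check_token_request(headers: Mapping[str, str],
                        metadata_header_required: bool = True) -> Tuple[bool, str]:
    """Decide whether a request for the identity token endpoint may proceed.

    Returns (allowed, reason). With the flag on (the default since v1.8.4) a
    request without the header is refused before any identity lookup happens.
    """
    if has_metadata_header(headers):
        return True, "metadata header present"
    if metadata_header_required:
        return False, "missing required header Metadata: true"
    return True, "header check disabled by --metadata-header-required=false"


# Constructed sample requests: what an Azure SDK sends versus a request that
# carries only the headers a generic HTTP client adds on its own.
SAMPLE_REQUESTS = {
    "sdk-client": {"Metadata": "true", "User-Agent": "azsdk-python-identity"},
    "sdk-client-lowercase": {"metadata": "TRUE"},
    "forged-no-header": {"User-Agent": "Mozilla/5.0", "Accept": "*/*"},
    "wrong-value": {"Metadata": "false"},
}


def evaluate_samples(metadata_header_required: bool = True) -> dict:
    """Map each sample request name to its allow/deny decision under the given flag setting."""
    return {
        name: check_token_request(hdrs, metadata_header_required)[0]
        for name, hdrs in SAMPLE_REQUESTS.items()
    }


if __name__ == "__main__":
    print("flag on :", evaluate_samples(True))
    print("flag off:", evaluate_samples(False))
```

Running it with the flag on denies only the two requests that lack a valid `Metadata: true` header; with the flag off every sample is allowed, which is exactly the protection you give up by setting `--metadata-header-required=false`.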
To disable the metadata header check, set `--metadata-header-required=false` in the NMI [container args](https://github.com/Azure/aad-pod-identity/blob/v1.8.6/deploy/infra/deployment-rbac.yaml#L483).

### v1.8.0

- The API version of Pod Identity's CRDs (`AzureIdentity`, `AzureIdentityBinding`, `AzureAssignedIdentity`, `AzurePodIdentityException`) has been upgraded from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`. On Kubernetes clusters older than 1.16, `apiextensions.k8s.io/v1` CRDs do not work. You can either:
  1. continue using AAD Pod Identity v1.7.5, or
  2. upgrade your cluster to 1.16+, then upgrade AAD Pod Identity.

If AAD Pod Identity was previously installed using Helm, a subsequent `helm install` or `helm upgrade` will not upgrade the CRD API version from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`. (`kubectl get crd -oyaml` still displays `apiextensions.k8s.io/v1`, because the API server internally converts v1beta1 CRDs to v1; that converted CRD, however, lacks a [structural schema](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#specifying-a-structural-schema), which is what AAD Pod Identity introduced in v1.8.0.) If you wish to upgrade to the official v1 CRDs for AAD Pod Identity:

```bash
kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts/aad-pod-identity/crds/crd.yaml
```

With [managed mode](./configure/pod_identity_in_managed_mode) enabled, you can remove the unused AzureAssignedIdentity CRD if you wish.

```bash
# MANAGED MODE ONLY!
kubectl delete crd azureassignedidentities.aadpodidentity.k8s.io
```

### v1.7.5

- AAD Pod Identity has dropped Helm 2 support starting from chart version 4.0.0 / app version 1.7.5. To install or upgrade to the latest version of AAD Pod Identity, use Helm 3 instead.
  Refer to this [guide](https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/) on how to migrate from Helm 2 to Helm 3.

### v1.7.2

- The `forceNameSpaced` helm configuration variable has been removed. Use `forceNamespaced` instead to configure pod identity to run in namespaced mode.

### v1.7.1

- `azureIdentities` in `values.yaml` is now a map keyed by identity name instead of a list of identities.

The following is an example of the required change in `values.yaml` from helm chart 2.x.x to 3.x.x:

```diff
-azureIdentities:
-  - name: "azure-identity"
-    # if not defined, then the azure identity will be deployed in the same namespace as the chart
-    namespace: ""
-    # type 0: MSI, type 1: Service Principal
-    type: 0
-    # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name
-    resourceID: "resource-id"
-    clientID: "client-id"
-    binding:
-      name: "azure-identity-binding"
-      # The selector will also need to be included in labels for app deployment
-      selector: "demo"
+azureIdentities:
+  "azure-identity":
+    # if not defined, then the azure identity will be deployed in the same namespace as the chart
+    namespace: ""
+    # type 0: MSI, type 1: Service Principal
+    type: 0
+    # /subscriptions/subscription-id/resourcegroups/resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/identity-name
+    resourceID: "resource-id"
+    clientID: "client-id"
+    binding:
+      name: "azure-identity-binding"
+      # The selector will also need to be included in labels for app deployment
+      selector: "demo"
```

### v1.7.0

- With [Azure/aad-pod-identity#842](https://github.com/Azure/aad-pod-identity/pull/842), aad-pod-identity no longer works on clusters with kubenet as the network plugin. For more details, please see [Deploy AAD Pod Identity in a Cluster with Kubenet](configure/aad_pod_identity_on_kubenet/).
If you still wish to install aad-pod-identity on a kubenet-enabled cluster, set the helm chart value `nmi.allowNetworkPluginKubenet` to `true` in the helm command:

```bash
helm (install|upgrade) ... --set nmi.allowNetworkPluginKubenet=true ...
```

### v1.6.0

With [Azure/aad-pod-identity#398](https://github.com/Azure/aad-pod-identity/pull/398), the [client-go](https://github.com/kubernetes/client-go) library is upgraded to v0.17.2, where CRD [fields are now case sensitive](https://github.com/kubernetes/kubernetes/issues/64612). If you are upgrading MIC and NMI from v1.x.x to v1.6.0, MIC v1.6.0+ will upgrade the fields of existing `AzureIdentity` and `AzureIdentityBinding` resources on startup to the new format to ensure backward compatibility. A ConfigMap called `aad-pod-identity-config` is created to record and confirm the successful type upgrade.

However, `AzureIdentity` and `AzureIdentityBinding` resources created with v1.6.0+ must use the following renamed fields:

### `AzureIdentity`

| < 1.6.0          | >= 1.6.0         |
| ---------------- | ---------------- |
| `ClientID`       | `clientID`       |
| `ClientPassword` | `clientPassword` |
| `ResourceID`     | `resourceID`     |
| `TenantID`       | `tenantID`       |

### `AzureIdentityBinding`

| < 1.6.0         | >= 1.6.0        |
| --------------- | --------------- |
| `AzureIdentity` | `azureIdentity` |
| `Selector`      | `selector`      |

### `AzurePodIdentityException`

| < 1.6.0     | >= 1.6.0    |
| ----------- | ----------- |
| `PodLabels` | `podLabels` |

## Ready to get started?

To get started, see the [Getting Started](./getting-started/) page, or visit the [GitHub repo](https://github.com/Azure/aad-pod-identity).
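As a closing worked example for two of the upgrade steps listed under Breaking Changes above, the chart-values changes of v1.7.2 (`forceNameSpaced` renamed to `forceNamespaced`) and v1.7.1 (`azureIdentities` list to map), and the v1.6.0 field renames in the three tables. This is added example code written for this page, not a tool shipped by the project; it works on plain Python dicts so it runs without PyYAML (in practice you would `yaml.safe_load` the file first and `yaml.safe_dump` the result), and the sample values and manifest are constructed.

```python
# Added example, not aad-pod-identity code: helpers for migrating (1) a chart
# values file from the 2.x.x layout to the 3.x.x layout and (2) the spec fields
# of a Pod Identity custom resource from the pre-1.6.0 PascalCase names to the
# camelCase names the tables above list. The sample inputs are constructed.
import copy

# Field renames from the v1.6.0 tables, keyed by CRD kind; all live under .spec.
FIELD_RENAMES = {
    "AzureIdentity": {"ClientID": "clientID", "ClientPassword": "clientPassword",
                      "ResourceID": "resourceID", "TenantID": "tenantID"},
    "AzureIdentityBinding": {"AzureIdentity": "azureIdentity", "Selector": "selector"},
    "AzurePodIdentityException": {"PodLabels": "podLabels"},
}


def migrate_chart_values(values: dict) -> dict:
    """Return a copy of chart values converted from the 2.x.x to the 3.x.x layout.

    Safe to run twice: values already in the new layout are returned unchanged.
    """
    out = copy.deepcopy(values)
    # v1.7.2: forceNameSpaced -> forceNamespaced (refuse to guess if both disagree)
    if "forceNameSpaced" in out:
        if "forceNamespaced" in out and out["forceNamespaced"] != out["forceNameSpaced"]:
            raise ValueError("forceNameSpaced and forceNamespaced disagree; resolve manually")
        out["forceNamespaced"] = out.pop("forceNameSpaced")
    # v1.7.1: azureIdentities list -> map keyed by each entry's name, name key dropped
    ids = out.get("azureIdentities")
    if isinstance(ids, list):
        as_map = {}
        for entry in ids:
            if "name" not in entry:
                raise ValueError("azureIdentities entry without a name cannot become a map key")
            name = entry["name"]
            if name in as_map:
                raise ValueError(f"duplicate azureIdentities name {name!r}")
            as_map[name] = {k: v for k, v in entry.items() if k != "name"}
        out["azureIdentities"] = as_map
    return out


def migrate_manifest_fields(manifest: dict) -> dict:
    """Rename legacy PascalCase spec fields of a Pod Identity CR to the v1.6.0+ names."""
    renames = FIELD_RENAMES.get(manifest.get("kind"))
    out = copy.deepcopy(manifest)
    if renames is None:
        return out  # not a Pod Identity kind; leave untouched
    spec = out.setdefault("spec", {})
    for old, new in renames.items():
        if old in spec:
            if new in spec and spec[new] != spec[old]:
                raise ValueError(f"{old} and {new} are both set with different values")
            spec[new] = spec.pop(old)
    return out


# Constructed sample: chart values in the 2.x.x layout.
OLD_VALUES = {
    "forceNameSpaced": True,
    "azureIdentities": [
        {"name": "azure-identity", "namespace": "", "type": 0,
         "resourceID": "resource-id", "clientID": "client-id",
         "binding": {"name": "azure-identity-binding", "selector": "demo"}},
    ],
}

# Constructed sample: an AzureIdentity written with the pre-1.6.0 field names.
OLD_IDENTITY = {
    "apiVersion": "aadpodidentity.k8s.io/v1",
    "kind": "AzureIdentity",
    "metadata": {"name": "demo-identity"},
    "spec": {"type": 0, "ResourceID": "resource-id", "ClientID": "client-id"},
}

if __name__ == "__main__":
    print(migrate_chart_values(OLD_VALUES))
    print(migrate_manifest_fields(OLD_IDENTITY)["spec"])
```

Both helpers refuse to silently pick a winner when the old and new key are present with different values, which is the case you want to surface during an upgrade rather than have a wrong identity binding applied; everything else in the document (comments aside, which a YAML round-trip drops) is preserved as-is.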