apiVersion: v1 kind: ServiceAccount metadata: name: aad-pod-id-nmi-service-account namespace: default --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: unapproved controller-gen.kubebuilder.io/version: v0.5.0 name: azureassignedidentities.aadpodidentity.k8s.io spec: group: aadpodidentity.k8s.io names: kind: AzureAssignedIdentity listKind: AzureAssignedIdentityList plural: azureassignedidentities singular: azureassignedidentity scope: Namespaced versions: - name: v1 schema: openAPIV3Schema: description: AzureAssignedIdentity contains the identity <-> pod mapping which is matched. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: AzureAssignedIdentitySpec contains the relationship between an AzureIdentity and an AzureIdentityBinding. properties: azureBindingRef: description: AzureBindingRef is an embedded resource referencing the AzureIdentityBinding used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present. properties: azureIdentity: type: string metadata: type: object selector: type: string weight: description: Weight is used to figure out which of the matching identities would be selected. type: integer type: object status: description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding. properties: availableReplicas: format: int32 type: integer metadata: type: object type: object type: object x-kubernetes-embedded-resource: true azureIdentityRef: description: AzureIdentityRef is an embedded resource referencing the AzureIdentity used by the AzureAssignedIdentity, which requires x-kubernetes-embedded-resource fields to be true properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: AzureIdentitySpec describes the credential specifications of an identity on Azure. properties: adEndpoint: type: string adResourceID: description: For service principal. Option param for specifying the AD details. type: string auxiliaryTenantIDs: description: Service principal auxiliary tenant ids items: type: string nullable: true type: array clientID: description: Both User Assigned MSI and SP can use this field. type: string clientPassword: description: Used for service principal properties: name: description: Name is unique within a namespace to reference a secret resource. type: string namespace: description: Namespace defines the space within which the secret name must be unique. type: string type: object metadata: type: object replicas: format: int32 nullable: true type: integer resourceID: description: User assigned MSI resource id. type: string tenantID: description: Service principal primary tenant id. type: string type: description: UserAssignedMSI or Service Principal type: integer type: object status: description: AzureIdentityStatus contains the replica status of the resource. properties: availableReplicas: format: int32 type: integer metadata: type: object type: object type: object x-kubernetes-embedded-resource: true metadata: type: object nodename: type: string pod: type: string podNamespace: type: string replicas: format: int32 nullable: true type: integer type: object status: description: AzureAssignedIdentityStatus contains the replica status of the resource. properties: availableReplicas: format: int32 type: integer metadata: type: object status: type: string type: object type: object served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: unapproved controller-gen.kubebuilder.io/version: v0.5.0 name: azureidentities.aadpodidentity.k8s.io spec: group: aadpodidentity.k8s.io names: kind: AzureIdentity listKind: AzureIdentityList plural: azureidentities singular: azureidentity scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .spec.type name: Type type: string - jsonPath: .spec.clientID name: ClientID type: string - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: description: AzureIdentity is the specification of the identity data structure. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: AzureIdentitySpec describes the credential specifications of an identity on Azure. properties: adEndpoint: type: string adResourceID: description: For service principal. Option param for specifying the AD details. type: string auxiliaryTenantIDs: description: Service principal auxiliary tenant ids items: type: string nullable: true type: array clientID: description: Both User Assigned MSI and SP can use this field. type: string clientPassword: description: Used for service principal properties: name: description: Name is unique within a namespace to reference a secret resource. type: string namespace: description: Namespace defines the space within which the secret name must be unique. type: string type: object metadata: type: object replicas: format: int32 nullable: true type: integer resourceID: description: User assigned MSI resource id. type: string tenantID: description: Service principal primary tenant id. type: string type: description: UserAssignedMSI or Service Principal type: integer type: object status: description: AzureIdentityStatus contains the replica status of the resource. properties: availableReplicas: format: int32 type: integer metadata: type: object type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: unapproved controller-gen.kubebuilder.io/version: v0.5.0 name: azureidentitybindings.aadpodidentity.k8s.io spec: group: aadpodidentity.k8s.io names: kind: AzureIdentityBinding listKind: AzureIdentityBindingList plural: azureidentitybindings singular: azureidentitybinding scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .spec.azureIdentity name: AzureIdentity type: string - jsonPath: .spec.selector name: Selector type: string - description: CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: description: AzureIdentityBinding brings together the spec of matching pods and the identity which they can use. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: AzureIdentityBindingSpec matches the pod with the Identity. Used to indicate the potential matches to look for between the pod/deployment and the identities present. properties: azureIdentity: type: string metadata: type: object selector: type: string weight: description: Weight is used to figure out which of the matching identities would be selected. type: integer type: object status: description: AzureIdentityBindingStatus contains the status of an AzureIdentityBinding. properties: availableReplicas: format: int32 type: integer metadata: type: object type: object type: object served: true storage: true subresources: {} status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: unapproved controller-gen.kubebuilder.io/version: v0.5.0 name: azurepodidentityexceptions.aadpodidentity.k8s.io spec: group: aadpodidentity.k8s.io names: kind: AzurePodIdentityException listKind: AzurePodIdentityExceptionList plural: azurepodidentityexceptions singular: azurepodidentityexception scope: Namespaced versions: - name: v1 schema: openAPIV3Schema: description: AzurePodIdentityException contains the pod selectors for all pods that don't require NMI to process and request token on their behalf. properties: apiVersion: description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' type: string kind: description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string metadata: type: object spec: description: AzurePodIdentityExceptionSpec matches pods with the selector defined. If request originates from a pod that matches the selector, nmi will proxy the request and send response back without any validation. properties: metadata: type: object podLabels: additionalProperties: type: string type: object type: object status: description: AzurePodIdentityExceptionStatus contains the status of an AzurePodIdentityException. properties: metadata: type: object status: type: string type: object type: object served: true storage: true status: acceptedNames: kind: "" plural: "" conditions: [] storedVersions: [] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aad-pod-id-nmi-role rules: - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list"] - apiGroups: [""] resources: ["pods"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["secrets"] verbs: ["get"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azureidentitybindings", "azureidentities", "azurepodidentityexceptions"] verbs: ["get", "list", "watch"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azureassignedidentities"] verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: aad-pod-id-nmi-binding labels: k8s-app: aad-pod-id-nmi-binding subjects: - kind: ServiceAccount name: aad-pod-id-nmi-service-account namespace: default roleRef: kind: ClusterRole name: aad-pod-id-nmi-role apiGroup: rbac.authorization.k8s.io --- apiVersion: apps/v1 kind: DaemonSet metadata: labels: component: nmi tier: node k8s-app: aad-pod-id name: nmi namespace: default spec: updateStrategy: type: RollingUpdate selector: matchLabels: component: nmi tier: node template: metadata: labels: component: nmi tier: node spec: serviceAccountName: aad-pod-id-nmi-service-account hostNetwork: true dnsPolicy: ClusterFirstWithHostNet volumes: - hostPath: path: /run/xtables.lock type: FileOrCreate name: iptableslock - name: kubelet-config hostPath: path: /etc/default/kubelet type: FileOrCreate containers: - name: nmi image: "mcr.microsoft.com/oss/azure/aad-pod-identity/nmi:v1.8.17" args: - "--node=$(NODE_NAME)" - "--http-probe-port=8085" - "--enableScaleFeatures=true" - "--metadata-header-required=true" env: - name: HOST_IP valueFrom: fieldRef: fieldPath: status.podIP - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName resources: limits: cpu: 200m memory: 512Mi requests: cpu: 100m memory: 256Mi securityContext: runAsUser: 0 capabilities: drop: - ALL add: - DAC_READ_SEARCH - NET_ADMIN - NET_RAW volumeMounts: - mountPath: /run/xtables.lock name: iptableslock - name: kubelet-config mountPath: /etc/default/kubelet readOnly: true livenessProbe: httpGet: path: /healthz port: 8085 initialDelaySeconds: 10 periodSeconds: 5 tolerations: - operator: Exists nodeSelector: kubernetes.io/os: linux --- apiVersion: v1 kind: ServiceAccount metadata: name: aad-pod-id-mic-service-account namespace: default --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: aad-pod-id-mic-role rules: - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["*"] - apiGroups: [""] resources: ["pods", "nodes"] verbs: [ "list", "watch" ] - apiGroups: [""] resources: ["events"] verbs: ["create", "patch"] - apiGroups: [""] resources: ["configmaps"] verbs: ["get", "create", "update"] - apiGroups: [""] resources: ["endpoints"] verbs: ["create", "get","update"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azureidentitybindings", "azureidentities"] verbs: ["get", "list", "watch", "post", "update"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azurepodidentityexceptions"] verbs: ["list", "update"] - apiGroups: ["aadpodidentity.k8s.io"] resources: ["azureassignedidentities"] verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: aad-pod-id-mic-binding labels: k8s-app: aad-pod-id-mic-binding subjects: - kind: ServiceAccount name: aad-pod-id-mic-service-account namespace: default roleRef: kind: ClusterRole name: aad-pod-id-mic-role apiGroup: rbac.authorization.k8s.io --- apiVersion: apps/v1 kind: Deployment metadata: labels: component: mic k8s-app: aad-pod-id name: mic namespace: default spec: replicas: 2 selector: matchLabels: component: mic app: mic template: metadata: labels: component: mic app: mic spec: serviceAccountName: aad-pod-id-mic-service-account containers: - name: mic image: "mcr.microsoft.com/oss/azure/aad-pod-identity/mic:v1.8.17" args: - "--cloudconfig=/etc/kubernetes/azure.json" - "--logtostderr" securityContext: runAsUser: 0 readOnlyRootFilesystem: true env: - name: MIC_POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace resources: limits: cpu: 200m memory: 1024Mi requests: cpu: 100m memory: 256Mi volumeMounts: - name: k8s-azure-file mountPath: /etc/kubernetes/azure.json readOnly: true livenessProbe: httpGet: path: /healthz port: 8080 initialDelaySeconds: 10 periodSeconds: 5 volumes: - name: k8s-azure-file hostPath: path: /etc/kubernetes/azure.json nodeSelector: kubernetes.io/os: linux