3

Looking at the Terraform documentation, I have trouble determining how to assign a UAMI as the kubelet_identity for an AKS cluster.

The identity { ... } block, which sets the control plane UAMI as described here, is not what I am looking for.

The question is: is there a Terraform way I can assign an additional UAMI apart from the one in the identity {..} block and use it to access ACR?

I want to set a separate UAMI as a kubelet identity as described here.

PMuz
  • 55
  • 8

3 Answers

2

is there a terraform way I can assign additional UAMI apart from the one in identity {..} block and use it to access ACR?

According to the details you provided, you can create an additional UAMI and associate it with the AKS cluster kubelet identity, then assign the role to the UAMI; example code here:

resource "azurerm_kubernetes_cluster" "example" {
  name                = "example-aks1"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  dns_prefix          = "exampleaks1"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  # The provider only accepts kubelet_identity when the control plane identity
  # is UserAssigned; azurerm_user_assigned_identity.control_plane is assumed to exist.
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.control_plane.id]
  }

  kubelet_identity {
    client_id                 = azurerm_user_assigned_identity.kubelet.client_id
    object_id                 = azurerm_user_assigned_identity.kubelet.principal_id
    user_assigned_identity_id = azurerm_user_assigned_identity.kubelet.id
  }
  # ...
}

resource "azurerm_role_assignment" "acr_for_kubelet" {
  # Role assignments take the identity's object (principal) ID, not its client ID.
  principal_id         = azurerm_user_assigned_identity.kubelet.principal_id
  scope                = azurerm_container_registry.container_registry.id
  role_definition_name = "AcrPull"
}

Update:

Actually, when you create the AKS cluster and enable the system-assigned managed identity, it will create two user-assigned identities for the AKS cluster: one to access other resources, and one to manage the AKS cluster itself, and this one is the kubelet identity.

It doesn't make sense to assign the kubelet identity permission to access the ACR. What you need to do is assign the AKS identity permission to access the ACR, or use a secret and service account inside Kubernetes to access the ACR.

Charles Xu
  • 29,862
  • 2
  • 22
  • 39
  • Thank you Charles. This covers ACR role creation part however how can I associate that kubelet UAMI with AKS? – PMuz May 25 '21 at 07:03
  • @PMuz My mistake. I updated the answer. Actually, the `kubelet_identity` is the option for the AKS. – Charles Xu May 25 '21 at 07:34
  • can you please tell me what is the version of terraform and azurerm provider you are using? I have tried that and got `"kubelet_identity this value cannot be set"` – PMuz May 25 '21 at 08:12
  • @PMuz You can get details [here](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#kubelet_identity). The Terraform version I use is 0.15.0. – Charles Xu May 25 '21 at 08:21
  • yup, though the link you reference leads to Attributes reference, not arguments. If I understand that correctly this is the list of the AKS cluster attributes that we can get via terraform but not necessarily set. – PMuz May 25 '21 at 10:26
  • @PMuz Apologies for the mistake. That's the attribute of the AKS. I updated the answer. – Charles Xu May 26 '21 at 02:20
  • @PMuz Any updates on the question? Does it solve your problem? If it works for you please accept it. – Charles Xu May 28 '21 at 01:51
  • Hi Charles, regarding your updated answer: what I am looking for is a solution where I set a User Assigned Managed Identity, not a System Managed Identity. As for UAMIs, I want to have control over the UAMIs assigned. Setting a system-managed one, I won't know the UAMI details until I deploy it and it gets generated. I have raised an issue in the azurerm repository and asked to enable the kubelet_identity setting in their provider. – PMuz May 28 '21 at 07:35
  • @PMuz AKS uses the user-assigned managed identity; it creates the user-assigned managed identity for the kubelet. It can be manually changed, and it also makes no sense to assign the kubelet identity to access the ACR. – Charles Xu May 28 '21 at 07:46
  • I guess all in all it comes down to the lack of this functionality in azurerm - https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-kubelet-mi-preview I would like to have control over the kubelet_identity UAMI. – PMuz May 28 '21 at 08:52
  • @PMuz Of course, Terraform lacks various features that are supported by Azure. If Terraform does not support a feature that the Azure CLI command supports, you can use [`local-exec`](https://www.terraform.io/docs/language/resources/provisioners/local-exec.html) to run the Azure CLI command in the Terraform code; this is the workaround here. – Charles Xu May 28 '21 at 09:02
  • Right, I could use local-exec, though that would be for a single azure-cli command. With the link I have provided, it looks like we would have to wrap the whole ARM template in Terraform to deploy the AKS cluster properly. The kubelet_identity can only be assigned with `az aks create` and not with `az aks update`, which would be useful in case of local-exec https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#create-a-cluster-using-kubelet-identity – PMuz May 28 '21 at 09:25
  • @PMuz It seems yes. So I think you can create other resources needed and use the Azure CLI to create the AKS in the terraform. – Charles Xu May 28 '21 at 09:31
  • Thanks for your time Charles. Accepting your answer as the closest one. Will post updates once the azurerm provider allows setting kubelet_identity. – PMuz May 28 '21 at 09:32
  • 1
    @PMuz You're welcome! I think it would be a long time to wait, but I wish that I'm wrong. – Charles Xu May 28 '21 at 09:36
  • 2
    @CharlesXu According to the [docs](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#summary-of-managed-identities), and my experience, the Kubelet identity is what auths to ACR therefore it is necessary to grant the Kubelet UAMI `AcrPull` access to the ACR(s). – Witt Jul 27 '22 at 15:11
1

You need something like this,

resource "azurerm_kubernetes_cluster" "kube_cluster" {
  name                = local.cluster_name
  dns_prefix          = local.cluster_name
  location            = var.location
  resource_group_name = local.resource_group

  default_node_pool {
    name       = "default"
    node_count = 2
    vm_size    = "Standard_DS2_v2"
  }

  identity {
    type                      = "UserAssigned"
    user_assigned_identity_id = data.azurerm_user_assigned_identity.managed_identity.id
  }
}

resource "azurerm_role_assignment" "acr_role_assignment" {
  principal_id         = azurerm_kubernetes_cluster.kube_cluster.kubelet_identity[0].object_id
  scope                = data.azurerm_container_registry.container_registry.id
  role_definition_name = "AcrPull"
}

You can view the whole script here

Sajeetharan
  • 216,225
  • 63
  • 350
  • 396
  • The thing here is that I want to set a separate UAMI as a kubelet identity as described [here](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-kubelet-mi-preview) The approach you have presented describes how to set UAMI for [controlPlane](https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-kubelet-mi-preview) – PMuz May 24 '21 at 18:00
  • Both links are going to the same page, maybe I am wrong! – Sajeetharan May 24 '21 at 18:03
  • ah sorry the difference is between controlplane https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-control-plane-mi and kubelet https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#bring-your-own-kubelet-mi-preview – PMuz May 24 '21 at 18:14
0

There seems to be an option in Terraform to assign UAMI as a kubelet identity. https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/kubernetes_cluster#kubelet_identity

Example:

identity {
  type         = "UserAssigned"
  identity_ids = var.control_plane_user_assigned_managed_identity_ids
}

kubelet_identity {
  client_id                 = var.kubelet_identity_client_id
  object_id                 = var.kubelet_identity_object_id
  user_assigned_identity_id = var.kubelet_identity_user_assigned_identity_id
}

And as stated above, you need to assign the kubelet identity to the ACR as per the doc (this can be done via Terraform azurerm_role_assignment):

https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#add-role-assignment

Use a pre-created kubelet managed identity
A Kubelet identity enables access granted to the existing identity prior to cluster creation. This feature enables scenarios such as connection to ACR with a pre-created managed identity.
qamago
  • 1