0

I tried to use the Azure AAD pod identity and bind a Managed Identity to it. Then I used this pod identity to perform some azure resource actions like creating a resource group. It seems from the log analytics the log entry only contains info that this action is performed by caller with the Managed Identity's object ID. Let's say if now there are two pod identities binding to the same MI, is there a way to differentiate them in the log analytics?

Edit: We have no knowledge about the timestamp of the action and the callerIpAddress in those log entries are same because they are in the same aks cluster

user13643099
  • 25
  • 4
  • Hey @user13643099 had it solved your problem else you can share more details so I can troubleshoot? – Kartik Bhiwapurkar May 11 '22 at 17:25
  • Yeah really appreciate your answer! I think the main thing I would like check is that if it would be possible to differentiate logs in Azure log analytics(azure activity log) by pod-identity when they are using same MIs. – user13643099 May 11 '22 at 20:53
  • Thanks for your gesture and reply. Hope what you are looking for might be possible. – Kartik Bhiwapurkar May 12 '22 at 03:24

1 Answers1

0

• As per the specified limitations of NMI (Node Managed Identity) or pod identity as you can say it, the pod identity modifies the IP tables to intercept calls to the Azure Instance Metadata endpoint. This configuration means any request made to the Metadata endpoint is intercepted by NMI even if the pod doesn't use aad-pod-identity. Thus, as the managed identity assigned to the pod intercepts the requests made to the Azure instance metadata endpoint, you will have to configure the AzurePodIdentityException CRD to match the labels accordingly that are defined earlier in it should be proxied without any processing in it.

• The system pods with kubernetes.azure.com/managedby: aks label in kube-system namespace should be excluded in aad-pod-identity by configuring the AzurePodIdentityException CRD. Hence, you should be able to differentiate and identify the requests from any pod based on the label configuration in CRD. Also, when the pod requests a token from the IMDS endpoint, it does not need to specify the identity, that is figured out automatically by the NMI based on the identity binding in the pod specification for the pod making the request.

For more information regarding this, I would suggest you to please refer to the below links: -

Azure Kubernetes managed identity vs AAD pod identities

https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#limitations

Kartik Bhiwapurkar
  • 4,550
  • 2
  • 4
  • 9