azure: msi: add managed identity field, logic #48854

Merged
merged 4 commits into from
Jul 14, 2017

Conversation

colemickens
Contributor

What this PR does / why we need it: Enables managed service identity support for the Azure cloudprovider. "Managed Service Identity" allows us to ask the Azure Compute infra to provision an identity for the VM. Users can then retrieve the identity and assign it RBAC permissions to talk to Azure ARM APIs for the purpose of the cloudprovider needs.

Per the commit text:

The azure cloudprovider will now use the Managed Service Identity
to retrieve access tokens for the Azure ARM APIs, rather than
requiring hard-coded, user-specified credentials.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): n/a

Special notes for your reviewer: none

Release note:

azure: support retrieving access tokens via managed identity extension

cc: @brendandburns @jdumars @anhowe
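As an added illustration of the change this PR describes, the following Go code was written for this page; it is neither the PR's own diff nor code from the Kubernetes Azure cloud provider. It picks the credential path from a provider config, preferring the managed identity over any static secret, and fetches a token from a managed-identity endpoint against a local stand-in server. The config field names, the /oauth2/token path, and the stand-in's behaviour (refusing requests that lack a Metadata: true header) are assumptions for this example.

```go
// Added example (not code from PR #48854): select the credential path from the
// provider config, then fetch a token from a managed-identity endpoint.
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Config holds the relevant provider settings (JSON names are assumed, not taken from the PR).
type Config struct {
	AADClientID                 string `json:"aadClientId"`
	AADClientSecret             string `json:"aadClientSecret"`
	UseManagedIdentityExtension bool   `json:"useManagedIdentityExtension"`
}

// TokenSource names which credential path a config selects.
type TokenSource string

const (
	SourceManagedIdentity TokenSource = "managed-identity"
	SourceClientSecret    TokenSource = "client-secret"
)

// SelectTokenSource prefers the managed identity whenever it is enabled, so a static
// secret left in the file is never used; otherwise both credential halves are required.
func SelectTokenSource(cfg Config) (TokenSource, error) {
	if cfg.UseManagedIdentityExtension {
		return SourceManagedIdentity, nil
	}
	if cfg.AADClientID == "" || cfg.AADClientSecret == "" {
		return "", errors.New("no managed identity and incomplete client credentials")
	}
	return SourceClientSecret, nil
}

// MSIToken is the part of the token reply the provider needs.
type MSIToken struct {
	AccessToken string `json:"access_token"`
	Resource    string `json:"resource"`
}

// FetchMSIToken POSTs resource=<audience> with the "Metadata: true" header the
// service demands; the endpoint is a parameter so a local test server can stand in.
func FetchMSIToken(client *http.Client, endpoint, resource string) (*MSIToken, error) {
	form := url.Values{"resource": {resource}}
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata", "true")
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("identity endpoint returned HTTP %d", resp.StatusCode)
	}
	var tok MSIToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	if tok.AccessToken == "" {
		return nil, errors.New("identity endpoint reply carried no access_token")
	}
	return &tok, nil
}

// NewFakeMSIHandler stands in for the endpoint: like the real one it refuses requests
// lacking "Metadata: true" and echoes the requested resource with a constructed token.
func NewFakeMSIHandler(token string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.Header.Get("Metadata") != "true" {
			http.Error(w, "Metadata header required", http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(MSIToken{AccessToken: token, Resource: r.PostFormValue("resource")})
	})
}

func main() {
	srv := httptest.NewServer(NewFakeMSIHandler("constructed-token"))
	defer srv.Close()
	src, _ := SelectTokenSource(Config{AADClientSecret: "stale-secret", UseManagedIdentityExtension: true})
	tok, err := FetchMSIToken(srv.Client(), srv.URL+"/oauth2/token", "https://management.azure.com/")
	if err != nil {
		panic(err)
	}
	fmt.Println(src, tok.Resource, tok.AccessToken)
}
```

Run it with go run; the test server replaces the VM-local endpoint, so nothing leaves the machine. The point to take away is the precedence rule: once the managed identity is enabled, a client secret still sitting in the config file is dead weight that should be removed, not a fallback.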

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jul 13, 2017
@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Jul 13, 2017
@colemickens
Contributor Author

/assign @brendandburns

@colemickens colemickens force-pushed the msi branch 2 times, most recently from a3582ce to 770a50a on July 13, 2017 07:59
@k8s-github-robot k8s-github-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 13, 2017
@colemickens
Contributor Author

I added a couple more commits:

  1. refactor azure.go to isolate the config/env parsing and the service principal token logic into reusable functions.
  2. modify the ACR credential provider to use those functions (thereby benefiting from the MSI changes in azure.go).

@colemickens
Contributor Author

colemickens commented Jul 13, 2017

Tried to test the ACR change:

  1. The registry list never seems to return anything, even though the user has access to the entire resource group and I deployed the ACR instance in the same RG as the cluster. I bumped it to v=5 since you list the discovered registries at V(4), but it never lists anything (nor does it show any indication of error).

  2. Even if it did, ACR only accepts client_id/client_secret or admin static password inputs. There's no way to shuttle it an access_token to validate an identity.

Maybe I could just drop the last commit since the refactor could eventually be utilized whenever ACR ships some form of access token auth?


edit: The comment above is not correct. There is potentially a way to support this. I will file a follow-up issue.

The azure cloudprovider will now use the Managed Service Identity
to retrieve access tokens for the Azure ARM APIs, rather than
requiring hard-coded, user-specified credentials.
@colemickens
Contributor Author

I'm stumped on this pull-kubernetes-federation-e2e-gce failure. I can't see how my tests would affect federation, but it's failing consistently through my small changes/rebases...

Any suggestions are appreciated, thanks.

@slack

slack commented Jul 13, 2017

/sig azure

@jdumars
Member

jdumars commented Jul 14, 2017

/retest

@brendandburns
Contributor

/lgtm
/approve no-issue

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 14, 2017
@k8s-github-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: brendandburns, colemickens

Associated issue requirement bypassed by: brendandburns

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 14, 2017
@k8s-github-robot

Automatic merge from submit-queue (batch tested with PRs 47066, 48892, 48933, 48854, 48894)

@k8s-github-robot k8s-github-robot merged commit df47592 into kubernetes:master Jul 14, 2017
k8s-github-robot pushed a commit that referenced this pull request Jul 19, 2017
Automatic merge from submit-queue (batch tested with PRs 48981, 47316, 49180)

azure: acr: support MSI with preview ACR with AAD auth

**What this PR does / why we need it**:

The recently added support for Managed Identity in Azure (#48854) was incompatible with automatic ACR docker credential integration (#48980).

This PR resolves that, by leveraging a feature available in Preview regions, on new managed clusters with support for AAD `access_token` authentication.

Notes:
* This includes code copied from [Azure/acr-docker-credential-helper](https://github.com/Azure/acr-docker-credential-helper). I copied the MIT license from that project and added a copyright line for Microsoft on it. (but one of the hack/verify-* scripts requires the Kubernetes copyright header. So there are two copyright headers in the file now...)
* Eventually this should vendor [Azure/acr-docker-credential-helper](https://github.com/Azure/acr-docker-credential-helper) when it exposes the right functionality.
* This includes a small, non-function-impacting workaround for a temporary service-side bug.


**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #48980

**Special notes for your reviewer**:
Please don't LGTM it without reviewing the `azure_acr_helper.go` file's license header...

**Release note**:
```release-note
azure: acr: support MSI with preview ACR with AAD auth
```
@wojtek-t wojtek-t added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. cherrypick-candidate labels Aug 22, 2017
@wojtek-t wojtek-t added this to the v1.7 milestone Aug 22, 2017
@wojtek-t wojtek-t added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. and removed cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. labels Aug 22, 2017
k8s-github-robot pushed a commit that referenced this pull request Aug 25, 2017
…54-upstream-release-1.7

Automatic merge from submit-queue

Automated cherry pick of #48854

Cherry pick of #48854 on release-1.7.

#48854: azure: msi: add managed identity field, logic
@k8s-cherrypick-bot

Commit found in the "release-1.7" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.
