
Container Service for Kubernetes: ack-pod-identity-webhook

Last Updated: Dec 24, 2024

ack-pod-identity-webhook is a component that helps you use the RAM Roles for Service Accounts (RRSA) feature of Container Service for Kubernetes (ACK). ack-pod-identity-webhook automatically injects into the pods of your application the OpenID Connect (OIDC) token and the environment variables that the application needs to assume a RAM role, so you do not have to configure the OIDC token and environment variables yourself. This topic describes ack-pod-identity-webhook and provides usage notes and release notes for the component.

Introduction

The following figure shows the architecture of ack-pod-identity-webhook.

[Figure: architecture diagram of ack-pod-identity-webhook]

Example

The application in this example uses the RRSA feature to assume the specified role to obtain information about all clusters that belong to the current Alibaba Cloud account. The following resources are used in this example:

  • Namespace: rrsa-demo

  • Service account: demo-sa

  • RAM role: ack-pod-identity-webhook-demo

After you add the pod-identity.alibabacloud.com/injection: 'on' label to the namespace of your pod, ack-pod-identity-webhook automatically injects relevant configurations into the pod based on the annotations of the service account used by the pod. The following steps are performed in this example.

  1. Enable the RRSA feature for the cluster. For more information, see Enable RRSA.

    After RRSA is enabled, obtain the URL and ARN information of the cluster.

  2. Install ack-pod-identity-webhook.

    1. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose Operations > Add-ons.

    2. On the Add-ons page, click the Security tab, find ack-pod-identity-webhook, and then click Install in the lower-right corner.

    3. In the message that appears, confirm the information and click OK.

  3. Create a RAM role named ack-pod-identity-webhook-demo.

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the Create Role panel, select IdP for Select Trusted Entity and click Next.

    5. Configure the following parameters and click OK.

      RAM Role Name: ack-pod-identity-webhook-demo

      IdP Type: OIDC

      Select IdP: ack-rrsa-<cluster_id>, where <cluster_id> is the ID of your cluster.

      Conditions:

      • oidc:iss: Use the default value.

      • oidc:aud: Select sts.aliyuncs.com.

      • oidc:sub: Set the condition operator to StringEquals and the value to system:serviceaccount:<namespace>:<serviceAccountName>. This condition limits the role to a single service account.

        • <namespace>: Specify the namespace of the application.

        • <serviceAccountName>: Specify the name of the service account.

        In this example, enter system:serviceaccount:rrsa-demo:demo-sa.

  4. Attach the AliyunCSReadOnlyAccess policy to the RAM role to grant the required permissions to the application. For more information, see Grant permissions to a RAM role.

  5. Deploy the application.

    1. Create a file named demo.yaml and copy the following content to the file.

      In the following YAML content, the pod-identity.alibabacloud.com/injection: 'on' label is added to the namespace, the pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo annotation is added to the service account, and the auto injection feature of ack-pod-identity-webhook is enabled. For more information about the RRSA demo, see Code.

      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        name: rrsa-demo
        labels:
          pod-identity.alibabacloud.com/injection: 'on'
      
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: demo-sa
        namespace: rrsa-demo
        annotations:
          pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo
      
      ---
      apiVersion: v1
      kind: Pod
      metadata:
        name: demo
        namespace: rrsa-demo
      spec:
        serviceAccountName: demo-sa
        containers:
          - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
            imagePullPolicy: "Always"
            args:
              - rrsa
              - demo
            name: demo
        restartPolicy: OnFailure
    2. Run the following command to deploy the application:

      kubectl apply -f demo.yaml

  6. Run the following command to check whether ack-pod-identity-webhook has injected the required configurations into the pod that is created for the application:

    kubectl -n rrsa-demo get pod demo -o yaml

    Expected output:

    apiVersion: v1
    kind: Pod
    metadata:
      name: demo
      namespace: rrsa-demo
    spec:
      containers:
      - args:
        - rrsa
        - demo
        env:
        - name: ALIBABA_CLOUD_ROLE_ARN
          value: acs:ram::1***:role/ack-pod-identity-webhook-demo
        - name: ALIBABA_CLOUD_OIDC_PROVIDER_ARN
          value: acs:ram::1***:oidc-provider/ack-rrsa-c***
        - name: ALIBABA_CLOUD_OIDC_TOKEN_FILE
          value: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token
        image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
        imagePullPolicy: Always
        name: demo
        volumeMounts:
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-4bwdg
          readOnly: true
        - mountPath: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens
          name: rrsa-oidc-token
          readOnly: true
      restartPolicy: OnFailure
      serviceAccount: demo-sa
      serviceAccountName: demo-sa
      volumes:
      - name: kube-api-access-4bwdg
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
              - key: ca.crt
                path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace
      - name: rrsa-oidc-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: sts.aliyuncs.com
              expirationSeconds: 3600
              path: token

    The output indicates that ack-pod-identity-webhook has injected the following configurations into the pod.

    Environment variables:

      • ALIBABA_CLOUD_ROLE_ARN: the ARN of the RAM role to be assumed.

      • ALIBABA_CLOUD_OIDC_PROVIDER_ARN: the ARN of the OIDC IdP.

      • ALIBABA_CLOUD_OIDC_TOKEN_FILE: the path of the OIDC token file.

    VolumeMount:

      • rrsa-oidc-token: the read-only mount of the OIDC token at /var/run/secrets/ack.alibabacloud.com/rrsa-tokens.

    Volume:

      • rrsa-oidc-token: the projected service account token volume that provides the OIDC token, with the audience sts.aliyuncs.com and the configured expiration.

  7. Run the following command to print the log of the application:

    kubectl -n rrsa-demo logs demo

    Expected output:

    cluster id: cf***, cluster name: foo*
    cluster id: c8***, cluster name: bar*
    cluster id: c4***, cluster name: foob*
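The trust policy created in step 3 only lets the role be assumed when the token's aud and sub claims match the configured conditions, and the projected token expires after the configured number of seconds. The following added example (not code from the page or from the ack-pod-identity-webhook project) reads the three injected environment variables and the mounted token and checks that the token's claims line up with the trust conditions for the rrsa-demo/demo-sa workload. It decodes the claims without verifying the signature (STS verifies it when the token is presented), and when run outside the pod it falls back to a constructed, unsigned sample token whose issuer is an obvious placeholder.

```python
# Added example (not from the page or the project): inspect what the webhook injected into a
# pod and check that the mounted OIDC token matches the trust conditions of the RAM role.
import base64
import json
import os
import time

REQUIRED_ENV = ("ALIBABA_CLOUD_ROLE_ARN", "ALIBABA_CLOUD_OIDC_PROVIDER_ARN",
                "ALIBABA_CLOUD_OIDC_TOKEN_FILE")
EXPECTED_AUDIENCE = "sts.aliyuncs.com"   # the oidc:aud condition in the role trust policy
MAX_TOKEN_TTL = 43200                    # upper bound of the documented expiration range


def expected_subject(namespace, service_account):
    """The oidc:sub value that the role trust policy must contain for this workload."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def missing_env(env):
    """Names of the injected variables that are absent or empty."""
    return [name for name in REQUIRED_ENV if not env.get(name)]


def decode_claims(token):
    """Decode the claims of a compact JWS token. The signature is NOT verified here
    (STS verifies it when the token is presented); use only to inspect claims."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, expected_sub, now=None, expected_aud=EXPECTED_AUDIENCE):
    """Return a list of problems; an empty list means the token matches the trust conditions."""
    now = int(time.time()) if now is None else now
    problems = []
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in (aud or []):
        problems.append(f"aud {aud!r} does not contain {expected_aud!r}")
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} != {expected_sub!r}")
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token is expired or has no exp claim")
    elif isinstance(iat, int) and exp - iat > MAX_TOKEN_TTL:
        problems.append(f"lifetime {exp - iat}s exceeds {MAX_TOKEN_TTL}s")
    return problems


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(sub, aud, iat, exp, iss="https://ISSUER_PLACEHOLDER.example"):
    """Constructed, unsigned sample token for offline use; the issuer is a placeholder."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = {"iss": iss, "sub": sub, "aud": [aud], "iat": iat, "exp": exp}
    return f"{header}.{_b64url(json.dumps(body).encode())}.SIGNATURE_PLACEHOLDER"


def inspect_pod(env, namespace, service_account, token=None):
    """Run the checks against the injected environment, or against a supplied token."""
    problems = [f"missing env {name}" for name in missing_env(env)]
    if token is None and env.get("ALIBABA_CLOUD_OIDC_TOKEN_FILE"):
        with open(env["ALIBABA_CLOUD_OIDC_TOKEN_FILE"]) as f:
            token = f.read()
    if token is not None:
        problems += check_claims(decode_claims(token), expected_subject(namespace, service_account))
    return problems


if __name__ == "__main__":
    # Inside the demo pod the real environment is used; elsewhere fall back to the sample token.
    sample = None if not missing_env(os.environ) else make_sample_token(
        expected_subject("rrsa-demo", "demo-sa"), EXPECTED_AUDIENCE,
        iat=int(time.time()), exp=int(time.time()) + 3600)
    for line in inspect_pod(os.environ, "rrsa-demo", "demo-sa", token=sample) or ["ok"]:
        print(line)
```

Run it inside the demo pod (kubectl -n rrsa-demo exec demo -- python3 check.py, assuming Python is available in the image) to confirm that the sub claim is exactly the value entered in the oidc:sub condition; a mismatch there is the usual cause of AssumeRoleWithOIDC being refused.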

Custom configurations

You can customize the following configurations for ack-pod-identity-webhook: namespace, service account, and pod configurations.

Namespace configuration

Parameter: pod-identity.alibabacloud.com/injection

Type: Label

Description: Specify whether to enable auto injection for the pods in the current namespace.

  • Set the parameter to on to enable namespace-level auto injection.

  • Set the parameter to a value other than on or leave the parameter empty to disable namespace-level auto injection.

Sample code:

apiVersion: v1
kind: Namespace
metadata:
  name: test
  labels:
    pod-identity.alibabacloud.com/injection: 'on'

Service account configuration

Parameter: pod-identity.alibabacloud.com/role-name

Type: Annotation

Description: The name of the RAM role assigned to the service account. If you leave this parameter empty or set it to an invalid value, auto injection does not take effect on the pods that use the service account.

Sample code:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/role-name: test-role

Parameter: pod-identity.alibabacloud.com/service-account-token-expiration

Type: Annotation

Description: The validity period of the OIDC token mounted to the pods that use the service account.

Valid values: 600 to 43200. Unit: seconds.

Default value: 3600. The default value is used when the parameter is set to an invalid value.

Sample code:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/service-account-token-expiration: '3600'

Pod configuration

Parameter: pod-identity.alibabacloud.com/injection

Type: Label

Description: Specify whether to enable auto injection for the pod.

  • Set the parameter to on to enable auto injection.

  • Set the parameter to a value other than on or leave the parameter empty to let the namespace configuration decide whether auto injection is enabled.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: test
  labels:
    pod-identity.alibabacloud.com/injection: 'on'

Parameter: pod-identity.alibabacloud.com/service-account-token-expiration

Type: Annotation

Description: The validity period of the OIDC token mounted to the pod.

Valid values: 600 to 43200. Unit: seconds.

Default value: 3600. The default value is used when the parameter is set to an invalid value.

Note: When this parameter is specified for both the service account and the pod, the setting of the pod prevails.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/service-account-token-expiration: '3600'

Parameter: pod-identity.alibabacloud.com/only-containers

Type: Annotation

Description: Specify the names of the containers in the pod into which you want to inject configurations. Configurations are injected into only the specified containers. Separate multiple container names with commas (,).

If you leave this parameter empty, configurations are injected into all containers in the pod.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/only-containers: 'controller,test'

Parameter: pod-identity.alibabacloud.com/skip-containers

Type: Annotation

Description: Specify the names of the containers in the pod into which you do not want to inject configurations. Separate multiple container names with commas (,).

Note: When a container name is specified in both the pod-identity.alibabacloud.com/only-containers and pod-identity.alibabacloud.com/skip-containers parameters, the container name specified in the pod-identity.alibabacloud.com/only-containers parameter is ignored, so the container is skipped.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/skip-containers: 'controller,test'
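The namespace, service account and pod settings above combine into one decision: whether a pod gets the RRSA token at all, for which containers, for which role and with which token lifetime. The following added example (a model written for this page, not the webhook's own code) encodes those documented rules so you can predict or audit what will be injected before a pod is admitted. It takes the namespace, service account and pod as plain dictionaries in the shape of their Kubernetes objects; the account ID and cluster ID in the generated ARNs are placeholders, and where the page does not say what happens when the pod's expiration value is invalid while the service account's is valid, the model assumes the documented default is used.

```python
# Added example (not the webhook's own code): a model of the injection rules documented
# above. Values marked PLACEHOLDER are not from the page.
DEFAULT_EXPIRATION = 3600                 # seconds, used when the annotation is absent or invalid
MIN_EXPIRATION, MAX_EXPIRATION = 600, 43200
TOKEN_FILE = "/var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token"
TOKEN_AUDIENCE = "sts.aliyuncs.com"

INJECTION_LABEL = "pod-identity.alibabacloud.com/injection"
ROLE_NAME_ANNOTATION = "pod-identity.alibabacloud.com/role-name"
EXPIRATION_ANNOTATION = "pod-identity.alibabacloud.com/service-account-token-expiration"
ONLY_CONTAINERS_ANNOTATION = "pod-identity.alibabacloud.com/only-containers"
SKIP_CONTAINERS_ANNOTATION = "pod-identity.alibabacloud.com/skip-containers"


def injection_enabled(ns_labels, pod_labels):
    """Pod label 'on' always enables; any other pod value defers to the namespace label."""
    if pod_labels.get(INJECTION_LABEL) == "on":
        return True
    return ns_labels.get(INJECTION_LABEL) == "on"


def parse_expiration(raw):
    """Return the expiration in seconds, or None when the value is not an integer in range."""
    try:
        seconds = int(str(raw).strip())
    except (TypeError, ValueError):
        return None
    return seconds if MIN_EXPIRATION <= seconds <= MAX_EXPIRATION else None


def resolve_expiration(sa_annotations, pod_annotations):
    """The pod annotation prevails over the service account; an invalid value falls back to the
    default (assumption: an invalid pod value does not fall through to the service account)."""
    for annotations in (pod_annotations, sa_annotations):
        if EXPIRATION_ANNOTATION in annotations:
            parsed = parse_expiration(annotations[EXPIRATION_ANNOTATION])
            return parsed if parsed is not None else DEFAULT_EXPIRATION
    return DEFAULT_EXPIRATION


def _names(raw):
    return [n.strip() for n in (raw or "").split(",") if n.strip()]


def target_containers(container_names, pod_annotations):
    """only-containers narrows the set; skip-containers removes from it and wins on conflict."""
    only = _names(pod_annotations.get(ONLY_CONTAINERS_ANNOTATION))
    skip = set(_names(pod_annotations.get(SKIP_CONTAINERS_ANNOTATION)))
    candidates = [c for c in container_names if c in only] if only else list(container_names)
    return [c for c in candidates if c not in skip]


def plan_injection(namespace, service_account, pod,
                   account_id="ACCOUNT_ID_PLACEHOLDER", cluster_id="CLUSTER_ID_PLACEHOLDER"):
    """Return the mutation the webhook would apply, or None when nothing is injected."""
    ns_labels = namespace["metadata"].get("labels", {})
    if not injection_enabled(ns_labels, pod["metadata"].get("labels", {})):
        return None
    sa_ann = service_account["metadata"].get("annotations", {})
    pod_ann = pod["metadata"].get("annotations", {})
    role_name = (sa_ann.get(ROLE_NAME_ANNOTATION) or "").strip()
    if not role_name:
        return None   # no role on the service account: auto injection does not take effect
    containers = target_containers([c["name"] for c in pod["spec"]["containers"]], pod_ann)
    return {
        "containers": containers,
        "env": {
            "ALIBABA_CLOUD_ROLE_ARN": f"acs:ram::{account_id}:role/{role_name}",
            "ALIBABA_CLOUD_OIDC_PROVIDER_ARN": f"acs:ram::{account_id}:oidc-provider/ack-rrsa-{cluster_id}",
            "ALIBABA_CLOUD_OIDC_TOKEN_FILE": TOKEN_FILE,
        },
        "token_volume": {"audience": TOKEN_AUDIENCE,
                         "expirationSeconds": resolve_expiration(sa_ann, pod_ann)},
    }


# Constructed sample objects mirroring the demo: namespace label on, a service account with a
# role and a 7200 s expiration, a pod that overrides the expiration and limits the containers.
SAMPLE_NAMESPACE = {"metadata": {"name": "rrsa-demo", "labels": {INJECTION_LABEL: "on"}}}
SAMPLE_SA = {"metadata": {"name": "demo-sa", "annotations": {
    ROLE_NAME_ANNOTATION: "ack-pod-identity-webhook-demo", EXPIRATION_ANNOTATION: "7200"}}}
SAMPLE_POD = {"metadata": {"name": "demo", "annotations": {
    ONLY_CONTAINERS_ANNOTATION: "demo,sidecar", SKIP_CONTAINERS_ANNOTATION: "sidecar",
    EXPIRATION_ANNOTATION: "600"}},
    "spec": {"containers": [{"name": "demo"}, {"name": "sidecar"}, {"name": "logger"}]}}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_injection(SAMPLE_NAMESPACE, SAMPLE_SA, SAMPLE_POD), indent=2))
```

Two consequences of the rules are worth keeping in mind when reviewing a cluster: a namespace-level label means every service account in that namespace that carries a role-name annotation will get credentials injected into all of its pods' containers unless only-containers or skip-containers narrows them, and a pod-level injection label enables injection even in a namespace that has no label, so namespace labels alone do not tell you where tokens are being mounted.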

RRSA SDK demos

Alibaba Cloud SDK V2.0 supports OIDC token authentication of RRSA. By default, all cloud service SDKs that support STS token authentication and are developed based on Alibaba Cloud SDK V2.0 support RRSA OIDC token authentication. The following table describes the supported SDK versions and demos.

  • Go

    Supported SDK version: Alibaba Cloud Credentials for Go 1.2.6 and later. For more information, see Method 6: Use the RAM role of an OIDC IdP.

    Demo: Demos of SDK for Go

  • Java

    Supported SDK version: Alibaba Cloud Credentials for Java 0.2.10 and later. For more information, see Method 6: Use the RAM role of an OIDC IdP.

    Demo: Demos of SDK for Java

  • Python 3

    Supported SDK version: Alibaba Cloud Credentials for Python 0.3.1 and later. For more information, see Method 6: Use the RAM role of an OIDC IdP.

    Demo: Demos of SDK for Python 3

  • Node.js and TypeScript

    Supported SDK version: Alibaba Cloud Credentials for TypeScript/Node.js 2.2.6 and later. For more information, see Method 6: Use the RAM role of an OIDC IdP.

    Demo: Demos of SDK for Node.js and SDK for TypeScript

Release notes

December 2024

Version number: 0.2.0

Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.2.0.11-g2f0c2e7-aliyun

Description: This version is in canary release.

  • Auto injection can be enabled by adding the pod label pod-identity.alibabacloud.com/injection: 'on'.

  • Support for Kubernetes 1.32 is improved.

Release date: 2024-12-19

Impact: If exceptions occur during the component update, pods may fail to be created. We recommend that you perform the update during off-peak hours.

June 2023

Version number: 0.1.1

Image address: registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.1.0-gbddcb74-aliyun

Description: Compatibility with ACK Serverless clusters is improved.

Release date: 2023-06-07

Impact: If exceptions occur during the component update, pods may fail to be created. We recommend that you perform the update during off-peak hours.

February 2023

Version number: 0.1.0

Image address: registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.0.9-g26b8fde-aliyun

Description: OIDC tokens can be automatically mounted and environment variables can be automatically configured for application pods.

Release date: 2023-02-01

Impact: The first version is released.

References

Configure RRSA for service accounts to isolate permissions among pods