Automatically inject OIDC tokens into pods to enable password-free, per-pod RAM role access.
Introduction
ack-pod-identity-webhook uses the Kubernetes MutatingAdmissionWebhook mechanism to simplify RAM Roles for Service Accounts (RRSA) in ACK. It automatically injects OIDC token volume mounts and environment variables into application pods, eliminating manual configuration.
Usage
ack-pod-identity-webhook automates RRSA configuration, allowing pods to directly assume RAM roles. This enables password-free, per-pod permission isolation. See Configure RRSA for service accounts to isolate permissions among pods.
Custom configurations
Customize ack-pod-identity-webhook at the component, namespace, service account, and pod levels.
Component configuration
|
Parameter |
Type |
Description |
|
|
boolean |
Supported in version 0.4.0 and later. Specifies whether to inject STS-related environment variables into pods by default.
|
Namespace configuration
|
Parameter |
Type |
Description |
Sample code |
|
|
label |
Specifies whether to enable automatic configuration injection for pods in the namespace.
|
|
|
|
label |
Supported in version 0.4.2 and later. Specifies whether to enable automatic configuration override for pods in the namespace. If enabled, injected environment variables take precedence over existing ones with the same name.
|
|
Service account configuration
|
Parameter |
Type |
Description |
Sample code |
|
|
annotation |
The RAM role name for this service account. If absent or invalid, no configurations are injected into pods using this service account. |
|
|
|
annotation |
The OIDC token validity period for pods using this service account. Valid values: 600 to 43200. Unit: seconds. Default value: 3600. Invalid values fall back to the default. |
|
|
|
annotation |
Supported in version 0.3.0 and later. Specifies whether to inject the
|
|
Pod configuration
|
Parameter |
Type |
Description |
Sample code |
|
|
label |
Supported in version 0.2.0 and later. Specifies whether to enable automatic configuration injection for this pod.
|
|
|
|
annotation |
Supported in version 0.4.2 and later. Specifies whether to enable automatic configuration override for this pod. If enabled, injected environment variables take precedence over existing ones with the same name.
|
|
|
|
annotation |
The OIDC token validity period for this pod. Valid values: 600 to 43200. Unit: seconds. Default value: 3600. Invalid values fall back to the default. Note
If this annotation is specified on both the service account and the pod, the pod-level annotation takes precedence. |
|
|
|
annotation |
The containers to inject configurations into. Separate names with commas (,). If absent, all containers receive injected configurations. |
|
|
|
annotation |
Containers to exclude from configuration injection. Separate names with commas (,). Note
If a container name is specified in both |
|
Release notes
April 2026
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.4.3 |
registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:0.4.3 |
April 23, 2026 |
|
Pod creation may fail if an exception occurs during upgrade. Upgrade during off-peak hours. |
January 2026
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.4.2 |
registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:0.4.2 |
January 29, 2026 |
|
Pod creation may fail if an exception occurs during upgrade. Upgrade during off-peak hours. |
November 2025
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.4.0 |
registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:0.4.0 |
November 24, 2025 |
|
Pod creation may fail if an exception occurs during upgrade. Upgrade during off-peak hours. |
September 2025
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.3.1 |
registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:0.3.1 |
September 8, 2025 |
Upgraded Go to 1.24.6 to improve stability. |
Pod creation may fail if an exception occurs during upgrade. Upgrade during off-peak hours. |
June 2025
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.3.0 |
registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.3.0.0-g433f84b-aliyun |
June 6, 2025 |
Added |
Pod creation may fail if an exception occurs during upgrade. Upgrade during off-peak hours. |
March 2025
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.2.1 |
registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.2.1.0-g52e519c-aliyun |
March 18, 2025 |
Upgraded Go to 1.23.7 to improve stability. |
Pod creation may fail if an exception occurs during upgrade. Upgrade during off-peak hours. |
December 2024
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.2.0 |
registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.2.0.11-g2f0c2e7-aliyun |
December 19, 2024 |
|
Pod creation may fail if an exception occurs during upgrade. Upgrade during off-peak hours. |
June 2023
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.1.1 |
registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.1.0-gbddcb74-aliyun |
June 7, 2023 |
Improved compatibility with ACK Serverless clusters. |
Pod creation may fail if an exception occurs during upgrade. Upgrade during off-peak hours. |
February 2023
|
Version |
Image address |
Release date |
Changes |
Impact |
|
0.1.0 |
registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.0.9-g26b8fde-aliyun |
February 1, 2023 |
Implemented automatic OIDC token mounting and environment variable injection for application pods. |
Initial release. |