
Container Service for Kubernetes:ack-pod-identity-webhook

Last Updated:Oct 08, 2023

ack-pod-identity-webhook is a component that helps you work with the RAM Roles for Service Accounts (RRSA) feature of Container Service for Kubernetes (ACK). ack-pod-identity-webhook automatically injects the OpenID Connect (OIDC) token and the environment variables that your application requires into the pods of your application, so you do not need to configure the OIDC token and environment variables yourself. This topic describes ack-pod-identity-webhook and provides usage notes and release notes for ack-pod-identity-webhook.

Introduction

The following figure shows the architecture of ack-pod-identity-webhook.

[Figure: architecture diagram of ack-pod-identity-webhook]

Example

The application in this example uses the RRSA feature to assume the specified role to obtain information about all clusters that belong to the current Alibaba Cloud account. The following resources are used in this example:

  • Namespace: rrsa-demo

  • Service account: demo-sa

  • RAM role: ack-pod-identity-webhook-demo

After you add the pod-identity.alibabacloud.com/injection: 'on' label to the namespace of your pod, ack-pod-identity-webhook automatically injects relevant configurations into the pod based on the annotations of the service account used by the pod. The following steps are performed in this example.

  1. Enable the RRSA feature for the cluster.

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of the cluster that you want to manage.

    3. On the cluster details page, click the Basic Information tab. In the Cluster Information section, click Enable RRSA on the right side of RRSA OIDC.

    4. In the message that appears, click Confirm.

      If the status of the cluster changes from Updating to Running, the RRSA feature is enabled for the cluster. The URL and Alibaba Cloud Resource Name (ARN) of the identity provider (IdP) are displayed on the right side of RRSA OIDC.

  2. Install ack-pod-identity-webhook.

    1. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Add-ons in the left-side navigation pane.

    2. On the Add-ons page, click the Security tab, find ack-pod-identity-webhook, and then click Install in the lower-right corner.

    3. In the message that appears, confirm the information and click OK.

  3. Create a RAM role named ack-pod-identity-webhook-demo.

    1. Log on to the RAM console with your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Roles.

    3. On the Roles page, click Create Role.

    4. In the Create Role panel, select IdP for Select Trusted Entity and click Next.

    5. Configure the following parameters and click OK.

      Parameter: RAM Role Name
      Description: ack-pod-identity-webhook-demo

      Parameter: IdP Type
      Description: OIDC

      Parameter: Select IdP
      Description: ack-rrsa-<cluster_id>. Specify the ID of your cluster in <cluster_id>.

      Parameter: Conditions
      Description:

      • oidc:iss: Use the default value.

      • oidc:aud: Select sts.aliyuncs.com.

      • oidc:sub: Set the condition operator to StringEquals and the value to system:serviceaccount:<namespace>:<serviceAccountName>.

        • <namespace>: Specify the namespace of the application.

        • <serviceAccountName>: Specify the name of the service account.

        In this example, enter system:serviceaccount:rrsa-demo:demo-sa.

  4. Attach the AliyunCSReadOnlyAccess policy to the RAM role to grant the required permissions to the application. For more information, see Grant permissions to a RAM role.

  5. Deploy the application.

    1. Create a file named demo.yaml and copy the following content to the file.

      In the following YAML content, the pod-identity.alibabacloud.com/injection: 'on' label is added to the namespace, the pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo annotation is added to the service account, and the auto injection feature of ack-pod-identity-webhook is enabled. For more information about the RRSA demo, see Code.

      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        name: rrsa-demo
        labels:
          pod-identity.alibabacloud.com/injection: 'on'
      
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: demo-sa
        namespace: rrsa-demo
        annotations:
          pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo
      
      ---
      apiVersion: v1
      kind: Pod
      metadata:
        name: demo
        namespace: rrsa-demo
      spec:
        serviceAccountName: demo-sa
        containers:
          - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
            imagePullPolicy: "Always"
            args:
              - rrsa
              - demo
            name: demo
        restartPolicy: OnFailure

    2. Run the following command to deploy the application:

      kubectl apply -f demo.yaml

  6. Run the following command to check whether ack-pod-identity-webhook has injected the required configurations into the pod that is created for the application:

    kubectl -n rrsa-demo get pod demo -o yaml

    Expected output:

    apiVersion: v1
    kind: Pod
    metadata:
      name: demo
      namespace: rrsa-demo
    spec:
      containers:
      - args:
        - rrsa
        - demo
        env:
        - name: ALIBABA_CLOUD_ROLE_ARN
          value: acs:ram::1***:role/ack-pod-identity-webhook-demo
        - name: ALIBABA_CLOUD_OIDC_PROVIDER_ARN
          value: acs:ram::1***:oidc-provider/ack-rrsa-c***
        - name: ALIBABA_CLOUD_OIDC_TOKEN_FILE
          value: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token
        image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
        imagePullPolicy: Always
        name: demo
        volumeMounts:
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-4bwdg
          readOnly: true
        - mountPath: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens
          name: rrsa-oidc-token
          readOnly: true
      restartPolicy: OnFailure
      serviceAccount: demo-sa
      serviceAccountName: demo-sa
      volumes:
      - name: kube-api-access-4bwdg
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
              - key: ca.crt
                path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace
      - name: rrsa-oidc-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: sts.aliyuncs.com
              expirationSeconds: 3600
              path: token

    The output indicates that ack-pod-identity-webhook has injected the following configurations into the pod.

    Category: Environment variables

      ALIBABA_CLOUD_ROLE_ARN: The ARN of the RAM role to be assumed.

      ALIBABA_CLOUD_OIDC_PROVIDER_ARN: The ARN of the OIDC IdP.

      ALIBABA_CLOUD_OIDC_TOKEN_FILE: The path of the OIDC token file.

    Category: VolumeMount

      rrsa-oidc-token: The configuration for mounting the OIDC token.

    Category: Volume

      rrsa-oidc-token: The configuration for mounting the OIDC token.

  7. Run the following command to print the log of the application:

    kubectl -n rrsa-demo logs demo

    Expected output:

    cluster id: cf***, cluster name: foo*
    cluster id: c8***, cluster name: bar*
    cluster id: c4***, cluster name: foob*
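The steps above tie three things together: the trust conditions on the RAM role (oidc:iss, oidc:aud, oidc:sub), the projected token that the webhook mounts, and the environment variables the application reads. The following script is an added example written for this page; it is not code from ack-pod-identity-webhook or from the ack-ram-tool image. It decodes the claims of a token in JWT layout (without verifying the signature, which STS does), applies the same three conditions that the Create Role step configures, and cross-checks a pod manifest for the injected volume, mount and environment variables. The sample token, the issuer URL and the pod manifest are constructed; the masked IDs (1***, c***) are placeholders taken from the expected output above.

```python
import base64
import json

STS_AUDIENCE = "sts.aliyuncs.com"            # the oidc:aud value selected in the Create Role step
MIN_EXPIRATION, MAX_EXPIRATION = 600, 43200  # token validity range documented on this page
# Placeholder issuer: the real value is the RRSA OIDC URL shown in the ACK console.
SAMPLE_ISSUER = "https://<rrsa-oidc-issuer-placeholder>"


def expected_subject(namespace, service_account):
    """The oidc:sub value that the role's StringEquals condition must match."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def make_sample_token(claims):
    """Constructed token in JWT layout (unsigned), for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample'})}.{enc(claims)}.signature-placeholder"


def decode_jwt_claims(token):
    """Read the claims segment without verifying the signature: STS verifies the
    signature against the IdP's published keys; here we only compare claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate_trust_conditions(claims, issuer, namespace, service_account):
    """Apply the oidc:iss, oidc:aud and oidc:sub conditions from the Create Role
    step. Returns failure messages; an empty list means the role trusts the token."""
    failures = []
    if claims.get("iss") != issuer:
        failures.append(f"oidc:iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    audiences = set(aud) if isinstance(aud, list) else {aud}
    if STS_AUDIENCE not in audiences:
        failures.append(f"oidc:aud does not include {STS_AUDIENCE}")
    if claims.get("sub") != expected_subject(namespace, service_account):
        failures.append(f"oidc:sub mismatch: {claims.get('sub')!r}")
    return failures


def check_pod_injection(pod):
    """Cross-check the injected env vars, volume and mount in a pod manifest
    (given as a dict, e.g. parsed from `kubectl get pod -o json`)."""
    failures = []
    spec = pod["spec"]
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    token_volume = volumes.get("rrsa-oidc-token")
    if token_volume is None:
        return ["volume rrsa-oidc-token is missing"]
    source = token_volume["projected"]["sources"][0]["serviceAccountToken"]
    if source.get("audience") != STS_AUDIENCE:
        failures.append("projected token audience is not sts.aliyuncs.com")
    if not MIN_EXPIRATION <= source.get("expirationSeconds", 0) <= MAX_EXPIRATION:
        failures.append("projected token expiration is outside 600..43200 seconds")
    for container in spec.get("containers", []):
        name = container["name"]
        env = {e["name"]: e.get("value") for e in container.get("env", [])}
        mount = {m["name"]: m for m in container.get("volumeMounts", [])}.get("rrsa-oidc-token")
        if mount is None:
            failures.append(f"{name}: token volume is not mounted")
            continue
        if not mount.get("readOnly"):
            failures.append(f"{name}: token mount is not read-only")
        token_file = mount["mountPath"].rstrip("/") + "/" + source["path"]
        if env.get("ALIBABA_CLOUD_OIDC_TOKEN_FILE") != token_file:
            failures.append(f"{name}: ALIBABA_CLOUD_OIDC_TOKEN_FILE does not point at the mount")
        for var in ("ALIBABA_CLOUD_ROLE_ARN", "ALIBABA_CLOUD_OIDC_PROVIDER_ARN"):
            if not env.get(var):
                failures.append(f"{name}: {var} is not set")
    return failures


# Constructed sample manifest mirroring the expected output above (masked IDs are placeholders).
TOKEN_DIR = "/var/run/secrets/ack.alibabacloud.com/rrsa-tokens"
SAMPLE_POD = {"spec": {
    "containers": [{
        "name": "demo",
        "env": [
            {"name": "ALIBABA_CLOUD_ROLE_ARN", "value": "acs:ram::1***:role/ack-pod-identity-webhook-demo"},
            {"name": "ALIBABA_CLOUD_OIDC_PROVIDER_ARN", "value": "acs:ram::1***:oidc-provider/ack-rrsa-c***"},
            {"name": "ALIBABA_CLOUD_OIDC_TOKEN_FILE", "value": TOKEN_DIR + "/token"},
        ],
        "volumeMounts": [{"mountPath": TOKEN_DIR, "name": "rrsa-oidc-token", "readOnly": True}],
    }],
    "volumes": [{"name": "rrsa-oidc-token", "projected": {"sources": [
        {"serviceAccountToken": {"audience": STS_AUDIENCE, "expirationSeconds": 3600, "path": "token"}}]}}],
}}

if __name__ == "__main__":
    claims = decode_jwt_claims(make_sample_token(
        {"iss": SAMPLE_ISSUER, "aud": [STS_AUDIENCE], "sub": expected_subject("rrsa-demo", "demo-sa")}))
    print("trust conditions:", evaluate_trust_conditions(claims, SAMPLE_ISSUER, "rrsa-demo", "demo-sa") or "ok")
    print("pod injection:", check_pod_injection(SAMPLE_POD) or "ok")
```

The oidc:sub check is the one that scopes the role to a single service account: a token issued for any other namespace or service account in the cluster fails the StringEquals condition even though its issuer and audience are identical. Checking that the mount is read-only and that ALIBABA_CLOUD_OIDC_TOKEN_FILE points at the mounted path is what you would verify on a real cluster after step 6.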

Custom configurations

You can customize the following configurations for ack-pod-identity-webhook: namespace, service account, and pod configurations.

Namespace configuration

Parameter: pod-identity.alibabacloud.com/injection

Type: Label

Description: Specify whether to enable auto injection for the pods in the current namespace.

  • Set the parameter to on to enable auto injection.

  • Set the parameter to a value other than on or leave the parameter empty to disable auto injection.

Sample code:

apiVersion: v1
kind: Namespace
metadata:
  name: test
  labels:
    pod-identity.alibabacloud.com/injection: 'on'

Service account configuration

Parameter: pod-identity.alibabacloud.com/role-name

Type: Annotation

Description: The name of the RAM role assigned to the service account. If you leave this parameter empty or set it to an invalid value, auto injection does not take effect on the pod that uses the service account.

Sample code:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/role-name: test-role

Parameter: pod-identity.alibabacloud.com/service-account-token-expiration

Type: Annotation

Description: The validity period of the OIDC token mounted to the pod that uses the service account.

Valid values: 600 to 43200. Unit: seconds.

Default value: 3600. The default value is used when the parameter is set to an invalid value.

Sample code:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/service-account-token-expiration: '3600'

Pod configuration

Parameter: pod-identity.alibabacloud.com/service-account-token-expiration

Type: Annotation

Description: The validity period of the OIDC token mounted to the pod.

Valid values: 600 to 43200. Unit: seconds.

Default value: 3600. The default value is used when the parameter is set to an invalid value.

Note

When this parameter is specified for both the service account and the pod, the setting of the pod prevails.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/service-account-token-expiration: '3600'

Parameter: pod-identity.alibabacloud.com/only-containers

Type: Annotation

Description: Specify the names of the containers in the pod into which you want to inject configurations. Configurations are injected into only the specified containers. Separate multiple container names with commas (,).

If you leave this parameter empty, configurations are injected into all containers in the pod.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/only-containers: 'controller,test'

Parameter: pod-identity.alibabacloud.com/skip-containers

Type: Annotation

Description: Specify the names of the containers in the pod into which you do not want to inject configurations. Separate multiple container names with commas (,).

Note

When a container name is specified in both the pod-identity.alibabacloud.com/only-containers and pod-identity.alibabacloud.com/skip-containers parameters, the container name specified in the pod-identity.alibabacloud.com/only-containers parameter is ignored.

Sample code:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/skip-containers: 'controller,test'
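The namespace, service account and pod settings above interact: the namespace label gates injection, the service account supplies the role name, the token expiration can be set in two places with the pod winning, and only-containers and skip-containers can overlap. The following model of those rules is an added example written for this page, not the source code of ack-pod-identity-webhook; the function names are my own, the account ID and cluster ID are placeholders used only to form the ARNs, and role-name validity is reduced to "non-empty" because checking that the role exists requires RAM. One reading of the page that the code makes explicit: an invalid expiration value on the pod falls back to the default rather than to the service-account value.

```python
INJECTION_LABEL = "pod-identity.alibabacloud.com/injection"
ROLE_NAME_ANNOTATION = "pod-identity.alibabacloud.com/role-name"
EXPIRATION_ANNOTATION = "pod-identity.alibabacloud.com/service-account-token-expiration"
ONLY_CONTAINERS_ANNOTATION = "pod-identity.alibabacloud.com/only-containers"
SKIP_CONTAINERS_ANNOTATION = "pod-identity.alibabacloud.com/skip-containers"

MIN_EXPIRATION, MAX_EXPIRATION, DEFAULT_EXPIRATION = 600, 43200, 3600
TOKEN_DIR = "/var/run/secrets/ack.alibabacloud.com/rrsa-tokens"


def parse_expiration(raw):
    """Return the annotation value in seconds; missing, non-numeric or
    out-of-range values yield the documented default of 3600."""
    if raw is None:
        return DEFAULT_EXPIRATION
    try:
        value = int(str(raw).strip())
    except ValueError:
        return DEFAULT_EXPIRATION
    return value if MIN_EXPIRATION <= value <= MAX_EXPIRATION else DEFAULT_EXPIRATION


def split_names(raw):
    """Parse a comma-separated container list; empty or missing gives an empty set."""
    if not raw:
        return set()
    return {name.strip() for name in raw.split(",") if name.strip()}


def plan_injection(namespace_labels, sa_annotations, pod_annotations, container_names,
                   account_id="1***", cluster_id="c***"):
    """Decide what would be injected for one pod under the rules on this page.

    Returns None when nothing is injected; otherwise a dict with the token
    expiration, the target containers and the environment variables.
    account_id and cluster_id are placeholders (hypothetical values).
    """
    # The namespace label must be exactly "on"; anything else disables injection.
    if namespace_labels.get(INJECTION_LABEL) != "on":
        return None
    # The service account must name a role; empty disables injection.
    role_name = (sa_annotations.get(ROLE_NAME_ANNOTATION) or "").strip()
    if not role_name:
        return None
    # Expiration: the pod annotation prevails when present; an invalid pod
    # value falls back to the default (reading of the page's rules).
    if EXPIRATION_ANNOTATION in pod_annotations:
        expiration = parse_expiration(pod_annotations[EXPIRATION_ANNOTATION])
    else:
        expiration = parse_expiration(sa_annotations.get(EXPIRATION_ANNOTATION))
    # Container selection: only-containers narrows the set (empty means all),
    # and a name listed in skip-containers is excluded even if also in only-containers.
    only = split_names(pod_annotations.get(ONLY_CONTAINERS_ANNOTATION))
    skip = split_names(pod_annotations.get(SKIP_CONTAINERS_ANNOTATION))
    targets = [c for c in container_names if (not only or c in only) and c not in skip]
    env = {
        "ALIBABA_CLOUD_ROLE_ARN": f"acs:ram::{account_id}:role/{role_name}",
        "ALIBABA_CLOUD_OIDC_PROVIDER_ARN": f"acs:ram::{account_id}:oidc-provider/ack-rrsa-{cluster_id}",
        "ALIBABA_CLOUD_OIDC_TOKEN_FILE": f"{TOKEN_DIR}/token",
    }
    return {"expiration_seconds": expiration, "containers": targets, "env": env}


if __name__ == "__main__":
    # Constructed inputs: the namespace is opted in, the service account names a
    # role with a 7200 s token, and the pod overrides the expiration and
    # lists "test" in both only-containers and skip-containers.
    plan = plan_injection(
        {INJECTION_LABEL: "on"},
        {ROLE_NAME_ANNOTATION: "test-role", EXPIRATION_ANNOTATION: "7200"},
        {EXPIRATION_ANNOTATION: "900", ONLY_CONTAINERS_ANNOTATION: "controller,test",
         SKIP_CONTAINERS_ANNOTATION: "test"},
        ["controller", "test", "sidecar"],
    )
    print(plan)  # expiration 900, containers ['controller']
```

Running the block with the constructed inputs shows the two precedence rules at once: the pod's 900 s overrides the service account's 7200 s, and "test" drops out because skip-containers wins over only-containers, leaving only "controller". Minimizing the token lifetime and the set of injected containers is the least-privilege lever these annotations give you: a sidecar that never calls Alibaba Cloud APIs has no reason to hold a role token.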

RRSA SDK demos

Programming language: Go
Supported SDK version: Alibaba Cloud Credentials for Go 1.2.6 and later
Demo: SDK demos for Go

Programming language: Java
Supported SDK version: Alibaba Cloud Credentials for Java 0.2.10 and later
Demo: SDK demos for Java

Programming language: Python 3
Supported SDK version: Alibaba Cloud Credentials for Python 0.3.1 and later
Demo: SDK demos for Python 3

Programming language: Node.js and TypeScript
Supported SDK version: Alibaba Cloud Credentials for TypeScript/Node.js 2.2.6 and later
Demo: SDK demos for Node.js and TypeScript

Release notes

June 2023

Version number: 0.1.1

Image address: registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.1.0-gbddcb74-aliyun

Description: Compatibility with ACK Serverless clusters is improved.

Release date: 2023-06-07

Impact: If exceptions occur during the component update, pods may fail to be created. We recommend that you perform the update during off-peak hours.

February 2023

Version number: 0.1.0

Image address: registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.0.9-g26b8fde-aliyun

Description: OIDC tokens can be automatically mounted and environment variables can be automatically configured for application pods.

Release date: 2023-02-01

Impact: The first version is released.
