
Container Compute Service:ack-pod-identity-webhook

Last Updated: Jun 20, 2026

The ack-pod-identity-webhook add-on simplifies the use of RAM Roles for Service Accounts (RRSA) in Container Compute Service. It automatically injects required configurations, such as OIDC token mounts and environment variables, into your application pods to eliminate manual configuration. This topic describes the features, usage, and changelog of the ack-pod-identity-webhook add-on.

How it works

The following figure shows the architecture of the ack-pod-identity-webhook add-on.

[Figure: architecture of the ack-pod-identity-webhook add-on]

Example

In this example, you deploy an application that uses the RRSA feature to assume a specified role and retrieve a list of clusters. This example uses the following resources:

  • Namespace: rrsa-demo

  • Service account: demo-sa

  • RAM role: ack-pod-identity-webhook-demo

When you add the pod-identity.alibabacloud.com/injection: 'on' label to the namespace where your pod resides, the ack-pod-identity-webhook add-on automatically injects the necessary configurations into the pod based on the annotations of the pod's service account. Follow these steps to deploy the example.

  1. Enable the RRSA feature for your cluster.

    1. Log on to the ACS console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of the target cluster. In the left navigation pane, choose Cluster Information.

    3. On the cluster details page, click the Basic Information tab. In the Security and Auditing section, click Enable next to RRSA OIDC.

    4. In the Enable RRSA dialog box, click OK.

      Note
      • Enabling the RRSA feature takes about 2 to 3 minutes. If the Cluster Status remains in the Updating state, click the refresh button in the upper-right corner of the page.

      • When the cluster status changes from Updating to Running, the RRSA feature is enabled for the cluster. You can hover over Enabled next to RRSA OIDC to view the URL and ARN of the OIDC provider.

  2. Install the ack-pod-identity-webhook add-on.

    1. In the left-side navigation pane, choose Operations > Add-ons.

    2. Click the Security tab, find the ack-pod-identity-webhook add-on, and then click Install.

    3. In the dialog box that appears, confirm the add-on information and click OK.

  3. Create a RAM role named ack-pod-identity-webhook-demo.

    1. Log on to the RAM console using your Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Roles. On the Role page, click Create Role.

    3. In the Create Role panel, click Switch to Policy Editor to create the role.

    4. This example uses the Visual Editor. Configure the role as described in the following table and click OK.

      Effect: The default value is Allow.

      Principal: Select Identity Provider and click Edit. Select OIDC as the identity provider type, and then select the identity provider for your cluster, such as ack-rrsa-<cluster_id>. Replace <cluster_id> with your cluster ID.

      Action: The sts:AssumeRole action is selected by default.

      Condition:
      • oidc:iss: This condition is automatically added after you select the identity provider. Keep the default value.
      • oidc:aud: This condition is automatically added after you select the identity provider. Keep the default value.
      • oidc:sub: Add this condition manually with the following settings:
        • Key: oidc:sub
        • Operator: StringEquals
        • Value: Use the format system:serviceaccount:<namespace>:<serviceAccountName>, where <namespace> is the namespace where the application resides and <serviceAccountName> is the name of the service account. For the sample application, enter system:serviceaccount:rrsa-demo:demo-sa.

    5. In the dialog box that appears, enter the role name ack-pod-identity-webhook-demo and click OK.

  4. Attach the AliyunCSReadOnlyAccess policy to the RAM role you created. For more information, see Manage permissions for a RAM role.

  5. Deploy the sample application.

    1. Connect to your cluster. For more information, see Connect to a cluster.

    2. Create a file named demo.yaml with the following content.

      In the following YAML manifest, the pod-identity.alibabacloud.com/injection: 'on' label is added to the rrsa-demo namespace, and the pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo annotation is added to the demo-sa service account. This enables the automatic injection feature of the ack-pod-identity-webhook add-on. For more information about the RRSA demo implementation, see the source code.

      Note

      The registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0 image used in the following example is pulled over the internet. Make sure your cluster has internet access enabled. For more information, see Enable internet access for a cluster.

      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        name: rrsa-demo
        labels:
          pod-identity.alibabacloud.com/injection: 'on'
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: demo-sa
        namespace: rrsa-demo
        annotations:
          pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo
      ---
      apiVersion: v1
      kind: Pod
      metadata:
        name: demo
        namespace: rrsa-demo
      spec:
        serviceAccountName: demo-sa
        containers:
          - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
            imagePullPolicy: "Always"
            args:
              - rrsa
              - demo
            name: demo
        restartPolicy: OnFailure

    3. Run the following command to deploy the sample application:

      kubectl apply -f demo.yaml

  6. Verify that the ack-pod-identity-webhook add-on automatically injected the required configurations into the application pod.

    kubectl -n rrsa-demo get pod demo -o yaml

    Expected output:

    apiVersion: v1
    kind: Pod
    metadata:
      annotations:
        ProviderCreate: done
        alibabacloud.com/client-token: 5e68e5bf-1726-4f5e-****-abe61d2c1cff
        alibabacloud.com/instance-id: acs-uf6008givz63ta2v****
        alibabacloud.com/pod-ephemeral-storage: 30Gi
        alibabacloud.com/pod-use-spec: 0.25-0.5Gi
        alibabacloud.com/request-id: 5914A73F-8B24-5B9B-****-400F6B632D44
        alibabacloud.com/schedule-result: finished
        alibabacloud.com/user-id: "1488999589******"
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"demo","namespace":"rrsa-demo"},"spec":{"containers":[{"args":["rrsa","demo"],"image":"registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0","imagePullPolicy":"Always","name":"demo"}],"restartPolicy":"OnFailure","serviceAccountName":"demo-sa"}}
        kubernetes.io/pod-stream-port: "10250"
        kubernetes.io/preferred-scheduling-node: virtual-kubelet-cn-shanghai-g/1
        network.alibabacloud.com/allocated-eni-id: eni-uf6fhxwakz5b0d******
        network.alibabacloud.com/enable-dns-cache: "false"
        network.alibabacloud.com/security-group-id: sg-uf60h6mbwry22r******
        network.alibabacloud.com/security-group-ids: sg-uf60h6mbwry22r******
        network.alibabacloud.com/vpc-id: vpc-uf6ncu6tpunqchrrr****
        network.alibabacloud.com/vswitch-id: vsw-uf6g4yjk3kemgei******
        network.alibabacloud.com/vswitch-ids: vsw-uf6g4yjk3kemgei******
        topology.kubernetes.io/region: cn-shanghai
        topology.kubernetes.io/zone: cn-shanghai-g
      creationTimestamp: "2024-08-19T09:29:57Z"
      labels:
        alibabacloud.com/cluster-id: cbec9a1f7b433470ebe4c900552******
        alibabacloud.com/compute-class: general-purpose
        alibabacloud.com/compute-qos: default
        topology.kubernetes.io/region: cn-shanghai
      name: demo
      namespace: rrsa-demo
      resourceVersion: "6795900"
      uid: 57ab5f1d-32b7-4d9d-****-16a4f2c1a1fa
    spec:
      containers:
      - args:
        - rrsa
        - demo
        env:
        - name: ALIBABA_CLOUD_ROLE_ARN
          value: acs:ram::1488999589******:role/ack-pod-identity-webhook-demo
        - name: ALIBABA_CLOUD_OIDC_PROVIDER_ARN
          value: acs:ram::1488999589******:oidc-provider/ack-rrsa-cbec9a1f7b433470ebe4c900552******
        - name: ALIBABA_CLOUD_OIDC_TOKEN_FILE
          value: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token
        - name: KUBERNETES_SERVICE_HOST
          value: 192.168.1.215
        - name: KUBERNETES_SERVICE_PORT
          value: "6443"
        image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
        imagePullPolicy: Always
        name: demo
        resources:
          limits:
            cpu: 250m
            ephemeral-storage: 30Gi
            memory: 512Mi
          requests:
            cpu: 250m
            ephemeral-storage: 30Gi
            memory: 512Mi
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-lrcfl
          readOnly: true
        - mountPath: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens
          name: rrsa-oidc-token
          readOnly: true
      dnsPolicy: ClusterFirst
      enableServiceLinks: true
      nodeName: virtual-kubelet-cn-shanghai-g
      preemptionPolicy: PreemptLowerPriority
      priority: 0
      restartPolicy: OnFailure
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: demo-sa
      serviceAccountName: demo-sa
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoExecute
        key: node.kubernetes.io/not-ready
        operator: Exists
      - effect: NoExecute
        key: node.kubernetes.io/unreachable
        operator: Exists
      volumes:
      - name: kube-api-access-lrcfl
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
              - key: ca.crt
                path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace
      - name: rrsa-oidc-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: sts.aliyuncs.com
              expirationSeconds: 3600
              path: token
    status:
      conditions:
      - lastProbeTime: null
        lastTransitionTime: "2024-08-19T09:29:57Z"
        message: The container instance is creating.
        reason: Creating
        status: "False"
        type: ContainerInstanceScheduled
      - lastProbeTime: null
        lastTransitionTime: "2024-08-19T09:30:10Z"
        status: "True"
        type: Initialized
      - lastProbeTime: null
        lastTransitionTime: "2024-08-19T09:30:13Z"
        status: "True"
        type: Ready
      - lastProbeTime: null
        lastTransitionTime: "2024-08-19T09:30:13Z"
        status: "True"
        type: ContainersReady
      - lastProbeTime: null
        lastTransitionTime: "2024-08-19T09:30:10Z"
        status: "True"
        type: ContainerHasSufficientDisk
      - lastProbeTime: null
        lastTransitionTime: "2024-08-19T09:30:12Z"
        status: "True"
        type: ContainerInstanceCreated
      - lastProbeTime: null
        lastTransitionTime: "2024-08-19T09:30:13Z"
        status: "True"
        type: PodReadyToStartContainers
      - lastProbeTime: null
        lastTransitionTime: "2024-08-19T09:30:12Z"
        status: "True"
        type: PodScheduled
      containerStatuses:
      - containerID: containerd://5d4f205e068372f30a90715016465562b9988a981cb285e81c76b5b0dc******
        image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
        imageID: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool@sha256:ad4172d3ed3d6dab23f09218f9d478295e93c163915aac9e4e38a90c4d******
        lastState: {}
        name: demo
        ready: true
        restartCount: 0
        started: true
        state:
          running:
            startedAt: "2024-08-19T09:30:13Z"
      hostIP: 192.168.1.5
      phase: Running
      podIP: 192.168.1.5
      podIPs:
      - ip: 192.168.1.5
      qosClass: Guaranteed

    The output shows that the add-on automatically injected the following configurations into the pod.

    Field: env
    • ALIBABA_CLOUD_ROLE_ARN: The ARN of the RAM role to be assumed.
    • ALIBABA_CLOUD_OIDC_PROVIDER_ARN: The ARN of the OIDC identity provider.
    • ALIBABA_CLOUD_OIDC_TOKEN_FILE: The path of the file that contains the OIDC token.

    Field: volumeMounts
    • rrsa-oidc-token: Mounts the rrsa-oidc-token volume into the container.

    Field: volumes
    • rrsa-oidc-token: Defines the rrsa-oidc-token volume using a projected service account token.

  7. View the application logs.

    kubectl -n rrsa-demo logs demo

    Expected output:

    cluster id: c66e40b731ab24f96b36bec5b1a******, cluster name: test-****
    cluster id: cbec9a1f7b433470ebe4c900552******, cluster name: test-****

Custom configurations

You can customize the ack-pod-identity-webhook add-on at the namespace, service account, and pod levels.

Namespace configuration

Parameter: pod-identity.alibabacloud.com/injection
Type: Label
Description: Specifies whether to enable automatic configuration injection for pods in this namespace.
  • If the value is on, injection is enabled.
  • If this label is not configured or set to any other value, injection is disabled.
Code sample:
  apiVersion: v1
  kind: Namespace
  metadata:
    name: test
    labels:
      pod-identity.alibabacloud.com/injection: 'on'

Service account configuration

Parameter: pod-identity.alibabacloud.com/role-name
Type: Annotation
Description: The name of the RAM role associated with this service account. If this annotation is not configured or its value is not a valid RAM role name, configurations are not injected into pods that use this service account.
Code sample:
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: test-sa
    namespace: test
    annotations:
      pod-identity.alibabacloud.com/role-name: test-role

Parameter: pod-identity.alibabacloud.com/service-account-token-expiration
Type: Annotation
Description: Specifies the validity period of the OIDC token mounted in pods that use this service account.
  • The value must be within the range of [600, 43200].
  • Unit: seconds.
  • Default value: 3600. If you specify an invalid value, the default value of 3600 is used.

  Note
  If this annotation is specified on both a service account and a pod, the pod-level configuration takes precedence and the service account-level configuration is ignored.
Code sample:
  apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: test-sa
    namespace: test
    annotations:
      pod-identity.alibabacloud.com/service-account-token-expiration: '3600'

Pod configuration

Parameter: pod-identity.alibabacloud.com/service-account-token-expiration
Type: Annotation
Description: Specifies the validity period of the OIDC token that is mounted in this pod.
  • The value must be within the range of [600, 43200].
  • Unit: seconds.
  • Default value: 3600. If you specify an invalid value, the default value of 3600 is used.

  Note
  If this annotation is specified on both a service account and a pod, the pod-level configuration takes precedence and the service account-level configuration is ignored.
Code sample:
  apiVersion: v1
  kind: Pod
  metadata:
    name: test-pod
    namespace: test
    annotations:
      pod-identity.alibabacloud.com/service-account-token-expiration: '3600'

Parameter: pod-identity.alibabacloud.com/only-containers
Type: Annotation
Description: Injects configurations only into the specified containers within the pod. Use commas (,) to separate multiple container names.

  Note
  If a container name is specified in both the pod-identity.alibabacloud.com/only-containers and pod-identity.alibabacloud.com/skip-containers annotations, the configuration in pod-identity.alibabacloud.com/only-containers is ignored for that container.
Code sample:
  apiVersion: v1
  kind: Pod
  metadata:
    name: test-pod
    namespace: test
    annotations:
      pod-identity.alibabacloud.com/only-containers: 'controller,test'

Parameter: pod-identity.alibabacloud.com/skip-containers
Type: Annotation
Description: Injects configurations into all containers within the pod except for the specified ones. Use commas (,) to separate multiple container names.

  Note
  If a container name is specified in both the pod-identity.alibabacloud.com/only-containers and pod-identity.alibabacloud.com/skip-containers annotations, the configuration in pod-identity.alibabacloud.com/only-containers is ignored for that container.
Code sample:
  apiVersion: v1
  kind: Pod
  metadata:
    name: test-pod
    namespace: test
    annotations:
      pod-identity.alibabacloud.com/skip-containers: 'controller,test'
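The decision rules from the namespace, service account and pod configuration tables above, modelled in Go as an added example (not the add-on's source code): the injection label gate, the role-name annotation, pod-over-service-account precedence and the [600, 43200] range for the token expiration, and the interaction of only-containers with skip-containers. The ARN formats follow the pod output shown in the Example section; the account ID, cluster ID, container names and the tokenExpiration, csvSet and Decide helpers are constructed for this example.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

const prefix = "pod-identity.alibabacloud.com/" // key prefix of all the add-on's labels and annotations
type Injection struct {                       // what the webhook adds to the selected containers
	Containers []string          // containers that receive the configuration
	Env        map[string]string // ALIBABA_CLOUD_* environment variables
	Expiration int64             // expirationSeconds of the projected OIDC token
}

// tokenExpiration parses the annotation value; a missing, unparsable or out-of-range ([600, 43200]) value yields 3600.
func tokenExpiration(raw string, present bool) int64 {
	if n, err := strconv.ParseInt(strings.TrimSpace(raw), 10, 64); present && err == nil && n >= 600 && n <= 43200 {
		return n
	}
	return 3600
}

// csvSet turns a comma-separated annotation value into a set of container names (empty value: empty set).
func csvSet(v string) map[string]bool {
	set := map[string]bool{}
	for _, s := range strings.Fields(strings.ReplaceAll(v, ",", " ")) {
		set[s] = true
	}
	return set
}

// Decide returns nil when the webhook leaves the pod untouched; ARN shapes follow the page's sample output.
func Decide(accountID, clusterID string, nsLabels, saAnno, podAnno map[string]string, containers []string) *Injection {
	role := saAnno[prefix+"role-name"]
	if nsLabels[prefix+"injection"] != "on" || role == "" { // full RAM role-name validation omitted here
		return nil
	}
	exp, ok := podAnno[prefix+"service-account-token-expiration"] // the pod-level annotation takes precedence
	if !ok {
		exp, ok = saAnno[prefix+"service-account-token-expiration"]
	}
	only, skip := csvSet(podAnno[prefix+"only-containers"]), csvSet(podAnno[prefix+"skip-containers"])
	inj := &Injection{Expiration: tokenExpiration(exp, ok), Env: map[string]string{
		"ALIBABA_CLOUD_ROLE_ARN":          fmt.Sprintf("acs:ram::%s:role/%s", accountID, role),
		"ALIBABA_CLOUD_OIDC_PROVIDER_ARN": fmt.Sprintf("acs:ram::%s:oidc-provider/ack-rrsa-%s", accountID, clusterID),
		"ALIBABA_CLOUD_OIDC_TOKEN_FILE":   "/var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token",
	}}
	for _, c := range containers { // only-containers narrows first; a name also listed in skip-containers is skipped
		if (len(only) == 0 || only[c]) && !skip[c] {
			inj.Containers = append(inj.Containers, c)
		}
	}
	return inj
}
```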

RRSA SDK reference

Language: Go
Supported SDK version: Alibaba Cloud Credentials for Go 1.2.6 or later
Example: Go SDK example

Language: Java
Supported SDK version: Alibaba Cloud Credentials for Java 0.2.10 or later
Example: Java SDK example

Language: Python 3
Supported SDK version: Alibaba Cloud Credentials for Python 0.3.1 or later
Example: Python 3 SDK example

Language: Node.js and TypeScript
Supported SDK version: Alibaba Cloud Credentials for TypeScript/Node.js 2.2.6 or later
Example: Node.js and TypeScript example

Changelog

June 2024

Version: 0.1.1
Image address: registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.1.0-gbddcb74-aliyun
Description:
  • Improves compatibility with ACK Serverless clusters.
  • Enables automatic mounting of OIDC tokens and configuration of environment variables for application pods.
  • Supports ACS clusters.
Release date: June 30, 2024
Impact: An exception during the add-on upgrade may cause pod creation to fail. We recommend performing the upgrade during off-peak hours.