ack-pod-identity-webhook is a component that works with the RAM Roles for Service Accounts (RRSA) feature of Container Compute Service (ACS). It automatically injects the OpenID Connect (OIDC) tokens and environment variables that application pods need to access Alibaba Cloud services, so you don't need to configure these manually.
How it works
When a pod is created in a namespace labeled pod-identity.alibabacloud.com/injection: 'on', ack-pod-identity-webhook reads the service account annotations and injects the following into the pod:
Three environment variables: ALIBABA_CLOUD_ROLE_ARN, ALIBABA_CLOUD_OIDC_PROVIDER_ARN, and ALIBABA_CLOUD_OIDC_TOKEN_FILE
A projected volume that mounts the OIDC token at /var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token
Alibaba Cloud SDKs that support RRSA read these environment variables automatically — no code changes are needed to pass credentials.
Example
This example walks through setting up ack-pod-identity-webhook end to end. The application assumes a RAM role to list all clusters in the Alibaba Cloud account.
Resources used in this example:
Namespace: rrsa-demo
Service account: demo-sa
RAM role: ack-pod-identity-webhook-demo
Setup overview
Complete the following steps in order:
Enable RRSA — Required once per cluster.
Install ack-pod-identity-webhook — Required once per cluster.
Create a RAM role — Required for each unique set of permissions.
Attach a policy to the role — Required for each unique set of permissions.
Deploy an application — Required for each application that needs RRSA.
Verify injection — Confirm the webhook injected the expected configurations.
Check application output — Confirm the application can access the target resource.
Step 1: Enable RRSA
Log on to the ACS console. In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the cluster you want to manage. In the left-side navigation pane of the cluster details page, click Cluster Information.
Click the Basic Information tab. In the Cluster Information section, click Enable RRSA to the right of RRSA OIDC.
In the dialog that appears, click Confirm. When the cluster status changes from Updating to Running, RRSA is enabled. The URL and Alibaba Cloud Resource Name (ARN) of the identity provider (IdP) are displayed next to RRSA OIDC.
Step 2: Install ack-pod-identity-webhook
In the left-side navigation pane, choose Operations > Add-ons.
Click the Security tab, find ack-pod-identity-webhook, and click Install.
In the dialog that appears, confirm the information and click OK.
Step 3: Create the RAM role
Log on to the RAM console with an Alibaba Cloud account.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
On the Create Role page, select IdP in the Select Trusted Entity section, then click Next.
On the Configure Role page, set the following parameters and click OK.
| Parameter | Value |
|---|---|
| Role Name | ack-pod-identity-webhook-demo |
| IdP Type | OIDC |
| Select IdP | Select the IdP named ack-rrsa-<cluster_id>, where <cluster_id> is your cluster ID. |
| Conditions — oidc:iss | Use the default value. |
| Conditions — oidc:aud | Select sts.aliyuncs.com. |
| Conditions — oidc:sub | Set the condition operator to StringEquals and the value to system:serviceaccount:<namespace>:<serviceAccountName>. For this example, enter system:serviceaccount:rrsa-demo:demo-sa. |
Step 4: Attach a policy to the RAM role
Attach the AliyunCSReadOnlyAccess policy to the ack-pod-identity-webhook-demo role. For details, see Grant permissions to a RAM role.
Step 5: Deploy the application
Connect to your ACS cluster. For details, see Connect to a cluster.
Create a file named demo.yaml with the following content. The YAML below adds the pod-identity.alibabacloud.com/injection: 'on' label to the rrsa-demo namespace and the pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo annotation to the demo-sa service account, enabling auto injection. For the full RRSA demo source, see Code.
The registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0 image is pulled over the Internet. Make sure Internet access is enabled for the cluster. For details, see Enable an existing ACS cluster to access the Internet.
---
apiVersion: v1
kind: Namespace
metadata:
  name: rrsa-demo
  labels:
    pod-identity.alibabacloud.com/injection: 'on'
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo-sa
  namespace: rrsa-demo
  annotations:
    pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo
---
apiVersion: v1
kind: Pod
metadata:
  name: demo
  namespace: rrsa-demo
spec:
  serviceAccountName: demo-sa
  containers:
  - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
    imagePullPolicy: "Always"
    args:
    - rrsa
    - demo
    name: demo
  restartPolicy: OnFailure
Deploy the application:
kubectl apply -f demo.yaml
Step 6: Verify injection
Run the following command to check that ack-pod-identity-webhook has injected the required configurations into the pod:
kubectl -n rrsa-demo get pod demo -o yaml
The expected output is similar to:
apiVersion: v1
kind: Pod
metadata:
  annotations:
    ProviderCreate: done
    alibabacloud.com/client-token: 5e68e5bf-1726-4f5e-****-abe61d2c1cff
    alibabacloud.com/instance-id: acs-uf6008givz63ta2v****
    alibabacloud.com/pod-ephemeral-storage: 30Gi
    alibabacloud.com/pod-use-spec: 0.25-0.5Gi
    alibabacloud.com/request-id: 5914A73F-8B24-5B9B-****-400F6B632D44
    alibabacloud.com/schedule-result: finished
    alibabacloud.com/user-id: "1488999589******"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"demo","namespace":"rrsa-demo"},"spec":{"containers":[{"args":["rrsa","demo"],"image":"registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0","imagePullPolicy":"Always","name":"demo"}],"restartPolicy":"OnFailure","serviceAccountName":"demo-sa"}}
    kubernetes.io/pod-stream-port: "10250"
    kubernetes.io/preferred-scheduling-node: virtual-kubelet-cn-shanghai-g/1
    network.alibabacloud.com/allocated-eni-id: eni-uf6fhxwakz5b0d******
    network.alibabacloud.com/enable-dns-cache: "false"
    network.alibabacloud.com/security-group-id: sg-uf60h6mbwry22r******
    network.alibabacloud.com/security-group-ids: sg-uf60h6mbwry22r******
    network.alibabacloud.com/vpc-id: vpc-uf6ncu6tpunqchrrr****
    network.alibabacloud.com/vswitch-id: vsw-uf6g4yjk3kemgei******
    network.alibabacloud.com/vswitch-ids: vsw-uf6g4yjk3kemgei******
    topology.kubernetes.io/region: cn-shanghai
    topology.kubernetes.io/zone: cn-shanghai-g
  creationTimestamp: "2024-08-19T09:29:57Z"
  labels:
    alibabacloud.com/cluster-id: cbec9a1f7b433470ebe4c900552******
    alibabacloud.com/compute-class: general-purpose
    alibabacloud.com/compute-qos: default
    topology.kubernetes.io/region: cn-shanghai
  name: demo
  namespace: rrsa-demo
  resourceVersion: "6795900"
  uid: 57ab5f1d-32b7-4d9d-****-16a4f2c1a1fa
spec:
  containers:
  - args:
    - rrsa
    - demo
    env:
    - name: ALIBABA_CLOUD_ROLE_ARN
      value: acs:ram::1488999589******:role/ack-pod-identity-webhook-demo
    - name: ALIBABA_CLOUD_OIDC_PROVIDER_ARN
      value: acs:ram::1488999589******:oidc-provider/ack-rrsa-cbec9a1f7b433470ebe4c900552******
    - name: ALIBABA_CLOUD_OIDC_TOKEN_FILE
      value: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token
    - name: KUBERNETES_SERVICE_HOST
      value: 192.168.1.215
    - name: KUBERNETES_SERVICE_PORT
      value: "6443"
    image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
    imagePullPolicy: Always
    name: demo
    resources:
      limits:
        cpu: 250m
        ephemeral-storage: 30Gi
        memory: 512Mi
      requests:
        cpu: 250m
        ephemeral-storage: 30Gi
        memory: 512Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-lrcfl
      readOnly: true
    - mountPath: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens
      name: rrsa-oidc-token
      readOnly: true
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  nodeName: virtual-kubelet-cn-shanghai-g
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: OnFailure
  schedulerName: default-scheduler
  securityContext: {}
  serviceAccount: demo-sa
  serviceAccountName: demo-sa
  terminationGracePeriodSeconds: 30
  tolerations:
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
  volumes:
  - name: kube-api-access-lrcfl
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
  - name: rrsa-oidc-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: sts.aliyuncs.com
          expirationSeconds: 3600
          path: token
status:
  conditions:
  - lastProbeTime: null
    lastTransitionTime: "2024-08-19T09:29:57Z"
    message: The container instance is creating.
    reason: Creating
    status: "False"
    type: ContainerInstanceScheduled
  - lastProbeTime: null
    lastTransitionTime: "2024-08-19T09:30:10Z"
    status: "True"
    type: Initialized
  - lastProbeTime: null
    lastTransitionTime: "2024-08-19T09:30:13Z"
    status: "True"
    type: Ready
  - lastProbeTime: null
    lastTransitionTime: "2024-08-19T09:30:13Z"
    status: "True"
    type: ContainersReady
  - lastProbeTime: null
    lastTransitionTime: "2024-08-19T09:30:10Z"
    status: "True"
    type: ContainerHasSufficientDisk
  - lastProbeTime: null
    lastTransitionTime: "2024-08-19T09:30:12Z"
    status: "True"
    type: ContainerInstanceCreated
  - lastProbeTime: null
    lastTransitionTime: "2024-08-19T09:30:13Z"
    status: "True"
    type: PodReadyToStartContainers
  - lastProbeTime: null
    lastTransitionTime: "2024-08-19T09:30:12Z"
    status: "True"
    type: PodScheduled
  containerStatuses:
  - containerID: containerd://5d4f205e068372f30a90715016465562b9988a981cb285e81c76b5b0dc******
    image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
    imageID: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool@sha256:ad4172d3ed3d6dab23f09218f9d478295e93c163915aac9e4e38a90c4d******
    lastState: {}
    name: demo
    ready: true
    restartCount: 0
    started: true
    state:
      running:
        startedAt: "2024-08-19T09:30:13Z"
  hostIP: 192.168.1.5
  phase: Running
  podIP: 192.168.1.5
  podIPs:
  - ip: 192.168.1.5
  qosClass: Guaranteed
The output confirms that ack-pod-identity-webhook injected the following configurations:
| Field | Parameter | Description |
|---|---|---|
| env | ALIBABA_CLOUD_ROLE_ARN | ARN of the RAM role to assume |
| env | ALIBABA_CLOUD_OIDC_PROVIDER_ARN | ARN of the OIDC IdP |
| env | ALIBABA_CLOUD_OIDC_TOKEN_FILE | Path of the OIDC token file |
| volumeMounts | rrsa-oidc-token | Mounts the OIDC token into the container |
| volumes | rrsa-oidc-token | Defines the projected volume for the OIDC token |
Compatible SDKs read ALIBABA_CLOUD_ROLE_ARN, ALIBABA_CLOUD_OIDC_PROVIDER_ARN, and ALIBABA_CLOUD_OIDC_TOKEN_FILE automatically. See RRSA SDK demos for language-specific examples.
Step 7: Check application output
Run the following command to view the application logs:
kubectl -n rrsa-demo logs demo
Expected output:
cluster id: c66e40b731ab24f96b36bec5b1a******, cluster name: test-****
cluster id: cbec9a1f7b433470ebe4c900552******, cluster name: test-****
Each line corresponds to a cluster in the account, confirming that the application successfully assumed the RAM role and retrieved the cluster list.
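The Step 6 verification and the Step 3 trust condition, as an added example that is not part of this page or of the component: a small Python checker that walks a pod spec returned by kubectl, reports departures from the documented injection layout (the three environment variables, a read-only mount of the projected volume, the sts.aliyuncs.com audience and the 600–43200 second expiration range), and derives the oidc:sub value the RAM role must be bound to. The sample pod is constructed from the Step 6 output with the account and cluster IDs replaced by placeholders; the function names are hypothetical.

```python
TOKEN_DIR = "/var/run/secrets/ack.alibabacloud.com/rrsa-tokens"
REQUIRED_ENV = ("ALIBABA_CLOUD_ROLE_ARN", "ALIBABA_CLOUD_OIDC_PROVIDER_ARN",
                "ALIBABA_CLOUD_OIDC_TOKEN_FILE")


def expected_subject(pod):
    """oidc:sub the RAM role's StringEquals condition must carry for this pod (Step 3)."""
    return f"system:serviceaccount:{pod['metadata']['namespace']}:{pod['spec']['serviceAccountName']}"


def check_injection(pod, role_name):
    """Return a list of problems; an empty list means the spec matches the Step 6 layout."""
    problems, spec = [], pod["spec"]
    vol = next((v for v in spec.get("volumes", []) if v["name"] == "rrsa-oidc-token"), None)
    src = (vol or {}).get("projected", {}).get("sources", [{}])[0].get("serviceAccountToken", {})
    if src.get("audience") != "sts.aliyuncs.com":
        problems.append("projected token audience is not sts.aliyuncs.com")
    if not 600 <= src.get("expirationSeconds", 0) <= 43200:
        problems.append("token expirationSeconds is outside the documented 600-43200 range")
    for c in spec["containers"]:
        env = {e["name"]: e.get("value") for e in c.get("env", [])}
        missing = [n for n in REQUIRED_ENV if n not in env]
        if missing:
            problems.append(f"{c['name']}: missing env {', '.join(missing)}")
            continue
        if not env["ALIBABA_CLOUD_ROLE_ARN"].endswith(f":role/{role_name}"):
            problems.append(f"{c['name']}: ALIBABA_CLOUD_ROLE_ARN does not name role {role_name}")
        mount = next((m for m in c.get("volumeMounts", []) if m["name"] == "rrsa-oidc-token"), None)
        if mount is None or not mount.get("readOnly") or mount["mountPath"] != TOKEN_DIR:
            problems.append(f"{c['name']}: rrsa-oidc-token is not mounted read-only at {TOKEN_DIR}")
        elif env["ALIBABA_CLOUD_OIDC_TOKEN_FILE"] != TOKEN_DIR + "/token":
            problems.append(f"{c['name']}: ALIBABA_CLOUD_OIDC_TOKEN_FILE is not the mounted token")
    return problems


# Constructed sample trimmed from the Step 6 output; ACCOUNT_ID and CLUSTER_ID are placeholders.
SAMPLE_POD = {
    "metadata": {"name": "demo", "namespace": "rrsa-demo"},
    "spec": {
        "serviceAccountName": "demo-sa",
        "containers": [{"name": "demo", "env": [
            {"name": "ALIBABA_CLOUD_ROLE_ARN", "value": "acs:ram::ACCOUNT_ID:role/ack-pod-identity-webhook-demo"},
            {"name": "ALIBABA_CLOUD_OIDC_PROVIDER_ARN", "value": "acs:ram::ACCOUNT_ID:oidc-provider/ack-rrsa-CLUSTER_ID"},
            {"name": "ALIBABA_CLOUD_OIDC_TOKEN_FILE", "value": TOKEN_DIR + "/token"}],
            "volumeMounts": [{"name": "rrsa-oidc-token", "mountPath": TOKEN_DIR, "readOnly": True}]}],
        "volumes": [{"name": "rrsa-oidc-token", "projected": {"sources": [
            {"serviceAccountToken": {"audience": "sts.aliyuncs.com", "expirationSeconds": 3600, "path": "token"}}]}}],
    },
}
```

To run it against a live pod, load the output of kubectl -n rrsa-demo get pod demo -o yaml with a YAML parser and pass the resulting dict in place of SAMPLE_POD.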
Custom configurations
ack-pod-identity-webhook supports configuration at three levels: namespace, service account, and pod.
After updating service account annotations, restart the pod for the changes to take effect.
Namespace configuration
| Parameter | Type | Required | Description | Example |
|---|---|---|---|---|
| pod-identity.alibabacloud.com/injection | Label | Yes | Controls auto injection for all pods in the namespace. Set to on to enable. Any other value or leaving it blank disables injection. | pod-identity.alibabacloud.com/injection: 'on' |
apiVersion: v1
kind: Namespace
metadata:
  name: test
  labels:
    pod-identity.alibabacloud.com/injection: 'on'
Service account configuration
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| pod-identity.alibabacloud.com/role-name | Annotation | Yes | — | Name of the RAM role assigned to the service account. If left blank or set to an invalid value, auto injection does not take effect for pods using this service account. |
| pod-identity.alibabacloud.com/service-account-token-expiration | Annotation | No | 3600 | Validity period of the OIDC token (in seconds) mounted to pods using this service account. Valid range: 600–43200. The default value is used when set to an invalid value. |
When pod-identity.alibabacloud.com/service-account-token-expiration is set at both the service account and the pod level, the pod-level setting takes precedence.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/role-name: test-role
    pod-identity.alibabacloud.com/service-account-token-expiration: '3600'
Pod configuration
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| pod-identity.alibabacloud.com/service-account-token-expiration | Annotation | No | 3600 | Validity period of the OIDC token (in seconds) mounted to this pod. Valid range: 600–43200. The default value is used when set to an invalid value. Takes precedence over the service account-level setting. |
| pod-identity.alibabacloud.com/only-containers | Annotation | No | — | Comma-separated list of container names to inject configurations into. |
| pod-identity.alibabacloud.com/skip-containers | Annotation | No | — | Comma-separated list of container names to exclude from injection. |
When a container name appears in both pod-identity.alibabacloud.com/only-containers and pod-identity.alibabacloud.com/skip-containers, the entry in only-containers is ignored and the container is skipped.
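The namespace, service account and pod rules described in this section, as an added example that is not the webhook's own code: a Python model of the injection decision that applies the exact-'on' label check, the required role name, the pod-over-service-account precedence and 600–43200 range for the token expiration, and the skip-containers-wins rule. The sample labels and annotations are constructed to match the test namespace and test-sa manifests in this section; function names are hypothetical, and an invalid (as opposed to blank) role name can only be rejected by RAM itself, so only the blank case is modelled.

```python
PREFIX = "pod-identity.alibabacloud.com/"
DEFAULT_EXPIRATION, MIN_EXPIRATION, MAX_EXPIRATION = 3600, 600, 43200


def token_expiration(sa_annotations, pod_annotations):
    """Pod-level value wins over the service-account value; an invalid value falls back to the default."""
    for annotations in (pod_annotations, sa_annotations):
        raw = annotations.get(PREFIX + "service-account-token-expiration")
        if raw is None:
            continue
        try:
            seconds = int(raw)
        except ValueError:
            return DEFAULT_EXPIRATION
        return seconds if MIN_EXPIRATION <= seconds <= MAX_EXPIRATION else DEFAULT_EXPIRATION
    return DEFAULT_EXPIRATION


def _names(csv):
    """Split a comma-separated annotation value into a set of container names."""
    return {n.strip() for n in (csv or "").split(",") if n.strip()}


def plan_injection(ns_labels, sa_annotations, pod_annotations, container_names):
    """Return (role_name, expiration_seconds, containers to inject), or None when nothing is injected."""
    if ns_labels.get(PREFIX + "injection") != "on":    # the label must be exactly 'on'
        return None
    role = (sa_annotations.get(PREFIX + "role-name") or "").strip()
    if not role:                                         # blank role name: injection does not take effect
        return None
    only = _names(pod_annotations.get(PREFIX + "only-containers"))
    skip = _names(pod_annotations.get(PREFIX + "skip-containers"))
    # a name listed in both annotations is skipped: skip-containers wins over only-containers
    targets = [c for c in container_names if (not only or c in only) and c not in skip]
    return role, token_expiration(sa_annotations, pod_annotations), targets


# Constructed sample matching the manifests in this section (namespace test, service account test-sa).
NS_LABELS = {PREFIX + "injection": "on"}
SA_ANNOTATIONS = {PREFIX + "role-name": "test-role", PREFIX + "service-account-token-expiration": "1200"}
POD_ANNOTATIONS = {PREFIX + "only-containers": "controller,test", PREFIX + "skip-containers": "test"}

if __name__ == "__main__":
    print(plan_injection(NS_LABELS, SA_ANNOTATIONS, POD_ANNOTATIONS, ["controller", "test", "sidecar"]))
```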
apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/service-account-token-expiration: '3600'
    pod-identity.alibabacloud.com/only-containers: 'controller,test'
RRSA SDK demos
The following SDKs support RRSA. All examples read the injected environment variables automatically.
| Language | Minimum supported version | Demo |
|---|---|---|
| Go | Alibaba Cloud Credentials for Go 1.2.6 and later | SDK demos for Go |
| Java | Alibaba Cloud Credentials for Java 0.2.10 and later | SDK demos for Java |
| Python 3 | Alibaba Cloud Credentials for Python 0.3.1 and later | SDK demos for Python 3 |
| Node.js and TypeScript | Alibaba Cloud Credentials for TypeScript/Node.js 2.2.6 and later | SDK demos for Node.js and TypeScript |
Release notes
June 2024
| Version | Image | Changes | Release date | Impact |
|---|---|---|---|---|
| 0.1.1 | registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.1.0-gbddcb74-aliyun | Improved compatibility with ACK Serverless clusters. OIDC tokens and environment variables are automatically mounted and configured for application pods. ACS clusters are now supported. | 2024-06-30 | If exceptions occur during the component update, pods may fail to be created. Perform the update during off-peak hours. |