
I have been looking into managed identity and AKS cluster and this is my understanding:

  • I can assign only a single user managed identity to the AKS cluster.
  • I have to do the relevant role assignments to the identity for getting access.

Now my question is, let's say I have two different pods. One pod wants to access Key Vault and the other pod wants to access Azure DNS. The only way of making this work is modifying the user managed identity to give access to both the resources. But now it seems both the pods can access both the resources.

Now my question:

  • Is my above understanding right, and is this the usual way of doing things using AAD Pod Identity?
  • Is there a better way to do this to avoid the above security concern?

1 Answer


Regarding the managed identities in AKS, there are two things they are used for: the AKS cluster itself and its pods.

Regarding the managed identity for the cluster, that one is used to access several Azure resources, as described in the docs:

Currently, an Azure Kubernetes Service (AKS) cluster (specifically, the Kubernetes cloud provider) requires an identity to create additional resources like load balancers and managed disks in Azure. This identity can be either a managed identity or a service principal.

Then you have managed identities for pods. This is currently in preview and available on Linux nodes only! You can create more than one of them and assign permissions per identity. Then you need to add a pod identity that refers to the managed identity and use it when you deploy the pod.

You can have up to 200 pod identities this way.

So, back to this question:

Now my question is, let's say I have two different pods. One pod wants to access Key Vault and the other pod wants to access Azure DNS. The only way of making this work is modifying the user managed identity to give access to both the resources. But now it seems both the pods can access both the resources.

That is not correct; as stated, you can have multiple pod identities, each with their own access permissions.
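An added example of the two-identity layout the answer describes, written against the AAD Pod Identity CRDs (not code from the answer above). It assumes two user-assigned identities already exist; the subscription, resource group, client IDs and image are placeholders, and the Key Vault and DNS role assignments are made on each identity in Azure RBAC, not in these manifests.

```yaml
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: keyvault-identity
spec:
  type: 0   # user-assigned managed identity
  resourceID: /subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/keyvault-identity
  clientID: <KEYVAULT_IDENTITY_CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: keyvault-identity-binding
spec:
  azureIdentity: keyvault-identity
  selector: keyvault-app   # matches pods labelled aadpodidbinding=keyvault-app
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: dns-identity
spec:
  type: 0
  resourceID: /subscriptions/<SUB_ID>/resourceGroups/<RG>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dns-identity
  clientID: <DNS_IDENTITY_CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: dns-identity-binding
spec:
  azureIdentity: dns-identity
  selector: dns-app
---
apiVersion: v1
kind: Pod
metadata:
  name: keyvault-reader
  labels:
    aadpodidbinding: keyvault-app   # this pod is only issued tokens for keyvault-identity
spec:
  containers:
  - name: app
    image: <YOUR_IMAGE>
# The DNS pod is identical except for the label aadpodidbinding: dns-app,
# so it is issued tokens for dns-identity and cannot reach Key Vault.
```

Because the binding is decided by the pod label, anyone who can create pods with an arbitrary `aadpodidbinding` label can pick any identity in the namespace, so restrict that with RBAC or an admission policy.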