I have been looking into managed identities and AKS clusters, and this is my understanding:
- I can assign only a single user managed identity to the AKS cluster.
- I have to do the relevant role assignments to the identity for getting access.
Now my question is, let's say I have two different pods. One pod wants to access Key Vault and the other pod wants to access Azure DNS. The only way of making this work is modifying the user managed identity to give it access to both resources. But now it seems both pods can access both resources.
Now my questions:
- Is my above understanding right, and is this the usual way of doing things using AAD Pod Identity?
- Is there a better way to do this to avoid the above security concern?
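As an added illustration (not part of the question above), this is what the AAD Pod Identity binding model looks like when each workload gets its own user-assigned identity instead of sharing one: an `AzureIdentity` per identity, an `AzureIdentityBinding` with a selector, and the `aadpodidbinding` pod label that ties a pod to exactly one binding. Subscription, resource group, identity names, client IDs and images are placeholders; the Azure RBAC role assignments (Key Vault access for one identity, DNS Zone Contributor for the other) are done on each identity separately in Azure, not in this manifest.

```yaml
# Constructed example: two narrowly scoped identities, each bound only to
# pods carrying the matching aadpodidbinding label. All <...> values are placeholders.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: keyvault-reader
spec:
  type: 0   # 0 = user-assigned managed identity
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RG>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kv-reader-mi
  clientID: <KV_READER_CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: keyvault-reader-binding
spec:
  azureIdentity: keyvault-reader
  selector: keyvault-reader   # matches pods labelled aadpodidbinding: keyvault-reader
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: dns-writer
spec:
  type: 0
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RG>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dns-writer-mi
  clientID: <DNS_WRITER_CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: dns-writer-binding
spec:
  azureIdentity: dns-writer
  selector: dns-writer
---
apiVersion: v1
kind: Pod
metadata:
  name: keyvault-consumer
  labels:
    aadpodidbinding: keyvault-reader   # this pod can only obtain tokens for kv-reader-mi
spec:
  containers:
  - name: app
    image: <APP_IMAGE>
---
apiVersion: v1
kind: Pod
metadata:
  name: dns-updater
  labels:
    aadpodidbinding: dns-writer        # this pod can only obtain tokens for dns-writer-mi
spec:
  containers:
  - name: app
    image: <APP_IMAGE>
```

A pod without an `aadpodidbinding` label gets no identity at all, so a mislabelled or unlabelled workload fails closed rather than inheriting the cluster-wide identity's permissions.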