Commit 0967bc3

annotation -> label
1 parent f0f837c commit 0967bc3

1 file changed

+6
-1
lines changed

articles/aks/workload-identity-overview.md

Lines changed: 6 additions & 1 deletion
@@ -88,11 +88,16 @@ If you've used [Azure AD pod-managed identity][use-azure-ad-pod-identity], think
8888
|`azure.workload.identity/tenant-id` |Represents the Azure tenant ID where the<br> Azure AD application is registered. |AZURE_TENANT_ID environment variable extracted<br> from `azure-wi-webhook-config` ConfigMap.|
8989
|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the<br> projected service account token. It's an optional field that you configure to prevent downtime<br> caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. |3600<br> Supported range is 3600-86400.|
9090

91+
### Pod labels
92+
93+
|Label |Description |Recommended value |Required |
94+
|------|------------|------------------|---------|
95+
|`azure.workload.identity/use` | Represents the pod is to be used for workload identity. |true |Yes |
96+
9197
### Pod annotations
9298

9399
|Annotation |Description |Default |
94100
|-----------|------------|--------|
95-
|`azure.workload.identity/use` | Represents the pod is to be used for workload identity. |true |Yes |
96101
|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. <sup>1</sup> |3600<br> Supported range is 3600-86400. |
97102
|`azure.workload.identity/skip-containers` |Represents a semi-colon-separated list of containers to skip adding projected service account token volume. For example `container1;container2`. |By default, the projected service account token volume is added to all containers if the service account is labeled with `azure.workload.identity/use: true`. |
98103
|`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an Azure AD token on behalf of the user with federated identity credential. |true |
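
Review bot: The unchanged `azure.workload.identity/skip-containers` row (new line 102) still says the projected token volume is added "if the service account is labeled with `azure.workload.identity/use: true`", while the added Pod labels table documents `azure.workload.identity/use` as a required pod label. Please reconcile that sentence with the new table so readers know which object has to carry the label, since that decides whether the token volume is added. Two smaller points on the added row at new line 95: the column is headed "Recommended value" although the label is marked Required, so "Required value" or just "Value" would be clearer, and "Represents the pod is to be used for workload identity" would read better as "Indicates that the pod uses workload identity."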
