You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/aks/use-managed-identity.md
+5-5Lines changed: 5 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ ms.topic: article
5
5
ms.custom:
6
6
- devx-track-azurecli
7
7
- ignite-2023
8
-
ms.date: 02/27/2024
8
+
ms.date: 03/07/2024
9
9
---
10
10
11
11
# Use a managed identity in Azure Kubernetes Service (AKS)
@@ -24,12 +24,12 @@ When you deploy an AKS cluster, a system-assigned managed identity is automatica
24
24
25
25
AKS doesn't automatically create a [service principal](kubernetes-service-principal.md), so you have to create one. Clusters that use a service principal eventually expire, and the service principal must be renewed to avoid impacting cluster authentication with the identity. Managing service principals adds complexity, so it's easier to use managed identities instead. The same permission requirements apply for both service principals and managed identities. Managed identities use certificate-based authentication. Each managed identity's credentials have an expiration of *90 days* and are rolled after *45 days*.
26
26
27
-
AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable.
27
+
AKS uses both system-assigned and user-assigned managed identity types, and these identities are immutable. These identity types shouldn't be confused with a [Microsoft Entra Workload identity][workload-identity-overview], which is intended for use by an application running on a pod.
28
28
29
29
> [!IMPORTANT]
30
30
> The open source [Microsoft Entra pod-managed identity][entra-id-pod-managed-identity] (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project archived in Sept. 2023. For more information, see the [deprecation notice](https://github.com/Azure/aad-pod-identity#-announcement). The AKS Managed add-on begins deprecation in Sept. 2024.
31
31
>
32
-
> We recommend you first review [Microsoft Entra Workload ID][workload-identity-overview] overview. This authentication method replaces Microsoft Entra pod-managed identity (preview) and is the recommended method.
32
+
> We recommend you first review [Microsoft Entra Workload ID][workload-identity-overview] overview. Entra Workload ID authentication replaces Microsoft Entra pod-managed identity (preview) and is the recommended method to enable an application running on a pod to authenticate itself against other Azure services that support it.
33
33
34
34
## Before you begin
35
35
@@ -67,7 +67,7 @@ AKS uses several managed identities for built-in services and add-ons.
67
67
| Add-on | omsagent | Used to send AKS metrics to Azure Monitor. | Monitoring Metrics Publisher role | No
68
68
| Add-on | Virtual-Node (ACIConnector) | Manages required network resources for Azure Container Instances (ACI). | Contributor role for node resource group | No
69
69
| Add-on | Cost analysis | Used to gather cost allocation data ||
70
-
| OSS project | Microsoft Entra ID-pod-identity | Enables applications to access cloud resources securely with Microsoft Entra ID. | N/A | Steps to grant permission at [Microsoft Entra Pod Identity Role Assignment configuration](./use-azure-ad-pod-identity.md).
70
+
|Workload identity| Microsoft Entra workload ID| Enables applications to access cloud resources securely with Microsoft Entra workload ID. | N/A |No |
71
71
72
72
## Enable managed identities on a new AKS cluster
73
73
@@ -103,7 +103,7 @@ To update your existing AKS cluster that's using a service principal to use a sy
103
103
az aks update -g myResourceGroup -n myManagedCluster --enable-managed-identity
104
104
```
105
105
106
-
After updating your cluster, the control plane and pods use the managed identity. kubelet continues using a service principal until you upgrade your agentpool. You can use the `az aks nodepool upgrade --resource-group myResourceGroup --cluster-name myAKSCluster --name mynodepool --node-image-only` command on your nodes to update to a managed identity. A node pool upgrade causes downtime for your AKS cluster as the nodes in the node pools are cordoned/drained and reimaged.
106
+
After updating your cluster, the control plane and pods use the managed identity. Kubelet continues using a service principal until you upgrade your agentpool. You can use the `az aks nodepool upgrade --resource-group myResourceGroup --cluster-name myAKSCluster --name mynodepool --node-image-only` command on your nodes to update to a managed identity. A node pool upgrade causes downtime for your AKS cluster as the nodes in the node pools are cordoned/drained and reimaged.
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments