Commit f79e70e

Merge pull request #223174 from miwithro/patch-190
Update workload-identity-overview.md
2 parents 41ee4a0 + a33432f commit f79e70e

1 file changed (+5, -1 lines changed)

articles/aks/workload-identity-overview.md

Lines changed: 5 additions & 1 deletion
@@ -3,7 +3,7 @@ title: Use an Azure AD workload identities (preview) on Azure Kubernetes Service
33
description: Learn about Azure Active Directory workload identity (preview) for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.
44
services: container-service
55
ms.topic: article
6-
ms.date: 10/20/2022
6+
ms.date: 01/06/2023
77
author: mgoedtel
88

99
---
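Review bot: While the front matter is being touched to bump `ms.date`, the `title` shown in this hunk's context line reads "Use an Azure AD workload identities (preview)", pairing a singular article with a plural noun; change it to "Use an Azure AD workload identity (preview)" so the title agrees with the singular form used in `description` two lines below.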
@@ -96,8 +96,12 @@ If you've used [Azure AD pod-managed identity][use-azure-ad-pod-identity], think
9696

9797
### Pod annotations
9898

99+
> [!NOTE]
100+
> For applications using Workload Identity it is now required to add the label 'azure.workload.identity/use: "true"' in the pod labels in order for AKS to move Workload Identity to a "Fail Close" scenario before GA to provide a consistent and reliable behavior for pods that need to use workload identity.
101+
99102
|Annotation |Description |Default |
100103
|-----------|------------|--------|
104+
|`azure.workload.identity/use` |Represents the service account<br> is to be used for workload identity. | |
101105
|`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. <sup>1</sup> |3600<br> Supported range is 3600-86400. |
102106
|`azure.workload.identity/skip-containers` |Represents a semi-colon-separated list of containers to skip adding projected service account token volume. For example `container1;container2`. |By default, the projected service account token volume is added to all containers if the service account is labeled with `azure.workload.identity/use: true`. |
103107
|`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an Azure AD token on behalf of the user with federated identity credential. |true |
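Review bot: The new `azure.workload.identity/use` row is inconsistent with the text around it about which object carries this key and whether it is a label or an annotation: the added note calls it a label in the pod labels, the new row sits in a table headed "Annotation" and describes it as marking the service account, and the existing `skip-containers` row speaks of the service account being labeled with `azure.workload.identity/use: true`. Since the note describes a fail-close change in behavior, readers need one unambiguous statement of where the key goes (pod vs. service account, label vs. annotation); suggest stating that in the note and aligning the row with it. The row itself should read "Represents that the service account is to be used for workload identity." without the mid-sentence `<br>`, and its empty Default cell should be filled or marked as not applicable; the note would also help readers by saying in plain terms what "Fail Close" means for pods that lack the label, and by quoting the key/value with backticks (`azure.workload.identity/use: "true"`) in line with the rest of the table rather than single quotes.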

0 commit comments