Merge pull request #263844 from schaffererin/usepodmanagedidentitiesupdate

prmerger-automator[bot] · web-flow · commit f93403bfda8d · 2024-01-22T19:22:56.000Z
Adding clearer notice of the pod-managed identity deprecation and workload identity recommendation
diff --git a/articles/aks/operator-best-practices-identity.md b/articles/aks/operator-best-practices-identity.md
@@ -21,10 +21,19 @@ In this article, we discuss what recommended practices a cluster operator can fo
 > * Authenticate AKS cluster users with Microsoft Entra ID.
 > * Control access to resources with Kubernetes role-based access control (Kubernetes RBAC).
 > * Use Azure RBAC to granularly control access to the AKS resource, the Kubernetes API at scale, and the `kubeconfig`.
-> * Use a [managed identity][managed-identities] to authenticate pods with other services.
+> * Use a [workload identity](./workload-identity-overview.md) to access Azure resources from your pods.
 
 <a name='use-azure-active-directory-azure-ad'></a>
 
+> [!WARNING]
+> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
+>
+> If you have [Microsoft Entra pod-managed identity][aad-pod-identity] enabled on your AKS cluster or are considering implementing it,
+> we recommend you **review the [workload identity overview][workload-identity-overview] article** to understand our
+> recommendations and options to set up your cluster to use a Microsoft Entra Workload ID (preview).
+> This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities
+> to federate with any external identity providers.
+
 ## Use Microsoft Entra ID
 
 > **Best practice guidance**
@@ -118,24 +127,22 @@ There are two levels of access needed to fully operate an AKS cluster:
 
 ## Use pod-managed identities
 
-Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use *pod identities* to automatically request access using Microsoft Entra ID.
+> [!WARNING]
+> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
+>
+> If you have [Microsoft Entra pod-managed identity][aad-pod-identity] enabled on your AKS cluster or are considering implementing it,
+> we recommend you **review the [workload identity overview][workload-identity-overview] article** to understand our
+> recommendations and options to set up your cluster to use a Microsoft Entra Workload ID (preview).
+> This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities
+> to federate with any external identity providers.
 
-> [!NOTE]
-> Pod identities are intended for use with Linux pods and container images only. Pod-managed identities (preview) support for Windows containers is coming soon.
+
+Don't use fixed credentials within pods or container images, as they are at risk of exposure or abuse. Instead, use *pod identities* to automatically request access using Microsoft Entra ID.
 
 To access other Azure resources, like Azure Cosmos DB, Key Vault, or Blob storage, the pod needs authentication credentials. You could define authentication credentials with the container image or inject them as a Kubernetes secret. Either way, you would need to manually create and assign them. Usually, these credentials are reused across pods and aren't regularly rotated.
 
 With pod-managed identities (preview) for Azure resources, you automatically request access to services through Microsoft Entra ID. Pod-managed identities is currently in preview for AKS. Refer to the [Use Microsoft Entra pod-managed identities in Azure Kubernetes Service (Preview)](./use-azure-ad-pod-identity.md) documentation to get started.
 
-> [!NOTE]
-> If you have enabled [Microsoft Entra pod-managed identity][aad-pod-identity] on your AKS cluster or are considering implementing it,
-> we recommend you first review the [workload identity overview][workload-identity-overview] article to understand our
-> recommendations and options to set up your cluster to use a Microsoft Entra Workload ID (preview).
-> This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities
-> to federate with any external identity providers.
->
-> The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022.
-
 Microsoft Entra pod-managed identity (preview) supports two modes of operation:
 
 * **Standard** mode: In this mode, the following 2 components are deployed to the AKS cluster:
@@ -166,9 +173,9 @@ When pods request a security token from Microsoft Entra ID to access to an Azure
     * Identifies pods requesting access to Azure resources based on their remote address.
     * Queries the Azure Resource Provider.
 
-1. The Azure Resource Provider checks for Azure identity mappings in the AKS cluster.
-1. The NMI server requests an access token from Microsoft Entra ID based on the pod's identity mapping.
-1. Microsoft Entra ID provides access to the NMI server, which is returned to the pod.
+2. The Azure Resource Provider checks for Azure identity mappings in the AKS cluster.
+3. The NMI server requests an access token from Microsoft Entra ID based on the pod's identity mapping.
+4. Microsoft Entra ID provides access to the NMI server, which is returned to the pod.
     * This access token can be used by the pod to then request access to resources in Azure.
 
 In the following example, a developer creates a pod that uses a managed identity to request access to Azure SQL Database:
