Skip to content

feat: KSA support with AKS identity bindings #9687

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Dec 3, 2025
Merged

feat: KSA support with AKS identity bindings #9687

merged 1 commit into from
Dec 3, 2025
+1,028 −27

Conversation

@qweeah
Copy link
Contributor

@qweeah qweeah commented Nov 27, 2025
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

This PR adds support for Kubernetes Service Account (KSA) based authentication with identity bindings for the ACR credential provider. This enables secret-less ACR image pull via the Kubernetes API server's identity bindings endpoint for token exchange.

Key Changes:

  1. Configuration Enhancement:

    • Implemented comprehensive configuration parsing and validation in new cmd/acr-credential-provider/pkg/config package
    • Added CLI flags: --ib-sni-name, --ib-default-client-id, --ib-default-tenant-id, --ib-apiserver-ip

  2. Validation Logic:

    • Protocol prefix validation: Rejects https:// or http:// prefixes in SNI name
    • IP address format validation using net.ParseIP
    • Mutual dependency enforcement between SNI name and API server IP
    • Validates client/tenant ID requires SNI name to be set

  3. Identity Bindings Token Credential:

    • Implemented custom HTTP transport with SNI-based routing to configurable API server IP
    • Implemented OAuth2 client credentials flow with service account token exchange
    • Refactored to store token, client ID, and tenant ID directly in credential struct for improved performance

  4. Comprehensive Testing:

    • Added unit tests for configuration parsing (cmd/acr-credential-provider/pkg/config/identity_bindings_config_test.go) with 100% coverage
    • Added unit tests for identity bindings credentials (pkg/credentialprovider/identity_bindings_credentials_test.go)

  5. Code Organization:

    • Refactored configuration parsing from main.go to dedicated config package
    • Improved separation of concerns between CLI, configuration, and credential logic
    • Early resolution of client and tenant IDs from annotations or defaults during credential creation

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

  • API Server IP Configuration: The implementation uses a configurable API server IP (instead of hardcoded constant) to allow flexibility for different cluster configurations, though most AKS clusters use 10.0.0.1 as the cluster-internal API server address.

  • SNI-Based Routing: The custom dialer always resolves the SNI hostname to the configured API server IP, ensuring the TLS connection uses SNI for certificate validation while connecting to the correct cluster endpoint.

  • CA Certificate Rotation: The transport implementation detects CA certificate changes by comparing file content and rebuilds the transport with updated CA pool when rotation is detected.

  • Validation Strategy: The configuration validation enforces mutual dependencies (SNI name ↔ API server IP) to prevent misconfiguration. Protocol prefixes are rejected during parsing rather than being stripped.

  • Test Approach: The test suite uses httptest.NewUnstartedServer with self-signed certificates to test the full mTLS flow including custom dialer, TLS configuration, and token exchange logic.

  • Tenant ID for Future SDK Compatibility: The --ib-default-tenant-id parameter is included from day one to ensure smooth transition if the ACR credential provider switches to using the official Azure SDK in the future.

Does this PR introduce a user-facing change?

ACR credential provider now supports Kubernetes Service Account (KSA) based authentication with identity bindings. Configure via flags: --ib-sni-name, --ib-apiserver-ip, --ib-default-client-id, and --ib-default-tenant-id.

@k8s-ci-robot k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Nov 27, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 27, 2025

Hi @qweeah. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Nov 27, 2025
@github-actions github-actions bot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Nov 27, 2025
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 27, 2025
norshtein
norshtein reviewed Nov 27, 2025
View reviewed changes
clnv
clnv reviewed Nov 27, 2025
View reviewed changes
@qweeah qweeah force-pushed the qweeah/ksa-ib branch 4 times, most recently from a9fd321 to cfdc927 Compare November 28, 2025 06:12
norshtein
norshtein approved these changes Nov 28, 2025
View reviewed changes
Copy link

@norshtein norshtein left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Dec 1, 2025
mainred
mainred reviewed Dec 1, 2025
View reviewed changes
Copy link
Contributor

@mainred mainred left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not familiar with identity binding, but left some comments and hope they help.,

@nilo19
Copy link
Contributor

nilo19 commented Dec 1, 2025

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Dec 1, 2025
@nilo19 nilo19 requested a review from Copilot December 1, 2025 05:10
Copilot finished reviewing on behalf of nilo19 December 1, 2025 05:14
Copilot AI reviewed Dec 1, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for Kubernetes Service Account (KSA) based authentication with identity bindings for the ACR credential provider, enabling secret-less ACR image pull via the Kubernetes API server's identity bindings endpoint for token exchange.

Key changes include:

  • New identity bindings configuration parsing and validation with CLI flags (--ib-sni-name, --ib-default-client-id, --ib-default-tenant-id, --ib-apiserver-ip)
  • Custom HTTP transport with SNI-based routing to configurable API server IP
  • OAuth2 client credentials flow implementation using service account token exchange
  • Comprehensive test coverage for configuration parsing and credential operations

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 9 comments.

Show a summary per file
File Description
pkg/credentialprovider/identity_bindings_config.go Defines the IdentityBindingsConfig struct for identity bindings configuration
pkg/credentialprovider/identity_bindings_credentials.go Implements identityBindingsTokenCredential with custom transport, SNI routing, and OAuth2 token exchange
pkg/credentialprovider/identity_bindings_credentials_test.go Comprehensive unit tests for identity bindings credential creation and token retrieval
pkg/credentialprovider/azure_credentials.go Updates NewAcrProvider to support identity bindings as the highest priority credential type
pkg/credentialprovider/azure_credentials_test.go Updates existing tests to pass empty IdentityBindingsConfig parameter
cmd/acr-credential-provider/pkg/config/identity_bindings_config.go Configuration parsing and validation logic with protocol prefix checks and mutual dependency enforcement
cmd/acr-credential-provider/pkg/config/identity_bindings_config_test.go Unit tests for configuration parsing with 100% coverage of validation scenarios
cmd/acr-credential-provider/main.go Adds CLI flags for identity bindings configuration
cmd/acr-credential-provider/plugin.go Updates ExecPlugin to pass identity bindings config to credential provider
cmd/acr-credential-provider/plugin_test.go Updates test to pass empty IdentityBindingsConfig

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review for a chance to win a $100 gift card. Take the survey.

nilo19
nilo19 reviewed Dec 1, 2025
View reviewed changes
@nilo19
Copy link
Contributor

nilo19 commented Dec 1, 2025

@qweeah please check UT, linting, etc locally.

nilo19
nilo19 reviewed Dec 2, 2025
View reviewed changes
nilo19
nilo19 reviewed Dec 2, 2025
View reviewed changes
@nilo19
Copy link
Contributor

nilo19 commented Dec 3, 2025

/retest

@nilo19
Copy link
Contributor

nilo19 commented Dec 3, 2025

Do we have unit tests to cover http proxy case?

@qweeah
Copy link
Contributor Author

qweeah commented Dec 3, 2025

Do we have unit tests to cover http proxy case?

Added nil proxy check in the unit test @nilo19

@nilo19
Copy link
Contributor

nilo19 commented Dec 3, 2025

/test pull-cloud-provider-azure-e2e-capz

@nilo19
Copy link
Contributor

nilo19 commented Dec 3, 2025

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 3, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 3, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: clnv, mainred, nilo19, norshtein, qweeah

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 3, 2025
@k8s-ci-robot k8s-ci-robot merged commit b452751 into kubernetes-sigs:master Dec 3, 2025
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nilo19 nilo19 nilo19 left review comments

Copilot code review Copilot Copilot left review comments

@mainred mainred mainred approved these changes

@cheftako cheftako Awaiting requested review from cheftako

+2 more reviewers

@clnv clnv clnv approved these changes

@norshtein norshtein norshtein approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@nilo19 nilo19

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@qweeah @k8s-ci-robot @nilo19 @mainred @clnv @norshtein