Azure kubernetes - 多个托管标识？

Question

We are planning to deploy multiple applications on our single Azure kubernetes cluster, each application will have its own set of Azure resources - eg: Key vault, Storage.

I am planning to provision individual managed identities per application and provide access to the relevant resources.

I know that AZURE AAD POD identify is the way to configure the pod to make use of the managed identity to access the Azure resources.

However how do I add multiple managed identity into the Azure kubernetes cluster? and is this the right of implementing?

Answer 1

As I mentioned before, I don't think you can add multiple MSIs to the cluster, you can just use a system-assigned MSI or user-assigned MSI for it.

Reference -Use managed identities in Azure Kubernetes Service

In your case, if you want to use different service principals to authenticate(essentially MSI is also a service principal managed by Azure), you can create multiple AD Apps along with the service principals.

Reference - How to: Use the portal to create an Azure AD application and service principal that can access resources

Then in the code of every application, use ClientSecretCredential to authenticate.

ClientSecretCredential credential1 = new ClientSecretCredentialBuilder()
     .tenantId(tenantId)
     .clientId(clientId)
     .clientSecret(clientSecret)
     .build();

Then use the credential to create a client eg SecretClient .

SecretClient secretClient = new SecretClientBuilder()
    .vaultUrl("<your-key-vault-url>")
    .credential(credential1)
    .buildClient();