
Managed Identities support

Open ezYakaEagle442 opened this issue 4 years ago • 22 comments

Managed Identities support in ARO are required by customers to avoid managing Service Principals.

@sakthi-vetrivel @kagowda

ezYakaEagle442 avatar May 04 '21 14:05 ezYakaEagle442

@rahulm23 could you add an update on this please ?

ezYakaEagle442 avatar Dec 02 '21 12:12 ezYakaEagle442

FYI AWS ROSA uses STS tokens

ezYakaEagle442 avatar Dec 10 '21 17:12 ezYakaEagle442

An update on this would be appreciated

stephensabeygov avatar Apr 24 '22 04:04 stephensabeygov

@sakthi-vetrivel Using Azure KeyVault with Red Hat OpenShift and then using a Service Principal to connect to KeyVault and storing the secret in K8 Secrets is another level of indirection which is not secure. Can you advise if RedHat will support managed identities, as it is technically possible or not? If not technically possible, let your customers know so we can determine better options.

Rajan-Gupta1 avatar Apr 24 '22 20:04 Rajan-Gupta1

Will this backlog item be updated to indicate support for "Azure Workload Identity"? (https://github.com/Azure/azure-workload-identity)

stephensabeygov avatar Apr 27 '22 16:04 stephensabeygov

Looks like ARO does not support Managed Identities yet. Any update on this please?

nagpradis avatar Aug 04 '22 13:08 nagpradis

So, it's been about a year and a half since this was added to the roadmap (more specifically: was created and had a tag attached). Can we get an update, please? As @Rajan-Gupta1 notes, current workarounds are not fully secure. And AKS supports MIs...

trdrake-tw avatar Sep 07 '22 00:09 trdrake-tw

Will this backlog item be updated to indicate support for "Azure Workload Identity"? (https://github.com/Azure/azure-workload-identity) see https://github.com/Azure/OpenShift/issues/249

trdrake-tw avatar Sep 08 '22 14:09 trdrake-tw

Thanks for the link to #249 - I had not realized that it was created and is actually In Progress! That is great news, but shouldn't this issue be closed now with an indication that support for Managed Identities will be added through Azure Workload Identity?

stephensabeygov avatar Sep 14 '22 21:09 stephensabeygov

Personally, I would agree ;)

trdrake-tw avatar Sep 14 '22 21:09 trdrake-tw

May I know any progress on this?

mtangtir avatar May 29 '23 08:05 mtangtir

May I know the progress?

AnandKatta avatar Sep 20 '23 10:09 AnandKatta

This feature is in development with the development of 4.14. @0kashi would you mind adding some details on the feature and goals that we are driving towards?

jboutaud avatar Sep 20 '23 11:09 jboutaud

Please provide some reference links for the implementation

AnandKatta avatar Sep 20 '23 13:09 AnandKatta

Implementation documents are currently unavailable as the feature is not yet available. Nevertheless, Azure Red Hat OpenShift intends to employ workload identities within the cluster while also extending this capability to customer workloads. This new architecture won't rely on Service Principals. Instead, core cluster operators will utilize user-assigned managed identities and workload identity federation to acquire short-term credentials. To support customer workloads, we expect the process to be to create a managed identity with a federated identity credential in the cluster's tenant, which includes the OIDC issuerURL, and set the annotation on the workload's service account.

We anticipate offering a preview of this functionality in early 2024.

It's important to note that this change will not impact existing clusters, and the ability to create Service Principal-based clusters will remain unchanged. This feature just introduces the option to create additional clusters using managed identities instead of Service Principals.

*Please be aware that timelines and forward-looking statements are subject to change.

0kashi avatar Sep 20 '23 20:09 0kashi
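The customer-workload flow sketched in the comment above (managed identity, federated identity credential bound to the cluster's OIDC issuer, annotation on the service account), written out as an added example; this is not ARO project code, and the resource group, identity, namespace and service-account names are assumptions. It uses the `az` and `kubectl` CLIs, and checks the issuer and subject before creating anything.

```shell
#!/bin/sh
# Added example, not from the ARO project. Binds a user-assigned managed identity
# to a Kubernetes service account with a federated identity credential.
set -e

RG="${RG:-aro-app-rg}"                  # resource group holding the identity (assumed)
IDENTITY="${IDENTITY:-app-workload-mi}" # user-assigned managed identity name (assumed)
NAMESPACE="${NAMESPACE:-app}"           # workload namespace (assumed)
SA="${SA:-app-sa}"                      # workload service account (assumed)
ISSUER="${ISSUER:-}"                    # cluster OIDC issuer URL; must be supplied by the operator
AUDIENCE="api://AzureADTokenExchange"   # audience Entra ID expects on federated tokens

# Subject claim of the projected service-account token. The federated credential
# must match it exactly, so a typo here silently fails the token exchange.
wi_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# Entra ID only federates against OIDC discovery served over TLS.
wi_check_issuer() { case "$1" in https://*) return 0 ;; *) return 1 ;; esac; }

# Create the identity, bind it to exactly one service account, and annotate that
# service account with the identity's client ID. Prints the client ID.
wi_bind() {
  ns="$1"; sa="$2"; issuer="$3"
  wi_check_issuer "$issuer" || { echo "issuer must be an https URL: $issuer" >&2; return 1; }
  subject="$(wi_subject "$ns" "$sa")"
  az identity create -g "$RG" -n "$IDENTITY" -o none
  client_id="$(az identity show -g "$RG" -n "$IDENTITY" --query clientId -o tsv)"
  # issuer + subject + audience together scope which tokens may be exchanged
  az identity federated-credential create -g "$RG" --identity-name "$IDENTITY" \
    -n "${sa}-fic" --issuer "$issuer" --subject "$subject" --audiences "$AUDIENCE" -o none
  kubectl -n "$ns" annotate serviceaccount "$sa" \
    "azure.workload.identity/client-id=${client_id}" --overwrite
  printf '%s' "$client_id"
}

# Only run the real flow when an issuer URL was supplied.
if [ -n "$ISSUER" ]; then
  wi_bind "$NAMESPACE" "$SA" "$ISSUER"
fi
```

Pods that should receive the projected token also need the `azure.workload.identity/use: "true"` label so the workload identity webhook injects the token volume and environment variables.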

@0kashi Is this feature available for preview? Mainly I want to disable the "Allow storage account key access" setting used by both of the storage accounts created by ARO. Is this the right functionality for it, or is there already a way to disable access via shared key access?

mqasimsarfraz avatar Apr 23 '24 19:04 mqasimsarfraz

@mqasimsarfraz - This feature is undergoing active development and is not currently available as preview.

0kashi avatar May 04 '24 00:05 0kashi