I have been looking into managed identity and AKS cluster and this is my understanding:
Now my question is, let's say I have two different pods. One pod wants to access keyvault and the other pod wants to access Azure DNS. The only way of making this work is modifying the user managed identity to give access to both the resources. But now it seems both the pods can access both the resources. Now my question:
(Sorry for the cross post, I wasn't aware of the Q/A available here in github and posted the same question to StackOverflow)
Yes, that's correct. If you have `--enable-managed-identity` enabled when you create an AKS cluster, it will create one for you. That user-assigned identity is for cluster-wide operations.

In your use-case, you can create two new user-assigned identities (grant the first one access to keyvault and the second one to Azure DNS) and use aad-pod-identity to assign those identities to your pods. NMI will perform validations to make sure only the correct pod can access the correct identity.
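As an added example (not from the original thread or from the aad-pod-identity project), here are the manifests that implement the two-identity split described in the reply above; the identity names, the `app` namespace and every `<...>` placeholder are assumptions:

```yaml
# Two user-assigned identities, each bound to exactly one pod via its aadpodidbinding label.
# Placeholders in <...> are assumptions: use your subscription, resource group and the clientId
# of each identity. Granting keyvault-reader access to the vault and dns-updater access to the
# DNS zone happens on the Azure side (role assignment / access policy), not in these manifests.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata: {name: keyvault-reader, namespace: app}
spec:
  type: 0   # 0 = user-assigned managed identity
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/keyvault-reader
  clientID: <KEYVAULT_READER_CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata: {name: keyvault-reader-binding, namespace: app}
spec:
  azureIdentity: keyvault-reader
  selector: keyvault-reader   # only pods labelled aadpodidbinding=keyvault-reader get this identity
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata: {name: dns-updater, namespace: app}
spec:
  type: 0
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/dns-updater
  clientID: <DNS_UPDATER_CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata: {name: dns-updater-binding, namespace: app}
spec:
  azureIdentity: dns-updater
  selector: dns-updater
---
# Each pod carries one selector label. NMI intercepts the pod's IMDS token request and only
# issues a token for the identity whose binding matches that label, so the DNS pod cannot
# obtain a Key Vault token and the Key Vault pod cannot obtain a DNS token.
apiVersion: v1
kind: Pod
metadata: {name: secrets-consumer, namespace: app, labels: {aadpodidbinding: keyvault-reader}}
spec:
  containers: [{name: app, image: <YOUR_IMAGE>}]
---
apiVersion: v1
kind: Pod
metadata: {name: dns-sync, namespace: app, labels: {aadpodidbinding: dns-updater}}
spec:
  containers: [{name: app, image: <YOUR_IMAGE>}]
```

The cluster's own identity from `--enable-managed-identity` is left untouched; neither pod is bound to it, so widening its permissions is no longer necessary.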