Share via

Enabling Managed Identity from SPN on VMSS based AKS clusters

Chakraborty, Shubham 60 Reputation points
Nov 12, 2024, 11:50 PM

We are currently enabling Managed Identity on the AKS clusters which are SPN based for configuring Prometheus monitoring rules.

Regarding the MI enablement activity we have the below query, please help us with the solution:

  • For the AKS cluster which are currently SPN based, application team is using the SPN in their CI/CD pipeline for performing the jobs from their end. If we enable system based Managed Identity on the respective AKS cluster, will there be any impact on the application connectivity for Application team in CI/CD pipeline?
  • Will there be any downtime in CI/CD pipelines after changing from SPN to MI and where are the logs related to SPN to MI enablement stored for the AKS cluster?
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,178 questions
0 comments No comments
{count} votes

Accepted answer
  1. Akshay kumar Mandha 1,500 Reputation points Microsoft Vendor
    Nov 13, 2024, 12:27 PM

    Hi Chakraborty, Shubham,
    Welcome to the Microsoft Q&A Platform. Thank you for posting your query here.

    Based on your query, what I understand is that you are currently transitioning from SPN to MI. During this process, you want to know if there will be any downtime impact on CI/CD. Additionally, you would like to know where to check the related to specific changes logs if that is the case.

    In the official documentation doesn’t specifically mention downtime during the transition, but it’s important to ensure that everything is properly configured before making the switch. This includes setting up the necessary permissions and roles for the Managed Identity. As long as the CI/CD pipeline is updated to authenticate using Managed Identity, and all required roles are in place, the transition should cause minimal disruption. To minimize risks, it's a good idea to test the Managed Identity authentication in a staging environment before applying the change in production. This will help ensure the pipeline can authenticate and interact with Azure resources without issues.

    Regarding the log while the documentation doesn’t explicitly mention logs for this specific changeover related to SPN to MI, you can use Azure Activity Logs and Azure Monitor to track identity related activities and any access issues during the process. Azure Activity Logs will provide insights into role assignments and other identity-related actions, while Azure Monitor can help track metrics and logs related to the usage of Managed Identity within the AKS cluster.

    Please refer below document for more information. If you are already familiar with it, that's great.
    Use a managed identity in Azure Kubernetes Service (AKS)

    If you need any additional information, please let us know by tagging me in a comment, and we will be happy to help as needed

    If you found this information helpful, please click an accepting the answer and "Upvote" on my post for other community members referenceUser's image


0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.