.NET REST service running in Azure Kubernetes Service needs to access Azure Key Vault protected with AAD

Amar-Azure-Practice 661 Reputation points
2020-08-16T04:13:44.29+00:00

Hi All,

Please let me know if my below design works fine

I have a .NET Core REST service running in Azure Kubernetes; this .NET service needs to access Azure Key Vault (protected with Azure Active Directory) to get access to the keys and secrets.

I have assigned the system-assigned service principal to my Kubernetes Service cluster; for this service principal I will provide read access to Azure Key Vault.

Does this design work?


Accepted answer
  1. prmanhas-MSFT 17,891 Reputation points Microsoft Employee
    2020-08-17T07:52:59.197+00:00

    @Amar-Azure-Practice Apologies for the delay in response and all the inconvenience caused because of the issue.

    Use of managed identity for Azure resources lets a pod authenticate itself against Azure services that support it, such as Storage or SQL. The pod is assigned an Azure identity that lets it authenticate to Azure Active Directory and receive a digital token. This digital token can be presented to other Azure services, which check whether the pod is authorized to access the service and perform the required actions. This approach means that no secrets are required for database connection strings. Hence assigning a system-assigned managed identity is a good approach.

    With a managed identity, your application code doesn't need to include credentials to access a service, such as Azure Storage. As each pod authenticates with its own identity, you can audit and review access. If your application connects with other Azure services, use managed identities to limit credential reuse and risk of exposure.

    You can refer to this article for detailed approach on best security practices with AKS.

    As mentioned in this article, "If you're using a service principal, grant permissions for it to access your key vault and retrieve secrets. Assign the Reader role, and grant the service principal permissions to get secrets from your key vault", which, as mentioned in the query, has already been done and should be sufficient for the integration part.

    Hope it helps!!!

    Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

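The pattern the accepted answer describes, as an added example that is not from the original post or from any Microsoft sample: a .NET Core service reads one Key Vault secret using the managed identity presented to the pod, with no client secret in the image. It assumes the NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets, a hypothetical KEYVAULT_URI environment variable set in the pod spec, and that the identity the pod actually uses has been granted the "get" secret permission on the vault.

```csharp
// Added example, not code from the original post. Assumes the Azure.Identity and
// Azure.Security.KeyVault.Secrets packages and a KEYVAULT_URI env var (hypothetical
// name) in the pod spec; the identity must hold the "get" secret permission.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultSecrets
{
    // The vault URI is configuration, not a secret, so it can live in pod env vars.
    private static readonly Uri VaultUri =
        new Uri(Environment.GetEnvironmentVariable("KEYVAULT_URI")
                ?? throw new InvalidOperationException("KEYVAULT_URI is not set"));

    // ManagedIdentityCredential requests an AAD token from the identity endpoint the
    // pod has been given; nothing credential-like is baked into the container image.
    private static readonly SecretClient Client =
        new SecretClient(VaultUri, new ManagedIdentityCredential());

    public static async Task<string> GetSecretValueAsync(string secretName)
    {
        try
        {
            // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
            KeyVaultSecret secret = await Client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was issued but the identity lacks the "get" secret permission:
            // fix the vault's access policy or role assignment, not the code.
            throw new InvalidOperationException(
                $"Identity is not permitted to read secret '{secretName}'", ex);
        }
        catch (AuthenticationFailedException ex)
        {
            // No managed identity was available to this pod (identity not bound).
            throw new InvalidOperationException(
                "Managed identity token could not be obtained", ex);
        }
    }
}
```

Distinguishing the 403 from the token failure matters operationally: the first is a permission problem on the vault, the second means the pod is not actually receiving the identity the cluster was assigned.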