We have discuss setting up workload identity in AKS to be used with application containers we deploy to AKS in the post "Setting Up Azure Workload Identity for Containers in Azure Kubernetes Services (AKS) Using Terra- Improved Security for Contianers in AKS". Kubernetes Event Drivern Autoscaling (KEDA) is the mechanism we need to use when we want to scale our deployments, or specially kubernetes jobs (A pod that runs for completion). In this post let's look at how to setup KEDA with workload identity, so that we can use KEDA in a later posts to run a Kubernets job, autoscaled based on the messages received to a storage queue or Azure service bus.
To get KEDA setup on AKS we can use helm. We have discussed setting up helm in WSL in the post here. As the first step we need to setup federated identity credential with the user assigned identity used for AKS, which we have discussed in detail in "Setting Up Azure Workload Identity for Containers in Azure Kubernetes Services (AKS) Using Terra- Improved Security for Contianers in AKS". Note that the namespace we are using for Keda is keda and the service account we are going to setup later is named as keda-operator.
# Federated identity credential for AKS user assigned id - used with workload identity service account for KEDA resource "azurerm_federated_identity_credential" "keda" { name = "${var.prefix}-${var.project}-${var.environment_name}-aks-keda-fic-${var.deployment_name}" resource_group_name = var.rg_name audience = ["api://AzureADTokenExchange"] issuer = azurerm_kubernetes_cluster.aks_cluster.oidc_issuer_url # Open id connect issue url from AKS parent_id = var.user_assigned_identity # user assigned identity id (Azure resource id) subject = "system:serviceaccount:keda:keda-operator" # system:serviceaccount:aksapplicationnamespace:workloadidentityserviceaccountname (to be created after AKS cluster is setup) depends_on = [ azurerm_kubernetes_cluster.aks_cluster ] lifecycle { ignore_changes = [] } }
Terraform will setup federated identity credential as shown below.
Next we need to setup namespace keda once the cluster is up and running. We can use kubectl to apply below yaml to get the namespace keda created.
We need to setup the service account as well using below yaml. Replace ${sys_aks_uai_client_id}$ in the yaml to the client id of the user assigned identity used for AKS. Replace ${tenantid}$ with the Azure tenant id.
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
azure.workload.identity/client-id: ${sys_aks_uai_client_id}$ # ${sys_aks_uai_client_id}$
azure.workload.identity/tenant-id: ${tenantid}$ # "${tenantid}$"
name: keda-operator # Referred by AKS user assigned identity federated credential
namespace: keda
We can get the user assigned identity from terraform using output variables as shown below.
Then we can use below .sh file in WSL to run helm install for KEDA. Again replace ${sys_aks_uai_client_id}$ and ${tenantid}$ in the .sh file.
As you can see in above we are setting up Keda in keda namespace. We are requesting to use the service account we have created previously, instead of creating a new one as the service account we have created correctly setup with the user assigned identity of AKS as workload identity.
With this our intial setup requirement for KEDA is completed and we can see below deployments running in keda namespace.
The keda-oprator and keda-oprator-metrics-apiserver containers will have folowing shown environment variables injected, so that the scaling with Aure service bus queue or Azure storage queue can be done with KEDA autorizing with Azure workload identity for AKS.
For service bus it should be as below.
No comments:
Post a Comment