
I'm trying to use pod identity in conjunction with KEDA to access some Azure resources, Azure Service Bus & Keyvaults to be precise.

I noticed the aadpodbinding should be set when deploying the operator according to these instructions. I am probably misinterpreting the instructions because the way I read it is that I need to have a single aadpodbinding ie. have some sort of cluster-wide "keda-identity"?

I wonder how I could utilize pod identity in my scenario: I want to have a separate identity for every solution running in my AKS cluster. These identities will provide the solutions with access to Azure resources and then I want to use those identities to provide the authentication as well for KEDA. I do not want a shared identity to access multiple resources on my subscription.

Surely this is possible and I am misinterpreting the instructions somehow (not being a native English speaker)?

  • Check the documentation of pod identity (https://github.com/Azure/aad-pod-identity). You can create multiple `AzureIdentity` and related `AzureIdentityBinding`. Then the `aadpodbinding` label needs to match the selector of the `AzureIdentityBinding`. – Thomas Jun 30 '20 at 23:16
  • Thanks Thomas. I understand this part, but is there a way to pass multiple different `aadpodbinding` values to be used by the KEDA operator for better resource isolation between solutions? – Kim Lindqvist Jul 01 '20 at 07:15
  • Or if not, do you know how I could syntactically add multiple `aadpodbinding` values to the deployment? I understand this latter question is more of a pod identity question and doesn't have anything to do with KEDA. – Kim Lindqvist Jul 01 '20 at 07:24
  • Following the pod identity documentation (https://github.com/Azure/aad-pod-identity#3-deploy-azureidentity) you should be able to map as many managed identities/service principals as you'd like. – Thomas Jul 01 '20 at 08:36
  • Hmm, I'm probably a bit slow here, but I guess it is then so that I am interpreting this wrong: "Azure AD Pod Identity will give access to containers with a defined label for aadpodidbinding. You can set this label on the KEDA operator deployment. This can be done for you during deployment with Helm with --set aadPodIdentity={your-label-name}." The way I understand it is that the operator will be bound to a single label. I will have multiple; each solution will have a different one. I would like to avoid having a keda-identity that is bound to every single solution. – Kim Lindqvist Jul 01 '20 at 11:13
  • Also, I understand that you can have n identities and bindings, but how would I syntactically add multiple to the deployment: `metadata: name: demo labels: aadpodidbinding: $IDENTITY_NAME aadpodidbinding: $ANOTHER_IDENTITY`. For example, doing the above I still only get 1 binding for the deployment. – Kim Lindqvist Jul 01 '20 at 11:15
  • Sorry, I'm not familiar with KEDA; could you create an identity just for KEDA? – Thomas Jul 01 '20 at 19:42

1 Answer


You can add pod identity binding using the command:

helm install keda kedacore/keda --set podIdentity.activeDirectory.identity=app-autoscaler --namespace keda

But this didn't make my day to successfully scale the KEDA scaler using pod identity trigger auth.

I tried opening a new query here to try to get it scaled using the pod identity trigger.

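As an added example (not from the question, the answer, or the KEDA project), here are the manifests that wire the single operator binding set by the helm command above to a Service Bus trigger: the binding's selector must equal the label the helm flag puts on the operator pod, which is the point Thomas makes in the comments. The identity name "app-autoscaler", the "keda" and "default" namespaces, the Service Bus namespace "sb-orders", the queue "orders", and the angle-bracket placeholders are assumptions.

```yaml
# Added example. Assumed names: identity "app-autoscaler" (same value as the helm
# flag above), Service Bus namespace "sb-orders", queue "orders". Replace the
# <...> placeholders with your own subscription, resource group and client id.
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: app-autoscaler
  namespace: keda
spec:
  type: 0   # 0 = user-assigned managed identity
  resourceID: /subscriptions/<SUBSCRIPTION_ID>/resourcegroups/<RESOURCE_GROUP>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/app-autoscaler
  clientID: <CLIENT_ID>
---
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: app-autoscaler-binding
  namespace: keda
spec:
  azureIdentity: app-autoscaler
  # Must equal the aadpodidbinding label on the KEDA operator deployment.
  # The operator runs as this one identity for every trigger it evaluates, so
  # its Service Bus role assignment (done outside this manifest) should be
  # scoped to the namespaces/queues KEDA actually needs to read.
  selector: app-autoscaler
---
apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: servicebus-pod-identity
  namespace: default
spec:
  podIdentity:
    provider: azure   # no connection string is stored in the cluster
---
apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: orders-consumer
  namespace: default
spec:
  scaleTargetRef:
    name: orders-consumer   # deployment to scale (assumed name)
  triggers:
  - type: azure-servicebus
    metadata:
      namespace: sb-orders  # required when pod identity replaces the connection string
      queueName: orders
      messageCount: "5"
    authenticationRef:
      name: servicebus-pod-identity
```

The TriggerAuthentication must live in the same namespace as the ScaledObject that references it, while the AzureIdentity and AzureIdentityBinding live alongside the operator.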