Allow projected volumes / Allow certain volumes - Support Azure Workload Identity #1078
Description
Describe the solution you'd like
I would like to be able to use the operator in AKS with workload identity enabled. This requires that additional volumes can be added on the fly to the pod definition.
I think this is a special case of #586.
Background
I am running an AKS cluster with workload identity enabled. This allows pods to use an annotated service account that can be used to access protected Azure resources.
The pod get s this label: azure.workload.identity/use: "true"
The service-account get's this annotation: azure.workload.identity/client-id: "<USER_ASSIGNED_CLIENT_ID
This requires that the pod gets a new volume, which looks like this:
- name: azure-identity-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
audience: api://AzureADTokenExchange
expirationSeconds: 3600
path: azure-identity-token
Due to some checks, the pod is being restarted as the operator determines that the volumes are different.
This hinders me to use Azure Workload Identity as authentication method e.g. in the azure-vm-agents plugin.
Describe alternatives you've considered
I would like to either
- have an exception like the hotfix for K8S 1.21, which ignores
kube-api-access-<random-suffix>as volume name, or - the possibility to configure which volumes should be ignored by a list of patterns which are ignored.
Additional context
Microsoft Entra Workload ID uses Service Account Token Volume Projection (that is, a service account), to enable pods to use a Kubernetes identity. A Kubernetes token is issued and OIDC federation enables Kubernetes applications to access Azure resources securely with Microsoft Entra ID, based on annotated service accounts.