using Pod identity in Azure AKS to authenticate to Azure DB; a step towards Zero Trust network

-

A common and on-going challenge for teams is how to manage their sensitive credentials like DB connection strings, Storage Keys and etc... And the market is not in short of tools that can help to store and retrieve these secrets. tools like AWS Secret Manager, HashiCorp KeyVault, Azure Key Vault.

But even with this nice tools governing these systems and putting best practices around how developers and app retrieve these credentials and rotating them on a regular basis is a challenge that has no silver bullet for it. Managed Identity comes handy to eliminate the needs for developers to manage/rotate credentials any longer.     

The current situation at my client: In the current team I am working the application relies heavily on SQL Server that is hosted in Azure SQ. Both Developers in their local environment as well as the App running in Azure AKS are accessing SQL DB via the conventional Connection String that consist of Username and Password. we have created a new SQL user for each developer to access the DEV DB, and all of the applications are using a Shared credentials to access the Database. Managing the SQL users and protecting and rotating those shared credentials has felt like a task that nobody enjoyed dealing with.

To give you a bit of perspective this is how the current connection string looks like for one of our DotNet Core Apps:



And below is the new Connection String format that utilises Managed Identity: 

As you can see the new Connection String does not contain any Username and Password but then it is able to connect to Azure Active Directory and retrieve a token from there using my Azure AD account and use that token to authenticate to Azure SQL. how it know which AD account it should use comes from the fact that I am logged in to Visual Studio using my AD Account and it uses the account that im currently logged in to Visual Studio by default.


But hold on, how this is going to work when we run this as a Pod in Kubernetes (AKS)? this is where Azure Pod Identity comes to picture. Azure Pod Identity uses Azure Active Directory as the Identity provider to authenticate the running Pod against different Azure Services such as Azure SQL, Azure Cosmos, Azure Storage, etc...

To get started we need to first create Identity object in the same resource group where the AKS is deployed. ( refer to MS link I shared above for the how to part of creating identity) once the identity is created we then need to assign permission to it in my use case I give READ/Write permission to the SQL DB I wanted to authenticate towards.

The last piece of puzzle is to add a new label to our Deployment file that select the identity you created. The label is aadpodidbinding and the value for it is the name of the identity you created.

Here is the sample of the deployment file I took from MS example:


My personal reflection after using Azure Identity with AKS

As I mentioned earlier managing secrets is always a major security challenge for any application and using Azure Identity to connect your Pods into other Services like SQL seem to be a considerable solution to get rid of managing and rotating Secrets and Credentials with that being said like everything else in life, Azure Identity comes with overhead. From my personal experience introducing Azure Identity introduces additional complexity into your workload and makes debugging your app harder than it already was.
Also according to Microsoft official document, Azure Identity is currently in preview. so don't rush into introducing it in to our production workload. make sure you test this enough and throughly in your non-critical environment first.

Comments

Post a Comment

Popular posts from this blog

Azure CNI vs Kubenet, What are the differences between them and which one to use?

-
Image
if you have ever deployed an AKS cluster, either through the Azure Portal or CLI, there is parameter that needs to be configured related to the networking part of AKS and that is to choose the networking model between  Azure CNI and  Kubenet. ( by default it's Kubenet as of writing this post) So what's this all about? in a nutshell this parameter is related to how Nodes and Pods gets their IP addresses assigned. It\s important to understand their difference before creating the cluster since you can\t change the networking model of your cluster once it\s deployed, and you defiantly don't want to re-create and re-configure your cluster again just because of this option. Overview of Kubenet and a few things to keep in mind This is the default options if you don't explicitly change it. With this option the cluster nodes gets their IP addresses from the VNET which your AKS is deployed to. This is not a big deal since the same thing happens if you go with the second option, ...
Read more

AWS EKS vs Azure AKS - my thoughts and reflection after using both in Production

-
Image
I am lucky enough to work both with Azure AKS, and AWS EKS(EC2), and I decided to dedicate a post on my blog about the two. I have also to admit that this is the most opinionated post I have written so far. I tried to put more emphasises on their differences than to write about their similarities. Here are the three areas I comparing them:  AKS vs EKS from Cluster Management Standpoint,  AKS vs EKS from Networking Standpoint,  AKS vs EKS from Scalability Standpoint AKS vs EKS from Cluster Management Standpoint  Both AKS and EKS mange the master node (AKA Data plane) for you completely, and there isn't much difference I notice in that area between the two. However, Azure does not charge you anything for the Master node it manage and you only pay for the worker nodes, however, EKS charge you a fix price monthly for that Master node (around USD 70 dollar depending on the region) One feature I like in EKS is called Managed Node Groups . This feature automate and off...
Read more

Architecting Kubernetes for High Availability, Fault Tolerance and Business Continuity

-
Image
Kubernetes can take care of many things, and can solve many problems except the ones it doesn't know about such as region failure and  human errors. In this post I want to compare and contrast the differences between Single Cluster setup spread across multi Availability Zones that is very common vs Multi Cluster Setup Spread across different Region . Hopefully by then end of this post you have some clue about when to use which setup no matter which cloud provider you are using; be it AWS, Azure, or GCP. Single Cluster Setup: In this Setup the Kubernetes nodes and their storages are distributed across multiple Availability Zones (AZ). This model ensures the nodes are physically separated from each other and the outage in one of the AZ will not cause the entire cluster to go out of service. At the same time the communication between each node is via private connection and does not route over internet no matter which cloud provider you use. I took the following image wh...
Read more