Commit
Merge branch 'main' of ssh://github.com/otterize/docs into bglynn/aws-visibility
Showing 55 changed files with 3,788 additions and 2,228 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
{ | ||
"label": "Azure IAM", | ||
"position": 2, | ||
"collapsed": true, | ||
"customProps": { | ||
"image": "/img/icons/azure.png" | ||
} | ||
} |
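Review bot: `customProps.image` points at `/img/icons/azure.png`, and the file list of this commit is not visible here; confirm that asset is added in the same commit (or already exists under the site's static directory), otherwise the new sidebar category renders with a broken icon.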
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,62 @@ | ||
--- | ||
sidebar_position: 1 | ||
title: Azure IAM | Overview | ||
hide_table_of_contents: true | ||
hide_title: true | ||
--- | ||
|
||
import DocsLinkCard from "@site/src/components/LinkCard"; | ||
|
||
export const tutorials = [ | ||
{ | ||
title: 'Automate Azure IAM for AKS', | ||
description: 'Create just-in-time Azure workload identities & role assignments that are kept in sync with your workloads', | ||
url: '/features/azure-iam/tutorials/azure-iam-aks' | ||
}, | ||
]; | ||
|
||
|
||
# Azure IAM | ||
|
||
Otterize can create just-in-time Azure IAM workload identities & role assignments for your workloads running on AKS Kubernetes clusters, greatly simplifying the lifecycle of managing Azure IAM identities and roles. | ||
|
||
### Tutorials | ||
|
||
To learn how to use the Intents Operator and Credentials Operator to manage just-in-time Azure IAM access, check out the tutorial. | ||
<DocsLinkCard items={tutorials} colSize={"sm"}/> | ||
|
||
|
||
### How does Otterize work with Azure IAM? | ||
|
||
1. First, the AKS cluster must have [Otterize installed](/overview/installation), as well as the Otterize Azure integration configured. | ||
2. To have a workload identity created for a pod, label the pod with `credentials-operator.otterize.com/create-azure-workload-identity: "true"` | ||
3. The credentials operator will create an Azure workload identity and federated identity credential bound to the pod's ServiceAccount. The ServiceAccount will be annotated automatically. | ||
4. At this point, the pod is able to assume the identity, but it does not have the permissions to perform any actions. | ||
We will need to create a ClientIntents YAML for the access the service requires and apply it to our cluster. | ||
Below is an example of a ClientIntents file for accessing an Azure Storage Blobs bucket. | ||
View the [reference](/features/azure-iam/reference) to learn more about the Azure IAM ClientIntents syntax. | ||
5. Once the intent is applied, the intents operator will create a new role assignment, which will be attached to the workload identity with the appropriate access. | ||
6. Done! | ||
|
||
```yaml | ||
apiVersion: k8s.otterize.com/v1alpha3 | ||
kind: ClientIntents | ||
metadata: | ||
name: client | ||
namespace: otterize-tutorial-azure-iam | ||
spec: | ||
service: | ||
name: client | ||
calls: | ||
- name: "/providers/Microsoft.Storage/storageAccounts/otterizetutorialazureiam/blobServices/default/containers/test" | ||
type: azure | ||
azureRoles: | ||
- "Storage Blob Data Contributor" | ||
``` | ||
|
||
### Automatically generating ClientIntents for Azure IAM | ||
|
||
Figuring out which access you need for Azure can be a painful, trial and error process, and something you _must_ do if you're tightening production access. | ||
|
||
Otterize is getting ready to release support for using existing traffic to generate least-privilege Azure IAM policies. Keen to try this out as part of early access? Sign up to the [Early Access Beta Program](https://otterize.com/EarlyAccessBetaProgram) and we'll be in touch! | ||
|
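Review bot: step 2 ("label the pod with `credentials-operator.otterize.com/create-azure-workload-identity: "true"`") and the reference file's "Annotations" section describe the same key as two different mechanisms; a pod label and a pod annotation are not interchangeable, so state which one the credentials operator actually reads and use that term in both files. Two smaller points in the same hunk: "Azure Storage Blobs bucket" should be "container" (the example's resource ID ends in `/containers/test`), and the example storage account `otterizetutorialazureiam` does not match the `otterizeazureiamtutorial` used in the reference example, which is confusing for readers copying between the two pages. Step 4 would also benefit from one sentence saying that the role assignment is scoped to the resource ID given in `name` (with subscription and resource group filled in automatically, as the reference notes), since that scope is what bounds what the workload identity can reach.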
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
--- | ||
sidebar_position: 3 | ||
title: Reference | ||
--- | ||
|
||
### ClientIntents example (YAML) | ||
|
||
```yaml | ||
apiVersion: k8s.otterize.com/v1alpha3 | ||
kind: ClientIntents | ||
metadata: | ||
# The name of the pod that will be granted access | ||
name: client | ||
spec: | ||
service: | ||
name: client | ||
calls: | ||
# The Azure resource ID that references the resource(s) for the authorization. Subscription & resource group are automatically appended. | ||
- name: "/providers/Microsoft.Storage/storageAccounts/otterizeazureiamtutorial/blobServices/default/containers/otterizeazureiamtutorialcontainer" | ||
type: azure | ||
# one or more Azure roles that will be provided to the specified resources | ||
azureRoles: | ||
- "Storage Blob Data Contributor" | ||
``` | ||
|
||
### Annotations | ||
|
||
| Key | Description | Default | | ||
|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| | ||
| `credentials-operator.otterize.com/create-azure-workload-identity` | When set to **true**, the credential operator will create an Azure workload identity the associated pod | `false` | | ||
|
||
|
||
### Helm Chart options | ||
|
||
| Key | Description | Default | | ||
|------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------| | ||
| `global.azure.enabled` | Enable or disable Azure integration | `false` | | ||
| `azure.userAssignedIdentityID` | ID of the user assigned identity used by the operator to access Azure. | `(none)` | | ||
| `azure.subscriptionID` | ID of the Azure subscription in which the AKS cluster is deployed. | `(none)` | | ||
| `azure.resoureceGroup` | Name of the Azure resource group in which the AKS cluster is deployed. | `(none)` | | ||
| `azure.aksClusterName` | Name of the AKS cluster in which the operator is deployed. | `(none)` | | ||
|
||
View the [Helm chart reference](/reference/configuration/otterize-chart) for all other options |
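Review bot: the Helm options table lists `azure.resoureceGroup`, which reads like a typo of `azure.resourceGroup`; check the key against the chart's values file, because a misspelled key in the docs leads users to set a value the chart silently ignores, leaving the operator without the cluster's resource group. In the ClientIntents comment, "Subscription & resource group are automatically appended" is misleading: an Azure resource ID has the form `/subscriptions/<id>/resourceGroups/<name>/providers/...`, so those segments are prepended to the `/providers/...` path given in `name`. The annotation table row is also missing a word ("create an Azure workload identity for the associated pod"), and the "Annotations" heading conflicts with the overview's "label the pod" wording for the same key.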
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
{ | ||
"label": "Tutorials", | ||
"position": 2, | ||
"collapsed": false | ||
} |