Kubelet Identity:

    

    This document provides a guide on configuring Azure Kubernetes Service (AKS) to access Azure File Shares using a Managed Identity. This ensures secure mounting of Azure Files without hardcoding storage account keys.


1. Managed Identity Role Assignment


  1. When an AKS cluster is created, a user-assigned managed identity (the kubelet identity) is created alongside it.
  2. The identity follows the naming convention: <cluster-name>_agentpool
  3. This identity is attached to the node pools (VMSS). To enable file share access, assign the following role to this managed identity:


Role:   Storage Account Key Operator Service Role
Scope:  This Storage Account


Example screenshot of role assignment:



2. Persistent Volume (PV) Manifest


    The following YAML manifest creates a Persistent Volume (PV) backed by an Azure File Share. Update resourceGroup, storageAccount, shareName and folderName to match your environment.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: mipv
spec:
  capacity:
    storage: 5Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azurefile-csi
  csi:
    driver: file.csi.azure.com
    readOnly: false
    volumeHandle: fhcidatagapsstorage
    volumeAttributes:
      resourceGroup: fh-rg-central-india   # Optional: required if storage account is in a different RG
      storageAccount: fhcidatagapsstorage # Storage account name
      shareName: mitest                   # File share name in the storage account
      folderName: applicationdata         # Folder in the file share
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
    - uid=0
    - gid=0
    - mfsymlinks
    - cache=strict
    - nosharesock
    - nobrl


3. Persistent Volume Claim (PVC) Manifest


The following YAML manifest creates a Persistent Volume Claim (PVC) bound to the above PV.


apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mipvc
  namespace: qa
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  volumeName: mipv
  storageClassName: azurefile-csi



Workload Identity:


    This document explains how to configure Persistent Volume (PV) and Persistent Volume Claim (PVC) in Azure Kubernetes Service (AKS) to access Azure Files using Workload Identity. It covers the required role assignment, service account setup, federated identity credential, and Kubernetes resource configuration. 

Reference: Azurefile CSI Driver Workload Identity

1. Prerequisites

  • An existing AKS cluster with Workload Identity and OIDC Issuer enabled.
  • User Assigned Managed Identity (UAMI) created in Azure.
  • An Azure Storage Account with an existing File Share.
  • Azure CLI installed and configured.

2. Role Assignment

    To allow AKS pods to access the storage account, assign the following role to the user-assigned managed identity (UAMI) used for Workload Identity:


Role:   Storage Account Key Operator Service Role
Scope:  This Storage Account


Example screenshot of role assignment:



3. Service Account Creation 


    Create a Kubernetes service account that will be bound to the workload identity:


apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa
  namespace: sample-namespace
  annotations:
    azure.workload.identity/client-id: <UAMI_CLIENT_ID>


4. Federated Identity Credential


    Create the federated identity credential between the managed identity, service account issuer, and subject using the az identity federated-credential create command.  


export FEDERATED_IDENTITY_NAME=<federated-identity-name>
export RESOURCE_GROUP=<resource-group-name>
export CLUSTER_NAME=<aks-cluster-name>
export UAMI=<user-assigned-managed-identity-name>
export SERVICE_ACCOUNT_NAMESPACE=sample-namespace
export SERVICE_ACCOUNT_NAME=workload-identity-sa

export AKS_OIDC_ISSUER="$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "oidcIssuerProfile.issuerUrl" -o tsv)"

az identity federated-credential create --name $FEDERATED_IDENTITY_NAME \
  --identity-name $UAMI \
  --resource-group $RESOURCE_GROUP \
  --issuer $AKS_OIDC_ISSUER \
  --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}


Example command:  


az identity federated-credential create \
  --name sample-federated-identity \
  --identity-name sample-uami \
  --resource-group sample-rg \
  --issuer "https://<region>.oic.prod-aks.azure.com/<aks-tenant-id>/<aks-oidc-id>/" \
  --subject system:serviceaccount:sample-namespace:workload-identity-sa \
  --audience api://AzureADTokenExchange


Note:

  • sample-namespace is the namespace of the service account (the Kubelet Identity example above uses qa).
  • workload-identity-sa is the Kubernetes service account.
  • You can get the AKS_OIDC_ISSUER from the Azure Portal as shown in the screenshot below, or with the az aks show command above.




5. Get the Managed Identity Client ID


    Retrieve the client ID of the UAMI: 


az identity show --name sample-uami --resource-group sample-rg --query clientId -o tsv


6. Persistent Volume (PV) Manifest


    Define the Persistent Volume that uses Azure Files with Workload Identity authentication: 


apiVersion: v1
kind: PersistentVolume
metadata:
  name: sample-pv
spec:
  accessModes:
    - ReadWriteMany
  capacity:
    storage: 5Gi
  persistentVolumeReclaimPolicy: Retain
  storageClassName: azurefile-csi
  csi:
    driver: file.csi.azure.com
    readOnly: false
    volumeHandle: sample-storageaccount
    volumeAttributes:
      resourceGroup: sample-rg                   # Optional if in same RG
      storageAccount: samplestorageaccount       # Storage account name
      shareName: sampleshare                     # File share name
      folderName: applicationdata                # Folder inside file share
      clientID: <UAMI_CLIENT_ID>                 # Managed Identity Client ID
  mountOptions:
    - dir_mode=0777
    - file_mode=0777
    - uid=0
    - gid=0
    - mfsymlinks
    - cache=strict
    - nosharesock
    - nobrl


7. Persistent Volume Claim (PVC) Manifest


    Create the PVC that binds to the PV: 


apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: sample-pvc
  namespace: sample-namespace
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 5Gi
  volumeName: sample-pv
  storageClassName: azurefile-csi


8. Use the Service Account in Pods


    Reference the same Service Account (workload-identity-sa) in your Pod spec so that the pod inherits the federated identity:


apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
  namespace: sample-namespace
spec:
  serviceAccountName: workload-identity-sa
  containers:
  - name: app
    image: mcr.microsoft.com/oss/nginx/nginx:1.21.6
    volumeMounts:
    - mountPath: "/mnt/azure"
      name: volume
  volumes:
  - name: volume
    persistentVolumeClaim:
      claimName: sample-pvc
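
    As an added example (not part of the original document), the following Python script cross-checks that the pieces configured in sections 3 to 8 agree with one another: the federated credential subject, the service account annotation, the PV clientID, the PVC binding and the pod's service account. It accepts objects in the shape returned by kubectl get -o json; the sample objects are constructed to mirror the manifests above, and the client ID is a placeholder.

```python
"""Consistency check for the Workload Identity chain configured above. Objects are dicts
in the shape `kubectl get <kind> -o json` returns; the samples below are constructed."""

CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # placeholder UAMI client ID
SA = {"metadata": {"name": "workload-identity-sa", "namespace": "sample-namespace",
                   "annotations": {"azure.workload.identity/client-id": CLIENT_ID}}}
PV = {"metadata": {"name": "sample-pv"},
      "spec": {"storageClassName": "azurefile-csi",
               "csi": {"driver": "file.csi.azure.com",
                       "volumeAttributes": {"clientID": CLIENT_ID}}}}
PVC = {"metadata": {"name": "sample-pvc", "namespace": "sample-namespace"},
       "spec": {"volumeName": "sample-pv", "storageClassName": "azurefile-csi"}}
POD = {"metadata": {"name": "sample-pod", "namespace": "sample-namespace"},
       "spec": {"serviceAccountName": "workload-identity-sa",
                "volumes": [{"name": "volume", "persistentVolumeClaim": {"claimName": "sample-pvc"}}]}}
# Subject as passed to `az identity federated-credential create --subject ...` above.
FED_SUBJECT = "system:serviceaccount:sample-namespace:workload-identity-sa"


def check_identity_chain(sa, pv, pvc, pod, fed_subject):
    """Return a list of findings; an empty list means every link in the chain agrees."""
    findings = []
    sa_ns, sa_name = sa["metadata"]["namespace"], sa["metadata"]["name"]
    sa_client = sa["metadata"].get("annotations", {}).get("azure.workload.identity/client-id")
    pv_client = pv["spec"]["csi"].get("volumeAttributes", {}).get("clientID")
    # 1. The federated credential must name exactly this service account.
    expected = f"system:serviceaccount:{sa_ns}:{sa_name}"
    if fed_subject != expected:
        findings.append(f"federated subject {fed_subject!r} != expected {expected!r}")
    # 2. SA annotation and PV clientID must refer to the same UAMI.
    if not sa_client:
        findings.append("service account lacks the azure.workload.identity/client-id annotation")
    elif sa_client != pv_client:
        findings.append(f"PV clientID {pv_client!r} != SA client-id {sa_client!r}")
    # 3. Static binding: the PVC must point at this PV with the same storage class.
    if pvc["spec"].get("volumeName") != pv["metadata"]["name"]:
        findings.append("PVC volumeName does not reference the PV")
    if pvc["spec"].get("storageClassName") != pv["spec"].get("storageClassName"):
        findings.append("PVC and PV storageClassName differ")
    # 4. The pod must run as the annotated SA, in its namespace, and mount this PVC.
    if pod["metadata"]["namespace"] != sa_ns or pod["spec"].get("serviceAccountName") != sa_name:
        findings.append("pod does not run as the annotated service account")
    claims = {v.get("persistentVolumeClaim", {}).get("claimName") for v in pod["spec"].get("volumes", [])}
    if pvc["metadata"]["name"] not in claims or pvc["metadata"]["namespace"] != pod["metadata"]["namespace"]:
        findings.append("pod does not mount the PVC from its own namespace")
    return findings


if __name__ == "__main__":
    for line in check_identity_chain(SA, PV, PVC, POD, FED_SUBJECT) or ["identity chain is consistent"]:
        print(line)
```

    Against a live cluster, feed it the JSON of the ServiceAccount, PV, PVC and Pod from kubectl and the subject shown by az identity federated-credential show; any finding names the link that will break the token exchange or the mount.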


9. Conclusion

    With this setup:

  • The service account in AKS is bound to a managed identity using Workload Identity.
  • The PV and PVC reference the storage account and authenticate without secrets.
  • Pods can securely access the Azure File share through the mounted PVC.