Apps on Azure Blog

General Availability for Azure Active Directory (AD) Workload Identity on AKS

MichaelWithrow
Apr 18, 2023

Workload Identity is an open-source project that enables federated identity in Kubernetes clusters. It is the next evolution of the Azure Kubernetes Service (AKS) public preview feature that was built on the now-deprecated pod identity project. Azure AD Workload Identity is simpler to use and replaces pod identity. Azure AD Workload Identity on AKS is now generally available, so customers can run production workloads using Workload Identity on both Windows and Linux and migrate applications from Pod Identity to Workload Identity.


Azure AD Workload Identity uses Service Account Token Volume Projection, so a pod can run as a Kubernetes identity (a service account) for which Kubernetes issues a token, combined with OIDC federation, which lets Kubernetes applications access Azure cloud resources securely through Azure Active Directory based on annotated service accounts.
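The federation works because Azure AD compares the claims in the projected service-account token (issuer, subject, audience) against a federated identity credential configured on the Azure side. The following script, an added example and not code from the post or the azure-workload-identity project, decodes such a token and reports which of those claims would fail to match. Real projected tokens are RS256-signed by the cluster's OIDC issuer and are verified by Azure AD against the issuer's published keys; the script mints a constructed HS256 token with a constructed issuer URL so it runs offline. The audience value api://AzureADTokenExchange is the documented audience requested for the projected token; the subject format system:serviceaccount:NAMESPACE:NAME is standard Kubernetes.

```python
"""Decode a projected service-account token and check the claims that an Azure AD
federated identity credential matches on (issuer, subject, audience, expiry).

Added example, not code from the blog post or the azure-workload-identity project.
The token below is constructed (HS256, throwaway secret) so the script runs without
a cluster; production tokens are RS256-signed by the cluster OIDC issuer."""
import base64
import hashlib
import hmac
import json
import time
from typing import List, Optional

# Audience the AKS workload identity webhook requests for the projected token.
AZURE_TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_constructed_token(issuer: str, namespace: str, service_account: str,
                           secret: bytes, lifetime_s: int = 3600) -> str:
    """Build a JWT shaped like a Kubernetes projected token (constructed for the demo)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": issuer,
        "sub": f"system:serviceaccount:{namespace}:{service_account}",
        "aud": [AZURE_TOKEN_EXCHANGE_AUDIENCE],
        "exp": now + lifetime_s,
        "iat": now,
        "kubernetes.io": {"namespace": namespace,
                          "serviceaccount": {"name": service_account}},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def decode_claims(token: str) -> dict:
    """Return the JWT payload. The signature is deliberately not checked here: the
    pod only presents the token, Azure AD verifies it against the issuer's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def federation_problems(claims: dict, expected_issuer: str, expected_subject: str,
                        now: Optional[int] = None) -> List[str]:
    """List mismatches against a federated credential's issuer/subject/audience.
    An empty list means the token exchange would be accepted on those claims."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"issuer {claims.get('iss')!r} != {expected_issuer!r}")
    if claims.get("sub") != expected_subject:
        problems.append(f"subject {claims.get('sub')!r} != {expected_subject!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if AZURE_TOKEN_EXCHANGE_AUDIENCE not in aud:
        problems.append(f"audience {aud!r} lacks {AZURE_TOKEN_EXCHANGE_AUDIENCE!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


if __name__ == "__main__":
    # Constructed issuer URL and secret; a real cluster issuer URL comes from
    # `az aks show --query oidcIssuerProfile.issuerUrl`.
    issuer = "https://oidc-issuer.example.invalid/constructed/"
    token = mint_constructed_token(issuer, "prod", "app-sa", b"constructed-secret")
    claims = decode_claims(token)
    print("claims:", json.dumps(claims, indent=2))
    print("as configured:", federation_problems(claims, issuer, "system:serviceaccount:prod:app-sa"))
    print("wrong subject:", federation_problems(claims, issuer, "system:serviceaccount:prod:other-sa"))
```

In a pod the token path, client id, tenant id and authority host are supplied by the webhook through the AZURE_FEDERATED_TOKEN_FILE, AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_AUTHORITY_HOST environment variables; reading the token from that file and passing it to `decode_claims` is a quick way to confirm the subject and issuer match what was registered on the federated credential before debugging the SDK.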


Since the open-source pod identity project is now deprecated, AKS will continue to support AKS pod identity through 2023. To ease the transition, customers can run Pod Identity and Workload Identity in parallel on an existing AKS cluster. Please note that during the Public Preview we enabled the sidecar to give customers time to update their SDKs, but this is not a supported configuration for General Availability. We recommend that customers update their applications to one of the supported SDKs, which allow applications to talk to the AAD endpoint.
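Because both mechanisms can coexist on one cluster during the transition, a migration inventory has three questions per pod: is it still bound through pod identity, is it on workload identity with a correctly annotated service account, and does it still depend on the preview-only proxy sidecar. The script below, an added example and not code from the post or the AKS project, answers them over manifests shaped like `kubectl get -o json` output. The manifests are constructed; the keys it looks for are the aad-pod-identity pod label aadpodidbinding and the azure-workload-identity v1.x pod label azure.workload.identity/use, service-account annotation azure.workload.identity/client-id and pod annotation azure.workload.identity/inject-proxy-sidecar.

```python
"""Audit Pod and ServiceAccount manifests for the Pod Identity to Workload Identity
migration. Added example, not code from the blog post or the AKS project.
Sample manifests are constructed; label/annotation keys are those documented for
aad-pod-identity and azure-workload-identity v1.x."""
from typing import Dict, List

POD_IDENTITY_LABEL = "aadpodidbinding"                      # aad-pod-identity binding
WI_USE_LABEL = "azure.workload.identity/use"                # opts the pod into the webhook
WI_CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"   # on the ServiceAccount
WI_SIDECAR_ANNOTATION = "azure.workload.identity/inject-proxy-sidecar"  # preview-only


def _meta(obj: dict, key: str) -> dict:
    return obj.get("metadata", {}).get(key) or {}


def audit_pod(pod: dict, service_accounts: Dict[str, dict]) -> List[str]:
    """Return migration findings for one Pod (empty list means nothing to do).
    service_accounts maps "namespace/name" to a ServiceAccount manifest."""
    labels, annotations = _meta(pod, "labels"), _meta(pod, "annotations")
    ns = pod.get("metadata", {}).get("namespace", "default")
    findings = []
    if POD_IDENTITY_LABEL in labels:
        findings.append("still bound via aad-pod-identity (aadpodidbinding label); deprecated")
    if labels.get(WI_USE_LABEL) == "true":
        sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
        sa = service_accounts.get(f"{ns}/{sa_name}")
        if sa is None:
            findings.append(f"ServiceAccount {ns}/{sa_name} not found")
        elif WI_CLIENT_ID_ANNOTATION not in _meta(sa, "annotations"):
            findings.append(f"ServiceAccount {ns}/{sa_name} lacks {WI_CLIENT_ID_ANNOTATION}")
        if annotations.get(WI_SIDECAR_ANNOTATION) == "true":
            findings.append("requests the proxy sidecar (preview-only); move to a supported SDK")
    return findings


def audit(pods: List[dict], service_accounts: List[dict]) -> Dict[str, List[str]]:
    """Audit every pod; returns {pod name: [findings]}."""
    sa_index = {f"{sa['metadata'].get('namespace', 'default')}/{sa['metadata']['name']}": sa
                for sa in service_accounts}
    return {pod["metadata"]["name"]: audit_pod(pod, sa_index) for pod in pods}


# Constructed sample manifests (dict form of `kubectl get -o json`); client id is a placeholder.
SERVICE_ACCOUNTS = [
    {"metadata": {"name": "app-sa", "namespace": "prod",
                  "annotations": {WI_CLIENT_ID_ANNOTATION: "00000000-0000-0000-0000-000000000000"}}},
    {"metadata": {"name": "plain-sa", "namespace": "prod"}},
]
PODS = [
    {"metadata": {"name": "legacy", "namespace": "prod",
                  "labels": {POD_IDENTITY_LABEL: "app-identity"}},
     "spec": {"serviceAccountName": "plain-sa"}},
    {"metadata": {"name": "migrated", "namespace": "prod", "labels": {WI_USE_LABEL: "true"}},
     "spec": {"serviceAccountName": "app-sa"}},
    {"metadata": {"name": "sidecar", "namespace": "prod", "labels": {WI_USE_LABEL: "true"},
                  "annotations": {WI_SIDECAR_ANNOTATION: "true"}},
     "spec": {"serviceAccountName": "app-sa"}},
    {"metadata": {"name": "half-done", "namespace": "prod", "labels": {WI_USE_LABEL: "true"}},
     "spec": {"serviceAccountName": "plain-sa"}},
]

if __name__ == "__main__":
    for name, findings in audit(PODS, SERVICE_ACCOUNTS).items():
        print(f"{name}: {findings or ['ok']}")
```

Feeding it real output (`kubectl get pods,serviceaccounts -A -o json`, items split by kind) gives a per-pod checklist: pods that list only the aadpodidbinding finding are the ones that must move before pod identity support ends, and pods flagged for the sidecar are the ones whose SDK still needs updating to reach the AAD endpoint directly.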

Comment by weisdd (Copper Contributor):

    MichaelWithrow wrote:

    Since the open-source pod identity project is now deprecated, AKS will continue to support the AKS pod identity through 2023. To ease the transition, customers can run Pod Identity and Workload Identity in parallel on an existing AKS cluster.  Please note that during the Public Preview we enabled the sidecar to give customers time to update their SDKs, but this is not a supported configuration for General Availability. We recommend that customers update applications to a list of supported SDKs that will allow applications to talk to the AAD endpoint.


    Does it mean that pods will not be mutated to inject a sidecar anymore? If so, it'll break a lot of setups, e.g. for external-dns, which is not even close to getting support for Workload Identity, PR (https://github.com/kubernetes-sigs/external-dns/pull/3111) has stayed unreviewed since October. Migration from adal to Azure SDK is not moving anywhere either (https://github.com/kubernetes-sigs/external-dns/pull/3040).