I'm trying to create an ARM template to provision an Azure Kubernetes Service cluster with Azure workload identity pre-configured, similar to the result that the cmdlet below would produce:
az aks create -g ${RESOURCE_GROUP} -n ${CLUSTER_NAME} --enable-oidc-issuer --enable-workload-identity
I managed to enable OIDC issuer and workload identity in my ARM template:
{
    "apiVersion": "2019-06-01",
    "dependsOn": [],
    "type": "Microsoft.ContainerService/managedClusters",
    "location": "[parameters('location')]",
    "name": "[parameters('resourceName')]",
    "properties": {
        [...]
        "oidcIssuerProfile": {
            "enabled": true
        },
        "workloadIdentity": {
            "enabled": true
        },
        "securityProfile": {
            "workloadIdentity": {
                "enabled": true
            }
        },
        [...]
    }
}
But, after the script has executed, I can't see the azure-wi-webhook-controller-manager pods running under the kube-system namespace. It seems that the ARM template does not install this component, which is required for Azure Workload Identity to work.
Is there a way I can install it through ARM?
Thanks a lot
The problem with your ARM template is the API version: workloadIdentity was not added until 2023-01-02-preview, and you're using 2019-06-01. See https://learn.microsoft.com/en-us/azure/templates/microsoft.containerservice/change-log/managedclusters#2023-01-02-preview
For reference, the AKS Construction Bicep implements workload identity and most other AKS features.
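As an added example (not the answerer's or the AKS Construction project's code), the same managedClusters resource with the API version moved to 2023-01-02-preview, the workload identity setting placed under securityProfile as in the question, and the OIDC issuer URL exposed as an output. The system-assigned identity, dnsPrefix and single system node pool are assumed minimal values needed for a deployable cluster; the parameter names location and resourceName are the ones from the question.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "location": { "type": "string", "defaultValue": "[resourceGroup().location]" },
    "resourceName": { "type": "string" }
  },
  "resources": [
    {
      "type": "Microsoft.ContainerService/managedClusters",
      "apiVersion": "2023-01-02-preview",
      "name": "[parameters('resourceName')]",
      "location": "[parameters('location')]",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "dnsPrefix": "[parameters('resourceName')]",
        "agentPoolProfiles": [
          {
            "name": "system",
            "mode": "System",
            "count": 1,
            "vmSize": "Standard_DS2_v2",
            "osType": "Linux"
          }
        ],
        "oidcIssuerProfile": {
          "enabled": true
        },
        "securityProfile": {
          "workloadIdentity": {
            "enabled": true
          }
        }
      }
    }
  ],
  "outputs": {
    "oidcIssuerUrl": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('resourceName')), '2023-01-02-preview').oidcIssuerProfile.issuerUrl]"
    }
  }
}
```

After deployment, `az aks show -g <resource-group> -n <cluster-name> --query oidcIssuerProfile.issuerUrl -o tsv` should return a non-empty issuer URL, and the azure-wi-webhook-controller-manager pods should be present in kube-system.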