Consider support using the default kubelet managed identity, this allows us use msi-acrpull to workaround some kubelet bugs.

xref: https://azure.github.io/azure-workload-identity/docs/

Use workload identity federation with the managed identity for image pull.

Using a CRD instead of annotations on a secret gives has these benefits:

Using a CRD instead of annotations on pull secrets is more straight forward for users, more easily extensible and allows us to watch only the resources we care about.

Should convert into an interface to improve unit test coverage.

something along the line of:

• create AKS cluster
• create MSI
• assign MSI to the VM/VMSS
• make all
• make docker-build
• make docker-push
• make deploy
• kubectl apply -f acrpullbinding_sample.yaml
• kubectl get secret test-msi-acrpull-secret -oyaml
• kubectl get serviceaccount default -oyaml

Need automatically associate the image pull secret with the default service account in namespace. That way a deployment using the ACR would "just works" in the namespace, by default.

According to metadata endpoint doc: https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service#error-and-debugging

The endpoint QPS limit is only 5 per second. When reconciling a large set of AcrPullBindings we may hit the limit pretty easily. We can cache the token for a relative short period (even though it by default valid for 8 hours), just to avoid throttling.

Update README with usage and design to explain how this project works.

NotFound is very normal during AcrPullBinding deletion

The error log will confuse people

because it looks ugly while there might not be anything wrong:

We should distinguish NotFound error and other unexpected errors.

So log.Info for NotFound but log.Error for other errors.

My understanding is that AAD pod identity can resolve any MSI that is in an RG for which the cluster identity has the identity operator role. See https://azure.github.io/aad-pod-identity/docs/getting-started/role-assignment/

az role assignment create --role "Managed Identity Operator" --assignee <ID> --scope /subscriptions/<SubscriptionID>/resourcegroups/<IdentityResourceGroup>

Does msi-acrpull also work this way? The readme appears to note that the MSI needs to be explicitly added to the nodepool VMSS.

Thinking about this some more, the nodepool approach has the advantage of limiting the access scope of the MSI to the nodepool. Maybe the best of both worlds would be if the nodepool MSI could optionally resolve MSIs that are in RG for which it has Managed Identity Operator role

:-)

We are using msi-acr-pull in our system and We are keeping Acrpullbinding config in the same chart where we are installing the msi-acr-pull deployment.
Everything works fine on helm chart installation -> helm install azure-msi-acr-pull .
All the AcrPullbindings are created and imagePullSecrets are also getting mounted in the Service accounts

The problem comes on uninstalling this helm chart
ACR pull bindings are marked as deleted(checked deletedTimestamp in yaml file ) but are not actually deleted due to finalizers.
My theory is that this is happening because msi-acr-pull deployment is getting deleted before ACRPullbindings.

Overall my chart structure looks something like this -
azure-msi-acrpull-config.yml is the file which is creating AcrPullBinding.

helm version which we are using is -
version.BuildInfo{Version:"v3.6.3", GitCommit:"d506314abfb5d21419df8c7e7e68012379db2354", GitTreeState:"clean", GoVersion:"go1.16.5"}

Steps to replicate ->
cd chart-name
helm install chart-name .
kubectl get acrpullbinding
---Notice here that acrpullbinding is successfully created
helm uninstall chart-name
kubectl get acrpullbinding
---Notice here that acrpullbinding still exist, but rest of the things are deleted.
kubectl get acrpullbinding acr-pull-binding-name -o yaml
---Notice here that acrpullbinding is marked as deleted(check deletedTimestamp)
-- Now let's try to install the same chart again
helm install chart-name .
kubectl get acrpullbinding
---Notice here that acrpullbinding automatically gets DELETED on installing the chart again, but rest of the things are installed.

The secret controller today keeps reconciling the docker pull secret with new token, this is not needed and adds pressure to ACR.

We should implement some caching logic in the controller, so that we only reconcile it if:

• ACR token getting close to expire
• Client ID changed
• target ACR changed

We need to setup the testing pipeline / merge gates

In many cases resource ID is easier to do the binding. If the identity gets deleted and re-created the client ID would change, but resource ID doesn't. Samples in this PR (Azure/go-autorest#544).