Allow Access To Managed Registries

Plerion Collector Manager needs access to private registries to scan the private images deployed in the Kubernetes cluster.

AWS Elastic Container Registry (ECR)

1. Create an IAM OIDC identity provider for your cluster.

eksctl utils associate-iam-oidc-provider \
--cluster <your-cluster> \
--approve

2. Override the existing plerion-collector-manager service account and attach the IAM policy that grants it permission to pull images from ECR.

export CLUSTER_NAME="<your cluster name>"
 
eksctl create iamserviceaccount \
  --name plerion-collector-manager \
  --namespace plerion-system \
  --cluster "${CLUSTER_NAME}" \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --approve \
  --override-existing-serviceaccounts

Please note that this command requires access to both AWS IAM and the Kubernetes cluster:

  • AWS Access: The user executing the eksctl command must have sufficient IAM permissions to create and manage IAM roles, as well as to attach policies like AmazonEC2ContainerRegistryReadOnly.
  • Kubernetes Access: The same user must also have the necessary Kubernetes permissions (e.g., via kubectl) to manage service accounts within the specified Kubernetes namespace.

Azure Container Registry (ACR)

1. Prerequisites

Please ensure the following prerequisites are met before using the operator:

2. Export the required environment variables.

export RESOURCE_GROUP="<your resource group>" # replace it with your resource group name
export LOCATION="australiaeast" # replace it with the location of your cluster
export CLUSTER_NAME="<your cluster name>"
export SERVICE_ACCOUNT_NAMESPACE="default" # replace with your own value
export SERVICE_ACCOUNT_NAME="<service account name>" # replace with your own value
export AZURE_SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
export AZURE_TENANT_ID="$(az account show --query tenantId --output tsv)"
export USER_ASSIGNED_IDENTITY_NAME="<your identity name>" # replace with your own value
export FEDERATED_IDENTITY_CREDENTIAL_NAME="<your own name>" # replace it with your own name
export ACR_NAME="<your acr name>" # replace it with your acr name

3. Retrieve the OIDC issuer URL.

See the Azure documentation for retrieving the OIDC issuer URL.

For an AKS cluster, use the following command.

export AKS_OIDC_ISSUER=$(az aks show --name "${CLUSTER_NAME}" --resource-group "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" --output tsv)

4. Create a managed identity.

az identity create \
  --name "${USER_ASSIGNED_IDENTITY_NAME}" \
  --resource-group "${RESOURCE_GROUP}" \
  --location "${LOCATION}" \
  --subscription "${AZURE_SUBSCRIPTION_ID}"

5. Assign the AcrPull role to the managed identity.

export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' --output tsv)"
export ACR_ID="$(az acr show --name "${ACR_NAME}" --query id -o tsv)"

az role assignment create --assignee "${USER_ASSIGNED_CLIENT_ID}" --role 'AcrPull' --scope "${ACR_ID}"

6. Create a Kubernetes service account.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: "${USER_ASSIGNED_CLIENT_ID}"
    azure.workload.identity/tenant-id: "${AZURE_TENANT_ID}"
  name: "${SERVICE_ACCOUNT_NAME}"
  namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
EOF

7. Create the federated identity credential.

az identity federated-credential create \
  --name "${FEDERATED_IDENTITY_CREDENTIAL_NAME}" \
  --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" \
  --resource-group "${RESOURCE_GROUP}" \
  --issuer "${AKS_OIDC_ISSUER}" \
  --subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}" \
  --audience api://AzureADTokenExchange

8. Update plerion-collector-manager ServiceAccount to include workload identity annotations.

helm upgrade plerion-collector-manager plerion/collector-manager --reuse-values \
  --namespace plerion-system \
  --set serviceAccount.annotations.'azure\.workload\.identity/client-id'=$USER_ASSIGNED_CLIENT_ID \
  --set serviceAccount.annotations.'azure\.workload\.identity/tenant-id'=$AZURE_TENANT_ID # Optional

9. Update plerion-collector-manager to use azWorkloadIdentity.

helm upgrade plerion-collector-manager plerion/collector-manager --reuse-values \
  --namespace plerion-system \
  --set collector.azWorkloadIdentity=true

10. Update the plerion-collector-manager deployment to use the service account. The service account must exist in the same namespace as the deployment (plerion-system).

kubectl set serviceaccount deployment plerion-collector-manager "${SERVICE_ACCOUNT_NAME}" --namespace plerion-system
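A failed image pull after these steps is usually a mismatch between the ServiceAccount annotations (steps 6 and 8), the federated credential (step 7) and the values exported in step 2. The following consistency check is an added example, not part of this page or of the Plerion tooling; the two JSON documents are constructed samples in the shape of `kubectl get sa -o json` and `az identity federated-credential show -o json` output (the `issuer`, `subject` and `audiences` field names are assumed from the az CLI), and the client ID, tenant ID and issuer URL are placeholders.

```python
import json

# Constructed samples (not real cluster output) in the shape of
# `kubectl get sa -o json` and `az identity federated-credential show -o json`
# (field names issuer/subject/audiences assumed from the az CLI output).
SERVICE_ACCOUNT = json.loads("""{
  "apiVersion": "v1", "kind": "ServiceAccount",
  "metadata": {
    "name": "plerion-collector-manager", "namespace": "plerion-system",
    "annotations": {
      "azure.workload.identity/client-id": "11111111-2222-3333-4444-555555555555",
      "azure.workload.identity/tenant-id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
    }
  }
}""")

FEDERATED_CREDENTIAL = json.loads("""{
  "name": "plerion-fic",
  "issuer": "https://example-region.oic.prod-aks.azure.com/tenant/cluster/",
  "subject": "system:serviceaccount:plerion-system:plerion-collector-manager",
  "audiences": ["api://AzureADTokenExchange"]
}""")

AUDIENCE = "api://AzureADTokenExchange"


def check_workload_identity(sa, fic, client_id, tenant_id, oidc_issuer):
    """Return a list of mismatches between the ServiceAccount, the federated
    credential and the exported USER_ASSIGNED_CLIENT_ID / AZURE_TENANT_ID /
    AKS_OIDC_ISSUER values. An empty list means the three pieces agree."""
    problems = []
    meta = sa["metadata"]
    ann = meta.get("annotations") or {}
    if ann.get("azure.workload.identity/client-id") != client_id:
        problems.append("client-id annotation != managed identity clientId")
    tenant_ann = ann.get("azure.workload.identity/tenant-id")
    if tenant_ann is not None and tenant_ann != tenant_id:
        problems.append("tenant-id annotation != AZURE_TENANT_ID")
    # The subject must name exactly this namespace and ServiceAccount;
    # a typo here is the usual cause of a failed token exchange.
    want_subject = f"system:serviceaccount:{meta['namespace']}:{meta['name']}"
    if fic.get("subject") != want_subject:
        problems.append(f"federated credential subject should be {want_subject}")
    if fic.get("issuer", "").rstrip("/") != oidc_issuer.rstrip("/"):
        problems.append("federated credential issuer != AKS OIDC issuer URL")
    if AUDIENCE not in fic.get("audiences", []):
        problems.append(f"federated credential audiences must include {AUDIENCE}")
    return problems
```

Feed it the real `kubectl get sa ... -o json` and `az identity federated-credential show ... -o json` output together with the exported variables; the AcrPull role assignment from step 5 is a separate check.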