Support for managed identities and workload identities is now Generally Available (GA) for Microsoft Azure Red Hat OpenShift clusters. As a fully managed offering, Azure Red Hat OpenShift is a trusted, comprehensive and consistent application platform for building, deploying, and managing your applications at scale. It’s jointly operated and engineered by both Red Hat and Microsoft, providing an integrated support experience and allows organizations to focus on building and deploying applications, not managing the underlying infrastructure.
This is a significant milestone that provides an enhanced security posture for how your Azure Red Hat OpenShift clusters access other Azure resources. This enables you to eliminate the complexity of managing service principal credentials and embrace a more streamlined and secure authentication process.
Why use managed identities?
As discussed in our previous blog, managed identities significantly enhance security by replacing long-term credentials, such as client secrets, with short-lived tokens. This approach minimizes the risk associated with compromise due to a token's brief lifespan and narrowly defined permissions. A further benefit is the reduction in operational overhead, as they eliminate the need for manual management and rotation of secrets, keys, and certificates.
How to use managed identities
To use managed identities for an Azure Red Hat OpenShift cluster, you must create user-assigned managed identities for each Azure Red Hat OpenShift component and provide the proper role assignments over the required resources. Azure Red Hat OpenShift uses multiple user-assigned managed identities, each mapped to a particular operator or component. These identities are associated with a specific built-in role, with each role assignment scoped following the principles of least privilege. Once that is complete, you can use those in the creation of the cluster.
With the GA release, you can provision managed identity Azure Red Hat OpenShift clusters using Azure Resource Manager (ARM), Bicep, or the current command-line interface (CLI) extension. We will soon enable this capability natively in the Azure CLI and through the Azure portal. For a complete guide, read Understand managed identities in Azure Red Hat OpenShift.
Using identities for your applications
In this context we refer to it as “workload identities.” As per the Microsoft Azure documentation for What are workload identities?, it is described as “something you need for your software entity to authenticate with some system.” For an Azure Red Hat OpenShift cluster, you can use a user-assigned managed identity to enable your applications to access other Azure services.
For example, you can give a specific application read-only access to a single Key Vault or storage account, without sharing secrets or long-term credentials.
To implement this for your applications, the general workflow is:
- Create a user-assigned managed identity
- Perform a role assignment over the desired Azure resource
- Create a Kubernetes service account and set correct annotations
- Create a federated credential
- Deploy your application, ensuring that the proper label and service account are set
Read Deploy and configure an application using workload identity on an Azure Red Hat OpenShift managed identity cluster for more details.
What happens to managed identity clusters that were created during preview?
The good news is that no action is required for existing managed identity clusters. Any clusters that were created during the preview period will automatically transition to GA status and are now fully supported for production use. There are no changes, migration, or redeployment required.
Note that clusters currently utilizing a service principal are not impacted, and migration to a managed identity-based cluster is not supported.
Getting started
Review the product documentation starting with Understand managed identities in Azure Red Hat OpenShift, which explains the concepts, components, and considerations required to successfully deploy a cluster. While the CLI and portal experiences are being finalized, clusters can be created using ARM, Bicep, or the existing CLI extension. Clusters created using the extension are fully supported as GA.
Conclusion
Managed identity and workload identity features for Azure Red Hat OpenShift are now generally available, making it simpler and more secure to connect your clusters to Azure services. Instead of managing service principal secrets, you get short-lived tokens, which means less work for you and better security. Workload identity even lets your applications get secure, fine-tuned access to Azure resources. You can jump in and start using it for new clusters right away by using ARM, Bicep, or the CLI extension, and anyone with existing managed identity preview clusters will be automatically covered under GA support. To learn more about Azure Red Hat OpenShift, check out these resources:
Prova prodotto
Red Hat OpenShift Container Platform | Versione di prova del prodotto
Sull'autore
Altri risultati simili a questo
FedRAMP High Authorized Red Hat OpenShift Service on AWS GovCloud
Red Hat OpenShift Service on AWS supports Capacity Reservations and Capacity Blocks for Machine Learning
SREs on a plane | Technically Speaking
Ricerca per canale
Automazione
Novità sull'automazione IT di tecnologie, team e ambienti
Intelligenza artificiale
Aggiornamenti sulle piattaforme che consentono alle aziende di eseguire carichi di lavoro IA ovunque
Hybrid cloud open source
Scopri come affrontare il futuro in modo più agile grazie al cloud ibrido
Sicurezza
Le ultime novità sulle nostre soluzioni per ridurre i rischi nelle tecnologie e negli ambienti
Edge computing
Aggiornamenti sulle piattaforme che semplificano l'operatività edge
Infrastruttura
Le ultime novità sulla piattaforma Linux aziendale leader a livello mondiale
Applicazioni
Approfondimenti sulle nostre soluzioni alle sfide applicative più difficili
Virtualizzazione
Il futuro della virtualizzazione negli ambienti aziendali per i carichi di lavoro on premise o nel cloud
