Support for managed identities and workload identities is now Generally Available (GA) for Microsoft Azure Red Hat OpenShift clusters. As a fully managed offering, Azure Red Hat OpenShift is a trusted, comprehensive and consistent application platform for building, deploying, and managing your applications at scale. It’s jointly operated and engineered by both Red Hat and Microsoft, providing an integrated support experience and allows organizations to focus on building and deploying applications, not managing the underlying infrastructure.
This is a significant milestone that provides an enhanced security posture for how your Azure Red Hat OpenShift clusters access other Azure resources. This enables you to eliminate the complexity of managing service principal credentials and embrace a more streamlined and secure authentication process.
Why use managed identities?
As discussed in our previous blog, managed identities significantly enhance security by replacing long-term credentials, such as client secrets, with short-lived tokens. This approach minimizes the risk associated with compromise due to a token's brief lifespan and narrowly defined permissions. A further benefit is the reduction in operational overhead, as they eliminate the need for manual management and rotation of secrets, keys, and certificates.
How to use managed identities
To use managed identities for an Azure Red Hat OpenShift cluster, you must create user-assigned managed identities for each Azure Red Hat OpenShift component and provide the proper role assignments over the required resources. Azure Red Hat OpenShift uses multiple user-assigned managed identities, each mapped to a particular operator or component. These identities are associated with a specific built-in role, with each role assignment scoped following the principles of least privilege. Once that is complete, you can use those in the creation of the cluster.
With the GA release, you can provision managed identity Azure Red Hat OpenShift clusters using Azure Resource Manager (ARM), Bicep, or the current command-line interface (CLI) extension. We will soon enable this capability natively in the Azure CLI and through the Azure portal. For a complete guide, read Understand managed identities in Azure Red Hat OpenShift.
Using identities for your applications
In this context we refer to it as “workload identities.” As per the Microsoft Azure documentation for What are workload identities?, it is described as “something you need for your software entity to authenticate with some system.” For an Azure Red Hat OpenShift cluster, you can use a user-assigned managed identity to enable your applications to access other Azure services.
For example, you can give a specific application read-only access to a single Key Vault or storage account, without sharing secrets or long-term credentials.
To implement this for your applications, the general workflow is:
- Create a user-assigned managed identity
- Perform a role assignment over the desired Azure resource
- Create a Kubernetes service account and set correct annotations
- Create a federated credential
- Deploy your application, ensuring that the proper label and service account are set
Read Deploy and configure an application using workload identity on an Azure Red Hat OpenShift managed identity cluster for more details.
What happens to managed identity clusters that were created during preview?
The good news is that no action is required for existing managed identity clusters. Any clusters that were created during the preview period will automatically transition to GA status and are now fully supported for production use. There are no changes, migration, or redeployment required.
Note that clusters currently utilizing a service principal are not impacted, and migration to a managed identity-based cluster is not supported.
Getting started
Review the product documentation starting with Understand managed identities in Azure Red Hat OpenShift, which explains the concepts, components, and considerations required to successfully deploy a cluster. While the CLI and portal experiences are being finalized, clusters can be created using ARM, Bicep, or the existing CLI extension. Clusters created using the extension are fully supported as GA.
Conclusion
Managed identity and workload identity features for Azure Red Hat OpenShift are now generally available, making it simpler and more secure to connect your clusters to Azure services. Instead of managing service principal secrets, you get short-lived tokens, which means less work for you and better security. Workload identity even lets your applications get secure, fine-tuned access to Azure resources. You can jump in and start using it for new clusters right away by using ARM, Bicep, or the CLI extension, and anyone with existing managed identity preview clusters will be automatically covered under GA support. To learn more about Azure Red Hat OpenShift, check out these resources:
