
Container Service for Kubernetes: ack-pod-identity-webhook

Last Updated: Sep 11, 2025

The ack-pod-identity-webhook component simplifies the use of the RAM Roles for Service Accounts (RRSA) feature of Alibaba Cloud Container Service for Kubernetes (ACK). The component automatically injects the required OpenID Connect (OIDC) token mounts and environment variable configurations into your application pods. This eliminates the need for tedious manual configuration. This topic describes the ack-pod-identity-webhook component, provides usage instructions, and includes its change log.

Introduction

The following figure shows the architecture of the ack-pod-identity-webhook component.

[Figure: architecture diagram of the ack-pod-identity-webhook component]

Example

The application deployed in this example uses the RRSA feature to assume a specified role and retrieve a list of clusters that belong to the current account. The following information is used in this example.

  • Namespace: rrsa-demo

  • Service account: demo-sa

  • RAM role: ack-pod-identity-webhook-demo

After you add the pod-identity.alibabacloud.com/injection: 'on' label to the namespace where the pod resides, the ack-pod-identity-webhook component automatically injects the relevant configuration items into the pod based on the annotations of the service account that the pod uses. The procedure is as follows.

  1. Enable the RRSA feature for your cluster. For more information, see Enable the RRSA feature.

    After you enable the RRSA feature, obtain the URL and ARN of the OIDC IdP in the cluster.

  2. Install the ack-pod-identity-webhook component.

    1. On the Clusters page, find the cluster you want and click its name. In the left-side pane, choose Operations > Add-ons.

    2. On the Add-ons page, click the Security tab, find the ack-pod-identity-webhook component, and then click Install in the lower-right corner of the component card.

    3. In the dialog box that appears, confirm the component information and click OK.

  3. Create a RAM role named ack-pod-identity-webhook-demo. The following table describes the main parameters. For more information, see Create a RAM role for an OIDC IdP.

    Identity Provider Type: OIDC

    Identity Provider: ack-rrsa-<cluster_id>, where <cluster_id> is the ID of your cluster.

    Condition:

    • oidc:iss: Keep the default value.

    • oidc:aud: Keep the default value.

    • oidc:sub: Manually add this condition.

      • Key: Select oidc:sub.

      • Operator: Select StringEquals.

      • Value: system:serviceaccount:<namespace>:<serviceAccountName>. <namespace> is the namespace where the application resides. <serviceAccountName> is the name of the service account. Based on the information of the test application, enter system:serviceaccount:rrsa-demo:demo-sa.

  4. Grant the AliyunCSReadOnlyAccess system policy to the role that you created in the previous step. This policy provides the required permissions for the test application. For more information, see Grant permissions to a RAM role.

  5. Deploy the test application.

    1. Create a demo.yaml file that contains the following content.

      In the following YAML example, the pod-identity.alibabacloud.com/injection: 'on' label is added to the namespace and the pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo annotation is added to the service account to enable the automatic configuration injection feature of the ack-pod-identity-webhook component. For more information about the RRSA demo implementation, see the code.

      ---
      apiVersion: v1
      kind: Namespace
      metadata:
        name: rrsa-demo
        labels:
          pod-identity.alibabacloud.com/injection: 'on'
      
      ---
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: demo-sa
        namespace: rrsa-demo
        annotations:
          pod-identity.alibabacloud.com/role-name: ack-pod-identity-webhook-demo
      
      ---
      apiVersion: v1
      kind: Pod
      metadata:
        name: demo
        namespace: rrsa-demo
      spec:
        serviceAccountName: demo-sa
        containers:
          - image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
            imagePullPolicy: "Always"
            args:
              - rrsa
              - demo
            name: demo
        restartPolicy: OnFailure
    2. Run the following command to deploy the test application.

      kubectl apply -f demo.yaml
  6. Run the following command to view the test application pod and confirm that the ack-pod-identity-webhook component has automatically injected the required configurations.

    kubectl -n rrsa-demo get pod demo -o yaml

    Expected output:

    apiVersion: v1
    kind: Pod
    metadata:
      name: demo
      namespace: rrsa-demo
    spec:
      containers:
      - args:
        - rrsa
        - demo
        env:
        - name: ALIBABA_CLOUD_ROLE_ARN
          value: acs:ram::1***:role/ack-pod-identity-webhook-demo
        - name: ALIBABA_CLOUD_OIDC_PROVIDER_ARN
          value: acs:ram::1***:oidc-provider/ack-rrsa-c***
        - name: ALIBABA_CLOUD_OIDC_TOKEN_FILE
          value: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens/token
        image: registry.cn-hangzhou.aliyuncs.com/acs/ack-ram-tool:1.0.0
        imagePullPolicy: Always
        name: demo
        volumeMounts:
        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          name: kube-api-access-4bwdg
          readOnly: true
        - mountPath: /var/run/secrets/ack.alibabacloud.com/rrsa-tokens
          name: rrsa-oidc-token
          readOnly: true
      restartPolicy: OnFailure
      serviceAccount: demo-sa
      serviceAccountName: demo-sa
      volumes:
      - name: kube-api-access-4bwdg
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              expirationSeconds: 3607
              path: token
          - configMap:
              items:
              - key: ca.crt
                path: ca.crt
              name: kube-root-ca.crt
          - downwardAPI:
              items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace
      - name: rrsa-oidc-token
        projected:
          defaultMode: 420
          sources:
          - serviceAccountToken:
              audience: sts.aliyuncs.com
              expirationSeconds: 3600
              path: token

    The expected output indicates that the ack-pod-identity-webhook component has automatically injected the following configurations into the pod.

    Category                Configuration item                 Description
    Environment variable    ALIBABA_CLOUD_ROLE_ARN             The ARN of the RAM role to assume.
    Environment variable    ALIBABA_CLOUD_OIDC_PROVIDER_ARN    The ARN of the OIDC IdP.
    Environment variable    ALIBABA_CLOUD_OIDC_TOKEN_FILE      The path of the file that contains the OIDC token.
    VolumeMount             rrsa-oidc-token                    The mount of the projected OIDC token volume in the container.
    Volume                  rrsa-oidc-token                    The projected volume that holds the OIDC token.

  7. Run the following command to view the logs of the test application.

    kubectl -n rrsa-demo logs demo

    Expected output:

    cluster id: cf***, cluster name: foo*
    cluster id: c8***, cluster name: bar*
    cluster id: c4***, cluster name: foob*
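The two checks a practitioner usually wants after step 6 and step 7 are whether the injected pod spec is complete (all three environment variables, a read-only token mount, and a projected token with the sts.aliyuncs.com audience and an in-range validity period) and whether the projected token's sub claim actually matches the oidc:sub condition configured on the RAM role in step 3; a mismatch there is the most common reason AssumeRoleWithOIDC is refused. The following Python script is an added example, not code from this documentation or from the ack-pod-identity-webhook component. SAMPLE_POD is constructed from the expected output above (account and cluster IDs masked as in the docs), SAMPLE_TOKEN is a constructed, unsigned JWT whose issuer is a placeholder, and the real inputs would be `kubectl -n rrsa-demo get pod demo -o json` and the file named by ALIBABA_CLOUD_OIDC_TOKEN_FILE read from inside the container.

```python
"""Verify what ack-pod-identity-webhook injected into a pod (added example, not the component's code)."""
import base64
import json
import time

REQUIRED_ENV = ("ALIBABA_CLOUD_ROLE_ARN", "ALIBABA_CLOUD_OIDC_PROVIDER_ARN",
                "ALIBABA_CLOUD_OIDC_TOKEN_FILE")
TOKEN_MOUNT = "/var/run/secrets/ack.alibabacloud.com/rrsa-tokens"
TOKEN_VOLUME = "rrsa-oidc-token"
STS_AUDIENCE = "sts.aliyuncs.com"
MIN_EXP, MAX_EXP = 600, 43200  # documented range for the token validity period


def check_injection(pod, container_name):
    """Return findings for one container; an empty list means the injection looks right."""
    findings = []
    spec = pod["spec"]
    container = next((c for c in spec.get("containers", []) if c["name"] == container_name), None)
    if container is None:
        return [f"container {container_name!r} not found"]
    env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
    findings += [f"missing env {n}" for n in REQUIRED_ENV if not env.get(n)]
    mount = next((m for m in container.get("volumeMounts", []) if m.get("mountPath") == TOKEN_MOUNT), None)
    if mount is None:
        findings.append(f"no volumeMount at {TOKEN_MOUNT}")
    else:
        if not mount.get("readOnly"):
            findings.append("token mount is not readOnly")
        if not env.get("ALIBABA_CLOUD_OIDC_TOKEN_FILE", "").startswith(TOKEN_MOUNT + "/"):
            findings.append("ALIBABA_CLOUD_OIDC_TOKEN_FILE does not point into the token mount")
    volume = next((v for v in spec.get("volumes", []) if v["name"] == TOKEN_VOLUME), None)
    sources = (volume or {}).get("projected", {}).get("sources", [])
    sat = next((s["serviceAccountToken"] for s in sources if "serviceAccountToken" in s), None)
    if sat is None:
        findings.append(f"volume {TOKEN_VOLUME} missing or has no projected serviceAccountToken source")
    else:
        if sat.get("audience") != STS_AUDIENCE:
            findings.append(f"token audience {sat.get('audience')!r}, expected {STS_AUDIENCE!r}")
        if not MIN_EXP <= sat.get("expirationSeconds", 0) <= MAX_EXP:
            findings.append(f"expirationSeconds {sat.get('expirationSeconds')} outside {MIN_EXP}..{MAX_EXP}")
    return findings


def decode_claims(jwt):
    """Decode the JWT payload without checking the signature: STS verifies it against the
    cluster's OIDC IdP; here we only inspect what the kubelet projected."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_token_claims(jwt, namespace, service_account, now=None):
    """Check that the projected token binds to the expected sub/aud and is not expired."""
    claims = decode_claims(jwt)
    now = time.time() if now is None else now
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        findings.append(f"sub {claims.get('sub')!r} != {expected_sub!r} (oidc:sub condition would not match)")
    aud = claims.get("aud", [])
    if STS_AUDIENCE not in ([aud] if isinstance(aud, str) else aud):
        findings.append(f"aud {aud!r} does not contain {STS_AUDIENCE!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings


def make_sample_token(claims):
    """Build an unsigned JWT for offline testing (constructed; a real token is RS256-signed)."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


# Constructed from the expected output above (account and cluster IDs masked as in the docs).
SAMPLE_POD = {"spec": {
    "containers": [{"name": "demo",
        "env": [{"name": "ALIBABA_CLOUD_ROLE_ARN", "value": "acs:ram::1***:role/ack-pod-identity-webhook-demo"},
                {"name": "ALIBABA_CLOUD_OIDC_PROVIDER_ARN", "value": "acs:ram::1***:oidc-provider/ack-rrsa-c***"},
                {"name": "ALIBABA_CLOUD_OIDC_TOKEN_FILE", "value": TOKEN_MOUNT + "/token"}],
        "volumeMounts": [{"mountPath": TOKEN_MOUNT, "name": TOKEN_VOLUME, "readOnly": True}]}],
    "volumes": [{"name": TOKEN_VOLUME, "projected": {"sources": [
        {"serviceAccountToken": {"audience": STS_AUDIENCE, "expirationSeconds": 3600, "path": "token"}}]}}]}}

# Constructed claims; the issuer is a placeholder, not a real ACK OIDC IdP URL.
SAMPLE_TOKEN = make_sample_token({
    "iss": "https://oidc.example.invalid/ack-rrsa-<cluster_id>",
    "sub": "system:serviceaccount:rrsa-demo:demo-sa",
    "aud": [STS_AUDIENCE], "iat": 1_700_000_000, "exp": 1_700_003_600})

if __name__ == "__main__":
    print("pod:", check_injection(SAMPLE_POD, "demo") or "ok")
    print("token:", check_token_claims(SAMPLE_TOKEN, "rrsa-demo", "demo-sa", now=1_700_000_000) or "ok")
```

Run it against real data by loading the `kubectl ... -o json` output into `check_injection` and the token file contents into `check_token_claims` with the namespace and service account name you configured in the role's oidc:sub condition.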

Custom configurations

The ack-pod-identity-webhook component supports custom configurations for namespaces, service accounts, and pods.

Namespace configuration

Parameter: pod-identity.alibabacloud.com/injection
Type: Label
Description: Specifies whether to enable automatic configuration injection for pods in this namespace.

  • If the value is on, namespace-level automatic configuration injection is enabled.

  • If this label is not configured or is set to another value, namespace-level automatic configuration injection is disabled.

Code example:

apiVersion: v1
kind: Namespace
metadata:
  name: test
  labels:
    pod-identity.alibabacloud.com/injection: 'on'

Service account configuration

Parameter: pod-identity.alibabacloud.com/role-name
Type: Annotation
Description: The name of the RAM role that is associated with the service account. If this configuration item is not configured or its value is not a valid RAM role name, configurations are not automatically injected into pods that use this service account.
Code example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/role-name: test-role

Parameter: pod-identity.alibabacloud.com/service-account-token-expiration
Type: Annotation
Description: Specifies the validity period of the OIDC token that is mounted to the pod that uses the service account. Valid values: 600 to 43200. Unit: seconds. The default value is 3600. If you specify an invalid value, the default value is used.
Code example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/service-account-token-expiration: '3600'

Parameter: pod-identity.alibabacloud.com/inject-sts-endpoint
Type: Annotation
Description: Specifies whether to inject the ALIBABA_CLOUD_STS_ENDPOINT environment variable into pods that use this service account.

  • If the value is on, the environment variable is injected.

  • If this annotation is not configured or is set to another value, the environment variable is not injected.

Note: This parameter is supported only in version 0.3.0 and later.

Code example:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/inject-sts-endpoint: 'on'

Pod configuration

Parameter: pod-identity.alibabacloud.com/injection
Type: Label
Description: Specifies whether to enable automatic configuration injection for this pod.

  • If the value is on, automatic configuration injection is enabled.

  • If this label is not configured or is set to another value, the namespace configuration determines whether to enable automatic configuration injection.

Note: This parameter is supported only in version 0.2.0 and later.

Code example:

apiVersion: v1
kind: Pod
metadata:
  name: test
  labels:
    pod-identity.alibabacloud.com/injection: 'on'

Parameter: pod-identity.alibabacloud.com/service-account-token-expiration
Type: Annotation
Description: Specifies the validity period of the OIDC token that is mounted to the pod. Valid values: 600 to 43200. Unit: seconds. The default value is 3600. If you specify an invalid value, the default value is used.

Note: If this configuration item exists on both the service account and the pod, the configuration on the service account is ignored.

Code example:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/service-account-token-expiration: '3600'

Parameter: pod-identity.alibabacloud.com/only-containers
Type: Annotation
Description: Restricts automatic configuration injection to the containers in the pod that have the specified names. Use commas (,) to separate multiple container names. If this configuration item is not configured, configurations are automatically injected into all containers in the pod.
Code example:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/only-containers: 'controller,test'

Parameter: pod-identity.alibabacloud.com/skip-containers
Type: Annotation
Description: Excludes the containers with the specified names from automatic configuration injection. Use commas (,) to separate multiple container names.

Note: If a container name exists in both the pod-identity.alibabacloud.com/only-containers and pod-identity.alibabacloud.com/skip-containers configurations, the configuration in pod-identity.alibabacloud.com/only-containers is ignored for that container.

Code example:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: test
  annotations:
    pod-identity.alibabacloud.com/skip-containers: 'controller,test'
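The namespace, service account and pod settings above interact in a few ways that are easy to get wrong when reviewing a manifest: a pod label of on enables injection even in a namespace without the label, while any other pod value defers to the namespace; a pod-level token expiration silences the service account's value even when the pod's value is invalid and therefore falls back to the default; and skip-containers wins over only-containers on overlap. The following Python module is an added example that encodes those documented rules as a reference model for pre-deployment checks. It is not the ack-pod-identity-webhook source and makes no claim about its internals; the ROLE_NAME_RE shape for a "valid RAM role name" is an assumption (the page says only that an invalid name disables injection), and the NS, SA and POD objects are constructed samples in the shape of `kubectl -o json` output.

```python
"""Reference model of the injection rules in the "Custom configurations" section.

Added example, not the ack-pod-identity-webhook source. plan_injection() returns
what the documented rules say the webhook would inject for a pod, or None when
the pod would be left alone.
"""
import re

PREFIX = "pod-identity.alibabacloud.com/"
INJECTION = PREFIX + "injection"                               # label, namespace or pod
ROLE_NAME = PREFIX + "role-name"                               # annotation, service account
TOKEN_EXPIRATION = PREFIX + "service-account-token-expiration"  # annotation, SA or pod
INJECT_STS_ENDPOINT = PREFIX + "inject-sts-endpoint"           # annotation, service account
ONLY_CONTAINERS = PREFIX + "only-containers"                   # annotation, pod
SKIP_CONTAINERS = PREFIX + "skip-containers"                   # annotation, pod
DEFAULT_EXPIRATION, MIN_EXPIRATION, MAX_EXPIRATION = 3600, 600, 43200
# Assumed shape of a valid RAM role name; the docs do not define validity, so adjust to your rules.
ROLE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def injection_enabled(ns_labels, pod_labels):
    """Pod label 'on' enables injection; any other pod value defers to the namespace label."""
    if pod_labels.get(INJECTION) == "on":
        return True
    return ns_labels.get(INJECTION) == "on"


def resolve_token_expiration(sa_annotations, pod_annotations):
    """Pod annotation wins when both are set; non-numeric or out-of-range values give the default."""
    raw = pod_annotations.get(TOKEN_EXPIRATION, sa_annotations.get(TOKEN_EXPIRATION))
    try:
        seconds = int(str(raw).strip())
    except (TypeError, ValueError):
        return DEFAULT_EXPIRATION
    return seconds if MIN_EXPIRATION <= seconds <= MAX_EXPIRATION else DEFAULT_EXPIRATION


def _name_set(value):
    """Parse a comma-separated container list; None or blank means 'not configured' (assumption)."""
    if value is None or not value.strip():
        return None
    return {n.strip() for n in value.split(",") if n.strip()}


def target_containers(container_names, pod_annotations):
    """only-containers restricts, skip-containers excludes, and skip wins on overlap."""
    only = _name_set(pod_annotations.get(ONLY_CONTAINERS))
    skip = _name_set(pod_annotations.get(SKIP_CONTAINERS)) or set()
    return [c for c in container_names if (only is None or c in only) and c not in skip]


def plan_injection(namespace, service_account, pod):
    """Return the injection the documented rules call for, or None if the pod is left untouched."""
    meta = lambda obj: (obj.get("metadata", {}).get("labels", {}) or {},
                        obj.get("metadata", {}).get("annotations", {}) or {})
    ns_labels, _ = meta(namespace)
    _, sa_ann = meta(service_account)
    pod_labels, pod_ann = meta(pod)
    if not injection_enabled(ns_labels, pod_labels):
        return None
    role = sa_ann.get(ROLE_NAME, "")
    if not ROLE_NAME_RE.match(role):   # missing or invalid role name: nothing is injected
        return None
    names = [c["name"] for c in pod.get("spec", {}).get("containers", [])]
    return {
        "role_name": role,
        "token_expiration": resolve_token_expiration(sa_ann, pod_ann),
        "containers": target_containers(names, pod_ann),
        "inject_sts_endpoint": sa_ann.get(INJECT_STS_ENDPOINT) == "on",
    }


# Constructed sample objects (trimmed kubectl -o json shape).
NS = {"metadata": {"name": "test", "labels": {INJECTION: "on"}}}
SA = {"metadata": {"name": "test-sa", "namespace": "test", "annotations": {
    ROLE_NAME: "test-role", TOKEN_EXPIRATION: "7200", INJECT_STS_ENDPOINT: "on"}}}
POD = {"metadata": {"name": "test-pod", "namespace": "test", "annotations": {
    TOKEN_EXPIRATION: "not-a-number",   # invalid on the pod: SA's 7200 is still ignored, default applies
    ONLY_CONTAINERS: "controller,test", SKIP_CONTAINERS: "test"}},
    "spec": {"containers": [{"name": "controller"}, {"name": "test"}, {"name": "sidecar"}]}}

if __name__ == "__main__":
    print(plan_injection(NS, SA, POD))
```

For the constructed sample the plan is role test-role, a 3600-second token, injection into the controller container only, and the STS endpoint variable injected; feeding real objects from `kubectl get ns/sa/pod -o json` lets you confirm the intended role binding and container scope before the pod is admitted.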

RRSA SDK reference

Alibaba Cloud SDK V2.0 supports OIDC token authentication of RRSA. By default, all cloud service SDKs that support STS token authentication and are developed based on Alibaba Cloud SDK V2.0 support RRSA OIDC token authentication. The following table describes the supported SDK versions and demos.

Programming language: Go
Supported SDK version: Alibaba Cloud Credentials for Go 1.2.6 and later. For more information, see Method 6: Use the RAM role of an OIDC IdP.
Demo: Demos of SDK for Go

Programming language: Java
Supported SDK version: Alibaba Cloud Credentials for Java 0.2.10 and later. For more information, see Method 6: Use the RAM role of an OIDC IdP.
Demo: Demos of SDK for Java

Programming language: Python 3
Supported SDK version: Alibaba Cloud Credentials for Python 0.3.1 and later. For more information, see Method 6: Use the RAM role of an OIDC IdP.
Demo: Demos of SDK for Python 3

Programming language: Node.js and TypeScript
Supported SDK version: Alibaba Cloud Credentials for TypeScript/Node.js 2.2.6 and later. For more information, see Method 6: Use the RAM role of an OIDC IdP.
Demo: Demos of SDK for Node.js and SDK for TypeScript

Change log

September 2025

Version: 0.3.1
Image URL: registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:0.3.1
Changes: Upgraded the Golang version used by the component to 1.24.6 to improve component stability.
Release date: September 8, 2025
Impact: If an exception occurs during the component upgrade, pods may fail to be created. We recommend that you perform the upgrade during off-peak hours.

June 2025

Version: 0.3.0
Image URL: registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.3.0.0-g433f84b-aliyun
Changes: Added support for injecting the ALIBABA_CLOUD_STS_ENDPOINT environment variable into pods using the pod-identity.alibabacloud.com/inject-sts-endpoint annotation on the service account. For more information, see Service account configuration.
Release date: June 6, 2025
Impact: If an exception occurs during the component upgrade, pods may fail to be created. We recommend that you perform the upgrade during off-peak hours.

March 2025

Version: 0.2.1
Image URL: registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.2.1.0-g52e519c-aliyun
Changes: Upgraded the Golang version used by the component to 1.23.7 to improve component stability.
Release date: March 18, 2025
Impact: If an exception occurs during the component upgrade, pods may fail to be created. We recommend that you perform the upgrade during off-peak hours.

December 2024

Version: 0.2.0
Image URL: registry-cn-hangzhou.ack.aliyuncs.com/acs/ack-pod-identity-webhook:v0.2.0.11-g2f0c2e7-aliyun
Changes:

  • Added support for enabling configuration injection by adding the pod-identity.alibabacloud.com/injection: 'on' label to pods.

  • Optimized the support for Kubernetes 1.32 clusters.

Release date: December 19, 2024
Impact: If an exception occurs during the component upgrade, pods may fail to be created. We recommend that you perform the upgrade during off-peak hours.

June 2023

Version: 0.1.1
Image URL: registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.1.0-gbddcb74-aliyun
Changes: Improved the compatibility of the component with ACK Serverless clusters.
Release date: June 7, 2023
Impact: If an exception occurs during the component upgrade, pods may fail to be created. We recommend that you perform the upgrade during off-peak hours.

February 2023

Version: 0.1.0
Image URL: registry.cn-hangzhou.aliyuncs.com/acs/ack-pod-identity-webhook:v0.1.0.9-g26b8fde-aliyun
Changes: Implemented the feature of automatically mounting OIDC tokens and configuring environment variables for application pods.
Release date: February 1, 2023
Impact: First version.

References

Use RRSA to configure RAM permissions for a ServiceAccount to implement pod permission isolation