Conversation

@qweeah (Contributor) commented Dec 24, 2025

What type of PR is this?
/kind feature

What this PR does / why we need it:

This PR adds support for identity binding-based image pull authentication from Azure Container Registry (ACR), implementing KEP-4412 projected service account tokens for kubelet image credential providers.

Changes

Data Model

Added ImagePullIdentityProfile to SecurityProfile with fields:

  • Enabled: Enable/disable identity binding
  • DefaultClientID: Default managed identity client ID
  • DefaultTenantID: Default managed identity tenant ID
  • LocalAuthoritySNI: SNI endpoint for Identity Bindings Local Authority

Added getter methods to SecurityProfile for null-safe access.

Implementation Paths

1. Legacy CSE (Template-based)

  • pkg/agent/variables.go: Template variables for CSE scripts
  • parts/linux/cloud-init/artifacts/cse_cmd.sh: Environment variable declarations
  • parts/linux/cloud-init/artifacts/cse_config.sh: Credential provider config generation

2. AKSNodeConfig (Proto-based)

  • aks-node-controller/proto/aksnodeconfig/v1/security_profile.proto: Proto definitions
  • aks-node-controller/parser/parser.go: Environment variable generation
  • aks-node-controller/parser/helper.go: Null-safe helper functions

Both paths converge at cse_config.sh to generate /var/lib/kubelet/credential-provider-config.yaml with identity binding arguments (--ib-default-client-id, --ib-default-tenant-id, --ib-sni-name) and token attributes.

Testing

  • Unit Tests: 49 tests across 3 files (variables, datamodel, parser)
  • E2E Tests: 4 scenarios (enabled, disabled, network isolated, Azure Linux V3)

All tests validate credential provider config file contains correct identity binding configuration.

Cluster Support

  • ✅ Public cloud (Azure Commercial)
  • ✅ AKS Custom Cloud
  • ✅ Network Isolated (NI/airgap) clusters

Which issue(s) this PR fixes:

Fixes #

Requirements:

  • uses conventional commit messages
  • includes documentation
  • adds unit tests
  • adds e2e tests
  • tested upgrade from previous version
  • commits are GPG signed and Github marks them as verified

Special notes for your reviewer:

Dual implementation approach (legacy CSE + modern AKSNodeConfig) for backward compatibility. Both paths fully tested and generate identical credential provider configuration.

Release note:

AgentBaker now supports identity binding-based image pull authentication from Azure Container Registry (ACR) via ImagePullIdentityProfile in SecurityProfile, using projected service account tokens (KEP-4412) for authentication.
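Sketch of the pieces the description above lists, as an added Go example that is not code from this PR or from AgentBaker: a data model with the four ImagePullIdentityProfile fields, null-safe getters, and a generator that emits the kubelet CredentialProviderConfig with the --ib-default-client-id, --ib-default-tenant-id and --ib-sni-name args plus KEP-4412 token attributes. The type names, the provider binary name (acr-credential-provider), the matchImages pattern, the cache duration, the token audience and the sample GUIDs/hostname are assumptions made for this example; the PR itself documents only the field names, the three args and the output path.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Model mirroring the PR's fields; names are assumptions, not AgentBaker's types.
type ImagePullIdentityProfile struct {
	Enabled           *bool
	DefaultClientID   *string
	DefaultTenantID   *string
	LocalAuthoritySNI *string
}

type SecurityProfile struct{ ImagePullIdentityProfile *ImagePullIdentityProfile }

// Null-safe getters: a nil SecurityProfile, nil profile or nil field reads as
// disabled / "" instead of panicking the config generator.
func (s *SecurityProfile) GetImagePullIdentityProfile() *ImagePullIdentityProfile {
	if s == nil {
		return nil
	}
	return s.ImagePullIdentityProfile
}

func (p *ImagePullIdentityProfile) GetEnabled() bool {
	return p != nil && p.Enabled != nil && *p.Enabled
}

// GetValues returns client ID, tenant ID and SNI, each "" when unset.
func (p *ImagePullIdentityProfile) GetValues() (clientID, tenantID, sni string) {
	if p == nil {
		return "", "", ""
	}
	return str(p.DefaultClientID), str(p.DefaultTenantID), str(p.LocalAuthoritySNI)
}

func str(v *string) string {
	if v == nil {
		return ""
	}
	return *v
}

var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)
var hostRe = regexp.MustCompile(`^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$`)

// IdentityBindingArgs returns the --ib-* args named in the PR, or nil when identity
// binding is off. Values are validated first so a bad profile cannot inject args or YAML.
func IdentityBindingArgs(s *SecurityProfile) ([]string, error) {
	p := s.GetImagePullIdentityProfile()
	if !p.GetEnabled() {
		return nil, nil
	}
	clientID, tenantID, sni := p.GetValues()
	checks := []struct{ name, val string; re *regexp.Regexp }{
		{"DefaultClientID", clientID, guidRe},
		{"DefaultTenantID", tenantID, guidRe},
		{"LocalAuthoritySNI", sni, hostRe},
	}
	for _, c := range checks {
		if !c.re.MatchString(c.val) {
			return nil, fmt.Errorf("identity binding enabled but %s %q is malformed", c.name, c.val)
		}
	}
	return []string{
		"--ib-default-client-id=" + clientID,
		"--ib-default-tenant-id=" + tenantID,
		"--ib-sni-name=" + sni,
	}, nil
}

// RenderCredentialProviderConfig builds the kubelet CredentialProviderConfig written to
// /var/lib/kubelet/credential-provider-config.yaml. Provider name, matchImages, cache
// duration and the KEP-4412 tokenAttributes values are assumptions for this example.
func RenderCredentialProviderConfig(s *SecurityProfile) (string, error) {
	args, err := IdentityBindingArgs(s)
	if err != nil {
		return "", err
	}
	var b strings.Builder
	b.WriteString("apiVersion: kubelet.config.k8s.io/v1\nkind: CredentialProviderConfig\nproviders:\n")
	b.WriteString("  - name: acr-credential-provider\n    apiVersion: credentialprovider.kubelet.k8s.io/v1\n")
	b.WriteString("    matchImages:\n      - \"*.azurecr.io\"\n    defaultCacheDuration: 10m\n")
	if len(args) > 0 {
		b.WriteString("    args:\n")
		for _, a := range args {
			b.WriteString("      - " + strconv.Quote(a) + "\n") // quoted scalar; value already validated
		}
		// KEP-4412: kubelet projects a service account token for the pulling pod and hands
		// it to the provider, so the pull is authorised as that workload, not as the node.
		b.WriteString("    tokenAttributes:\n      serviceAccountTokenAudience: api://AzureADTokenExchange\n")
		b.WriteString("      requireServiceAccount: true\n")
	}
	return b.String(), nil
}

func main() {
	on := true // constructed sample values below
	cid, tid, sni := "11111111-2222-3333-4444-555555555555", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "ib-local-authority.example.invalid"
	cfg, err := RenderCredentialProviderConfig(&SecurityProfile{&ImagePullIdentityProfile{&on, &cid, &tid, &sni}})
	fmt.Println(cfg, err)
}
```

The two points worth carrying into either implementation path: validate the client ID, tenant ID and SNI before they are expanded into the config (cse_config.sh renders from environment variables, so an unchecked value would land in the YAML verbatim), and emit the token attributes only together with the --ib-* args, since a provider config that requests a projected service account token but lacks the binding arguments, or vice versa, is the kind of half-state the E2E scenarios for enabled and disabled should catch.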

@qweeah qweeah changed the title feat: Add ImagePullIdentityProfile to SecurityProfile for identity binding-based image pull feat: add ImagePullIdentityProfile for identity binding-based image pull Dec 24, 2025
@qweeah qweeah marked this pull request as ready for review December 29, 2025 00:35
@norshtein (Member) commented:

This PR's logic LGTM. But I don't quite understand what is step 2 "RP integration and configuration flow". AgentBaker won't rely on anything from AKS RP, I think you could make all changes in the same PR and add E2E for it? Here is an example PR: #7059 .

github-actions bot commented Dec 29, 2025

The latest Buf updates on your PR. Results from workflow Buf CI / buf (pull_request).

Build: passed | Format: passed | Lint: passed | Breaking: passed | Updated (UTC): Dec 29, 2025, 9:37 AM

Signed-off-by: Billy Zha <jinzha1@microsoft.com>