Skip to main content
Plerion Collector Manager needs access to private registries to scan the private images deployed in the Kubernetes cluster.

AWS Elastic Container Registry (ECR)

1. Create an IAM OIDC identity provider for your cluster.

eksctl utils associate-iam-oidc-provider \
--cluster <your-cluster> \
--approve

2. Override the existing plerion-collector-manager service account and attach the IAM policy to grant it permission to pull images from the ECR.

export CLUSTER_NAME="<your cluster name>"

eksctl create iamserviceaccount \
  --name plerion-collector-manager \
  --namespace plerion-system \
  --cluster "${CLUSTER_NAME}" \
  --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \
  --approve \
  --override-existing-serviceaccounts
Please note that this command requires access to both AWS IAM and the Kubernetes cluster
  • AWS Access: The user executing the eksctl command must have sufficient IAM permissions to create and manage IAM roles, as well as to attach policies like AmazonEC2ContainerRegistryReadOnly.
  • Kubernetes Access: The same user must also have the necessary Kubernetes permissions (e.g., via kubectl) to manage service accounts within the specified Kubernetes namespace.

Azure Container Registry (ACR)

1. Prerequisites

Please ensure the following prerequisites are met before using the operator:
  • The official steps for setting up Workload Identity on AKS can be found here.
  • Managed clusters or self-managed clusters installed, see documentation
  • Mutating admission webhook installed, see documentation
  • plerion-collector-manager Upgraded to latest version (v1.1.7 or newer), see Upgrade/Rollback.

2. Export the required variables in environment

export RESOURCE_GROUP="<your resource group>" # replace it with your resource group name
export LOCATION="australiaeast" # replace it with the location of your cluster
export CLUSTER_NAME="<your cluster name>"
export SERVICE_ACCOUNT_NAMESPACE="default" # replace with your own value
export SERVICE_ACCOUNT_NAME="<service account name>" # replace with your own value
export AZURE_SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
export AZURE_TENANT_ID="$(az account show --query tenantId --output tsv)"
export USER_ASSIGNED_IDENTITY_NAME="<your identity name>" # replace with your own value
export FEDERATED_IDENTITY_CREDENTIAL_NAME="<your own name>" # replace it with your own name
export ACR_NAME="<your acr name>" # replace it with your acr name

3. Retrieve OIDC issuer url

See azure documentation for retrieving OIDC issue url. For AKS cluster use following command. 
export AKS_OIDC_ISSUER=$(az aks show --name "${CLUSTER_NAME}" --resource-group "${RESOURCE_GROUP}" --query "oidcIssuerProfile.issuerUrl" --output tsv)

4. Create managed identity.

az identity create \
  --name "${USER_ASSIGNED_IDENTITY_NAME}" \
  --resource-group "${RESOURCE_GROUP}" \
  --location "${LOCATION}" \
  --subscription "${AZURE_SUBSCRIPTION_ID}"

5. Assign AcrPull IAM permissions to managed identity.

export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RESOURCE_GROUP}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' --output tsv)"
export ACR_ID=$(az acr show --name ${ACR_NAME} --query id -o tsv)

az role assignment create --assignee ${USER_ASSIGNED_CLIENT_ID} --role 'AcrPull' --scope ${ACR_ID}

6. Create a Kubernetes service account.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: "${USER_ASSIGNED_CLIENT_ID}"
    azure.workload.identity/tenant-id: "${AZURE_TENANT_ID}"
  name: "${SERVICE_ACCOUNT_NAME}"
  namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
EOF

7. Create federated identity.

az identity federated-credential create \
 --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} \
 --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" \
 --resource-group "${AZURE_RESOURCE_GROUP}" \
 --issuer "${AKS_OIDC_ISSUER}" \
 --subject system:serviceaccount:"${SERVICE_ACCOUNT_NAMESPACE}":"${SERVICE_ACCOUNT_NAME}" \
 --audience api://AzureADTokenExchange

8. Update plerion-collector-manager ServiceAccount to include workload identity annotations.

helm upgrade plerion-collector-manager plerion/collector-manager --reuse-values \
  --namespace plerion-system \
  --set serviceAccount.annotations.'azure\.workload\.identity/client-id'=$USER_ASSIGNED_CLIENT_ID \
  --set serviceAccount.annotations.'azure\.workload\.identity/tenant-id'=$AZURE_TENANT_ID # Optional

9. Update plerion-collector-manager to use azWorkloadIdentity

helm upgrade plerion-collector-manager plerion/collector-manager --reuse-values \
  --namespace plerion-system \
  --set collector.azWorkloadIdentity=true

10. Update service account for plerion-collector-manager.

kubectl set serviceaccount deployment plerion-collector-manager $SERVICE_ACCOUNT_NAME