Welcome

This is Daniele Maggio, Sr Software Engineer @ Commercial Software Engineering in Microsoft.

  • I am very passionate about technology and I love sharing some challenging experiences with other developers like me.

Azure AD Workload Identity for Kubernetes - Skipping the Mutating Admission Webhook

As the official documentation puts it, “Azure AD Workload Identity for Kubernetes integrates with the capabilities native to Kubernetes to federate with external identity providers”. In other words, workload identity for Kubernetes is about establishing a trust relationship between Kubernetes service accounts, whose tokens are issued by the cluster's own OIDC issuer, and applications (service principals) in Microsoft Entra ID (formerly Azure AD). After a one-time setup of the cluster, all you need to do is create “federated credentials” on the Entra ID side, configuring an app to trust the cluster as an external identity provider....
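The trust relationship described above boils down to Entra ID matching three claims of the projected service account token (issuer, subject, audience) against the federated credential configured on the app. The following is an added example, not code from the original post: it builds a constructed, unsigned token of the shape the kubelet projects and checks its claims against a hypothetical federated credential definition. Signature verification is deliberately out of scope here (Entra ID performs it against the cluster issuer's OIDC discovery document); the issuer URL, namespace and service account names are assumptions made up for the example.

```python
"""Match a projected Kubernetes service account token against an Entra ID
federated identity credential (issuer / subject / audience).

Added example, not from the original post. Tokens here are constructed and
unsigned; real ones are signed by the cluster and verified by Entra ID.
"""
import base64
import json
import time
from typing import List, Optional

# Fixed "current time" so the example is deterministic.
NOW = 1_700_000_000

# Hypothetical federated identity credential as configured on the Entra ID
# app registration (issuer URL, namespace and SA name are made up).
FEDERATED_CREDENTIAL = {
    "issuer": "https://oidc.example.com/cluster-1/",
    "subject": "system:serviceaccount:payments:payments-sa",
    "audiences": ["api://AzureADTokenExchange"],
}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed token for the example only (alg=none, empty signature)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def projected_token(namespace: str, sa_name: str, issuer: str, exp: int) -> str:
    """Mimic the claim layout of a projected SA token: sub is
    system:serviceaccount:<namespace>:<name>, aud is the requested audience."""
    return make_unsigned_jwt({
        "iss": issuer,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": ["api://AzureADTokenExchange"],
        "exp": exp,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    })


def jwt_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def matches_federated_credential(token: str, fic: dict, now: Optional[float] = None) -> List[str]:
    """Return the mismatches between the token claims and the federated
    credential; an empty list means Entra ID would consider it a match."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != fic["issuer"]:
        problems.append(f"iss {claims.get('iss')!r} != {fic['issuer']!r}")
    if claims.get("sub") != fic["subject"]:
        problems.append(f"sub {claims.get('sub')!r} != {fic['subject']!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if not set(aud_list) & set(fic["audiences"]):
        problems.append(f"aud {aud!r} not in {fic['audiences']!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


# Constructed tokens: one from the trusted namespace, one from a service
# account with the same name in a different namespace (a common mistake).
GOOD_TOKEN = projected_token("payments", "payments-sa", FEDERATED_CREDENTIAL["issuer"], NOW + 3600)
BAD_TOKEN = projected_token("dev", "payments-sa", FEDERATED_CREDENTIAL["issuer"], NOW + 3600)

if __name__ == "__main__":
    print("good:", matches_federated_credential(GOOD_TOKEN, FEDERATED_CREDENTIAL, now=NOW))
    print("bad: ", matches_federated_credential(BAD_TOKEN, FEDERATED_CREDENTIAL, now=NOW))
```

The point the second token makes is that the subject claim embeds the namespace, so a federated credential is bound to one service account in one namespace; a same-named account elsewhere in the cluster does not inherit the trust.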

October 18, 2023 · 3 min · Daniele Antonio Maggio

Health check Service Bus Topic for .Net Core based application running in Kubernetes

The source code you find in this repository evaluates the health of the system based on the exceptions raised by the SubscriptionClient of the Azure Service Bus C# SDK. These exceptions can be transient, and therefore retryable, or not. In the C# SDK, the default RetryExponential policy inherits from the abstract class RetryPolicy. If an exception is transient, it is retried according to the defined policy; otherwise it is thrown immediately....

April 1, 2020 · 2 min · Daniele Antonio Maggio

Reaching Azure Resources secured with Service Endpoints from on premises network via VPN

Virtual Network service endpoints allow you to restrict access to some critical Azure services to specific virtual networks only. There is a limitation, though: you can’t use service endpoints for traffic from your on-premises network to Azure services. Today, if you want to allow traffic from on-premises, you must also allow your on-premises public IP addresses on the service firewall. In this article you will find out how to route that traffic securely through your VPN by using Envoy as a proxy....

July 9, 2019 · 1 min · Daniele Antonio Maggio

Build Azure IoT Edge ARM modules using Azure DevOps Hosted Agents

When you use Microsoft-hosted Linux agents, you can build Linux container images for the x64 architecture only (no ARM, no x86). To build IoT Edge modules for other architectures (e.g. ARM), you can use a machine emulator such as QEMU. Here is how. First of all, let’s create an Azure DevOps pipeline based on the following YAML schema:

trigger:
- master
pool:
  vmImage: 'ubuntu-latest'
steps:
#Exporting the module version from module....

May 28, 2019 · 2 min · Daniele Antonio Maggio

Edge Module: authenticate calls to Azure Function

What if you just want to call an Azure Function from an Edge module? How do you authenticate the call and make sure it comes from a specific module/device? Imagine a scenario in which you need to trigger a firmware update on your Edge device. If you want to keep your firmware repository private, you may send a temporary, short-lived storage resource URL to your IoT Edge device via a change in the desired properties of your module twin....

March 11, 2019 · 2 min · Daniele Antonio Maggio

IoT Edge: Retrieve DeviceTwin for TPM enrolled devices in a Edge Module

If you want to retrieve desired properties or report changes to a Device Twin from an Edge device auto-provisioned with TPM, you need to properly instantiate a DeviceClient: this blog post is for you! To date (12 February 2019) there is no documented way to create, in an IoT Edge module, a DeviceClient to access twin properties. If you have an Edge device enrolled in DPS with TPM attestation, these are the steps to securely access your TPM and properly create a DeviceClient:...

February 12, 2019 · 4 min · Daniele Antonio Maggio

Programmatically export project, build and release definitions to new ones in VSTS / Azure DevOps via REST API

Let’s assume we have an existing project, with its own git repository and some very complex build and release definitions, and that you want to create a service able to recreate an exact copy of this structure. You will likely have to deal with git repository conflicts, custom extensions not being loaded, or service endpoints not existing in the new project. How do we deal with these issues and achieve our goal?...

January 23, 2019 · 6 min · Daniele Antonio Maggio

Azure Files Shares with Symlinks support on AKS

Mounting Azure File Shares on AKS using the Azure Files volume type doesn’t enable support for symlinks. You can fix this with a very simple tweak. Based on the discoveries of the great Lawrence Gripper, I recently discovered that a CIFS mount in Ubuntu does not enable symlink support by default. Therefore, in order to mount a share with symlink support you have to create a PersistentVolume like this:...

October 17, 2018 · 1 min · Daniele Antonio Maggio

Key Vault, Functions, Kubernetes: Securely refresh storage keys and update them in a Kubernetes cluster

Any organization should plan to rotate keys. The bad news is that very few actually do; the good news is that it is really simple to securely refresh storage keys and use temporary shared access signatures in a Kubernetes cluster using Key Vault and Azure Functions. Key rotation has many security benefits. Imagine that your master key has been compromised, or that an unauthorized employee had access to that key....

June 13, 2018 · 7 min · Daniele Antonio Maggio

Securely access fathomless secrets with Kubernetes API using Azure AD and RBAC

The API Server is one of the fundamental components of a Kubernetes cluster. All operations and communications between components, as well as external user commands, are REST API calls that the API Server handles. Let’s try to understand how to authenticate and authorize requests to the Kubernetes API with Azure Active Directory and Kubernetes RBAC. The aim of this post is to explain how to:

  • Deploy an AAD integrated Kubernetes cluster
  • Create a Secret and a ServiceAccount, Role and RoleBinding in order to access only that secret
  • Run a Node....

May 31, 2018 · 6 min · Daniele Antonio Maggio