Upgrade Azure AD Pod Identity package to 1.6.2, per Microsoft's email…

… recommendation. https://github.com/Azure/aad-pod-identity/blob/master/CHANGELOG-1.6.md#v162

azure/aks-aad-pod-identity/aad-pod-id-mic-binding.tf

@@ -1,14 +1,16 @@
 resource "kubernetes_cluster_role_binding" "aad-pod-id-mic-binding" {
   metadata {
     name = "aad-pod-id-mic-binding"
+
     labels = {
-        k8s-app = "aad-pod-id-mic-binding"
-    }    
+      k8s-app = "aad-pod-id-mic-binding"
+    }
   }
+
   role_ref {
     api_group = "rbac.authorization.k8s.io"
     kind      = "ClusterRole"
-    name      = kubernetes_cluster_role.aad-pod-id-mic-role.metadata.0.name
+    name      = "aad-pod-id-mic-role"
   }
 
   subject {

azure/aks-aad-pod-identity/aad-pod-id-mic-role.tf

@@ -12,7 +12,7 @@ resource "kubernetes_cluster_role" "aad-pod-id-mic-role" {
   rule {
     api_groups = [""]
     resources  = ["pods", "nodes"]
-    verbs      = [ "list", "watch" ]
+    verbs      = ["list", "watch"]
   }
 
   rule {
@@ -21,25 +21,37 @@ resource "kubernetes_cluster_role" "aad-pod-id-mic-role" {
     verbs      = ["create", "patch"]
   }
 
+  rule {
+    api_groups = [""]
+    resources  = ["configmaps"]
+    verbs      = ["get", "create", "update"]
+  }
+
   rule {
     api_groups = [""]
     resources  = ["endpoints"]
-    verbs      = ["create", "get","update"]
+    verbs      = ["create", "get", "update"]
   }
 
   rule {
     api_groups = ["aadpodidentity.k8s.io"]
     resources  = ["azureidentitybindings", "azureidentities"]
-    verbs      = ["get", "list", "watch", "post"]
+    verbs      = ["get", "list", "watch", "post", "update"]
   }
 
   rule {
     api_groups = ["aadpodidentity.k8s.io"]
     resources  = ["azureassignedidentities"]
     verbs      = ["*"]
-  }  
+  }
+
+  rule {
+    api_groups = ["aadpodidentity.k8s.io"]
+    resources  = ["azurepodidentityexceptions"]
+    verbs      = ["list", "update"]
+  }
 
   depends_on = [
     helm_release.aad-pod-identity-crds
   ]
-}
+}

azure/aks-aad-pod-identity/aad-pod-id-nmi-role.tf

@@ -36,4 +36,4 @@ resource "kubernetes_cluster_role" "aad-pod-id-nmi-role" {
   depends_on = [
     helm_release.aad-pod-identity-crds
   ]
-}
+}

azure/aks-aad-pod-identity/charts/aad-pod-id-rbac/templates/crds/aad-pod-identity-rbac.yml

@@ -1,3 +1,8 @@
+#It's recommended to pull a new version of this yaml file from Microsoft's repository when an update is done.
+#This file should be available here: https://github.com/Azure/aad-pod-identity/blob/master/deploy/infra/deployment-rbac.yaml
+#HOWEVER, what's represented here are really only the CustomResourceDefinitions that we couldn't transform to native terraform code.
+#So, if you have new sections being added below, look for them elsewhere in this module, and update the native terraform code there.
+#For assistance converting yml to terraform, use the k2tf.exe tool.  (Hint, remove CustomResourceDefinitions)
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
 metadata:

azure/aks-aad-pod-identity/mic-deployment.tf

@@ -2,6 +2,7 @@ resource "kubernetes_deployment" "mic" {
   metadata {
     name      = "mic"
     namespace = "default"
+
     labels = {
       component = "mic"
       k8s-app   = "aad-pod-id"
@@ -10,6 +11,7 @@ resource "kubernetes_deployment" "mic" {
 
   spec {
     replicas = 2
+
     selector {
       match_labels = {
         component = "mic"
@@ -25,23 +27,35 @@ resource "kubernetes_deployment" "mic" {
         }
       }
 
-
       spec {
         service_account_name = kubernetes_service_account.aad-pod-id-mic-service-account.metadata.0.name
         automount_service_account_token = true
+
         container {
-          name              = "mic"
-          image             = "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.5.5"
+          name  = "mic"
+          image = "mcr.microsoft.com/k8s/aad-pod-identity/mic:1.6.2"
           image_pull_policy = "Always"
-          args = [
+          args  = [
             "--cloudconfig=/etc/kubernetes/azure.json",
             "--logtostderr"
           ]
+
+          env {
+            name = "MIC_POD_NAMESPACE"
+
+            value_from {
+              field_ref {
+                field_path = "metadata.namespace"
+              }
+            }
+          }
+
           resources {
             limits {
               cpu    = "200m"
-              memory = "512Mi"
+              memory = "1Gi"
             }
+
             requests {
               cpu    = "100m"
               memory = "256Mi"
@@ -51,7 +65,7 @@ resource "kubernetes_deployment" "mic" {
           liveness_probe {
             http_get {
               path = "/healthz"
-              port = 8080
+              port = "8080"
             }
 
             initial_delay_seconds = 10
@@ -64,17 +78,19 @@ resource "kubernetes_deployment" "mic" {
             read_only  = true
           }
         }
+
         volume {
           name = "k8s-azure-file"
+
           host_path {
             path = "/etc/kubernetes/azure.json"
           }
         }
 
         node_selector = {
-          "beta.kubernetes.io/os" = "linux"
+          "kubernetes.io/os" = "linux"
         }
       }
     }
   }
-}
+}

azure/aks-aad-pod-identity/nmi-daemonset.tf

@@ -10,9 +10,6 @@ resource "kubernetes_daemonset" "nmi" {
   }
 
   spec {
-    strategy {
-      type = "RollingUpdate"
-    }
     selector {
       match_labels = {
         component = "nmi"
@@ -30,34 +27,35 @@ resource "kubernetes_daemonset" "nmi" {
 
       spec {
         service_account_name = kubernetes_service_account.aad-pod-id-nmi-service-account.metadata.0.name
-        host_network         = "true"
+        automount_service_account_token  = true
+        host_network         = true
         volume {
           name = "iptableslock"
           host_path {
             path = "/run/xtables.lock"
             type = "FileOrCreate"
           }
         }
-        automount_service_account_token = true
+
         container {
-          name            = "nmi"
-          image           = "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.5.5"
+          name  = "nmi"
+          image = "mcr.microsoft.com/k8s/aad-pod-identity/nmi:1.6.2"
           image_pull_policy = "Always"
-          args = [
-            "--host-ip=$(HOST_IP)",
-            "--node=$(NODE_NAME)"
-          ]
+          args  = ["--node=$(NODE_NAME)", "--http-probe-port=8085"]
 
           env {
             name = "HOST_IP"
+
             value_from {
               field_ref {
                 field_path = "status.podIP"
               }
             }
           }
+
           env {
             name = "NODE_NAME"
+
             value_from {
               field_ref {
                 field_path = "spec.nodeName"
@@ -70,38 +68,45 @@ resource "kubernetes_daemonset" "nmi" {
               cpu    = "200m"
               memory = "512Mi"
             }
+
             requests {
               cpu    = "100m"
               memory = "256Mi"
             }
           }
 
-          security_context {
-            privileged = true
-            capabilities {
-              add = ["NET_ADMIN"]
-            }
-          }
-
           volume_mount {
+            name       = "iptableslock"
             mount_path = "/run/xtables.lock"
-            name      = "iptableslock"
           }
 
           liveness_probe {
             http_get {
               path = "/healthz"
-              port = 8080
+              port = "8085"
             }
 
             initial_delay_seconds = 10
             period_seconds        = 5
           }
+
+          security_context {
+            capabilities {
+              add = ["NET_ADMIN"]
+            }
+
+            privileged = true
+          }
         }
+
         node_selector = {
-          "beta.kubernetes.io/os" = "linux"
+          "kubernetes.io/os" = "linux"
         }
       }
     }
+
+    strategy {
+      type = "RollingUpdate"
+    }
   }
 }