feat: add ServiceAccountImagePullProfile for identity-binding-based image pull #7596

qweeah · 2025-12-24T05:00:03Z

What type of PR is this?
/kind feature

What this PR does / why we need it:

This PR adds support for service-account-based image pull authentication (aka Identity Binding) from Azure Container Registry (ACR), implementing KEP-4412 projected service account tokens for kubelet image credential providers.

Changes

Data Model

Added ServiceAccountImagePullProfile to SecurityProfile with fields:

Enabled: Enable/disable service account-based image pull
DefaultClientID: Default managed identity client ID
DefaultTenantID: Default managed identity tenant ID
LocalAuthoritySNI: SNI endpoint for Identity Bindings Local Authority

Added getter methods to SecurityProfile for null-safe access.

Implementation Paths

1. Legacy CSE (Template-based)

pkg/agent/variables.go: Template variables for CSE scripts (using the naming convention serviceAccountImagePull...)
parts/linux/cloud-init/artifacts/cse_cmd.sh: Environment variable declarations (e.g., SERVICE_ACCOUNT_IMAGE_PULL_ENABLED, SERVICE_ACCOUNT_IMAGE_PULL_DEFAULT_CLIENT_ID)
parts/linux/cloud-init/artifacts/cse_config.sh: Credential provider config generation

2. AKSNodeConfig (Proto-based)

aks-node-controller/proto/aksnodeconfig/v1/security_profile.proto: Proto definitions (ServiceAccountImagePullProfile)
aks-node-controller/parser/parser.go: Environment variable generation
aks-node-controller/parser/helper.go: Null-safe helper functions

Both paths converge at cse_config.sh to generate /var/lib/kubelet/credential-provider-config.yaml with identity binding arguments (--ib-default-client-id, --ib-default-tenant-id, --ib-sni-name) and token attributes.

Testing

Unit Tests: Updated tests across variables_test.go, datamodel/types_test.go, and parser/helper_test.go to reflect the new naming convention.
E2E Tests: Verified scenarios (enabled, disabled, network isolated).

All tests validate that the credential provider config file contains the correct identity binding configuration.

Cluster Support

Public cloud (Azure Commercial)
AKS Custom Cloud
Network Isolated (NI/airgap) clusters

Which issue(s) this PR fixes:

Fixes #

Requirements:

uses conventional commit messages
includes documentation
adds unit tests
adds e2e tests
tested upgrade from previous version
commits are GPG signed and Github marks them as verified

Special notes for your reviewer:

Dual implementation approach (legacy CSE + modern AKSNodeConfig) for backward compatibility. Both paths are fully tested and generate identical credential provider configuration. The renaming from ImagePullIdentity to ServiceAccountImagePull ensures consistency with the upstream feature name.

Release note:

AgentBaker now supports service-account-based image pull authentication from Azure Container Registry (ACR) via ServiceAccountImagePullProfile in SecurityProfile, using projected service account tokens (KEP-4412) for authentication.

norshtein · 2025-12-29T03:20:29Z

This PR's logic LGTM. But I don't quiet understand what is step 2 "RP integration and configuration flow". Agentbaker won't rely on anything from AKS RP, I think you could make all changes in the same PR and add E2E for it? Here is an example PR: #7059 .

github-actions · 2025-12-29T08:52:56Z

The latest Buf updates on your PR. Results from workflow Buf CI / buf (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
`✅ passed`	`✅ passed`	`✅ passed`	`✅ passed`	Jan 15, 2026, 4:01 AM

Copilot

Pull request overview

This pull request adds support for service-account-based image pull authentication (Identity Binding) from Azure Container Registry. The feature implements KEP-4412 projected service account tokens for kubelet image credential providers.

Changes:

Added ServiceAccountImagePullProfile data structure with fields for enabled status, default client/tenant IDs, and Local Authority SNI
Extended both legacy CSE (template-based) and modern AKSNodeConfig (proto-based) paths to support the new configuration
Modified credential provider configuration generation to include identity binding token attributes and CLI arguments when enabled

Reviewed changes

Copilot reviewed 44 out of 131 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
`pkg/agent/datamodel/types.go`	Added `ServiceAccountImagePullProfile` struct to Properties
`pkg/agent/variables.go`	Added getter functions for service account image pull configuration with null-safe access
`pkg/agent/variables_test.go`	Added unit tests for new variables in Windows CSE and custom data
`parts/linux/cloud-init/artifacts/cse_config.sh`	Refactored credential provider config generation to support identity binding parameters
`spec/parts/linux/cloud-init/artifacts/cse_config_spec.sh`	Added comprehensive ShellSpec tests for all credential provider scenarios
`pkg/agent/testdata/*/CustomData`	Updated snapshot test data with new environment variables
`pkg/agent/testdata/*/CSECommand`	Updated snapshot test data with new environment variables

parts/linux/cloud-init/artifacts/cse_config.sh

Signed-off-by: Billy Zha <[email protected]>

Devinwong · 2026-01-15T06:02:57Z

Pending the e2e tests. Probably rebase/merge with main branch will resolve it

qweeah · 2026-01-15T11:49:15Z

Pending the e2e tests. Probably rebase/merge with main branch will resolve it

Already rebased to the latest main. Added E2Es are passing.

qweeah temporarily deployed to test December 24, 2025 05:00 — with GitHub Actions Inactive

qweeah changed the title ~~feat: Add ImagePullIdentityProfile to SecurityProfile for identity binding-based image pull~~ feat: add ImagePullIdentityProfile for identity binding-based image pull Dec 24, 2025

qweeah force-pushed the qweeah/ibip branch from eeda6d4 to a5c0347 Compare December 28, 2025 23:40

qweeah temporarily deployed to test December 28, 2025 23:40 — with GitHub Actions Inactive

qweeah marked this pull request as ready for review December 29, 2025 00:35

qweeah requested review from AbelHu, Devinwong, awesomenix, cameronmeissner, djsly, ganeshkumarashok, juan-lee, junjiezhang1997, lilypan26, phealy, r2k1, timmy-wright and zachary-bailey as code owners December 29, 2025 00:35

qweeah force-pushed the qweeah/ibip branch from a5c0347 to 8509f07 Compare December 29, 2025 08:52

qweeah temporarily deployed to test December 29, 2025 08:52 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from 8509f07 to 209b35b Compare December 29, 2025 09:11

qweeah temporarily deployed to test December 29, 2025 09:11 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from 209b35b to 38f22bb Compare December 29, 2025 09:37

qweeah temporarily deployed to test December 29, 2025 09:37 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from 38f22bb to 88a21dd Compare December 30, 2025 02:31

qweeah temporarily deployed to test December 30, 2025 02:31 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from 88a21dd to 3c2f0ed Compare December 30, 2025 04:08

qweeah temporarily deployed to test December 30, 2025 04:08 — with GitHub Actions Inactive

qweeah temporarily deployed to test January 14, 2026 04:59 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from eb66ea2 to 2f4ab4d Compare January 14, 2026 06:51

qweeah temporarily deployed to test January 14, 2026 06:51 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from 2f4ab4d to f75d52c Compare January 14, 2026 10:51

qweeah temporarily deployed to test January 14, 2026 10:51 — with GitHub Actions Inactive

qweeah temporarily deployed to test January 14, 2026 11:16 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from 65e9576 to 82bc725 Compare January 14, 2026 11:24

qweeah temporarily deployed to test January 14, 2026 11:24 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from 82bc725 to 8447029 Compare January 14, 2026 21:31

qweeah requested review from YaoC and yewmsft as code owners January 14, 2026 21:31

qweeah temporarily deployed to test January 14, 2026 21:31 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from 8447029 to caff049 Compare January 14, 2026 21:51

qweeah temporarily deployed to test January 14, 2026 21:51 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from caff049 to b81d0b6 Compare January 14, 2026 22:05

qweeah temporarily deployed to test January 14, 2026 22:05 — with GitHub Actions Inactive

qweeah force-pushed the qweeah/ibip branch from b81d0b6 to 240418a Compare January 14, 2026 22:58

qweeah temporarily deployed to test January 14, 2026 22:59 — with GitHub Actions Inactive

awesomenix requested a review from Copilot January 15, 2026 02:08

Copilot started reviewing on behalf of awesomenix January 15, 2026 02:09 View session

Copilot AI reviewed Jan 15, 2026

View reviewed changes

parts/linux/cloud-init/artifacts/cse_config.sh Outdated Show resolved Hide resolved

parts/linux/cloud-init/artifacts/cse_config.sh Outdated Show resolved Hide resolved

qweeah force-pushed the qweeah/ibip branch from 240418a to d601520 Compare January 15, 2026 03:45

qweeah temporarily deployed to test January 15, 2026 03:45 — with GitHub Actions Inactive

qweeah added 2 commits January 15, 2026 04:00

feat: setup kubelet config to support ib-based image pull

fb23b9c

Signed-off-by: Billy Zha <[email protected]>

test: data

e5b74fb

Signed-off-by: Billy Zha <[email protected]>

qweeah force-pushed the qweeah/ibip branch from d601520 to e5b74fb Compare January 15, 2026 04:01

qweeah temporarily deployed to test January 15, 2026 04:01 — with GitHub Actions Inactive

Devinwong approved these changes Jan 15, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: add ServiceAccountImagePullProfile for identity-binding-based image pull #7596

feat: add ServiceAccountImagePullProfile for identity-binding-based image pull #7596

qweeah commented Dec 24, 2025 •

edited

Loading

Uh oh!

norshtein commented Dec 29, 2025

Uh oh!

github-actions bot commented Dec 29, 2025 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Devinwong commented Jan 15, 2026

Uh oh!

qweeah commented Jan 15, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

feat: add ServiceAccountImagePullProfile for identity-binding-based image pull #7596

Are you sure you want to change the base?

feat: add ServiceAccountImagePullProfile for identity-binding-based image pull #7596

Conversation

qweeah commented Dec 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Changes

Data Model

Implementation Paths

Testing

Cluster Support

Uh oh!

norshtein commented Dec 29, 2025

Uh oh!

github-actions bot commented Dec 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Devinwong commented Jan 15, 2026

Uh oh!

qweeah commented Jan 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

qweeah commented Dec 24, 2025 •

edited

Loading

github-actions bot commented Dec 29, 2025 •

edited

Loading

qweeah commented Jan 15, 2026 •

edited

Loading