Currently Ratify is integrated with Azure workload identity by using a service account to federate identity credentials from a managed identity. However, Ratify only has one service account created and it belongs to a specific namespace, gatekeeper-system in most cases. Therefore, it does not natively work for multi-tenancy scenarios. The same service account is shared by all namespaces.
In the meantime, we found it's possible to federate multiple identities with a single service account, so Ratify's service account could build federation with multiple identities. The remaining work is to figure out how to isolate access to different identities for each tenant while sharing the same service account.
Anything else you would like to add?
No response
Are you willing to submit PRs to contribute to this feature?
Yes, I am willing to implement it.
@binbin-li Is there a limit to the # of managed identities you can federate to a single Service Account? I thought there was a limitation on the Azure MI end too