Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-29956

Azure MAO CredentialsRequest Contains Unnecessary virtualMachines/extensions Permissions

XMLWordPrintable

    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      * Previously, the Machine API Operator requested unnecessary `virtualMachines/extensions` permissions on {azure-first} clusters.
      The unnecessary credentials request is removed in this release.
      (link:https://issues.redhat.com/browse/OCPBUGS-29956[*OCPBUGS-29956*])
      Show
      * Previously, the Machine API Operator requested unnecessary `virtualMachines/extensions` permissions on {azure-first} clusters. The unnecessary credentials request is removed in this release. (link: https://issues.redhat.com/browse/OCPBUGS-29956 [* OCPBUGS-29956 *])
    • Bug Fix
    • Done

      Description of problem:

      CredentialsRequest for Azure AD workload identity contains unnecessary permissions under `virtualMachines/extensions`.   Specifically write and delete.  
          

      Version-Release number of selected component (if applicable):

      4.14.0+
          

      How reproducible:

      Every time
          

      Steps to Reproduce:

          1. Create a cluster without the CredentialsRequest permissions mentioned
          2. Scale machineset
          3. See no permission errors
          

      Actual results:

      We have unnecessary permissions, but still no errors
          

      Expected results:

      Still no permission errors after removal.
          

      Additional info:

      RHCOS doesn't leverage virtual machine extensions.  It appears as though the code path is dead.  
          

            bvesel@redhat.com Benjamin Vesel
            bvesel@redhat.com Benjamin Vesel
            Zhaohua Sun Zhaohua Sun
            Jeana Routh Jeana Routh
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: