OpenShift Bugs: OCPBUGS-54490

Missing Azure Permissions in Cloud Controller Manager CredentialsRequest


Sprint: CLOUD Sprint 275, CLOUD Sprint 276, CLOUD Sprint 277

      Description of problem:

          The CredentialsRequest for the Azure cloud controller manager (CCM) is missing permissions that the CCM needs when it reconciles a Kubernetes Service of type LoadBalancer backed by an internal load balancer with a private link service: the CCM writes the subnet and creates a private link service, and the identity is denied both.
      
      The missing Azure RBAC actions are:
      - Microsoft.Network/virtualNetworks/subnets/write
      - Microsoft.Network/privatelinkservices/write
      - Microsoft.Network/privatelinkservices/read
      - Microsoft.Network/privatelinkservices/delete
      - Microsoft.Network/loadBalancers/loadBalancingRules/read
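Rather than discovering each missing action one 403 at a time, a role definition can be checked against the list above before the identity is used. The following is an added example, not code from OpenShift or cloud-provider-azure: it compiles Azure RBAC action strings (including `*` wildcards and NotActions carve-outs) and reports which required actions a role does not grant. The role definitions are constructed for the example, the JSON shape is assumed to be the one printed by `az role definition list`, and the wildcard semantics (`*` spanning `/`) are an assumption.

```python
"""Check an Azure role definition for the RBAC actions the Azure cloud
controller manager (CCM) needs for an internal load balancer with a private
link service.  Added example for OCPBUGS-54490, not code from OpenShift or
cloud-provider-azure."""
import re

# The five actions the bug report found missing from the CCM CredentialsRequest.
REQUIRED_ACTIONS = [
    "Microsoft.Network/virtualNetworks/subnets/write",
    "Microsoft.Network/privatelinkservices/write",
    "Microsoft.Network/privatelinkservices/read",
    "Microsoft.Network/privatelinkservices/delete",
    "Microsoft.Network/loadBalancers/loadBalancingRules/read",
]


def _action_regex(pattern):
    """Compile an Azure action string into a regex.

    Azure RBAC action strings are matched case-insensitively and '*' is the
    only wildcard.  Assumption: '*' matches any run of characters, '/'
    included, so 'Microsoft.Network/*/read' covers nested resource types.
    """
    parts = pattern.lower().split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")


def action_granted(action, actions, not_actions=()):
    """True if `action` matches an Actions entry and no NotActions entry.

    NotActions only subtract from this role's own Actions; they are not a
    deny rule against other role assignments on the same principal.
    """
    needle = action.lower()
    allowed = any(_action_regex(p).match(needle) for p in actions)
    excluded = any(_action_regex(p).match(needle) for p in not_actions)
    return allowed and not excluded


def missing_actions(role_definition, required=REQUIRED_ACTIONS):
    """Return the required actions that `role_definition` does not grant.

    Assumed shape (as printed by `az role definition list`): a top-level
    "permissions" list whose entries carry "actions" and "notActions" lists.
    """
    perms = role_definition.get("permissions", [])
    actions = [a for p in perms for a in p.get("actions", [])]
    not_actions = [a for p in perms for a in p.get("notActions", [])]
    return [a for a in required if not action_granted(a, actions, not_actions)]


# Constructed role definitions (not from the bug report).
# A custom role that can read subnets and manage load balancers but was
# never given subnet write or private link service write/delete.
CUSTOM_ROLE = {
    "roleName": "ccm-custom",
    "permissions": [{
        "actions": [
            "Microsoft.Network/virtualNetworks/subnets/read",
            "Microsoft.Network/loadBalancers/*",
            "Microsoft.Network/privatelinkservices/read",
        ],
        "notActions": [],
    }],
}

# A broad role that grants every Microsoft.Network action but carves out
# private link service deletion with a NotActions entry.
CARVED_OUT_ROLE = {
    "roleName": "network-minus-pls-delete",
    "permissions": [{
        "actions": ["Microsoft.Network/*"],
        "notActions": ["Microsoft.Network/privatelinkservices/delete"],
    }],
}

if __name__ == "__main__":
    for role in (CUSTOM_ROLE, CARVED_OUT_ROLE):
        print(role["roleName"], "missing:", missing_actions(role))
```

Run against a real role, feed it the `permissions` block from `az role definition list --name <role>`; a non-empty result means the CCM will hit AuthorizationFailed on that action before the Service is ever programmed.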

      Version-Release number of selected component (if applicable):

          4.14.z+ 

      How reproducible:

          Every time

      Steps to Reproduce:

          1. Create an Azure workload identity cluster with custom roles or the built-in ARO roles
          2. Create a Service of type LoadBalancer with the configuration below (an internal load balancer with a private link service):
      
      apiVersion: v1
      kind: Service
      metadata:
        name: my-service
        annotations:
          service.beta.kubernetes.io/azure-load-balancer-internal: "true" # Use an internal LB with PLS
          service.beta.kubernetes.io/azure-pls-create: "true"
      spec:
        selector:
          app.kubernetes.io/name: MyApp
        ports:
          - protocol: TCP
            port: 80
            targetPort: 9376
        type: LoadBalancer
          

      Actual results:

         The CCM first fails on the missing subnet write permission; once that is granted it fails on the missing private link service write permission.
      
      2s          Warning   SyncLoadBalancerFailed   service/my-service   Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '<client-id>' with object id '<object-id>' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/write' over scope '/subscriptions/<subscription-id>/resourceGroups/bvesel/providers/Microsoft.Network/virtualNetworks/vnet/subnets/worker' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
      
      If you grant permissions at that scope, you then get:
      
      0s          Warning   SyncLoadBalancerFailed   service/my-service     Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '<client-id>' with object id '<object-id>' does not have authorization to perform action 'Microsoft.Network/privatelinkservices/write' over scope '/subscriptions/<subscription-id>/resourceGroups/aro-hj8744wi/providers/Microsoft.Network/privatelinkservices/pls-adb2fefe3d02d4d83a279061f1ba6099' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
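The two events above name both the denied action and the scope it was denied at, and the scopes sit in different resource groups (the subnet in the network resource group `bvesel`, the private link service in the cluster resource group `aro-hj8744wi`). The following is an added example, not code from OpenShift or cloud-provider-azure: it parses the `RawError` JSON out of `SyncLoadBalancerFailed` events and lists the denied actions and the resource groups they were denied in. The sample input is the two events quoted in the bug report, with the identifiers redacted as they are there.

```python
"""Pull the denied Azure RBAC action and scope out of the CCM's
SyncLoadBalancerFailed events.  Added example for OCPBUGS-54490, not code
from OpenShift or cloud-provider-azure."""
import json
import re

# The two events quoted in the bug report (ids already redacted there), in
# the layout `oc get events` prints.
EVENTS = """\
2s   Warning   SyncLoadBalancerFailed   service/my-service   Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '<client-id>' with object id '<object-id>' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/write' over scope '/subscriptions/<subscription-id>/resourceGroups/bvesel/providers/Microsoft.Network/virtualNetworks/vnet/subnets/worker' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
0s   Warning   SyncLoadBalancerFailed   service/my-service   Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '<client-id>' with object id '<object-id>' does not have authorization to perform action 'Microsoft.Network/privatelinkservices/write' over scope '/subscriptions/<subscription-id>/resourceGroups/aro-hj8744wi/providers/Microsoft.Network/privatelinkservices/pls-adb2fefe3d02d4d83a279061f1ba6099' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
"""

# ARM's AuthorizationFailed message names the action and the scope in quotes.
AUTHZ_RE = re.compile(r"perform action '([^']+)' over scope '([^']+)'")
RG_RE = re.compile(r"/resourceGroups/([^/]+)", re.IGNORECASE)


def parse_authorization_failures(events_text):
    """Return one dict per AuthorizationFailed event: action, scope, resource group."""
    failures = []
    for line in events_text.splitlines():
        if "RawError:" not in line:
            continue
        raw = line.split("RawError:", 1)[1].strip()
        try:
            err = json.loads(raw)["error"]
        except (ValueError, KeyError, TypeError):
            continue  # not an ARM error body; nothing to extract
        if err.get("code") != "AuthorizationFailed":
            continue
        m = AUTHZ_RE.search(err.get("message", ""))
        if not m:
            continue
        action, scope = m.groups()
        rg = RG_RE.search(scope)
        failures.append({
            "action": action,
            "scope": scope,
            "resource_group": rg.group(1) if rg else None,
        })
    return failures


def missing_actions_from_events(events_text):
    """Sorted, de-duplicated actions the identity was denied."""
    return sorted({f["action"] for f in parse_authorization_failures(events_text)})


def resource_groups_from_events(events_text):
    """Resource groups the denied scopes live in; the role assignment must cover each."""
    return sorted({f["resource_group"]
                   for f in parse_authorization_failures(events_text)
                   if f["resource_group"]})


if __name__ == "__main__":
    for f in parse_authorization_failures(EVENTS):
        print(f"{f['action']}  (resource group {f['resource_group']})")
```

Pipe `oc get events -n <namespace>` (or `oc describe svc <name>`) through it after each reconcile; a role assignment scoped only to the cluster resource group will keep producing the subnet denial because that scope is in the network resource group.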
      

      Expected results:

          The service is able to create and configure the load balancer.  

      Additional info:

          Each missing permission was found by iteration: add a permission to the custom role, recreate the Service, and see where the CCM got tripped up next.

              Radek Manak (rmanak@redhat.com)
              Ben Vesel (bvesel.openshift)
              Zhaohua Sun