-
Bug
-
Resolution: Unresolved
-
Undefined
-
4.14.z
-
Quality / Stability / Reliability
-
False
-
-
None
-
Moderate
-
None
-
None
-
None
-
CLOUD Sprint 275, CLOUD Sprint 276, CLOUD Sprint 277
-
3
-
None
-
None
-
None
-
None
-
None
-
None
-
None
Description of problem:
There are permissions missing in the credentialsrequest for the cloud controller manager when attempting to exercise functionality in the CCM during a k8s service creation.
The missing permissions are:
- Microsoft.Network/virtualNetworks/subnets/write
- Microsoft.Network/privatelinkservices/write
- Microsoft.Network/privatelinkservices/read
- Microsoft.Network/privatelinkservices/delete
- Microsoft.Network/loadBalancers/loadBalancingRules/read
Version-Release number of selected component (if applicable):
4.14.z+
How reproducible:
Every time
Steps to Reproduce:
1. Create an Azure workload identity cluster with custom roles or the built-in ARO roles
2. Attempt to create a service of type load balancer with the below configuration.
apiVersion: v1
kind: Service
metadata:
name: my-service
annotations:
service.beta.kubernetes.io/azure-load-balancer-internal: "true" # Use an internal LB with PLS
service.beta.kubernetes.io/azure-pls-create: "true"
spec:
selector:
app.kubernetes.io/name: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 9376
type: LoadBalancer
Actual results:
You'll first hit the missing subnet permission, followed by missing privatelinkservices permission.
2s Warning SyncLoadBalancerFailed service/my-service Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '<client-id>' with object id '<object-id>' does not have authorization to perform action 'Microsoft.Network/virtualNetworks/subnets/write' over scope '/subscriptions/<subscription-id>/resourceGroups/bvesel/providers/Microsoft.Network/virtualNetworks/vnet/subnets/worker' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
If you grant permissions at that scope, you then get:
0s Warning SyncLoadBalancerFailed service/my-service Error syncing load balancer: failed to ensure load balancer: Retriable: false, RetryAfter: 0s, HTTPStatusCode: 403, RawError: {"error":{"code":"AuthorizationFailed","message":"The client '<client-id>' with object id '<object-id>' does not have authorization to perform action 'Microsoft.Network/privatelinkservices/write' over scope '/subscriptions/<subscription-id>/resourceGroups/aro-hj8744wi/providers/Microsoft.Network/privatelinkservices/pls-adb2fefe3d02d4d83a279061f1ba6099' or the scope is invalid. If access was recently granted, please refresh your credentials."}}
Expected results:
The service is able to create and configure the load balancer.
Additional info:
Each permission missing was an iteration of adding a permission to a custom role, recreating the service, and then seeing where CCM got tripped up.
