OpenShift Bugs
OCPBUGS-66212

VMSS permissions can be removed from disk CSI credentialsrequest


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • 4.21.0
    • 4.20
    • Component: Storage

Description of problem:

The upstream Azure disk CSI driver lists the VMSS (virtual machine scale set) permissions required by the driver:

https://github.com/kubernetes-sigs/azuredisk-csi-driver/blob/master/docs/driver-parameters.md?plain=1#L15-L17

The permissions are as follows:

Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
Microsoft.Compute/virtualMachineScaleSets/read

Those permissions also exist in our OCP credentialsrequest for the disk CSI: https://github.com/openshift/cluster-storage-operator/blob/main/manifests/03_credentials_request_azure.yaml#L28-L30

In the upstream driver it makes sense that they would be required, as other Kubernetes distributions such as AKS use VMSS. In OCP, however, standard/standalone VMs are hardcoded in the cloud provider config (https://github.com/openshift/installer/blob/main/pkg/asset/manifests/azure/cloudproviderconfig.go#L52), so VMSS-level permissions will never be used in OpenShift.

Since ARO's built-in RBAC roles track credentialsrequests 1:1, it is important that the credentialsrequest adheres to the principle of least privilege and asks only for the permissions that are actually required, so that the resulting role assignment is not overly permissive.

If there is a very near-term plan to add VMSS support in OCP, we should keep the permissions in there, but otherwise, if my assessment is correct, they should be removed.

Link to doc with specific code examples, if needed: https://docs.google.com/document/d/1vpVNyvJxd6YGl9f0PQzIJsLZqvXv6Zrdnsx-BdY8Pek/edit?tab=t.0
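The check described above (flag every permission in the credentialsrequest whose resource type the platform never provisions, then emit the trimmed manifest) can be automated. The script below is an added example for this report, not code from cluster-storage-operator or cloud-credential-operator. The manifest it reads is constructed: it follows the CredentialsRequest shape (spec.providerSpec.permissions) and contains the three VMSS entries quoted above, but the remaining entries are illustrative placeholders rather than the operator's real list, and the list of unused resource types is taken as an assumption from the argument made in this bug.

```python
"""Audit an Azure CredentialsRequest for permissions scoped to a resource type
the platform never provisions, and emit the pruned manifest.

Added example for OCPBUGS-66212; not code from the OpenShift operators.
"""
import re
from typing import Iterable, Iterator, Optional

# Constructed sample: CredentialsRequest shape with an illustrative permission
# list. Only the three virtualMachineScaleSets entries come from the report.
SAMPLE_MANIFEST = """\
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: azure-disk-csi-driver-operator
  namespace: openshift-cloud-credential-operator
spec:
  serviceAccountNames:
  - azure-disk-csi-driver-operator
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AzureProviderSpec
    permissions:
    - Microsoft.Compute/disks/read
    - Microsoft.Compute/disks/write
    - Microsoft.Compute/virtualMachines/read
    - Microsoft.Compute/virtualMachines/write
    - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/write
    - Microsoft.Compute/virtualMachineScaleSets/virtualMachines/read
    - Microsoft.Compute/virtualMachineScaleSets/read
"""

# Assumption from the bug report: OCP hardcodes standalone VMs, so nothing
# under this resource type is ever exercised by the disk CSI driver.
UNUSED_RESOURCE_TYPES = ("Microsoft.Compute/virtualMachineScaleSets",)

_PERMISSIONS_KEY = re.compile(r"^(\s*)permissions:\s*$")
_LIST_ITEM = re.compile(r"^(\s*)-\s+(\S+)\s*$")


def _walk(manifest: str) -> Iterator[tuple[str, Optional[str]]]:
    """Yield (line, permission) pairs; permission is None for lines outside the
    spec.providerSpec.permissions list. Line-oriented on purpose: these
    manifests use a flat list of strings, so no YAML library is needed, but
    this is not a general YAML parser."""
    state, key_indent = "before", 0
    for line in manifest.splitlines(keepends=True):
        perm = None
        if state == "before":
            m = _PERMISSIONS_KEY.match(line)
            if m:
                key_indent, state = len(m.group(1)), "inside"
        elif state == "inside":
            m = _LIST_ITEM.match(line)
            if m and len(m.group(1)) >= key_indent:
                perm = m.group(2)
            elif line.strip():          # first non-blank, non-item line ends the list
                state = "after"
        yield line, perm


def extract_permissions(manifest: str) -> list[str]:
    """All permission strings declared in the manifest, in order."""
    return [p for _, p in _walk(manifest) if p is not None]


def resource_type(permission: str) -> str:
    """Drop the trailing action: '.../virtualMachineScaleSets/read' ->
    'Microsoft.Compute/virtualMachineScaleSets'."""
    return permission.rsplit("/", 1)[0]


def scoped_under(permission: str, prefixes: Iterable[str]) -> bool:
    """True when the permission's resource type is one of the prefixes or a
    child type of one. Matching on a '/' boundary keeps virtualMachines from
    being mistaken for virtualMachineScaleSets."""
    rt = resource_type(permission)
    return any(rt == p or rt.startswith(p + "/") for p in prefixes)


def find_unused(permissions: Iterable[str],
                prefixes: Iterable[str] = UNUSED_RESOURCE_TYPES) -> list[str]:
    """Permissions the platform would be granted but never use."""
    return [p for p in permissions if scoped_under(p, prefixes)]


def prune_manifest(manifest: str,
                   prefixes: Iterable[str] = UNUSED_RESOURCE_TYPES) -> str:
    """Manifest with the flagged permission lines removed and every other byte
    untouched, so the result diffs cleanly against the original file."""
    return "".join(line for line, perm in _walk(manifest)
                   if perm is None or not scoped_under(perm, prefixes))


if __name__ == "__main__":
    for p in find_unused(extract_permissions(SAMPLE_MANIFEST)):
        print("unused:", p)
    print(prune_manifest(SAMPLE_MANIFEST), end="")
```

Run it against a real manifest by replacing SAMPLE_MANIFEST with the file contents; the pruned output is what a least-privilege pull request against the credentialsrequest would carry, and the "unused:" lines are the justification for each removed entry.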

Version-Release number of selected component (if applicable):

4.20

How reproducible:

Reproducible

Steps to Reproduce:

1. Observe the credentialsrequest at https://github.com/openshift/cluster-storage-operator/blob/main/manifests/03_credentials_request_azure.yaml#L28-L30

Actual results:

The credentialsrequest for the disk CSI contains permissions that appear to be unused.

Expected results:

The credentialsrequest should contain only permissions explicitly used by the OpenShift platform.

Additional info:

Hemant Kumar (hekumar@redhat.com)
Caden Marchese (rhn-support-cmarches)
Wei Duan