Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

ARM/Bicep deployment does not remove Azure Policy add-on #2904

Closed fschmied closed 1 year ago

fschmied commented 2 years ago

What happened: We have an existing AKS cluster. We added and enabled the Azure Policy add-on via the "Defender for Containers provisioning Azure Policy Addon for Kubernetes" Azure Policy Assignment. We later removed that Policy Assignment, but the Azure Policy add-on of course remained present and enabled.

We then redeployed the AKS cluster using the original Bicep file, which did not list the azurepolicy add-on under addonProfiles:

    addonProfiles: {
      // only the monitoring add-on is declared; azurepolicy is not listed here
      omsagent: {
        enabled: true
        config: {
          logAnalyticsWorkspaceResourceID: logAnalyticsWorkspaceId
        }
      }
    }

Yet, the Azure Policy add-on still remained present and enabled on the cluster.

What you expected to happen: I expected the AKS cluster to be adapted to match the Bicep resource definition. I.e., I expected the azurepolicy addonProfile to be removed because it was not listed in the Bicep file.

ghost commented 2 years ago

Hi fschmied, AKS bot here :wave: Thank you for posting on the AKS Repo, I'll do my best to get a kind human from the AKS team to assist you.

I might be just a bot, but I'm told my suggestions are normally quite good, as such:
1) If this case is urgent, please open a Support Request so that our 24/7 support team may help you faster.
2) Please abide by the AKS repo Guidelines and Code of Conduct.
3) If you're having an issue, could it be described on the AKS Troubleshooting guides or AKS Diagnostics?
4) Make sure you're subscribed to the AKS Release Notes to keep up to date with all that's new on AKS.
5) Make sure there isn't a duplicate of this issue already reported. If there is, feel free to close this one and '+1' the existing issue.
6) If you have a question, do take a look at our AKS FAQ. We place the most common ones there!

ghost commented 2 years ago

Triage required from @Azure/aks-pm

ghost commented 2 years ago

Action required from @Azure/aks-pm

ghost commented 2 years ago

Issue needing attention of @Azure/aks-leads

matthchr commented 1 year ago

This is a limitation of the current AKS API implementation, where PUT has merge semantics. This means you can't just remove something from the API (as then the merge semantics kick in). The workaround is to explicitly set the addon enabled: false, rather than just removing it. That should correctly disable the addon.

We're talking about ways to update this behavior in the future to be more intuitive (and work better with policy), but those conversations are ongoing.
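The merge behaviour matthchr describes is easy to get wrong in practice: an add-on deleted from the template is not deleted from the cluster, so an IaC diff that looks like "remove Azure Policy add-on" changes nothing. The script below is an added example, not code from this issue, from the AKS project or from Microsoft tooling. It models the PUT-with-merge semantics as described in the comment above (omitted profiles persist, listed profiles overwrite field by field) and uses that model as a pre-deploy drift check: it reports every add-on that is enabled on the cluster but absent from the template's addonProfiles, and rewrites the template with an explicit `enabled: false` for each. The cluster JSON is constructed to look like the `addonProfiles` object that `az aks show` returns; the function names and the sample values are this example's own assumptions.

```python
# Added example: drift check for AKS addonProfiles under PUT-with-merge semantics.
# The merge model follows the behaviour described in the issue thread; it is a
# model, not the AKS API implementation.
import json

# Constructed sample of `az aks show --query addonProfiles -o json` for a cluster
# where the Azure Policy add-on was enabled out of band (e.g. by a policy
# assignment) and omsagent was enabled by the original template.
CLUSTER_ADDON_PROFILES_JSON = """
{
  "azurepolicy": {"config": null, "enabled": true},
  "omsagent": {
    "config": {"logAnalyticsWorkspaceResourceID": "<logAnalyticsWorkspaceResourceID>"},
    "enabled": true
  }
}
"""

# The addonProfiles object from the original Bicep template: only omsagent,
# azurepolicy is not mentioned at all.
TEMPLATE_ADDON_PROFILES = {
    "omsagent": {
        "enabled": True,
        "config": {"logAnalyticsWorkspaceResourceID": "<logAnalyticsWorkspaceResourceID>"},
    }
}


def merge_addon_profiles(current, desired):
    """Model of PUT-with-merge: profiles listed in `desired` overwrite the
    cluster's profile field by field; profiles absent from `desired` survive
    unchanged, which is why deleting an entry never disables an add-on."""
    merged = {name: dict(profile) for name, profile in current.items()}
    for name, profile in desired.items():
        merged[name] = {**merged.get(name, {}), **profile}
    return merged


def silently_retained_addons(current, desired):
    """Add-ons enabled on the cluster that the template neither enables nor
    disables. After a redeploy these are still enabled even though the
    template does not mention them."""
    return sorted(
        name
        for name, profile in current.items()
        if profile.get("enabled") and name not in desired
    )


def with_explicit_disable(desired, addon_names):
    """Return a copy of the template's addonProfiles with each named add-on
    turned off explicitly (the workaround suggested in the thread)."""
    fixed = {name: dict(profile) for name, profile in desired.items()}
    for name in addon_names:
        fixed[name] = {"enabled": False}
    return fixed


def check_template(cluster_json, desired):
    """Pre-deploy check: which add-ons a redeploy would silently leave enabled,
    and which add-ons would be enabled once the merge has been applied."""
    current = json.loads(cluster_json)
    after = merge_addon_profiles(current, desired)
    return {
        "retained": silently_retained_addons(current, desired),
        "enabled_after_deploy": sorted(n for n, p in after.items() if p.get("enabled")),
    }


if __name__ == "__main__":
    report = check_template(CLUSTER_ADDON_PROFILES_JSON, TEMPLATE_ADDON_PROFILES)
    print("template as written:", report)
    fixed = with_explicit_disable(TEMPLATE_ADDON_PROFILES, report["retained"])
    print("with explicit disable:", check_template(CLUSTER_ADDON_PROFILES_JSON, fixed))
```

Run the check against the live cluster's `addonProfiles` before every redeploy and treat anything it reports as drift to reconcile in the template, not something the deployment will clean up. In Bicep the fix is to keep an `azurepolicy: { enabled: false }` entry beside `omsagent` rather than deleting it; the imperative equivalent is `az aks disable-addons --addons azure-policy`. The same applies in the other direction: a security add-on someone enabled by hand is not removed by a template that simply does not mention it, so absence from the template must not be read as a guarantee that it is off.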

fschmied commented 1 year ago

Okay, thanks for the information!