Open dan-dimitrov opened 1 year ago
Is there an update or an acknowledgement of this? We would place this issue somewhere on the boundary between feature-request and bug, as customers are forced to enable Contributor permissions for service principals, whereas this is not always possible in locked down and secure environments.
This is also causing issues for my customer. They are very restrictive on the use of contributor and rely heavily on custom roles. Any update on this would be most appreciated.
I am working with another customer with the same challenges. The customer would also prefer to rely on their own custom role instead of the Contributor role assignment.
Action required from @aritraghosh, @julia-yin, @AllenWen-at-Azure
Issue needing attention of @Azure/aks-leads
Is your feature request related to a problem? Please describe.
Based on previous issues raised (https://github.com/Azure/AKS/issues/2961 and https://github.com/Azure/AKS/issues/444), AKS only deploys successfully if its identity is assigned the Contributor role for each resource group that it deploys to (including the resource group that it creates for its node pool). The only instance in which the deployment does not attempt to assign the Contributor permissions is if the identity already has these permissions at a higher scope (such as subscription).
Describe the solution you'd like
In our organisation the built-in roles for Owner, Contributor and Network Contributor are all blocked by Policy due to security reasons. We instead have custom roles for everyone to use.
The solution we require is to be able to deploy AKS with custom roles instead of relying on the Contributor role for a successful deployment. We have based a custom role on the permission set described in the Microsoft Docs (https://learn.microsoft.com/en-us/azure/aks/concepts-identity#aks-service-permissions) and have assigned this at subscription scope, but the deployment still fails when it attempts to create a Contributor assignment on the node pool "MC_" resource group.
In an ideal scenario, the AKS deployment would check for permissions of individual actions and will not attempt to assign the Contributor role unless it does not already have access to the individual actions documented.
Describe alternatives you've considered
We have attempted to create a custom role based on the permissions documented in https://learn.microsoft.com/en-us/azure/aks/concepts-identity#aks-service-permissions, but this has not been successful. When we attempt a deployment with this, the AKS deployment still attempts to assign Contributor rights.
Additional context
Not applicable.
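To see where the Contributor grants described above actually land, here is an added audit script (not part of the AKS project or this issue) that takes the JSON shape of `az role assignment list --all -o json` (the `principalId`, `roleDefinitionName` and `scope` fields), flags Contributor assignments sitting directly on an `MC_` node-pool resource group, and reports whether a higher-scope Contributor grant already covered them; the sample assignments and principal IDs are constructed.

```python
"""Audit Contributor grants held by an AKS identity across RBAC scopes.

Added example, not the AKS project's own tooling. Input follows the field
names of `az role assignment list --all -o json`; the data below is constructed.
"""
import json
import re

# Node-pool resource groups that AKS creates are named MC_<rg>_<cluster>_<region>.
MC_RG = re.compile(r"^/subscriptions/[^/]+/resourceGroups/MC_[^/]+$", re.IGNORECASE)


def scope_covers(parent: str, child: str) -> bool:
    """Azure RBAC inherits downwards: a grant at `parent` applies to `child`
    when child is the same scope or sits beneath it in the hierarchy."""
    p, c = parent.lower().rstrip("/"), child.lower().rstrip("/")
    return c == p or c.startswith(p + "/")


def audit_contributor(assignments, principal_id):
    """One finding per Contributor assignment held by `principal_id`.

    on_mc_rg      -> grant sits directly on an MC_ node-pool resource group,
                     i.e. the assignment the AKS deployment creates itself.
    redundant_with -> higher-scope Contributor grants that already covered it;
                     empty means the MC_ grant is the only Contributor access.
    """
    mine = [a for a in assignments
            if a["principalId"] == principal_id
            and a["roleDefinitionName"] == "Contributor"]
    findings = []
    for a in mine:
        higher = [b["scope"] for b in mine
                  if b["scope"] != a["scope"] and scope_covers(b["scope"], a["scope"])]
        findings.append({"scope": a["scope"],
                         "on_mc_rg": bool(MC_RG.match(a["scope"])),
                         "redundant_with": higher})
    return findings


# Constructed sample: identity ...01 only has Contributor on its MC_ group,
# identity ...02 has it at subscription scope as well.
SAMPLE_PRINCIPAL = "00000000-0000-0000-0000-000000000001"
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"principalId": "00000000-0000-0000-0000-000000000001", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/sub-a/resourceGroups/MC_rg-aks_aks-prod_westeurope"},
 {"principalId": "00000000-0000-0000-0000-000000000001", "roleDefinitionName": "Custom AKS Role",
  "scope": "/subscriptions/sub-a"},
 {"principalId": "00000000-0000-0000-0000-000000000002", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/sub-b"},
 {"principalId": "00000000-0000-0000-0000-000000000002", "roleDefinitionName": "Contributor",
  "scope": "/subscriptions/sub-b/resourceGroups/MC_rg-aks_aks-dev_westeurope"}
]""")

if __name__ == "__main__":
    for f in audit_contributor(SAMPLE_ASSIGNMENTS, SAMPLE_PRINCIPAL):
        print(f)
```

A finding with `on_mc_rg` true and an empty `redundant_with` is exactly the grant this issue describes: the custom role at subscription scope did not stop the deployment from adding Contributor on the `MC_` group.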