Azure / AKS

Azure Kubernetes Service
https://azure.github.io/AKS/

Permissions issue with log Analytics Workspace During Istio Upgrade #4654

Open ngemi-bread opened 1 week ago

ngemi-bread commented 1 week ago

We encountered a permissions issue during an Istio upgrade on a cluster connected to a Log Analytics Workspace. The issue occurred when a user without sufficient access rights attempted the upgrade. Despite not actively trying to modify or interact with the workspace, it seems the upgrade process requires access to the workspace.

This behavior was unexpected, as we didn't anticipate that the workspace permissions would impact the Istio upgrade process.

Additional Context

The Log Analytics Workspace is a shared enterprise resource and resides in a separate resource group from the AKS cluster. This separation likely contributed to the permission issue, as the workspace has different access controls from those in the AKS resource group.

Missing Permission

The missing permission was Microsoft.OperationalInsights/workspace/write, and the scope was the Log Analytics Workspace.

Steps to Reproduce

  1. Initiate the AKS mesh upgrade to the desired ASM version: az aks mesh upgrade start --resource-group --name --revision asm-1-22
  2. Note: Ensure your cluster has Container Insights enabled
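
The scope mismatch described in this report, as an added example that is not part of the original issue or of any AKS code: a simplified model of Azure RBAC evaluation (actions minus notActions, inherited down the scope tree; deny assignments and dataActions are left out). The subscription ID, resource group names, workspace name and role assignments are constructed for illustration.

```python
import re

# Action string as quoted in the report above.
REQUIRED = "Microsoft.OperationalInsights/workspace/write"

# Constructed sample scopes (placeholders, not from the issue).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
AKS_RG = SUB + "/resourceGroups/rg-aks"
WORKSPACE = (SUB + "/resourceGroups/rg-shared-logging/providers/"
             "Microsoft.OperationalInsights/workspaces/law-shared")

# Constructed assignments: broad rights on the AKS resource group,
# read-only on the shared workspace in the other resource group.
OPERATOR = [
    {"scope": AKS_RG, "actions": ["*"],
     "notActions": ["Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/*/Delete"]},
    {"scope": WORKSPACE, "actions": ["*/read"]},
]


def _matches(pattern, action):
    # RBAC action patterns are case-insensitive; '*' matches any run of characters.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None


def _covers(assigned_scope, target_scope):
    # An assignment applies at its own scope and at every child scope.
    # Appending "/" stops "rg-aks" from covering a sibling such as "rg-aks-2".
    a = assigned_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def allowed(assignments, action, scope):
    """True if any assignment covering `scope` grants `action`."""
    for a in assignments:
        if not _covers(a["scope"], scope):
            continue
        granted = any(_matches(p, action) for p in a["actions"])
        excluded = any(_matches(p, action) for p in a.get("notActions", []))
        if granted and not excluded:
            return True
    return False


if __name__ == "__main__":
    print("workspace write allowed:", allowed(OPERATOR, REQUIRED, WORKSPACE))
```

Running the same check against a principal's real role assignments on both the cluster and the workspace scope before an upgrade shows whether the cross-resource-group gap applies.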

microsoft-github-policy-service[bot] commented 1 week ago

@azure/aks-traffic would you be able to assist?

microsoft-github-policy-service[bot] commented 1 week ago

@kaarthis, @sdesai345 would you be able to assist?

nshankar13 commented 1 week ago

@ngemi-bread what is the exact error you are seeing?

Also, is this happening only for Istio upgrade commands, i.e., are other cluster / addon update commands succeeding?