Azure / application-gateway-kubernetes-ingress

This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster.
https://azure.github.io/application-gateway-kubernetes-ingress
MIT License

AGIC Behaviour Change for Managed Identity #1566

Closed umurkaraduman closed 10 months ago

umurkaraduman commented 1 year ago

I wanted to create Azure Kubernetes Service with my own VNET, but the Ingress Application Gateway deployment failed with an error about not having the permission for Microsoft.Network/virtualNetworks/subnets/join/action on the VNET that I wanted to use. I was able to fix this by giving the Network Contributor role to the Managed Identity assigned to Application Gateway.

I was wondering: I didn't need to give this role before when I was creating clusters with my own VNET. Has the behaviour changed? If so, can you please point me to the release notes?

A related issue describing a similar situation is https://github.com/Azure/application-gateway-kubernetes-ingress/issues/1463

rbnmk commented 11 months ago

This is not caused by AGIC, but by a change on the Azure side.

It was actually mentioned in Azure Advisor that this change was going to happen. It is now also written in the Application Gateway docs: https://learn.microsoft.com/en-us/azure/application-gateway/configuration-infrastructure#identifying-affected-users-or-service-principals-for-your-subscription