Open Speeddymon opened 6 months ago
@Speeddymon Thanks for your feedback! We will investigate and update as appropriate.
I'm not sure I understand the scenario; it might need some clarification. If these are AKS-owned VMSS, then there shouldn't be any other identities assigned to them or operations performed on them that aren't via AKS.
This is in regard to assigning the kubelet identity to the VMSS nodes during creation of the cluster, upgrades, and node pool rotations.
Hello,
I was reviewing the document in the details below and found it very helpful; however, I would like to ask for an additional section covering cases where a principal may need the operation
Microsoft.ManagedIdentity/userAssignedIdentities/assign
Use-case: When using a managed identity for the cluster in one RG (we'll call it RG-A), and a cluster and a different managed identity for the VMSS nodes in a second RG (we'll call it RG-B), the managed identity in RG-A needs a role granting the above operation scoped to the managed identity in RG-B so that the RG-B identity can be assigned to the VMSS nodes as a user-assigned managed identity.
We have a high level of separation between teams in my org, so all of our resources will be grouped by who manages the resource rather than having many things in one resource group; as a result we will need to do a lot of explicit role assignments to different identities for different use-cases and cross-team business and security functionality.
My org needs to be able to provide documentation for compliance team and auditors to justify the cross-RG permissions that AKS requires.
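The cross-RG grant described in this issue, written out as an added example (not code from the issue author or from the AKS documentation): the control-plane identity in RG-A is given the "Managed Identity Operator" built-in role, which carries `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action`, scoped to the single kubelet identity in RG-B rather than to the whole resource group. That narrow scope is the point an auditor will ask about. Subscription ID, identity names and cluster name are placeholders; the `AZ` variable only exists so the commands can be dry-run with `AZ=echo`.

```shell
#!/usr/bin/env sh
# Added example: least-privilege cross-RG grant for an AKS kubelet identity.
# RG-A holds the cluster and its control-plane identity; RG-B holds the
# kubelet identity that AKS must attach to the VMSS nodes.
# Set AZ=echo to print the commands instead of running them.
AZ="${AZ:-az}"

# Full resource ID of a user-assigned identity; this is the role-assignment scope.
# $1 subscription id, $2 resource group, $3 identity name
identity_scope() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.ManagedIdentity/userAssignedIdentities/%s\n' \
    "$1" "$2" "$3"
}

# Object (principal) ID of a user-assigned identity, needed as the assignee.
# $1 identity resource id
identity_principal_id() {
  "$AZ" identity show --ids "$1" --query principalId --output tsv
}

# Grant the RG-A control-plane principal the assign permission on the RG-B
# kubelet identity only. "Managed Identity Operator" is the built-in role that
# includes userAssignedIdentities/assign/action; a custom role limited to that
# action plus read would also satisfy AKS.
# $1 control-plane principal id, $2 kubelet identity resource id
grant_kubelet_assign() {
  "$AZ" role assignment create \
    --assignee-object-id "$1" \
    --assignee-principal-type ServicePrincipal \
    --role "Managed Identity Operator" \
    --scope "$2"
}

# Evidence for the compliance review: every assignment held at the identity scope.
# $1 kubelet identity resource id
list_assignments_at_scope() {
  "$AZ" role assignment list --scope "$1" --output table
}

# Create the cluster with the two identities split across resource groups.
# $1 RG-A, $2 cluster name, $3 control-plane identity id, $4 kubelet identity id
create_cluster() {
  "$AZ" aks create --resource-group "$1" --name "$2" \
    --enable-managed-identity \
    --assign-identity "$3" \
    --assign-kubelet-identity "$4"
}
```

Typical order of calls: compute both scopes with `identity_scope`, fetch the control-plane principal with `identity_principal_id`, run `grant_kubelet_assign`, then `create_cluster`; `list_assignments_at_scope` afterwards shows that only the RG-A principal holds a role on the RG-B identity.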