MicrosoftDocs / azure-docs


Suggestion: "Access and identity options for Azure Kubernetes Service (AKS)" -- add a section for managed identities assigned to the VMSS nodes #121493

Open Speeddymon opened 6 months ago

Speeddymon commented 6 months ago

Hello,

I was reviewing the document in the details below and found it very helpful; however, I would like to ask for an additional section covering cases where a principal may need the operation Microsoft.ManagedIdentity/userAssignedIdentities/assign.

Use-case: When using a managed identity for the cluster in one RG (we'll call it RG-A), and a cluster and a different managed identity for the VMSS nodes in a second RG (we'll call it RG-B), the managed identity in RG-A needs a role granting the above operation scoped to the managed identity in RG-B so that the RG-B identity can be assigned to the VMSS nodes as a user-assigned managed identity.

We have a high level of separation between teams in my org, so all of our resources will be grouped by who manages the resource rather than having many things in one resource group; as a result, we will need to do a lot of explicit role assignments to different identities for different use-cases and cross-team business and security functionality.

My org needs to be able to provide documentation for the compliance team and auditors to justify the cross-RG permissions that AKS requires.
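As an added example (not from the issue, the AKS docs, or Microsoft): an audit script over role definitions and role assignments in the trimmed shape that `az role definition list` and `az role assignment list` return, checking that the RG-A control-plane identity can perform the assign operation on the RG-B kubelet identity and flagging any assignment scoped wider than that identity, which is what an auditor reviewing cross-RG permissions would ask to see. The subscription id, principal ids, role names and assignments are constructed placeholders; the operation string is the issue's assign operation with the `/action` suffix under which Azure lists it.

```python
import fnmatch

# Constructed sample data, not real tenant values: placeholder subscription id,
# principal ids and role names. Only the action strings are real Azure RBAC operations.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_B = SUB + "/resourceGroups/RG-B"
KUBELET_ID = RG_B + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/kubelet-id"
ASSIGN_ACTION = "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action"

# Role definitions, trimmed to the fields `az role definition list` returns that matter here.
ROLES = {
    "custom-assign-only": {"permissions": [{"actions": [ASSIGN_ACTION], "notActions": []}]},
    "broad-role": {"permissions": [{"actions": ["*"],
                                    "notActions": ["Microsoft.Authorization/*/Delete"]}]},
}
# Role assignments, trimmed to the fields `az role assignment list` returns that matter here.
ASSIGNMENTS = [
    {"principalId": "rg-a-control-plane", "roleDefinitionId": "custom-assign-only", "scope": KUBELET_ID},
    {"principalId": "rg-a-control-plane", "roleDefinitionId": "broad-role", "scope": RG_B},
    {"principalId": "someone-else", "roleDefinitionId": "custom-assign-only", "scope": KUBELET_ID},
]


def role_allows(role, action):
    """Azure RBAC semantics: granted when an Actions pattern matches and no NotActions
    pattern in the same permission block matches. '*' matches any characters, '/' included."""
    for perm in role["permissions"]:
        if (any(fnmatch.fnmatchcase(action, p) for p in perm["actions"])
                and not any(fnmatch.fnmatchcase(action, p) for p in perm["notActions"])):
            return True
    return False


def scope_covers(assignment_scope, resource_id):
    """An assignment applies at its scope and every child scope (case-insensitive, on '/' boundaries)."""
    a, r = assignment_scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def audit_assign_permission(principal, identity_id, assignments, roles):
    """Return (granted, broad_scopes): whether `principal` may assign `identity_id`, and the
    scopes of any effective assignment wider than the identity resource itself (review these)."""
    hits = [a for a in assignments
            if a["principalId"] == principal and scope_covers(a["scope"], identity_id)
            and role_allows(roles[a["roleDefinitionId"]], ASSIGN_ACTION)]
    broad = [a["scope"] for a in hits if a["scope"].rstrip("/").lower() != identity_id.lower()]
    return bool(hits), broad


if __name__ == "__main__":
    granted, broad = audit_assign_permission("rg-a-control-plane", KUBELET_ID, ASSIGNMENTS, ROLES)
    print("assign permission granted:", granted)
    print("assignments scoped wider than the kubelet identity:", broad)
```

Replacing the constructed lists with the JSON from the two `az` commands turns this into the evidence a compliance reviewer can re-run.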



TPavanBalaji commented 6 months ago

@Speeddymon Thanks for your feedback! We will investigate and update as appropriate.

palma21 commented 6 months ago

I'm not sure I understand the scenario; it might need some clarification. If these are AKS-owned VMSS, then there shouldn't be any other identities assigned to them or operations performed in them that aren't via AKS.

Speeddymon commented 6 months ago

This is in regard to assigning the kubelet identity to the VMSS nodes during creation of the cluster, upgrades, and node pool rotations.