MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Fix wrong-formatted command + add RBAC-related command/note in limit-egress-traffic.md #122166

Open JoeyC-Dev opened 2 weeks ago

JoeyC-Dev commented 2 weeks ago

Proposed change:

  1. Fix the missing \ in the original command; without it the command is split into two parts.
  2. Add an RBAC command/note to indicate the 403 issue (also directly related to change 3).
  3. The statement "If you create your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically." is wrong. Az-cli will ask the user to manually assign the role.
  4. "Get the service IP using the kubectl get svc voting-app command." refers to the wrong service name.

Context: Using user-assigned managed identity for AKS.

Basis: Part 2 and Part 3 (screenshot omitted). Environment: Cloud Shell

joey [ ~ ]$  az version
{
  "azure-cli": "2.60.0",
  "azure-cli-core": "2.60.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "ai-examples": "0.2.5",
    "azure-firewall": "1.0.1",
    "ml": "2.25.1",
    "ssh": "2.0.3"
  }
}

Issue occurred if following current document:

joey [ ~ ]$ az aks create -g $RG -n $AKSNAME -l $LOC --node-count 3 --network-plugin kubenet --outbound-type userDefinedRouting --vnet-subnet-id $SUBNETID --api-server-authorized-ip-ranges $FWPUBLIC_IP  --enable-managed-identity --assign-identity /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity --assign-kubelet-identity /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myKubeletIdentity --no-ssh-key
docker_bridge_cidr is not a known attribute of class <class 'azure.mgmt.containerservice.v2024_02_01.models._models_py3.ContainerServiceNetworkProfile'> and will be ignored
AAD role propagation done[############################################]  100.0000%

(CustomRouteTableMissingPermission) Managed identity or service principle must be given permission to read and write to custom route table /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/routeTables/joey-aks-fw-fwrt. Please see https://aka.ms/aks/customrt for more information
Code: CustomRouteTableMissingPermission
Message: Managed identity or service principle must be given permission to read and write to custom route table /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/routeTables/joey-aks-fw-fwrt. Please see https://aka.ms/aks/customrt for more information

Result after changes (environment: Cloud Shell):

Change 1

az aks create -g $RG -n $AKSNAME -l $LOC \
  --node-count 3 \
  --network-plugin kubenet \
  --outbound-type userDefinedRouting \
  --vnet-subnet-id $SUBNETID \
  --api-server-authorized-ip-ranges $FWPUBLIC_IP \
  --enable-managed-identity \
  --assign-identity <redacted>  \
  --assign-kubelet-identity <redacted>

docker_bridge_cidr is not a known attribute of class <class 'azure.mgmt.containerservice.v2024_02_01.models._models_py3.ContainerServiceNetworkProfile'> and will be ignored
 | Running ..

Change 2&3

myIdentity_objId=$(az identity show --name myIdentity --resource-group $RG --query principalId -o tsv)
az role assignment create --assignee-object-id $myIdentity_objId --assignee-principal-type ServicePrincipal --role "Network Contributor" --scope $SUBNETID
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2024-05-02T09:08:26.559936+00:00",
(...no need to expand more result)

az role assignment create --assignee-object-id $myIdentity_objId --assignee-principal-type ServicePrincipal --role "Network Contributor" --scope $FWROUTE_TABLE_ID
{
  "condition": null,
  "conditionVersion": null,
(...no need to expand more result)

Role assignment can be successfully found.

Route table: (screenshot omitted)

Subnet:

RoleAssignmentId,Scope,DisplayName,SignInName,RoleDefinitionName,RoleDefinitionId,ObjectId,ObjectType,RoleAssignmentDescription,ConditionVersion,Condition
6d6ac5fd-9a17-4a89-9849-21d79b4d7672,/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/virtualNetworks/joey-aks-fw-vnet/subnets/aks-subnet,myIdentity,/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity,Network Contributor,/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7,b3cdb87f-a803-4dc6-ab6b-ef9d48b34b54,ServicePrincipal,,,

Wait 5 mins then deploy service:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: another-store-front
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: store-front
  type: LoadBalancer
EOF

No issue at all (screenshot omitted).

I also tested system-assigned managed identity; it does auto-assign the role. Only user-assigned managed identity will not auto-assign the role.
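As an added example (not part of the PR or of the azure-docs article), a preflight check a practitioner could run before `az aks create` with a user-assigned identity: it reads the JSON array from `az role assignment list --assignee <principalId> --all -o json` (assumed to carry the `principalId`, `roleDefinitionId` and `scope` fields) and reports which required scopes lack an effective Network Contributor assignment, comparing resource IDs case-insensitively (the listing above mixes `resourceGroups` and `resourcegroups`) and honouring inheritance from parent scopes. The sample data is constructed from the IDs shown in the PR output.

```python
import json

# Role definition id of the built-in "Network Contributor" role, as it appears
# in the PR's role assignment CSV listing.
NETWORK_CONTRIBUTOR_ROLE_ID = "4d97b98b-1d4f-4787-a291-c67834d212e7"


def _norm(scope: str) -> str:
    # Azure resource IDs compare case-insensitively, so normalise before comparing.
    return scope.strip().rstrip("/").lower()


def scope_covers(assigned: str, target: str) -> bool:
    """True if an assignment made at `assigned` is effective at `target`: the same
    scope, or an ancestor scope on a '/' boundary (Azure RBAC inherits downward)."""
    a, t = _norm(assigned), _norm(target)
    return t == a or t.startswith(a + "/")


def missing_network_contributor(assignments_json: str, principal_id: str, required_scopes):
    """Return the required scopes where `principal_id` has no effective Network
    Contributor assignment. Input: JSON from `az role assignment list -o json`
    (assumed fields: principalId, roleDefinitionId, scope)."""
    effective = [
        a["scope"]
        for a in json.loads(assignments_json)
        if a.get("principalId", "").lower() == principal_id.lower()
        and a.get("roleDefinitionId", "").lower().endswith(NETWORK_CONTRIBUTOR_ROLE_ID)
    ]
    return [s for s in required_scopes if not any(scope_covers(e, s) for e in effective)]


# Constructed sample built from the (redacted) IDs shown in the PR output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/joey-aks-fw-rg"
SUBNET_ID = RG + "/providers/Microsoft.Network/virtualNetworks/joey-aks-fw-vnet/subnets/aks-subnet"
ROUTE_TABLE_ID = RG + "/providers/Microsoft.Network/routeTables/joey-aks-fw-fwrt"
PRINCIPAL_ID = "b3cdb87f-a803-4dc6-ab6b-ef9d48b34b54"
ROLE_DEF = SUB + "/providers/Microsoft.Authorization/roleDefinitions/" + NETWORK_CONTRIBUTOR_ROLE_ID

# State after only the subnet assignment (change 2): the route table is still uncovered.
SUBNET_ONLY = json.dumps([
    {"principalId": PRINCIPAL_ID, "roleDefinitionId": ROLE_DEF,
     "scope": SUBNET_ID.replace("resourceGroups", "resourcegroups")}
])

if __name__ == "__main__":
    gaps = missing_network_contributor(SUBNET_ONLY, PRINCIPAL_ID, [SUBNET_ID, ROUTE_TABLE_ID])
    for scope in gaps:
        print("missing Network Contributor on", scope)  # expect: the route table only
```

An empty result means `az aks create` should not fail with CustomRouteTableMissingPermission for the route table scope; a non-empty result lists exactly the scopes that still need `az role assignment create`.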

prmerger-automator[bot] commented 2 weeks ago

@JoeyC-Dev : Thanks for your contribution! The author(s) have been notified to review your proposed change.

learn-build-service-prod[bot] commented 2 weeks ago

Learn Build status updates of commit e140920:

:white_check_mark: Validation status: passed

File: articles/aks/limit-egress-traffic.md (Status: Succeeded)

For more details, please refer to the build report.

For any questions, please:

learn-build-service-prod[bot] commented 2 weeks ago

Learn Build status updates of commit c08ec44:

:white_check_mark: Validation status: passed

File: articles/aks/limit-egress-traffic.md (Status: Succeeded)

For more details, please refer to the build report.

For any questions, please:

Court72 commented 2 weeks ago

@asudbring

Can you review the proposed changes?

When the changes are ready for publication, add a #sign-off comment to signal that the PR is ready for the review team to merge.

label:"aq-pr-triaged"

@MicrosoftDocs/public-repo-pr-review-team