
Commit 2441185

authored
Grant AKS managed identity Network Contributor on subnet route table and NAT gateway (#320)
1 parent a4035c4 commit 2441185

1 file changed

Lines changed: 40 additions & 8 deletions


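--- a/cli/internal/install/cloudinstall/compute.go
+++ b/cli/internal/install/cloudinstall/compute.go
@@ -208,6 +208,8 @@ func (inst *Installer) createCluster(ctx context.Context, clusterConfig *Cluster
 var vnetId *string
 var vnetSubnetId *string
 var vnetSubnetNsgId *string
+var vnetSubnetRouteTableId *string
+var vnetSubnetNatGatewayId *string
 if clusterConfig.ExistingSubnet != nil {
 vnetClient, err := armnetwork.NewVirtualNetworksClient(inst.Config.Cloud.SubscriptionID, inst.Credential, nil)
 if err != nil {
@@ -240,6 +242,14 @@ func (inst *Installer) createCluster(ctx context.Context, clusterConfig *Cluster
 } else {
 return nil, fmt.Errorf("subnet '%s' must have a network security group associated with it", clusterConfig.ExistingSubnet.SubnetName)
 }
+
+if subnet.Properties.RouteTable != nil && subnet.Properties.RouteTable.ID != nil {
+vnetSubnetRouteTableId = subnet.Properties.RouteTable.ID
+}
+
+if subnet.Properties.NatGateway != nil && subnet.Properties.NatGateway.ID != nil {
+vnetSubnetNatGatewayId = subnet.Properties.NatGateway.ID
+}
 }
 
 var aksIdentity *armmsi.Identity
@@ -271,24 +281,36 @@ func (inst *Installer) createCluster(ctx context.Context, clusterConfig *Cluster
 cluster.Properties.APIServerAccessProfile.PrivateDNSZone = &aksPrivateDnsZoneId
 
 if err := assignRbacRole(ctx, []string{*aksIdentity.Properties.PrincipalID}, false, aksPrivateDnsZoneId, "Private DNS Zone Contributor", inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
-return nil, fmt.Errorf("failed to assign Private DNS Zone Contributor role: %w", err)
+return nil, fmt.Errorf("failed to assign Private DNS Zone Contributor role on '%s': %w", aksPrivateDnsZoneId, err)
 }
 
 if vnetId != nil {
 if err := assignRbacRole(ctx, []string{*aksIdentity.Properties.PrincipalID}, false, *vnetId, "Network Contributor", inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
-return nil, fmt.Errorf("failed to assign Network Contributor role on VNet: %w", err)
+return nil, fmt.Errorf("failed to assign Network Contributor role on VNet '%s': %w", *vnetId, err)
 }
 }
 
 if vnetSubnetNsgId != nil {
 if err := assignRbacRole(ctx, []string{*aksIdentity.Properties.PrincipalID}, false, *vnetSubnetNsgId, "Network Contributor", inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
-return nil, fmt.Errorf("failed to assign Network Contributor role on NSG: %w", err)
+return nil, fmt.Errorf("failed to assign Network Contributor role on NSG '%s': %w", *vnetSubnetNsgId, err)
+}
+}
+
+if vnetSubnetRouteTableId != nil {
+if err := assignRbacRole(ctx, []string{*aksIdentity.Properties.PrincipalID}, false, *vnetSubnetRouteTableId, "Network Contributor", inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
+return nil, fmt.Errorf("failed to assign Network Contributor role on route table '%s': %w", *vnetSubnetRouteTableId, err)
+}
+}
+
+if vnetSubnetNatGatewayId != nil {
+if err := assignRbacRole(ctx, []string{*aksIdentity.Properties.PrincipalID}, false, *vnetSubnetNatGatewayId, "Network Contributor", inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
+return nil, fmt.Errorf("failed to assign Network Contributor role on NAT gateway '%s': %w", *vnetSubnetNatGatewayId, err)
 }
 }
 
 if outboundIpAddress != nil {
 if err := assignRbacRole(ctx, []string{*aksIdentity.Properties.PrincipalID}, false, *outboundIpAddress.ID, "Network Contributor", inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
-return nil, fmt.Errorf("failed to assign Network Contributor role on outbound IP: %w", err)
+return nil, fmt.Errorf("failed to assign Network Contributor role on outbound IP '%s': %w", *outboundIpAddress.ID, err)
 }
 }
 }
@@ -520,14 +542,14 @@ func (inst *Installer) createCluster(ctx context.Context, clusterConfig *Cluster
 }
 
 if err := assignRbacRole(ctx, inst.Config.Cloud.Compute.GetManagementPrincipalIds(), true, *createdCluster.ID, "Azure Kubernetes Service Cluster User Role", inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
-return nil, fmt.Errorf("failed to assign RBAC role on cluster: %w", err)
+return nil, fmt.Errorf("failed to assign Azure Kubernetes Service Cluster User Role on cluster '%s': %w", *createdCluster.ID, err)
 }
 
 // When using private networking, RBAC roles were pre-assigned to the user-assigned identity.
 // When not using private networking, assign roles to the system-assigned identity post-creation.
 if !inst.Config.Cloud.PrivateNetworking && outboundIpAddress != nil {
 if err := assignRbacRole(ctx, []string{*createdCluster.Identity.PrincipalID}, false, *outboundIpAddress.ID, "Network Contributor", inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
-return nil, fmt.Errorf("failed to assign RBAC role on outbound IP address: %w", err)
+return nil, fmt.Errorf("failed to assign Network Contributor role on outbound IP '%s': %w", *outboundIpAddress.ID, err)
 }
 }
 
@@ -957,7 +979,7 @@ func (inst *Installer) onDeleteCluster(ctx context.Context, clusterConfig *Clust
 
 if clusterPrincipalID != "" {
 if err := removeRbacRoleAssignments(ctx, clusterPrincipalID, *vnet.ID, inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
-return fmt.Errorf("failed to remove RBAC role assignments on VNet: %w", err)
+return fmt.Errorf("failed to remove RBAC role assignments on VNet '%s': %w", *vnet.ID, err)
 }
 subnetIndex := slices.IndexFunc(vnet.Properties.Subnets, func(s *armnetwork.Subnet) bool {
 return s.Name != nil && *s.Name == clusterConfig.ExistingSubnet.SubnetName
@@ -967,7 +989,17 @@ func (inst *Installer) onDeleteCluster(ctx context.Context, clusterConfig *Clust
 subnet := vnet.Properties.Subnets[subnetIndex]
 if subnet.Properties.NetworkSecurityGroup != nil && subnet.Properties.NetworkSecurityGroup.ID != nil {
 if err := removeRbacRoleAssignments(ctx, clusterPrincipalID, *subnet.Properties.NetworkSecurityGroup.ID, inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
-return fmt.Errorf("failed to remove RBAC role assignments on subnet NSG: %w", err)
+return fmt.Errorf("failed to remove RBAC role assignments on subnet NSG '%s': %w", *subnet.Properties.NetworkSecurityGroup.ID, err)
+}
+}
+if subnet.Properties.RouteTable != nil && subnet.Properties.RouteTable.ID != nil {
+if err := removeRbacRoleAssignments(ctx, clusterPrincipalID, *subnet.Properties.RouteTable.ID, inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
+return fmt.Errorf("failed to remove RBAC role assignments on subnet route table '%s': %w", *subnet.Properties.RouteTable.ID, err)
+}
+}
+if subnet.Properties.NatGateway != nil && subnet.Properties.NatGateway.ID != nil {
+if err := removeRbacRoleAssignments(ctx, clusterPrincipalID, *subnet.Properties.NatGateway.ID, inst.Config.Cloud.SubscriptionID, inst.Credential); err != nil {
+return fmt.Errorf("failed to remove RBAC role assignments on subnet NAT gateway '%s': %w", *subnet.Properties.NatGateway.ID, err)
 }
 }
 }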
