Add Network Contributor role assignments scoped to AKS nodepools subnets #327
Merged
lonegunmanb merged 1 commit into Azure:main from Mar 24, 2023
lonegunmanb
requested changes
Mar 17, 2023
Thanks for opening this PR @zioproto! Almost LGTM but only a few issues. It would be nice if we can assign this new variable in multiple_node_pools example.
…k Contributor on the subnets used for the AKS Cluster
Contributor
Author
Rebased on current
lonegunmanb
approved these changes
Mar 24, 2023
Thanks @zioproto, LGTM! 🚀
This PR creates a role assignment for the AKS Service Principal to be a Network Contributor on the subnets used for the AKS Cluster.
The AKS cluster identity has the Contributor role on the AKS second resource group (MC_myResourceGroup_myAKSCluster_eastus).
In this case no additional change is necessary.
However, when using a custom VNET, the AKS cluster identity needs the Network Contributor role on the VNET subnets used by the system node pool and by any additional node pools.
Docs:
This PR detects if a custom VNET is used looking at the values of the variable var.vnet_subnet_ids and at the value of vnet_subnet_ids in the map variable of the node pools.
Issue number
Fixes #178
Checklist before requesting a review
CHANGELOG.md file
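An added Terraform example, not the code merged in this PR, of the pattern the description outlines: collect the custom subnets used by the system pool and the extra node pools, then grant Network Contributor on each subnet only. The variable names, the resource label and the `cluster_principal_id` input are assumptions made for this example; `optional()` in the object type assumes Terraform 1.3 or later.

```hcl
# Hypothetical inputs for this example (not the module's real variables).
variable "system_pool_subnet_id" {
  type    = string
  default = null # null: AKS-managed VNET, no extra role assignment is needed
}

variable "node_pools" {
  type = map(object({
    vnet_subnet_id = optional(string) # unset: pool uses the AKS-managed VNET
  }))
  default = {}
}

variable "cluster_principal_id" {
  type        = string
  description = "Object ID of the AKS cluster identity (assumed to be passed in)."
}

locals {
  # Every custom subnet in use, de-duplicated. Pools that share a subnet must
  # not produce two identical assignments on the same scope.
  # compact() drops null/empty entries, so an empty set means "no custom VNET".
  custom_subnet_ids = toset(compact(concat(
    [var.system_pool_subnet_id],
    [for pool in values(var.node_pools) : pool.vnet_subnet_id],
  )))
}

resource "azurerm_role_assignment" "network_contributor_on_subnet" {
  # for_each keys must be known at plan time, so the subnet IDs are expected
  # to come from existing subnets or literal input values.
  for_each = local.custom_subnet_ids

  # Scope is the individual subnet, not the VNET or its resource group, so the
  # cluster identity gets no rights on neighbouring subnets.
  scope                = each.value
  role_definition_name = "Network Contributor"
  principal_id         = var.cluster_principal_id
}
```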