Fix wrong-formatted command + add RBAC-related command/note in limit-egress-traffic.md #122166

Open
wants to merge 2 commits into main
Conversation

@JoeyC-Dev JoeyC-Dev commented May 2, 2024

Proposed change:

  1. Fix the missing `\` in the original command, which splits the command into two parts.
  2. Add an RBAC command/note to indicate the 403 issue (also directly related to change 3).
  3. The statement "If you create your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically." is wrong. Az-cli will ask the user to manually assign the role.
  4. "Get the service IP using the kubectl get svc voting-app command." refers to the wrong service name.

Context:
Using user-assigned managed identity for AKS.

Basis:
Part 2: [image]
Part 3:
Environment: Cloud Shell

joey [ ~ ]$  az version
{
  "azure-cli": "2.60.0",
  "azure-cli-core": "2.60.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "ai-examples": "0.2.5",
    "azure-firewall": "1.0.1",
    "ml": "2.25.1",
    "ssh": "2.0.3"
  }
}

Issue that occurs when following the current document:

joey [ ~ ]$ az aks create -g $RG -n $AKSNAME -l $LOC --node-count 3 --network-plugin kubenet --outbound-type userDefinedRouting --vnet-subnet-id $SUBNETID --api-server-authorized-ip-ranges $FWPUBLIC_IP  --enable-managed-identity --assign-identity /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity --assign-kubelet-identity /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myKubeletIdentity --no-ssh-key
docker_bridge_cidr is not a known attribute of class <class 'azure.mgmt.containerservice.v2024_02_01.models._models_py3.ContainerServiceNetworkProfile'> and will be ignored
AAD role propagation done[############################################]  100.0000%

(CustomRouteTableMissingPermission) Managed identity or service principle must be given permission to read and write to custom route table /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/routeTables/joey-aks-fw-fwrt. Please see https://aka.ms/aks/customrt for more information
Code: CustomRouteTableMissingPermission
Message: Managed identity or service principle must be given permission to read and write to custom route table /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/routeTables/joey-aks-fw-fwrt. Please see https://aka.ms/aks/customrt for more information

Result after changes:
Environment: Cloud Shell
Change 1

az aks create -g $RG -n $AKSNAME -l $LOC \
  --node-count 3 \
  --network-plugin kubenet \
  --outbound-type userDefinedRouting \
  --vnet-subnet-id $SUBNETID \
  --api-server-authorized-ip-ranges $FWPUBLIC_IP \
  --enable-managed-identity \
  --assign-identity <redacted>  \
  --assign-kubelet-identity <redacted>

docker_bridge_cidr is not a known attribute of class <class 'azure.mgmt.containerservice.v2024_02_01.models._models_py3.ContainerServiceNetworkProfile'> and will be ignored
 | Running ..

Change 2 & 3

myIdentity_objId=$(az identity show --name myIdentity --resource-group $RG --query principalId -o tsv)
az role assignment create --assignee-object-id $myIdentity_objId --assignee-principal-type ServicePrincipal --role "Network Contributor" --scope $SUBNETID
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2024-05-02T09:08:26.559936+00:00",
(...no need to expand more result)

az role assignment create --assignee-object-id $myIdentity_objId --assignee-principal-type ServicePrincipal --role "Network Contributor" --scope $FWROUTE_TABLE_ID
{
  "condition": null,
  "conditionVersion": null,
(...no need to expand more result)

The role assignment can be successfully found:
Route table: [image]
Subnet:

RoleAssignmentId: 6d6ac5fd-9a17-4a89-9849-21d79b4d7672
Scope: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/virtualNetworks/joey-aks-fw-vnet/subnets/aks-subnet
DisplayName: myIdentity
SignInName: /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity
RoleDefinitionName: Network Contributor
RoleDefinitionId: /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7
ObjectId: b3cdb87f-a803-4dc6-ab6b-ef9d48b34b54
ObjectType: ServicePrincipal
RoleAssignmentDescription, ConditionVersion, Condition: (empty)

Wait 5 mins, then deploy the service:

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: another-store-front
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: store-front
  type: LoadBalancer
EOF

No issue at all: [image]

I also tested a system-assigned managed identity; it does auto-assign the role. Only a user-assigned managed identity will not auto-assign the role.
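The gap this PR documents is that, with a user-assigned control-plane identity, `az aks create` does not grant the identity Network Contributor on a custom route table (the `CustomRouteTableMissingPermission` error above), and the fix is two manual `az role assignment create` calls. The following is an added pre-flight check, not code from the PR or from the AKS docs: it consumes the JSON that `az role assignment list --assignee-object-id <principalId> --all -o json` returns (the `principalId`, `roleDefinitionName`, `roleDefinitionId` and `scope` fields are real fields of that output) and reports which required scopes still lack a direct or inherited qualifying role. The resource IDs and object ID are taken from the page; the assignment list itself is constructed sample data, and the set of superset roles is my assumption.

```python
"""Check whether an AKS user-assigned identity already holds Network Contributor (or a
superset role) on the node subnet and the custom route table required for UDR egress.
Added example; not the PR's or the AKS docs' own code."""

# Built-in Network Contributor role definition GUID (the roleDefinitionId tail shown on the page).
NETWORK_CONTRIBUTOR_GUID = "4d97b98b-1d4f-4787-a291-c67834d212e7"
# Assumption: roles whose permissions are a superset of Network Contributor on the scope.
SUPERSET_ROLES = ("Network Contributor", "Contributor", "Owner")

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_SCOPE = f"{SUB}/resourceGroups/joey-aks-fw-rg"
SUBNET_ID = f"{RG_SCOPE}/providers/Microsoft.Network/virtualNetworks/joey-aks-fw-vnet/subnets/aks-subnet"
FWROUTE_TABLE_ID = f"{RG_SCOPE}/providers/Microsoft.Network/routeTables/joey-aks-fw-fwrt"
PRINCIPAL_ID = "b3cdb87f-a803-4dc6-ab6b-ef9d48b34b54"  # objectId of myIdentity, from the page
REQUIRED_SCOPES = [SUBNET_ID, FWROUTE_TABLE_ID]

# Constructed sample: the subnet assignment exists, the route-table one is still missing.
# The scope deliberately uses /resourcegroups/ (lower case), as the page's own identity
# resource ID does, to show that the comparison must be case-insensitive.
SAMPLE_ASSIGNMENTS = [
    {
        "principalId": PRINCIPAL_ID,
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Network Contributor",
        "roleDefinitionId": f"{SUB}/providers/Microsoft.Authorization/roleDefinitions/{NETWORK_CONTRIBUTOR_GUID}",
        "scope": SUBNET_ID.replace("/resourceGroups/", "/resourcegroups/"),
    },
]


def _norm(resource_id: str) -> str:
    """ARM resource IDs are case-insensitive; normalise so resourcegroups == resourceGroups."""
    return resource_id.rstrip("/").lower()


def scope_covers(assignment_scope: str, target: str) -> bool:
    """True if an assignment at assignment_scope applies to target: same scope or an ancestor.
    The '/' guard stops '/subnets/aks-subnet' from matching '/subnets/aks-subnet2'."""
    a, t = _norm(assignment_scope), _norm(target)
    return t == a or t.startswith(a + "/")


def _grants_network_write(assignment: dict) -> bool:
    """Match by role name, or by the Network Contributor definition GUID if the name is absent."""
    if assignment.get("roleDefinitionName") in SUPERSET_ROLES:
        return True
    return _norm(assignment.get("roleDefinitionId", "")).endswith(NETWORK_CONTRIBUTOR_GUID)


def missing_scopes(assignments: list, principal_id: str, required_scopes: list) -> list:
    """Required scopes on which the principal holds no direct or inherited qualifying role."""
    mine = [a for a in assignments if a.get("principalId", "").lower() == principal_id.lower()]
    return [
        scope for scope in required_scopes
        if not any(_grants_network_write(a) and scope_covers(a.get("scope", ""), scope) for a in mine)
    ]


def remediation_commands(principal_id: str, scopes: list) -> list:
    """The az commands that close the gap, in the form the PR adds to the doc."""
    return [
        f'az role assignment create --assignee-object-id {principal_id} '
        f'--assignee-principal-type ServicePrincipal --role "Network Contributor" --scope {scope}'
        for scope in scopes
    ]


if __name__ == "__main__":
    gaps = missing_scopes(SAMPLE_ASSIGNMENTS, PRINCIPAL_ID, REQUIRED_SCOPES)
    for cmd in remediation_commands(PRINCIPAL_ID, gaps):
        print(cmd)
```

Run it against real output by replacing `SAMPLE_ASSIGNMENTS` with `json.load` of the CLI's `--all` listing (without `--all` the CLI lists only assignments at the current scope, so inherited resource-group or subscription-level grants would be reported as missing). The check looks at role assignments only; it does not evaluate Azure deny assignments or ABAC conditions (the `condition` field, `null` in the output above), so a principal this script reports as covered can still be denied by one of those.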

@JoeyC-Dev : Thanks for your contribution! The author(s) have been notified to review your proposed change.


Learn Build status updates of commit e140920:

✅ Validation status: passed

File: articles/aks/limit-egress-traffic.md, Status: ✅ Succeeded

For more details, please refer to the build report.


@JoeyC-Dev JoeyC-Dev changed the title Update wrong-formatted command in limit-egress-traffic.md Fix wrong-formatted command + add RBAC-related note in limit-egress-traffic.md May 2, 2024
@JoeyC-Dev JoeyC-Dev changed the title Fix wrong-formatted command + add RBAC-related note in limit-egress-traffic.md Fix wrong-formatted command + add RBAC-related command/note in limit-egress-traffic.md May 2, 2024

Learn Build status updates of commit c08ec44:

✅ Validation status: passed

File: articles/aks/limit-egress-traffic.md, Status: ✅ Succeeded

For more details, please refer to the build report.



Court72 commented May 2, 2024

@asudbring

Can you review the proposed changes?

When the changes are ready for publication, add a #sign-off comment to signal that the PR is ready for the review team to merge.

#label:"aq-pr-triaged"
@MicrosoftDocs/public-repo-pr-review-team

@prmerger-automator prmerger-automator bot added the aq-pr-triaged tracking label for the PR review team label May 2, 2024