Tell us about your request
For the traditional AKS experience with a custom VNet, when you create clusters with the CLI, we use the customer's credential to assign all the roles needed for the subnet here.
But unlike traditional AKS, Karpenter needs some additional VNet permissions. We need to be able to GET the VNet as well.
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
We need to modify the Azure CLI to also include the role assignments that Karpenter needs for NAP. We need RG-level scoped RBAC for VNet read. Or we could solve all of the network contribution perms by assigning Virtual Network Contributor to the cluster identity.

```make
# Look up the principalId of the cluster's managed identity (the identity that Karpenter runs as)
$(eval CLUSTER_IDENTITY_ID=$(shell az aks show --name $(AZURE_CLUSTER_NAME) --resource-group $(AZURE_RESOURCE_GROUP) | jq -r ".identity.principalId"))
# Grant that identity Network Contributor, scoped to the cluster's resource group rather than the subscription
az role assignment create --assignee $(CLUSTER_IDENTITY_ID) --scope /subscriptions/$(AZURE_SUBSCRIPTION_ID)/resourceGroups/$(AZURE_RESOURCE_GROUP) --role "Network Contributor"
```
Are you currently working around this issue?
https://github.com/Azure/karpenter-provider-azure/pull/326/files
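The request above offers two options: an RG-scoped grant covering just the VNet read, or the broad Network Contributor role. The following is an added example, not code from the issue or from the Karpenter project, showing what the narrow option looks like as an Azure custom role definition and an offline check of which role actually covers the actions Karpenter needs. The required action list, the approximation of the built-in Network Contributor role, and the custom role name are assumptions made here; confirm the real built-in definition with `az role definition list --name "Network Contributor"` before relying on it.

```python
"""Offline check of Azure RBAC role coverage for Karpenter NAP's VNet access.

Azure RBAC semantics modelled here: an action is permitted by a role if it
matches any pattern in Actions and no pattern in NotActions; '*' in a pattern
matches across path segments ("Microsoft.Network/*" covers every Network action).
"""
from fnmatch import fnmatchcase
import json

# Assumption: the GET on the VNet from the issue, plus the subnet read/join that
# attaching node NICs to a custom subnet already requires.
REQUIRED_ACTIONS = [
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/virtualNetworks/subnets/read",
    "Microsoft.Network/virtualNetworks/subnets/join/action",
]

# Constructed approximation of the built-in Network Contributor role (verify with
# `az role definition list --name "Network Contributor"`). The wildcard is what
# makes it far broader than a VNet read grant.
NETWORK_CONTRIBUTOR = {
    "Actions": [
        "Microsoft.Network/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "NotActions": [],
}

# Sensitive actions a reviewer would not expect a "read the VNet" identity to hold.
PROBE_ACTIONS = [
    "Microsoft.Network/virtualNetworks/delete",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Network/networkSecurityGroups/write",
    "Microsoft.Network/networkSecurityGroups/securityRules/write",
]


def least_privilege_role(subscription_id, resource_group):
    """Custom role definition granting only REQUIRED_ACTIONS, assignable at the
    cluster's resource group (hypothetical name; feed the JSON to
    `az role definition create --role-definition @file.json`)."""
    return {
        "Name": "Karpenter NAP VNet Reader (custom)",
        "IsCustom": True,
        "Description": "Read the VNet and read/join its subnets for Karpenter NAP.",
        "Actions": list(REQUIRED_ACTIONS),
        "NotActions": [],
        "AssignableScopes": [
            f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        ],
    }


def _matches(action, patterns):
    return any(fnmatchcase(action, p) for p in patterns)


def effective_allowed(role, action):
    """True if `action` is matched by Actions and not excluded by NotActions."""
    return _matches(action, role["Actions"]) and not _matches(
        action, role.get("NotActions", [])
    )


def missing_actions(role, required=REQUIRED_ACTIONS):
    """Required actions the role does not grant (empty list means it suffices)."""
    return [a for a in required if not effective_allowed(role, a)]


def excess_actions(role, probes=PROBE_ACTIONS):
    """Probe actions the role grants although Karpenter does not need them."""
    return [a for a in probes if effective_allowed(role, a)]


if __name__ == "__main__":
    custom = least_privilege_role("00000000-0000-0000-0000-000000000000", "rg-demo")
    print(json.dumps(custom, indent=2))
    for name, role in (("Network Contributor", NETWORK_CONTRIBUTOR), ("custom", custom)):
        print(f"{name}: missing={missing_actions(role)} excess={excess_actions(role)}")
```

Both roles satisfy the required actions, but only the custom one yields an empty excess list; a role built from `*/read` alone fails the check because the subnet join action is not a read, which is the trap in "just give it Reader".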