azure: Switch to user-assigned managed identity for control-plane #18142
hakman wants to merge 1 commit into kubernetes:master from
2c01c37 to 9b5a6c8
/test pull-kops-e2e-azure-cni-cilium
/test pull-kops-e2e-azure-cni-cilium
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
/test pull-kops-e2e-azure-cni-cilium
131bba7 to 2ac91e0
/test pull-kops-e2e-azure-cni-cilium
Azure RBAC role assignment propagation can take minutes after creation. With system-assigned identity, the VMSS must be created first to get a PrincipalID, then the role assignment is created, and then RBAC must propagate before nodeup can read from blob storage. This causes 3-4 minutes of 403 errors during bootstrap. The switch to user-assigned managed identity allows the identity and role assignments to be created before the VMSS. By the time VMs boot, RBAC should already be propagated, eliminating the delay.

Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
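The creation order the commit message describes (identity, then role assignment, then VMSS attached to that identity), written out as an added azurerm Terraform example that is not the PR's or kops' own code. It assumes `azurerm_resource_group.example`, `azurerm_storage_account.example` and `azurerm_subnet.example` are defined elsewhere, and the "Storage Blob Data Reader" role, scoped to the one storage account nodeup reads from, is an assumed least-privilege choice rather than something the PR states.

```hcl
# Added example, not kops code (RG, storage account, subnet assumed). 1: identity first, so principal_id exists before any VMSS.
resource "azurerm_user_assigned_identity" "control_plane" {
  name                = "example-com-control-plane"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
}
# 2. Role next, scoped to the one storage account nodeup reads (least privilege).
resource "azurerm_role_assignment" "control_plane_blob_reader" {
  scope                = azurerm_storage_account.example.id
  role_definition_name = "Storage Blob Data Reader"
  principal_id         = azurerm_user_assigned_identity.control_plane.principal_id
  skip_service_principal_aad_check = true # new principal may not be visible in the directory yet
}
# 3. VMSS last, attached to the identity and ordered after the role assignment.
resource "azurerm_linux_virtual_machine_scale_set" "control_plane" {
  name                = "example-com-control-plane"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "Standard_D2s_v3"
  instances           = 1
  admin_username      = "ubuntu"
  admin_ssh_key {
    username   = "ubuntu"
    public_key = file("~/.ssh/id_ed25519.pub")
  }
  source_image_reference {
    publisher = "Canonical"
    offer     = "0001-com-ubuntu-server-jammy"
    sku       = "22_04-lts-gen2"
    version   = "latest"
  }
  os_disk {
    caching              = "ReadWrite"
    storage_account_type = "Premium_LRS"
  }
  network_interface {
    name    = "primary"
    primary = true
    ip_configuration {
      name      = "internal"
      primary   = true
      subnet_id = azurerm_subnet.example.id
    }
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.control_plane.id]
  }
  depends_on = [azurerm_role_assignment.control_plane_blob_reader] # propagation starts before first boot
}
```

The `depends_on` is what enforces step 3 after step 2: the VMSS only references the identity, so without it Terraform may create the scale set and the role assignment in parallel. Ordering guarantees the assignment exists before the first VM boots, not that propagation has finished, so nodeup should still tolerate a short window of 403s.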
2ac91e0 to ccfd7cd
/test pull-kops-e2e-azure-cni-cilium
```hcl
resource "azurerm_user_assigned_identity" "minimal-azure-example-com" {
  location = "eastus"
  name     = "minimal-azure-example-com"
```
Should this identity be specific to the control plane rather than be for the entire cluster?
If you mean the name, sure, it can be more suggestive.
/test pull-kops-e2e-azure-cni-cilium
@hakman: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.