From 905201dedd63437d46cc266e604e75af6cc2db34 Mon Sep 17 00:00:00 2001
From: Matthew Christopher
Date: Fri, 14 Feb 2025 09:35:39 -0800
Subject: [PATCH] Further authentication fixes (missed in #685) (#693)

---
 Makefile-az.mk | 4 ++--
 hack/deploy/create-cluster.sh | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/Makefile-az.mk b/Makefile-az.mk
index f1c893ea5..ed034a1dd 100755
--- a/Makefile-az.mk
+++ b/Makefile-az.mk
@@ -143,7 +143,7 @@ az-perm-subnet-custom: az-perm ## Create role assignments to let Karpenter manag
 $(eval VNET_SUBNET_ID=$(shell az aks show --name $(AZURE_CLUSTER_NAME) --resource-group $(AZURE_RESOURCE_GROUP) | jq -r ".agentPoolProfiles[0].vnetSubnetId"))
 $(eval KARPENTER_USER_ASSIGNED_CLIENT_ID=$(shell az identity show --resource-group "${AZURE_RESOURCE_GROUP}" --name "${AZURE_KARPENTER_USER_ASSIGNED_IDENTITY_NAME}" --query 'principalId' -otsv))
 $(eval SUBNET_RESOURCE_GROUP=$(shell az network vnet subnet show --id $(VNET_SUBNET_ID) | jq -r ".resourceGroup"))
- az role assignment create --assignee $(KARPENTER_USER_ASSIGNED_CLIENT_ID) --scope /subscriptions/$(AZURE_SUBSCRIPTION_ID)/resourceGroups/$(SUBNET_RESOURCE_GROUP) --role "Network Contributor"
+ az role assignment create --assignee-object-id $(KARPENTER_USER_ASSIGNED_CLIENT_ID) --assignee-principal-type "ServicePrincipal" --scope /subscriptions/$(AZURE_SUBSCRIPTION_ID)/resourceGroups/$(SUBNET_RESOURCE_GROUP) --role "Network Contributor"

 az-perm-savm: ## Create role assignments to let Karpenter manage VMs and Network
 # Note: savm has not been converted over to use a workload identity
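Review bot: The value handed to the new `--assignee-object-id` flag is still kept in a variable named `KARPENTER_USER_ASSIGNED_CLIENT_ID`, while the `$(eval …)` two lines above fills it from `--query 'principalId'`, which is the identity's object ID, not its client ID; now that the flag spells out which ID is expected the name misleads, so rename it to `KARPENTER_USER_ASSIGNED_OBJECT_ID` on both the eval line and the assignment line. The same mismatch exists in the az-perm-acr hunk and in the create-cluster.sh loop hunk, where the variable is likewise filled from `.principalId`. As far as I know, supplying `--assignee-principal-type` lets the role assignment be created without resolving the principal first, and a failed `$(shell az identity show …)` inside `$(eval)` is not fatal to make, so an empty value would reach the az command with no hint of which lookup went wrong; a guard before the assignment line such as `$(if $(strip $(KARPENTER_USER_ASSIGNED_CLIENT_ID)),,$(error KARPENTER_USER_ASSIGNED_CLIENT_ID is empty; did az identity show fail?))` makes the failure point explicit. The az-perm-subnet-custom recipe starts before this hunk.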
@@ -157,7 +157,7 @@ az-perm-savm: ## Create role assignments to let Karpenter manage VMs and Network
 az-perm-acr:
 $(eval KARPENTER_USER_ASSIGNED_CLIENT_ID=$(shell az identity show --resource-group "${AZURE_RESOURCE_GROUP}" --name "${AZURE_KARPENTER_USER_ASSIGNED_IDENTITY_NAME}" --query 'principalId' -otsv))
 $(eval AZURE_ACR_ID=$(shell az acr show --name $(AZURE_ACR_NAME) --resource-group $(AZURE_RESOURCE_GROUP) | jq -r ".id"))
- az role assignment create --assignee $(KARPENTER_USER_ASSIGNED_CLIENT_ID) --scope $(AZURE_ACR_ID) --role "AcrPull"
+ az role assignment create --assignee-object-id $(KARPENTER_USER_ASSIGNED_CLIENT_ID) --assignee-principal-type "ServicePrincipal" --scope $(AZURE_ACR_ID) --role "AcrPull"

 az-aks-check-acr:
 az aks check-acr --name $(AZURE_CLUSTER_NAME) --resource-group $(AZURE_RESOURCE_GROUP) --acr $(AZURE_ACR_NAME)
diff --git a/hack/deploy/create-cluster.sh b/hack/deploy/create-cluster.sh
index 69764fa47..a95efbcdc 100755
--- a/hack/deploy/create-cluster.sh
+++ b/hack/deploy/create-cluster.sh
@@ -26,7 +26,7 @@ az aks get-credentials --name "${CLUSTER_NAME}" --resource-group "${RG}" --overw
 echo "Creating federated credential linked to the Karpenter service account ..."
 az identity federated-credential create --name KARPENTER_FID --identity-name karpentermsi --resource-group "${RG}" \
 --issuer "$(jq -r ".oidcIssuerProfile.issuerUrl" <<< "$AKS_JSON")" \
- --subject system:serviceaccount:${KARPENTER_NAMESPACE}:karpenter-sa \
+ --subject "system:serviceaccount:${KARPENTER_NAMESPACE}:karpenter-sa" \
 --audience api://AzureADTokenExchange

 echo "Creating role assignments to let Karpenter manage VMs and Network resources ..."
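Review bot: Quoting the `--subject` argument in the create-cluster.sh hunk fixes word splitting, but an unset or empty `KARPENTER_NAMESPACE` still yields the subject `system:serviceaccount::karpenter-sa`, which would presumably create a federated credential that never matches the intended service account and only surfaces later as a token-exchange failure inside Karpenter. Since the subject is the one value binding this trust to a specific Kubernetes identity, fail at creation time instead: `--subject "system:serviceaccount:${KARPENTER_NAMESPACE:?KARPENTER_NAMESPACE must be set}:karpenter-sa" \`. Whether the script already runs under `set -u` is not visible in this hunk, and the `az identity federated-credential create` command starts before the changed line.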
@@ -34,5 +34,5 @@ KARPENTER_USER_ASSIGNED_CLIENT_ID=$(jq -r '.principalId' <<< "$KMSI_JSON")
 RG_MC=$(jq -r ".nodeResourceGroup" <<< "$AKS_JSON")
 RG_MC_RES=$(az group show --name "${RG_MC}" --query "id" -otsv)
 for role in "Virtual Machine Contributor" "Network Contributor" "Managed Identity Operator"; do
- az role assignment create --assignee "${KARPENTER_USER_ASSIGNED_CLIENT_ID}" --scope "${RG_MC_RES}" --role "$role"
+ az role assignment create --assignee-object-id "${KARPENTER_USER_ASSIGNED_CLIENT_ID}" --assignee-principal-type "ServicePrincipal" --scope "${RG_MC_RES}" --role "$role"
 done