Update "AKS RBAC Writer" role scope to managed ns #2003
bosesuneha wants to merge 1 commit into Azure:main from
Conversation
Pull request overview
This PR refactors managed-namespace role assignment scoping in the AKS OIDC setup flow, aiming to simplify scope handling by using the managed namespace scope for multiple role assignments.
Changes:
- Removes use of the Kubernetes namespace (/namespaces/{ns}) scope for managed namespaces.
- Uses the managed namespace (/managedNamespaces/{ns}) scope for the AKS RBAC Writer assignment in managed namespaces.
| // Assign all roles concurrently — they are independent | ||
| const [rbacResult, nsContribResult, acrResult, acrTasksResult] = await Promise.all([ | ||
| // K8s data-plane access (deployments, configmaps, etc.) | ||
| createRoleAssignment( | ||
| authClient, | ||
| subscriptionId, | ||
| principalId, | ||
| AKS_RBAC_WRITER_ROLE_ID, | ||
| k8sNsScope, | ||
| managedNsScope, | ||
| "ServicePrincipal", |
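Review bot: the inline comment heading this first createRoleAssignment call still reads "K8s data-plane access (deployments, configmaps, etc.)" while the scope argument in the same hunk changes from k8sNsScope to managedNsScope, so the comment and the scope no longer agree. Either keep k8sNsScope for the AKS RBAC Writer assignment (leaving managedNsScope to the ARM-side assignments) or, if the managedNamespaces scope is meant to cover data-plane access too, reword the comment to say so and cite where that behaviour is documented, so the next reader does not have to guess which of the two is intended.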
This PR changes the managed-namespace role assignment scope for AKS RBAC Writer, but there are no unit tests in oidcSetup.test.ts covering role assignment/scoping behavior. Adding a test that stubs createRoleAssignment and asserts the expected scope(s) for managed namespaces would help prevent regressions in deployment permissions.
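An added example of the kind of scope check the comment above asks for; it is not code from the PR or the Azure repository. It plans the role assignments for a managed namespace as pure data, then compares each role's scope kind against a policy table; the role ID placeholders, the policy table (data-plane role at /namespaces/{ns}, ARM-only role at /managedNamespaces/{ns}) and the function names are assumptions.

```typescript
// Added example (not the PR's code). Role IDs are placeholders and the policy
// table is an assumption; both are the single place to edit if scoping changes.
type RoleAssignment = { principalId: string; roleId: string; scope: string };
type ScopeKind = "namespaces" | "managedNamespaces";

// Placeholders: substitute the project's real role definition IDs.
const AKS_RBAC_WRITER_ROLE_ID = "<aks-rbac-writer-role-definition-id>";
const AKS_NAMESPACE_CONTRIBUTOR_ROLE_ID = "<aks-namespace-contributor-role-definition-id>";

// Policy table (assumption): the data-plane role is scoped to the Kubernetes
// namespace, the ARM-only role to the managed-namespace resource.
const EXPECTED_SCOPE_KIND: Record<string, ScopeKind> = {
  [AKS_RBAC_WRITER_ROLE_ID]: "namespaces",
  [AKS_NAMESPACE_CONTRIBUTOR_ROLE_ID]: "managedNamespaces",
};

function getScopeForKubernetesNamespace(clusterId: string, ns: string): string {
  return `${clusterId}/namespaces/${ns}`;
}
function getScopeForManagedNamespace(clusterId: string, ns: string): string {
  return `${clusterId}/managedNamespaces/${ns}`;
}

// Pure planning step: returns exactly what would be handed to createRoleAssignment.
// Keeping it free of I/O is what makes the scope check testable without Azure.
function planManagedNamespaceRoles(principalId: string, clusterId: string, ns: string): RoleAssignment[] {
  return [
    { principalId, roleId: AKS_RBAC_WRITER_ROLE_ID, scope: getScopeForKubernetesNamespace(clusterId, ns) },
    { principalId, roleId: AKS_NAMESPACE_CONTRIBUTOR_ROLE_ID, scope: getScopeForManagedNamespace(clusterId, ns) },
  ];
}

// Extract the trailing "<kind>/<name>" segment of an AKS scope, e.g.
// ".../managedClusters/c1/namespaces/team-a" -> "namespaces".
function scopeKind(scope: string): ScopeKind | undefined {
  const m = /\/(namespaces|managedNamespaces)\/[^/]+$/.exec(scope);
  return m ? (m[1] as ScopeKind) : undefined;
}

// One message per assignment whose scope kind disagrees with the policy table;
// an empty array means every role is scoped as expected.
function findScopeMismatches(plan: RoleAssignment[]): string[] {
  const problems: string[] = [];
  for (const a of plan) {
    const want = EXPECTED_SCOPE_KIND[a.roleId];
    const got = scopeKind(a.scope);
    if (want === undefined) problems.push(`${a.roleId}: no scope policy defined`);
    else if (got !== want) problems.push(`${a.roleId}: scoped to ${got ?? "unknown"}, expected ${want}`);
  }
  return problems;
}
```

A plan that puts the writer role on the managed-namespace scope is reported as one mismatch, so a change like this PR's would fail the check until the policy table is deliberately updated.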
| subscriptionId, | ||
| principalId, | ||
| AKS_RBAC_WRITER_ROLE_ID, | ||
| k8sNsScope, | ||
| managedNsScope, | ||
| "ServicePrincipal", |
AKS_RBAC_WRITER_ROLE_ID is described elsewhere as a Kubernetes data-plane RBAC role that scopes to /namespaces/{ns} (not /managedNamespaces/{ns}). Switching the role assignment scope to managedNsScope here is likely to make the AKS RBAC Writer assignment ineffective for kubectl operations in managed namespaces, despite the comment saying this grants data-plane access. Consider restoring the /namespaces/{ns} scope for AKS RBAC Writer (and keep /managedNamespaces/{ns} for the ARM-only AKS Namespace Contributor role), or update the scope helpers/docs if Azure now truly supports data-plane RBAC on managedNamespaces.
This pull request refactors the role assignment logic for managed namespaces in the AKS OIDC setup command. The main change is to unify the scope used for both Kubernetes data-plane RBAC and ARM operations by removing the separate Kubernetes namespace scope and using the managed namespace scope instead.
Role assignment scope simplification:
getScopeForKubernetesNamespace and now use getScopeForManagedNamespace for both RBAC and ARM role assignments, simplifying the logic and reducing potential confusion about scope usage. [1] [2] [3]