✨ add support for azure system assigned identities #565
@devigned please take a look when you get a chance! Thanks
/test pull-cluster-api-provider-azure-verify
8f1ad61 to d0cd420
I'm not sure why the verify fails, everything seems to be updated, will look into it more
@nader-ziada it looks like it's complaining that
@CecileRobertMichon Thanks, seems my local kustomize is different than on ci, but I think I found something, trying it now
4ab94cc to 46f01bc
@CecileRobertMichon @devigned PR ready for another look. Thanks
@nader-ziada, the code looks awesome ✨. I have one question though. What rights does the identity have? I don't see any RBAC rights assigned to the identity. For example, the control plane machines will likely need subscription contributor access and the worker nodes might need resource group contributor and possibly subscription contributor too. I don't think this will work correctly with the Azure cloud provider with the current RBAC rights.
@devigned I was able to create a cluster and made sure the VMs have an identity of
/retest
/retest
/hold cancel
56276ef to 45cafc9
@CecileRobertMichon addressed the last comments
/approve
/hold
/assign @devigned
Awesome work @nader-ziada !
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: CecileRobertMichon, nader-ziada
Sry to do this, but there is one last thing. Please update https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/docs/getting-started.md#Prerequisites to specify --role owner, so that developers creating a new service principal will have the correct rights to assign roles.
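Why the service principal needs `--role owner` before it can assign a role to the system-assigned identity, shown as an added example that is not code from this PR or from cluster-api-provider-azure: creating a role assignment requires `Microsoft.Authorization/roleAssignments/write`, which the Contributor role excludes through its NotActions. The `RoleDef` type, the helper names and the abbreviated role definitions are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RoleDef keeps the two role-definition fields that decide control-plane access.
type RoleDef struct{ Actions, NotActions []string }

// Abbreviated, constructed copies of two built-in roles; the real Contributor
// definition lists more NotActions than shown here.
var roles = map[string]RoleDef{
	"Owner": {Actions: []string{"*"}},
	"Contributor": {Actions: []string{"*"}, NotActions: []string{
		"Microsoft.Authorization/*/Delete",
		"Microsoft.Authorization/*/Write",
		"Microsoft.Authorization/elevateAccess/Action",
	}},
}

// matches treats "*" as any run of characters (including "/"), ignoring case.
func matches(pattern, action string) bool {
	expr := "(?i)^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, ".*") + "$"
	return regexp.MustCompile(expr).MatchString(action)
}

func anyMatch(patterns []string, action string) bool {
	for _, p := range patterns {
		if matches(p, action) {
			return true
		}
	}
	return false
}

// Permits: allowed by some Actions entry and excluded by no NotActions entry.
func (r RoleDef) Permits(action string) bool {
	return anyMatch(r.Actions, action) && !anyMatch(r.NotActions, action)
}

func main() {
	const assign = "Microsoft.Authorization/roleAssignments/write"
	for _, name := range []string{"Owner", "Contributor"} {
		fmt.Printf("%-12s may create role assignments: %v\n", name, roles[name].Permits(assign))
	}
}
```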
- add new field for IdentityType in AzureMachineSpec
- add new flavor for VMs with system assigned identity
- add a role assignment to the system generated identity
@devigned no worries, I made the change
/lgtm Thank you, @nader-ziada. Great work! 🔥
/hold cancel
Thanks @devigned for helping me understand how all this works on Azure :)
What this PR does / why we need it:
Add support for Azure managed system assigned identities when creating a VM
Which issue(s) this PR fixes:
Ref #312
Release note: