Commit 9050057

Add Azure permissions for Private Link Service operations
1. Microsoft.Network/privatelinkservices/write
   - Code: pkg/provider/privatelinkservice/repo.go:93
   - API: client.CreateOrUpdate(ctx, resourceGroup, *pls.Name, pls)
2. Microsoft.Network/privatelinkservices/read
   - Code: Various PLS Get operations and cache management
3. Microsoft.Network/privatelinkservices/delete
   - Code: pkg/provider/privatelinkservice/repo.go:109
   - API: client.Delete(ctx, resourceGroup, plsName)
4. Microsoft.Network/virtualNetworks/subnets/write
   - Code: pkg/provider/azure_privatelinkservice.go:232
   - API: subnetRepo.CreateOrUpdate(ctx, rg, vnetName, subnetName, subnet)
   - Purpose: Disable PrivateLinkServiceNetworkPolicies on subnet
5. Microsoft.Network/loadBalancers/loadBalancingRules/read
   - Required for Azure internal validation when PLS references LoadBalancerFrontendIPConfigurations

**Additional Join Permissions:**

When modifying subnets, Azure requires join permissions for networking resources that may be associated with the subnet:

6. Microsoft.Network/serviceEndpointPolicies/join/action
7. Microsoft.Network/natGateways/join/action
8. Microsoft.Network/networkIntentPolicies/join/action
9. Microsoft.Network/networkSecurityGroups/join/action
10. Microsoft.Network/routeTables/join/action
11. Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action

These are not direct API calls from cloud-provider code, but Azure ARM requirements when subnet modifications might affect associated resources.
1 parent 86f8c6d commit 9050057
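The commit message maps each new RBAC action to the code path that needs it, which is exactly the kind of table that drifts as manifests are edited by hand. As an added example, not part of this commit or of the repository it belongs to, the Go program below audits a CredentialsRequest-style permission list against the eleven PLS actions listed above: it reports any required action that is absent (Azure would then reject the call with AuthorizationFailed) and any wildcard entry that would over-grant. The manifest fragment is constructed to match the post-commit list in the diff, with assumed indentation; `ParsePermissions`, `Audit` and the scanner's stop-at-first-non-item rule are this example's own choices, not the operator's code.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// requiredPLSActions: the actions the commit message attributes to Private Link
// Service support (copied from the commit text; nothing added).
var requiredPLSActions = []string{
	"Microsoft.Network/privatelinkservices/write",
	"Microsoft.Network/privatelinkservices/read",
	"Microsoft.Network/privatelinkservices/delete",
	"Microsoft.Network/virtualNetworks/subnets/write",
	"Microsoft.Network/loadBalancers/loadBalancingRules/read",
	"Microsoft.Network/serviceEndpointPolicies/join/action",
	"Microsoft.Network/natGateways/join/action",
	"Microsoft.Network/networkIntentPolicies/join/action",
	"Microsoft.Network/networkSecurityGroups/join/action",
	"Microsoft.Network/routeTables/join/action",
	"Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action",
}

// sampleManifest is a constructed fragment shaped like the CredentialsRequest
// after this commit (indentation assumed; the remainder of the file is omitted).
const sampleManifest = `spec:
  providerSpec:
    permissions:
    - Microsoft.Network/loadBalancers/read
    - Microsoft.Network/loadBalancers/write
    - Microsoft.Network/loadBalancers/inboundNatRules/join/action
    - Microsoft.Network/loadBalancers/loadBalancingRules/read
    - Microsoft.Network/natGateways/join/action
    - Microsoft.Network/networkIntentPolicies/join/action
    - Microsoft.Network/networkInterfaces/read
    - Microsoft.Network/networkInterfaces/write
    - Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action
    - Microsoft.Network/networkSecurityGroups/read
    - Microsoft.Network/networkSecurityGroups/write
    - Microsoft.Network/networkSecurityGroups/join/action
    - Microsoft.Network/privatelinkservices/delete
    - Microsoft.Network/privatelinkservices/read
    - Microsoft.Network/privatelinkservices/write
    - Microsoft.Network/publicIPAddresses/join/action
    - Microsoft.Network/publicIPAddresses/read
    - Microsoft.Network/publicIPAddresses/write
    - Microsoft.Network/routeTables/join/action
    - Microsoft.Network/serviceEndpointPolicies/join/action
    - Microsoft.Network/virtualNetworks/subnets/join/action
    - Microsoft.Network/virtualNetworks/subnets/read
    - Microsoft.Network/virtualNetworks/subnets/write
    - Microsoft.Network/publicIPPrefixes/join/action
    - Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action
    serviceAccountNames:
    # remainder omitted
`

// ParsePermissions returns the items of the first "permissions:" list. It is a
// small line scanner, not a YAML parser: once inside the list it collects
// "- item" lines and stops at the first non-blank line that is not one.
func ParsePermissions(manifest string) []string {
	var perms []string
	inList := false
	for _, raw := range strings.Split(manifest, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case !inList:
			inList = line == "permissions:"
		case strings.HasPrefix(line, "- "):
			perms = append(perms, strings.TrimSpace(line[2:]))
		default:
			return perms
		}
	}
	return perms
}

// Audit reports required actions that are not granted and granted entries that
// contain a wildcard. Azure matches action names case-insensitively, so the
// comparison lowercases both sides.
func Audit(granted, required []string) (missing, wildcards []string) {
	have := make(map[string]bool, len(granted))
	for _, g := range granted {
		have[strings.ToLower(g)] = true
		if strings.Contains(g, "*") {
			wildcards = append(wildcards, g)
		}
	}
	for _, r := range required {
		if !have[strings.ToLower(r)] {
			missing = append(missing, r)
		}
	}
	sort.Strings(missing)
	return missing, wildcards
}

func main() {
	granted := ParsePermissions(sampleManifest)
	missing, wildcards := Audit(granted, requiredPLSActions)
	fmt.Printf("granted=%d missing=%v wildcards=%v\n", len(granted), missing, wildcards)

	// Simulated drift: a later edit drops the PLS read action and "fixes" it
	// with a wildcard. Both the gap and the over-grant are reported.
	drifted := strings.Replace(sampleManifest,
		"- Microsoft.Network/privatelinkservices/read", "- Microsoft.Network/*/read", 1)
	missing, wildcards = Audit(ParsePermissions(drifted), requiredPLSActions)
	fmt.Printf("drifted: missing=%v wildcards=%v\n", missing, wildcards)
}
```

Run it against the real manifest by reading the file into the string instead of the constant; a CI job that fails on a non-empty `missing` or `wildcards` keeps the mapping in the commit message enforceable rather than advisory.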

1 file changed

Lines changed: 10 additions & 0 deletions

manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml

Original file line number | Diff line number | Diff line change
@@ -20,16 +20,26 @@ spec:
2020
- Microsoft.Network/loadBalancers/read
2121
- Microsoft.Network/loadBalancers/write
2222
- Microsoft.Network/loadBalancers/inboundNatRules/join/action
23+
- Microsoft.Network/loadBalancers/loadBalancingRules/read
24+
- Microsoft.Network/natGateways/join/action
25+
- Microsoft.Network/networkIntentPolicies/join/action
2326
- Microsoft.Network/networkInterfaces/read
2427
- Microsoft.Network/networkInterfaces/write
28+
- Microsoft.Network/networkManagers/ipamPools/associateResourcesToPool/action
2529
- Microsoft.Network/networkSecurityGroups/read
2630
- Microsoft.Network/networkSecurityGroups/write
2731
- Microsoft.Network/networkSecurityGroups/join/action
32+
- Microsoft.Network/privatelinkservices/delete
33+
- Microsoft.Network/privatelinkservices/read
34+
- Microsoft.Network/privatelinkservices/write
2835
- Microsoft.Network/publicIPAddresses/join/action
2936
- Microsoft.Network/publicIPAddresses/read
3037
- Microsoft.Network/publicIPAddresses/write
38+
- Microsoft.Network/routeTables/join/action
39+
- Microsoft.Network/serviceEndpointPolicies/join/action
3140
- Microsoft.Network/virtualNetworks/subnets/join/action
3241
- Microsoft.Network/virtualNetworks/subnets/read
42+
- Microsoft.Network/virtualNetworks/subnets/write
3343
- Microsoft.Network/publicIPPrefixes/join/action
3444
- Microsoft.Network/applicationSecurityGroups/joinNetworkSecurityRule/action
3545
serviceAccountNames:
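Review bot: the six grants that exist only to support one subnet PUT (the five new join/action entries for natGateways, networkIntentPolicies, routeTables, serviceEndpointPolicies and networkManagers/ipamPools, plus Microsoft.Network/virtualNetworks/subnets/write) are justified nowhere in this file; the reasoning lives only in the commit message, so the next person trimming this list has no way to see that they are ARM prerequisites for clearing PrivateLinkServiceNetworkPolicies rather than unused grants. Add a YAML comment above that block pointing at the PLS subnet CreateOrUpdate path in pkg/provider/azure_privatelinkservice.go. Worth stating explicitly in the PR as well: subnets/write together with the networkSecurityGroups/join/action already in the list and the new routeTables/join/action lets this identity re-associate an NSG or route table on any subnet in scope, which is considerably broader than toggling one policy flag, so confirm the write is only exercised on the PLS code path and not on every reconcile.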
