Add privateEndpointConnections/delete permission for Azure PLS cleanup

RadekManak · RadekManak · commit c6f1319cdf0a · 2026-03-17T12:09:55.000+01:00
The cloud-provider-azure CCM calls safeDeletePLS() when removing a
Private Link Service (e.g. when a LoadBalancer Service with the
azure-pls-create annotation is deleted). This function iterates over
all PrivateEndpointConnections on the PLS and deletes each one before
deleting the PLS itself, because Azure does not allow deleting a PLS
that has active Private Endpoint connections from consumers.

Without this permission, PLS cleanup fails when an external consumer
has connected to the service via a Private Endpoint.
diff --git a/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml b/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml
@@ -31,6 +31,7 @@ spec:
     - Microsoft.Network/networkSecurityGroups/write
     - Microsoft.Network/networkSecurityGroups/join/action
     - Microsoft.Network/privatelinkservices/delete
+    - Microsoft.Network/privatelinkservices/privateEndpointConnections/delete
     - Microsoft.Network/privatelinkservices/read
     - Microsoft.Network/privatelinkservices/write
     - Microsoft.Network/publicIPAddresses/delete
