azure: Add Workload Identity support#18204
Conversation
Signed-off-by: Ciprian Hacman <ciprian@hakman.dev>
Skipping CI for Draft Pull Request.

[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. Needs approval from an approver in each of these files. Approvers can indicate their approval by writing
// AzureNetworkSecurityGroupName returns the name of the network security group for the cluster.
// The NSG shares its name with the virtual network; callers relying on this invariant
// should prefer this helper over re-deriving the name inline.

// Azure built-in role definition IDs.
// See: https://learn.microsoft.com/azure/role-based-access-control/built-in-roles
const (
	// azureContributorRoleDefID is the ID of the built-in "Contributor" role.
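Review bot: the doc comment on azureContributorRoleDefID says what the constant is but not why the workload identity needs the built-in Contributor role, which grants write access to essentially every resource type in scope; add a sentence listing the operations that actually require it, and say whether a narrower built-in role or a custom role was considered, so the assignment can be reviewed against least privilege.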
Idea for future: add a summary of the contributor role and why we need it
	namespace string
	sa        string
}{
	{name: "fic-ccm", namespace: "kube-system", sa: "cloud-controller-manager"},
Nit: construct the name from the namespace & sa? I think it's only used internally in kOps so it shouldn't be a breaking change, so not a blocker
		break
	}
}
if foundVMSS == nil {
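Review bot: the loop breaks on the first matching VMSS and the only check afterwards is foundVMSS == nil, so a second match is silently ignored and the result depends on list order; if more than one scale set can satisfy the filter, collect all matches and return an error when there is more than one instead of taking the first.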
I'm not 100% sure what's going on here - but does it matter if there is more than one match?
lgtm, some comments / questions but not blocking
Lots of assistance from Claude Opus on this one 😄.
/cc @justinsb @rifelpet