As defined in the article "Make major changes to Microsoft Learn documentation", "adding new images or updating images" is considered a major change. As defined in the "issue template", it is required to "submit an issue that describes the details of the proposed large change".
So this is why I am submitting this issue before actually making edits.
Proposed change:

1. Update the outdated image under the section "Configure just-in-time cluster access with Microsoft Entra ID and AKS", which talks about how to use PIM.
2. Add a section introducing how to elevate permissions (roles) under "apply (activate)-approve" mode.
3. Add a brief introduction on how to set the basic/default role for a group, then add an external link to the existing how-to tutorial.

If approved, I will submit a PR for it.
For change 1, since the name of the feature has already changed, the screenshot should be updated accordingly. For example:
This will avoid confusion.
For changes 2 and 3, this proposal is based on a real scenario. When a user wants to set a base role and a privileged role for PIM, the user is very confused and has a hard time combining these concepts.
Meanwhile, in most situations, when a user wants to use PIM, an approver should be there. There is no introduction/steps or external link pointing directly to that, and this costs the user more time to discover. I believe that for a newcomer who only knows AKS, it will be ridiculously hard to find the correct method to set it up. For example: it is hard to know that "set role settings" is the correct place to set a PIM approver, instead of this "approve" chapter.
Also, some details are hard for a general user to know: for example, you must use kubelogin to force a re-login, built-in roles do not give default access to scaling node pools, etc.
Hence, I believe some more steps should be added here. But since the content for these parts is far too much, I decided to create a new article to introduce it.
For the full content of the proposed change on 2 and 3, see: main...JoeyC-Dev:azure-docs:aks-pim-with-approver
Another justification for creating a new document instead of replacing: the PIM content in the current document uses "active" to temporarily grant access. However, using the "eligible" method with an approver set is common too. There should be two different articles to introduce them in different ways. More obviously, the steps required to set up "apply-approve" mode are more than for "temp-directly-grant" mode. It will be confusing if a user who only wants to set up "temp-directly-grant" mode sees the steps required for "apply-approve" mode (if both sets of steps are combined in one document).
In case you need to verify the last important note in the article, which is about PIM not being able to be set lower than 60 minutes for CLI tools:
(Note: I set the max duration of the PIM as 0.5 hours.)
This screenshot is to prove the content of the important note in my article:

> [!IMPORTANT]
> Due to the design of token lifetime, if you are granting roles to users who use CLI tools like kubectl/kubelogin, the duration of activating (granting) roles during the approval process technically cannot be lower than 60 minutes. Even if the duration is set as 0.5 hours, the actual effective time is still between 60 and 75 minutes. This is because when kubelogin tries to get AAD tokens from the Microsoft identity platform, an access_token and a refresh_token are returned for further use. The access_token is used to make requests to the API, and the refresh_token is used to get a new access_token if the original one is invalid. The access_token cannot be revoked once generated. Only the refresh_token can be revoked.
> In order to manually revoke the refresh_token, use Revoke-AzureADUserAllRefreshToken.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
ID: 53eaee4b-cec8-9064-6b83-7a4de694848d
Version Independent ID: f3a55dd1-2b7b-8087-59b8-3afa0966fd65
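The following script is an added illustration of the point made in the important note quoted above; it is not part of the issue, the proposed article, or any Microsoft tooling. It models what happens when a user activates a PIM role for a short window and kubelogin obtains an access token at the start of that window: the token keeps authorizing until its own `exp`, so the real access window is the longer of the activation duration and the token lifetime. The JWT here is constructed and unsigned (a real Entra token is RS256-signed and must never be trusted without verification); the 75-minute lifetime, the activation start time and the `effective_window` helper are assumptions for the demonstration, while the audience value is the public AKS Entra server application ID.

```python
import base64
import json
from datetime import datetime, timedelta, timezone

# Upper bound of the access token lifetime quoted in the note (60-75 minutes).
# Assumed value for the demonstration; real tenants may differ.
ASSUMED_TOKEN_LIFETIME_MIN = 75


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(issued_at: datetime, lifetime_minutes: int) -> str:
    """Build a CONSTRUCTED, unsigned JWT carrying only the claims this check reads.

    It stands in for the access_token kubelogin caches, so the example runs offline.
    """
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "iat": int(issued_at.timestamp()),
        "exp": int((issued_at + timedelta(minutes=lifetime_minutes)).timestamp()),
        "aud": "6dae42f8-4368-4678-94ff-3960e28e3630",  # AKS Entra server app ID
    }
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(payload).encode()),
                     ""])  # empty signature: this token proves nothing


def decode_claims(token: str) -> dict:
    """Read the JWT payload WITHOUT verifying the signature.

    Fine for inspecting exp/iat of your own cached token; never use it to make an
    authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-part compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def access_overrun(token: str, activation_end: datetime) -> timedelta:
    """How long a token issued during a PIM activation still works after it ends.

    The access_token is not revocable, so nothing shortens this except its own exp.
    Returns zero when the token already expired before activation_end.
    """
    exp = datetime.fromtimestamp(decode_claims(token)["exp"], tz=timezone.utc)
    return max(exp - activation_end, timedelta(0))


def effective_window(activation_minutes: int,
                     token_lifetime_minutes: int = ASSUMED_TOKEN_LIFETIME_MIN) -> int:
    """Minutes of real cluster access when a token is fetched at activation start."""
    activated = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed
    token = make_sample_token(activated, token_lifetime_minutes)
    activation_end = activated + timedelta(minutes=activation_minutes)
    overrun_min = int(access_overrun(token, activation_end).total_seconds() // 60)
    return activation_minutes + overrun_min


if __name__ == "__main__":
    for requested in (30, 60, 120):
        print(f"PIM activation {requested:>3} min -> "
              f"effective access {effective_window(requested)} min")
```

Decoding a real cached token the same way (for example one returned by `az account get-access-token`) shows the same `exp` arithmetic. To actually cut the window short after an activation ends, revoke the user's refresh tokens as the note describes and clear the local cache so kubelogin cannot silently refresh; an unexpired access token will still be accepted until its `exp`.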
@JoeyC-Dev
Thank you for bringing this to our attention.
I've delegated this to content author @MGoedtel, who will review it and offer their insightful opinions.
Taking this offline with Joey to coordinate and implement the recommended changes. Creating a work item to represent the work we'll be doing to update the article(s).
#please-close