fix: Add perms for ingress to update the public subnet as well #28

Merged: 1 commit, Oct 4, 2023


@yogeshg yogeshg commented Oct 4, 2023

I created a new cluster, but its application gateway did not have the right listeners. After lots of digging around, I went into the ingress* pod and found the following logs:

```
E1003 23:59:28.456537       1 controller.go:141] network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="ApplicationGatewayInsufficientPermissionOnSubnet" Message="Client with object id 4a0f8c94-3307-45ce-aa28-8910e9dc0f1f does not have permission on the Virtual Network resource /subscriptions/c9dd8162-c274-4935-87d7-ccdb4b856b10/resourceGroups/testing-yo-lt02/providers/Microsoft.Network/virtualNetworks/testing-yo-lt02-vpc/subnets/testing-yo-lt02-public to perform action Microsoft.Network/virtualNetworks/subnets/join/action. For details on the required permissions, please visit https://aka.ms/agsubnetjoin." Details=[]
E1003 23:59:28.456557       1 worker.go:62] Error processing event.network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="ApplicationGatewayInsufficientPermissionOnSubnet" Message="Client with object id 4a0f8c94-3307-45ce-aa28-8910e9dc0f1f does not have permission on the Virtual Network resource /subscriptions/c9dd8162-c274-4935-87d7-ccdb4b856b10/resourceGroups/testing-yo-lt02/providers/Microsoft.Network/virtualNetworks/testing-yo-lt02-vpc/subnets/testing-yo-lt02-public to perform action Microsoft.Network/virtualNetworks/subnets/join/action. For details on the required permissions, please visit https://aka.ms/agsubnetjoin." Details=[]
I1003 23:59:28.456784       1 event.go:282] Event(v1.ObjectReference{Kind:"Pod", Namespace:"kube-system", Name:"ingress-appgw-deployment-5c5967d8b7-fgx62", UID:"1282d6ba-3344-4baf-bc84-ed5137166edd", APIVersion:"v1", ResourceVersion:"1088", FieldPath:""}): type: 'Warning' reason: 'FailedApplyingAppGwConfig' network.ApplicationGatewaysClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: autorest/azure: Service returned an error. Status=<nil> Code="ApplicationGatewayInsufficientPermissionOnSubnet" Message="Client with object id 4a0f8c94-3307-45ce-aa28-8910e9dc0f1f does not have permission on the Virtual Network resource /subscriptions/c9dd8162-c274-4935-87d7-ccdb4b856b10/resourceGroups/testing-yo-lt02/providers/Microsoft.Network/virtualNetworks/testing-yo-lt02-vpc/subnets/testing-yo-lt02-public to perform action Microsoft.Network/virtualNetworks/subnets/join/action. For details on the required permissions, please visit https://aka.ms/agsubnetjoin." Details=[]
```

This indicates that the AGIC now updates the public subnet too. Giving it the right permissions worked like a charm!

@yogeshg yogeshg requested a review from gls4 as a code owner October 4, 2023 03:36
@jsbroks jsbroks merged commit 959c50f into main Oct 4, 2023
5 checks passed
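
The ingress pod repeats the same denial on every reconcile, so it helps to collapse the log into the distinct (principal, action, scope) tuples before deciding what to grant. The script below is an added example, not code from this repository; the function names and the sample log (placeholder IDs and resource names) are constructed for illustration.

```python
import re

# ARM denial logged when the ingress identity lacks a permission on a subnet.
# Field layout follows the error text quoted in the PR description.
DENIED = re.compile(
    r'Code="ApplicationGatewayInsufficientPermissionOnSubnet"'
    r'.*?Client with object id (?P<principal>[0-9a-fA-F-]{36})'
    r'.*?resource (?P<scope>/subscriptions/\S+)'
    r' to perform action (?P<action>[\w./]*\w)'
)

def missing_grants(log_text):
    """Return {(principal, action, scope): occurrences} for each distinct denial."""
    grants = {}
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            key = (m["principal"], m["action"], m["scope"])
            grants[key] = grants.get(key, 0) + 1
    return grants

def subnet_of(scope):
    """Split a subnet resource ID into (vnet, subnet); None if it is not one."""
    m = re.search(r"/virtualNetworks/([^/]+)/subnets/([^/]+)$", scope)
    return m.groups() if m else None

# Constructed sample with the same shape as the quoted log; IDs are placeholders.
_ERR = ('Code="ApplicationGatewayInsufficientPermissionOnSubnet" Message="Client '
        'with object id 00000000-0000-0000-0000-000000000001 does not have '
        'permission on the Virtual Network resource /subscriptions/'
        '00000000-0000-0000-0000-000000000002/resourceGroups/example-rg/providers/'
        'Microsoft.Network/virtualNetworks/example-vpc/subnets/example-public to '
        'perform action Microsoft.Network/virtualNetworks/subnets/join/action. '
        'For details on the required permissions, please visit '
        'https://aka.ms/agsubnetjoin." Details=[]')
SAMPLE = "\n".join([
    "E1003 23:59:28.456537       1 controller.go:141] CreateOrUpdate: " + _ERR,
    "E1003 23:59:28.456557       1 worker.go:62] Error processing event." + _ERR,
    "I1003 23:59:29.000000       1 main.go:10] unrelated informational line",
])

if __name__ == "__main__":
    for (principal, action, scope), n in missing_grants(SAMPLE).items():
        print(n, principal, action, subnet_of(scope))
```

Each resulting tuple names exactly one principal, one action and one scope, which is the smallest grant that would clear the error.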

jsbroks commented Oct 4, 2023

This PR is included in version 1.4.1 🎉

jsbroks pushed a commit that referenced this pull request Oct 4, 2023
### [1.4.1](v1.4.0...v1.4.1) (2023-10-04)

### Bug Fixes

* Add perms for ingress to update the public subnet as well ([#28](#28)) ([959c50f](959c50f))
@@ -56,3 +56,9 @@ resource "azurerm_role_assignment" "resource_group" {
role_definition_name = "Reader"
principal_id = local.ingress_gateway_principal_id
}

resource "azurerm_role_assignment" "gateway" {
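
Review bot: the new `resource "azurerm_role_assignment" "gateway"` block is shown only up to its opening line, so its `scope` and `role_definition_name` cannot be checked from this hunk. The neighbouring `resource_group` assignment gives `local.ingress_gateway_principal_id` only `Reader`, and the error in the description names a single action, `Microsoft.Network/virtualNetworks/subnets/join/action`, on one subnet; please confirm the added assignment is scoped to the one resource that needs it rather than to the resource group, and that its role is no broader than that action requires. The PR title speaks of the public subnet while the resource label is `gateway`, so a label that matches the scope plus a one-line comment citing the `ApplicationGatewayInsufficientPermissionOnSubnet` error would make the purpose of the grant clear to later readers.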
Contributor Author


huh, this was missing: 72d2c88
