Azure Integrator requires "Owner" service principal
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Azure Integrator Charm | Fix Released | High | Cory Johns | 1.22
Bug Description
Hi,
When deploying Charmed Kubernetes the azure integrator assigns roles to VMs to be able to create LoadBalancers and PVCs, as well as other cloud actions. When using Service Principals with juju this presents a problem as a service principal that can assign roles to VMs (Managed Identities [1]) can also assign roles to any entity within the azure subscription.
E.g.
Service Principal A "Owner"
A Assigns "Subscription Owner to B"
B or A are leaked/
Malicious user uses A or B to delete subscription (The Virtual Datacentre).
It is not possible in azure to assign "lesser" permissions to a Service Principal to grant role permissions without granting "Owner". It is possible, however, to configure the k8s-azure cloud provider to use the service principal directly.
The Azure cloud provider for k8s has two modes of authentication, Managed Identity (VM Identities) or using the service principal directly. [2]
The fix for this bug is to pass the azure credentials over the relations to the k8s masters so that they can render the azure configuration with useManagedIdent
/var/snap/
{
"useManaged
"aadClient": "MY-CLIENT-GUID",
"aadClientS
.... other configuration....
}
[1] https:/
[2] https:/
Peter
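As an added example (not code from the report, the charm or the cloud provider), the two cloud-provider authentication modes the report contrasts, rendered from a hypothetical relation payload, together with a helper that audits which scopes a principal holds a role-granting role at, which is what the reporter wants to keep away from the juju service principal. The azure.json keys are the Kubernetes Azure cloud provider's own; the relation payload key names and all sample values are assumptions.

```python
# Roles able to hand out further role assignments; the report's concern is that
# a juju service principal needs one of these to give VM identities their roles.
ROLE_GRANTING_ROLES = {"Owner", "User Access Administrator"}

def build_azure_config(creds, use_managed_identity):
    """Build the Kubernetes Azure cloud-provider config for one auth mode.

    `creds` is a hypothetical relation payload (keys assumed: subscription_id,
    tenant_id, resource_group, location, client_id, client_secret).
    """
    cfg = {
        "cloud": "AzurePublicCloud",
        "tenantId": creds["tenant_id"],
        "subscriptionId": creds["subscription_id"],
        "resourceGroup": creds["resource_group"],
        "location": creds["location"],
        "useManagedIdentityExtension": use_managed_identity,
    }
    if use_managed_identity:
        # VM-identity mode: no secret is written, but the VM must already carry
        # a role assignment that some Owner-level principal had to make.
        return cfg
    # Service-principal mode: the master authenticates with the credentials it
    # received over the relation, so nothing has to assign roles to the VM.
    if not creds.get("client_id") or not creds.get("client_secret"):
        raise ValueError("service-principal mode needs client_id and client_secret")
    cfg["aadClientId"] = creds["client_id"]
    cfg["aadClientSecret"] = creds["client_secret"]
    return cfg

def role_granting_scopes(assignments, principal_id):
    """Scopes at which `principal_id` holds a role that can itself assign roles.

    `assignments` mirrors `az role assignment list` entries (principalId,
    roleDefinitionName, scope); use it to audit what the juju SP really holds.
    """
    return sorted(a["scope"] for a in assignments
                  if a["principalId"] == principal_id
                  and a["roleDefinitionName"] in ROLE_GRANTING_ROLES)

if __name__ == "__main__":
    # Constructed sample data, not real identifiers.
    creds = {"subscription_id": "sub-0000", "tenant_id": "tenant-0000",
             "resource_group": "juju-rg", "location": "westeurope",
             "client_id": "MY-CLIENT-GUID", "client_secret": "constructed-secret"}
    print(build_azure_config(creds, use_managed_identity=False))
    sample = [{"principalId": "sp-a", "roleDefinitionName": "Owner",
               "scope": "/subscriptions/sub-0000"}]
    print(role_granting_scopes(sample, "sp-a"))  # ['/subscriptions/sub-0000']
```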
description: updated
Changed in charm-azure-integrator:
  importance: Undecided → High
  status: New → Triaged
Changed in charm-azure-integrator:
  milestone: none → 1.22
Changed in charm-azure-integrator:
  status: Fix Committed → Fix Released
Changed in charm-azure-integrator:
  assignee: nobody → Cory Johns (johnsca)
Subscribing field medium.
PRs:
- https://github.com/juju-solutions/interface-azure-integration/pull/6
- https://github.com/juju-solutions/charm-azure-integrator/pull/30