Azure Integrator requires "Owner" service principal

Bug #1928906 reported by Peter Jose De Sousa
Affects: Azure Integrator Charm
Status: Fix Released
Importance: High
Assigned to: Cory Johns

Bug Description

Hi,

When deploying Charmed Kubernetes, the azure integrator assigns roles to VMs to be able to create LoadBalancers and PVCs, as well as other cloud actions. When using Service Principals with Juju this presents a problem, as a service principal that can assign roles to VMs (Managed Identities [1]) can also assign roles to any entity within the Azure subscription.

E.g.

Service Principal A "Owner"

A assigns "Subscription Owner" to B

B or A are leaked/stolen/compromised.

Malicious user uses A or B to delete subscription (The Virtual Datacentre).

It is not possible in Azure to assign "lesser" permissions to a Service Principal to grant role permissions without granting "Owner". However, it is possible to configure the k8s-azure cloud provider to use the service principal directly.

The Azure cloud provider for k8s has two modes of authentication, Managed Identity (VM Identities) or using the service principal directly. [2]

The fix for this bug is to pass the Azure credentials over the relations to the k8s masters so that they can render the Azure configuration with useManagedIdentities: false, e.g.

/var/snap/kube-controller-manager/common/cloud-conf.conf
{
    "useManagedIdentityExtension": false,
    "aadClientId": "MY-CLIENT-GUID",
    "aadClientSecret": "MY-SUPER-SECURE-CLIENT-SECRET",
    .... other configuration....
}

[1] https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview
[2] https://github.com/kubernetes/kubernetes/blob/80093635c618a62d3ffaa0aabb7b2e2f75393274/staging/src/k8s.io/legacy-cloud-providers/azure/auth/azure_auth.go#L58

Peter
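As an added example (not part of this bug report or of the charm's code), the following Python audits role assignments in the shape of `az role assignment list -o json` output and flags service principals holding a role that can itself assign roles (Owner, User Access Administrator), which is the exposure described above; the principal names and the subscription id in the sample are constructed placeholders.

```python
import json

# Built-in roles that include Microsoft.Authorization/roleAssignments/write,
# i.e. a principal holding them can grant any role to any principal in scope.
ROLE_GRANTING_ROLES = {"Owner", "User Access Administrator"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string as subscription, resourceGroup, resource or other."""
    parts = [p for p in scope.split("/") if p]
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        if len(parts) == 2:
            return "subscription"
        if len(parts) == 4 and parts[2].lower() == "resourcegroups":
            return "resourceGroup"
        return "resource"
    return "other"


def find_role_granting_principals(assignments):
    """Return (principalName, role, scopeLevel) for every service principal
    whose assigned role lets it hand out further role assignments."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue
        if a.get("roleDefinitionName") not in ROLE_GRANTING_ROLES:
            continue
        findings.append((a["principalName"], a["roleDefinitionName"], scope_level(a["scope"])))
    return findings


# Constructed sample in the shape of `az role assignment list -o json`
# (placeholder names and an all-zero subscription id, not real values).
SAMPLE = json.loads("""[
  {"principalName": "juju-integrator-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "k8s-cloud-provider-sp", "principalType": "ServicePrincipal",
   "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/juju-ck"},
  {"principalName": "alice@example.com", "principalType": "User",
   "roleDefinitionName": "Owner", "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}
]""")

if __name__ == "__main__":
    for name, role, level in find_role_granting_principals(SAMPLE):
        print(f"{name}: {role} at {level} scope can assign roles to any principal in that scope")
```

Running it against the sample reports only the integrator's subscription-scoped Owner principal; the cloud provider's Contributor at resource-group scope, the shape the fix moves towards, is not flagged.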

Peter Jose De Sousa (pjds):
description: updated
description: updated
George Kraft (cynerva)
Changed in charm-azure-integrator:
importance: Undecided → High
status: New → Triaged
Cory Johns (johnsca):
Changed in charm-azure-integrator:
status: Triaged → Fix Committed
milestone: none → 1.22
milestone: 1.22 → 1.21+ck3
milestone: 1.21+ck3 → none
Cory Johns (johnsca) wrote:

I'm not sure which milestone this should be targeted to (and hence whether these PRs need to be backported).

George Kraft (cynerva)
Changed in charm-azure-integrator:
milestone: none → 1.22
Changed in charm-azure-integrator:
status: Fix Committed → Fix Released
Changed in charm-azure-integrator:
assignee: nobody → Cory Johns (johnsca)