allow istio to join manually created public ip

Roy Brener 1 Reputation point
2021-11-09T17:02:38.81+00:00

I'm trying to create an AKS service with static pre-defined public IP. For that I'm using terraform.

The important parts

resource "azurerm_public_ip" "public_ip" {
  allocation_method   = "Static"
  location            = azurerm_resource_group.rg.location
  name                = "${local.resource_name_prefix}-PublicIp1"
  resource_group_name = azurerm_resource_group.rg.name
  sku = "Standard"

  tags = local.common_tags
}

resource "azurerm_kubernetes_cluster" "aks" {
  location            = azurerm_resource_group.rg.location
  name                = "${local.resource_name_prefix}-aks"
  resource_group_name = azurerm_resource_group.rg.name

  default_node_pool {
    name    = "system"
    vm_size = "Standard_DS2_v2"
    vnet_subnet_id = azurerm_subnet.app_subnet.id

    upgrade_settings {
      max_surge = "30"
    }

  }

  network_profile {
    network_plugin = "kubenet"
    load_balancer_sku = "Standard"
    load_balancer_profile {
      outbound_ip_address_ids = [ azurerm_public_ip.public_ip.id ]
    }
  }

  role_based_access_control {
    enabled = true
  }

}

the virtual network + subnets are also pre-defined.

now when trying to install istio using istioctl install, istio-ingressgateway Loadbalancer is failing on

{
  "error": {
    "code": "LinkedAuthorizationFailed",
    "message": "The client 'xxxxx' with object id 'xxxx' has permission to perform action 'Microsoft.Network/loadBalancers/write' on scope '/subscriptions/xxxx/resourceGroups/xxx_rg/providers/Microsoft.Network/loadBalancers/kubernetes'; however, it does not have permission to perform action 'Microsoft.Network/publicIPAddresses/join/action' on the linked scope(s) '/subscriptions/xxx/resourceGroups/xxx-rg/providers/Microsoft.Network/publicIPAddresses/xxx-PublicIp1' or the linked scope(s) are invalid."
  }
}

Any help will be greatly appreciated

Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
1,110 questions
No comments
{count} votes

1 answer

Sort by: Most helpful
  1. shiva patpi 9,171 Reputation points Microsoft Employee
    2021-11-09T18:57:27.157+00:00

    Hello @Roy Brener ,
    Can you try giving "Network Contributor" access to the client mentioned in that error message ?
    Try out providing Network Contributor access on the resource group level under which that PublicIP address is there.

    Azure CLI Commands:

    az role assignment create --assignee xxx --scope /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.Network/ --role Contributor
    az role assignment create --assignee xxx --scope /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.Network/ --role NetworkContributor

    Regards,
    Shiva.

    No comments