allow istio to join manually created public ip

Roy Brener 1 Reputation point
2021-11-09T17:02:38.81+00:00

I'm trying to create an AKS service with a static, pre-defined public IP. For that I'm using Terraform.

The important parts:

resource "azurerm_public_ip" "public_ip" {
  allocation_method   = "Static"
  location            = azurerm_resource_group.rg.location
  name                = "${local.resource_name_prefix}-PublicIp1"
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "Standard"   # Standard SKU is required by the Standard load balancer used below

  tags = local.common_tags
}

resource "azurerm_kubernetes_cluster" "aks" {
  location            = azurerm_resource_group.rg.location
  name                = "${local.resource_name_prefix}-aks"
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "${local.resource_name_prefix}-aks"   # required argument, not in the original excerpt; value assumed

  # Required: the cluster needs an identity (or a service principal). This is the
  # principal that the error message below refers to; a system-assigned identity
  # is assumed here because the excerpt does not show which one is used.
  identity {
    type = "SystemAssigned"
  }

  default_node_pool {
    name           = "system"
    vm_size        = "Standard_DS2_v2"
    vnet_subnet_id = azurerm_subnet.app_subnet.id   # pre-created subnet

    upgrade_settings {
      max_surge = "30"
    }
  }

  network_profile {
    network_plugin    = "kubenet"
    load_balancer_sku = "Standard"
    load_balancer_profile {
      # pre-created public IP used as the cluster's outbound (SNAT) address
      outbound_ip_address_ids = [azurerm_public_ip.public_ip.id]
    }
  }

  role_based_access_control {
    enabled = true
  }
}

The virtual network and subnets are also pre-defined.

Now, when trying to install Istio using istioctl install, the istio-ingressgateway LoadBalancer is failing on:

{
  "error": {
    "code": "LinkedAuthorizationFailed",
    "message": "The client 'xxxxx' with object id 'xxxx' has permission to perform action 'Microsoft.Network/loadBalancers/write' on scope '/subscriptions/xxxx/resourceGroups/xxx_rg/providers/Microsoft.Network/loadBalancers/kubernetes'; however, it does not have permission to perform action 'Microsoft.Network/publicIPAddresses/join/action' on the linked scope(s) '/subscriptions/xxx/resourceGroups/xxx-rg/providers/Microsoft.Network/publicIPAddresses/xxx-PublicIp1' or the linked scope(s) are invalid."
  }
}

Any help will be greatly appreciated.


1 answer

  1. shiva patpi 13,376 Reputation points Microsoft Employee Moderator
    2021-11-09T18:57:27.157+00:00

    Hello @Roy Brener ,
    Can you try giving "Network Contributor" access to the client mentioned in that error message?
    Try out providing Network Contributor access on the resource group level under which that PublicIP address is there.

    Azure CLI Commands:

    # --assignee is the object id named in the error message (the cluster's identity);
    # the scope is the resource group that holds the public IP. The built-in role
    # name contains a space, so it must be quoted.
    az role assignment create --assignee xxx --scope /subscriptions/subid/resourceGroups/rgname --role Contributor
    az role assignment create --assignee xxx --scope /subscriptions/subid/resourceGroups/rgname --role "Network Contributor"

    Regards,
    Shiva.

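The error in the question says exactly which action the cluster identity lacks: `Microsoft.Network/publicIPAddresses/join/action` on the pre-created public IP. The answer above resolves it by granting Contributor or Network Contributor on the resource group, which also hands the cluster identity write access to every other network resource in that group. The following Terraform is an added example, not code from the question or the answer, of a narrower fix: a custom role carrying only the read and join actions on public IPs, assigned to the cluster's control-plane identity at the same resource-group scope the answer recommends. It assumes the resources from the question (`azurerm_resource_group.rg`, `azurerm_public_ip.public_ip`, `azurerm_kubernetes_cluster.aks` with a system-assigned identity); the role and assignment names are made up here.

```hcl
# Added example (not from the question or the answer). Assumes the question's
# resources and a system-assigned cluster identity; names below are hypothetical.

# Custom role carrying only what the error message asks for: read and join on
# public IP addresses. It is assignable within the resource group that holds
# the pre-created public IP, and nowhere else.
resource "azurerm_role_definition" "public_ip_join" {
  name        = "${local.resource_name_prefix}-public-ip-join"   # hypothetical role name
  scope       = azurerm_resource_group.rg.id
  description = "Read and join public IP addresses (AKS cloud controller)"

  permissions {
    actions = [
      "Microsoft.Network/publicIPAddresses/read",
      "Microsoft.Network/publicIPAddresses/join/action",
    ]
    not_actions = []
  }

  assignable_scopes = [azurerm_resource_group.rg.id]
}

# Assign the role to the cluster's control-plane identity, the principal that
# creates the "kubernetes" load balancer and whose object id appears in the
# LinkedAuthorizationFailed message. Scope is the resource group, as in the
# answer, but the role grants two actions instead of all of Microsoft.Network/*.
resource "azurerm_role_assignment" "aks_public_ip_join" {
  scope              = azurerm_resource_group.rg.id
  role_definition_id = azurerm_role_definition.public_ip_join.role_definition_resource_id
  principal_id       = azurerm_kubernetes_cluster.aks.identity[0].principal_id
}
```

After `terraform apply`, the assignment can be confirmed with `az role assignment list --assignee <object id from the error> --scope <resource group id>`, and the Istio ingress Service should reconcile on its next retry without any change to the cluster itself. Because the public IP lives outside the cluster's node resource group, the ingress Service also has to carry the `service.beta.kubernetes.io/azure-load-balancer-resource-group` annotation naming that group, otherwise the cloud provider looks for the address in the node resource group.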
