
Agent should preflight RBAC permissions before assignRBACRoles #183

@nnamuhcs

Description

Hi team, thanks again for v0.1.0 — sharing one more observation from our Pi-rack edge demo.

What we observed

assignRBACRoles appears to write the four role assignments (Reader on the subscription, three on the cluster RG) serially. When the agent's credential is missing one of them, the call fails mid-way with a 403 and the agent exits, leaving the machine half-configured. The operator only finds out about the missing permission after several minutes of agent setup time.

Impact for our scenario

For sandboxed sub testing (which is how a lot of folks will first encounter the agent), the operator typically iterates a few times to get RBAC right. Each iteration costs the full setup time before the failure shows up, and they only learn about one missing role per iteration.

One possible direction

Would a small preflight phase before assignRBACRoles be in scope? Something that checks all required scope/role pairs in one pass and prints the full set of missing ones with copy-pasteable az role assignment create commands. Could also fold in a sanity check that AAD + Azure RBAC are enabled on the cluster (already validated later, just nicer to surface up front).

This may overlap with #92 in spirit — happy to consolidate if you'd prefer.

Version tested: v0.1.0 (git 65d8d38).
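A sketch of the preflight described above, added here as an illustration and not code from the project or the issue author: it compares the required scope/role pairs against the principal's existing assignments in one pass, treats assignments inherited from a parent scope as satisfying, and prints one az CLI command per gap. The subscription id, resource group and the three RG-scope role names are placeholders (the issue does not name the three roles), and the JSON is constructed to mimic `az role assignment list --assignee <id> --all` output.

```python
"""Preflight for the agent's RBAC prerequisites (added example, not project code)."""
import json
import shlex

# Required (role, scope) pairs. "Reader on the subscription" is from the issue;
# the three resource-group roles are hypothetical placeholders.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
CLUSTER_RG = SUBSCRIPTION + "/resourceGroups/edge-rg"
REQUIRED = [
    ("Reader", SUBSCRIPTION),
    ("Hypothetical Role A", CLUSTER_RG),
    ("Hypothetical Role B", CLUSTER_RG),
    ("Hypothetical Role C", CLUSTER_RG),
]

def scope_covers(assigned_scope, required_scope):
    """Azure role assignments inherit downward: an assignment at the subscription
    satisfies the same role required on any resource group or resource under it."""
    a = assigned_scope.lower().rstrip("/")
    r = required_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")

def missing_assignments(assignments, required=REQUIRED):
    """Return the (role, scope) pairs not satisfied by any existing assignment.
    `assignments` is parsed `az role assignment list` JSON; only the
    roleDefinitionName and scope fields are consulted."""
    return [
        (role, scope) for role, scope in required
        if not any(a["roleDefinitionName"].lower() == role.lower()
                   and scope_covers(a["scope"], scope) for a in assignments)
    ]

def remediation_commands(missing, assignee):
    """One copy-pasteable command per missing pair, shell-quoted."""
    return ["az role assignment create --assignee {} --role {} --scope {}".format(
                shlex.quote(assignee), shlex.quote(role), shlex.quote(scope))
            for role, scope in missing]

# Constructed sample: the principal holds Reader on the subscription and only
# one of the three resource-group roles, so the preflight should report two gaps.
SAMPLE_ASSIGNMENTS = json.loads("""[
  {"roleDefinitionName": "Reader", "scope": "%s", "principalId": "app-id"},
  {"roleDefinitionName": "Hypothetical Role B", "scope": "%s", "principalId": "app-id"}
]""" % (SUBSCRIPTION, CLUSTER_RG))

if __name__ == "__main__":
    gaps = missing_assignments(SAMPLE_ASSIGNMENTS)
    for cmd in remediation_commands(gaps, "app-id"):
        print(cmd)
    raise SystemExit(1 if gaps else 0)
```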
