fix(up): idempotent AKS RBAC role assignments + Docker not required for --release (v0.1.15)#452

Merged

pallakatos merged 1 commit into main from fix/aks-rbac-idempotency-docker-preflight on Jun 25, 2026

Conversation

@pallakatos

Collaborator

Blocker: RoleAssignmentUpdateNotPermitted on kars up

aks.bicep named its role assignments guid(<resource>.id, …) — stable across an identity rotation. When the AKS kubelet identity rotates (fresh objectId on cluster recreate, e.g. --from-scratch after a teardown) or the sandbox UAMI is recreated with the same name, the GUID stayed constant but the principalId changed, so ARM tried to update an existing assignment's principal → RoleAssignmentUpdateNotPermitted ("principal ID … not allowed to be updated"), failing the whole deploy.

Fix

New modules/sandbox-rbac.bicep receives the principalIds as string params — legal in a roleAssignment name, unlike a runtime reference() (Bicep BCP120, which is why the obvious inline fix doesn't compile) — and names each assignment guid(scope, principalId, roleDefId). A rotated identity now yields a new name → a clean CREATE instead of a conflicting UPDATE.

Every role, principal, and scope is preserved exactly (kubelet AcrPull @ RG; sandbox AcrPull @ ACR; OpenAI User @ AOAI; KV Secrets User @ KV; MI Contributor @ UAMI). main.json recompiled in sync.

Also: kars up --release wrongly required Docker

Preflight auto-set build=true whenever a repo Dockerfile existed (dev-mode detection) without excluding --release — so running from a clone demanded Docker even though release mode only az acr imports published images (no local build). Fixed to skip the auto-build + Docker requirement under --release.

Verification

  • az bicep build --file deploy/bicep/main.bicep compiles clean (validates the module's existing/scope wiring + BCP120-safe names); main.json regenerated.
  • CLI tsc + oxlint clean; 821 vitest pass.
  • Module bundled into the npm package (dist/deploy/bicep/modules/).
  • Security audit: docs/internal/security-audits/2026-06-25-rbac-idempotency-docker-preflight.md (2 sign-offs).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
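A minimal illustration of the naming change this PR describes, showing the old name expression beside the new one (added example, not the PR's own modules/sandbox-rbac.bicep; the parameter names sandboxPrincipalId and acrName are assumed):

```bicep
// Added illustration of the idempotent role-assignment naming; not the PR's
// own module. Parameter names are assumed, the AcrPull role GUID is the
// well-known built-in role definition ID.
targetScope = 'resourceGroup'

// The parent template passes the principal's object ID as a plain string
// (e.g. from the UAMI resource's properties.principalId). A runtime
// reference() is not permitted inside a resource name (BCP120), so a string
// parameter is what makes the name expression below compile.
@description('Object ID of the sandbox UAMI (assumed parameter name).')
param sandboxPrincipalId string

@description('Name of the existing container registry to grant AcrPull on.')
param acrName string

var acrPullRoleDefId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '7f951dda-4ed3-4680-a7ca-43fe172d538d'
)

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' existing = {
  name: acrName
}

// BEFORE (the bug): the name depends only on the scope and the role, so a
// recreated UAMI keeps the same assignment name while principalId changes.
// ARM then tries to UPDATE the existing assignment's principal and rejects
// it with RoleAssignmentUpdateNotPermitted.
//   name: guid(acr.id, acrPullRoleDefId)

// AFTER (the fix): principalId is part of the name. A new object ID yields a
// new name, so the redeploy is a clean CREATE; an unchanged identity is a
// no-op because the name and every property match the existing assignment.
resource sandboxAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, sandboxPrincipalId, acrPullRoleDefId)
  scope: acr
  properties: {
    principalId: sandboxPrincipalId
    roleDefinitionId: acrPullRoleDefId
    principalType: 'ServicePrincipal'
  }
}
```

One caveat to keep in mind with this pattern: an incremental ARM deployment does not delete the assignment that carried the old principal, so after a rotation the stale assignment (pointing at an object ID that no longer exists) remains on the scope until it is cleaned up separately.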

…or --release (v0.1.15)

RoleAssignmentUpdateNotPermitted: aks.bicep named role assignments
guid(<resource>.id, ...) — stable across identity rotation. When the AKS
kubelet identity rotates (cluster recreate, e.g. --from-scratch) or the
sandbox UAMI is recreated with the same name, the GUID stayed constant but
the principalId changed → ARM tried to UPDATE an existing assignment's
principal and failed the whole deploy.

Fix: new modules/sandbox-rbac.bicep takes principalIds as STRING params
(legal in a roleAssignment name, unlike a runtime reference() — BCP120) and
names each guid(scope, principalId, roleDefId). A rotated identity now yields
a new name → clean CREATE instead of conflicting UPDATE. Every role,
principal, and scope is preserved exactly. main.json recompiled in sync.

Also: kars up --release no longer requires Docker. Preflight auto-enabled
build=true whenever a repo Dockerfile existed, without excluding --release —
but release mode only az-acr-imports published images (no local build). Now
skips the auto-build + Docker requirement when --release is set.

Security audit: docs/internal/security-audits/2026-06-25-rbac-idempotency-docker-preflight.md (2 sign-offs).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions


Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@pallakatos pallakatos merged commit f16599c into main Jun 25, 2026
32 checks passed
@pallakatos pallakatos deleted the fix/aks-rbac-idempotency-docker-preflight branch June 25, 2026 06:19