kickstart: feat/kickstart rbac checks #2181
Merged
davidgamero merged 2 commits on May 26, 2026
Adds a centralized helper that checks whether the signed-in user holds the
Azure role assignments required for a successful Kickstart deploy on the
Normal Namespace path:
Cluster scope (Azure RBAC for Kubernetes, when enabled):
- AKS RBAC Writer / RBAC Admin / RBAC Cluster Admin (kubectl apply)
ACR scope:
- AcrPush (docker push)
- Container Registry Tasks Contributor (az acr build)
The check uses listForScope with the atScope() filter so RG / subscription /
MG-inherited assignments count. A 403 on enumeration sets a *Inconclusive
flag so the UI warns rather than blocks.
CONFIGURE phase renders results as a single markdown table; DEPLOY phase
blocks only when the user definitively lacks an AKS RBAC Writer-tier role
on an Azure-RBAC-enabled cluster.
Refactors aksContainerAssist/oidcSetup.ts to consume the same role-ID
constants and isAzureRbacEnabled helper from the new shared module.
Self-assign / fix-it commands deferred to a follow-up PR.
- aksRbacHelpers: remove atScope() filter to include inherited roles; use assignedTo server-side filter instead of in-memory principalId check
- configure: add 'warning' CheckStatus for AKS Automatic SKU info (distinct from 'inconclusive' which means 403/auth failure)
- configure: render pre-flight table before kubeconfig failure so user sees all check results even when kubeconfig access is denied
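The pre-flight decision described above (inherited assignments count, a 403 on enumeration is inconclusive, DEPLOY blocks only on a definitive miss), as an added TypeScript example that is not code from this PR. All type and function names and the sample IDs are assumptions; it matches on role display names and resolves inheritance client-side by scope prefix, whereas the PR uses role-ID constants and a server-side filter.

```typescript
// Added example: type names, function names and sample data are assumptions.
type CheckStatus = "ok" | "missing" | "inconclusive";
interface Assignment { roleName: string; scope: string }
// Outcome of enumerating the signed-in user's role assignments.
interface ListResult { httpStatus: number; assignments: Assignment[] }

const AKS_WRITER_TIER = [
  "Azure Kubernetes Service RBAC Writer",
  "Azure Kubernetes Service RBAC Admin",
  "Azure Kubernetes Service RBAC Cluster Admin",
];

// True when the assignment scope is the resource itself or an ancestor
// (resource group, subscription, root). Management-group ancestry cannot be
// derived from the ID string, so it is not handled here.
function scopeCovers(assignmentScope: string, resourceId: string): boolean {
  const scope = assignmentScope.toLowerCase().replace(/\/+$/, "");
  const target = resourceId.toLowerCase();
  // Compare on a path-segment boundary so "rg-demo" does not cover "rg-demo2".
  return target === scope || target.indexOf(scope + "/") === 0;
}

function checkRoles(list: ListResult, resourceId: string, accepted: string[]): CheckStatus {
  if (list.httpStatus === 403) return "inconclusive"; // cannot enumerate: warn, do not block
  if (list.httpStatus !== 200) throw new Error(`unexpected status ${list.httpStatus}`);
  const held = list.assignments.some(
    (a) => accepted.indexOf(a.roleName) !== -1 && scopeCovers(a.scope, resourceId),
  );
  return held ? "ok" : "missing";
}

// DEPLOY gate: block only on a definitive miss on an Azure-RBAC-enabled cluster.
function deployBlocked(azureRbacEnabled: boolean, cluster: CheckStatus): boolean {
  return azureRbacEnabled && cluster === "missing";
}

// Constructed sample IDs and assignments (not real resources).
const SUB = "/subscriptions/00000000-0000-0000-0000-000000000000";
const CLUSTER = `${SUB}/resourceGroups/rg-demo/providers/Microsoft.ContainerService/managedClusters/aks-demo`;
const REGISTRY = `${SUB}/resourceGroups/rg-demo2/providers/Microsoft.ContainerRegistry/registries/acrdemo`;
const listed: ListResult = {
  httpStatus: 200,
  assignments: [
    { roleName: "Azure Kubernetes Service RBAC Writer", scope: `${SUB}/resourceGroups/rg-demo` },
    { roleName: "AcrPush", scope: `${SUB}/resourceGroups/rg-demo` },
  ],
};
const denied: ListResult = { httpStatus: 403, assignments: [] };
```

In the sample, the Writer assignment on `rg-demo` is inherited by the cluster, while the AcrPush assignment on `rg-demo` does not reach the registry in `rg-demo2`.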
@Tatsinnit for visibility
continuing work from #2165