Revert RP AKS cluster admin role assignment (#2389)

2022-09-13 01:59:06 +10:00 · 2022-09-13 01:59:06 +10:00 · 4241b9c01f
--- a/pkg/deploy/assets/rp-development.json
+++ b/pkg/deploy/assets/rp-development.json
@ -117,17 +117,6 @@
                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
            ]
        },
-        {
-            "name": "[guid(resourceGroup().id, parameters('rpServicePrincipalId'), 'RP / AKS Admin')]",
-            "type": "Microsoft.Authorization/roleAssignments",
-            "properties": {
-                "scope": "[resourceGroup().id]",
-                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
-                "principalId": "[parameters('rpServicePrincipalId')]",
-                "principalType": "ServicePrincipal"
-            },
-            "apiVersion": "2018-09-01-preview"
-        },
        {
            "name": "[concat(resourceGroup().location, '.', parameters('clusterParentDomainName'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Network/dnsZones', concat(resourceGroup().location, '.', parameters('clusterParentDomainName'))), 'FP / DNS Zone Contributor'))]",
            "type": "Microsoft.Network/dnsZones/providers/roleAssignments",
--- a/pkg/deploy/assets/rp-production.json
+++ b/pkg/deploy/assets/rp-production.json
@ -1009,17 +1009,6 @@
                "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName'))]"
            ]
        },
-        {
-            "name": "[guid(resourceGroup().id, parameters('rpServicePrincipalId'), 'RP / AKS Admin')]",
-            "type": "Microsoft.Authorization/roleAssignments",
-            "properties": {
-                "scope": "[resourceGroup().id]",
-                "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8')]",
-                "principalId": "[parameters('rpServicePrincipalId')]",
-                "principalType": "ServicePrincipal"
-            },
-            "apiVersion": "2018-09-01-preview"
-        },
        {
            "name": "[concat(resourceGroup().location, '.', parameters('clusterParentDomainName'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.Network/dnsZones', concat(resourceGroup().location, '.', parameters('clusterParentDomainName'))), 'FP / DNS Zone Contributor'))]",
            "type": "Microsoft.Network/dnsZones/providers/roleAssignments",
--- a/pkg/deploy/generator/resources_rp.go
+++ b/pkg/deploy/generator/resources_rp.go
@ -1841,11 +1841,6 @@ func (g *generator) rpRBAC() []*arm.Resource {
 			"parameters('databaseAccountName')",
 			"concat(parameters('databaseAccountName'), '/Microsoft.Authorization/', guid(resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('databaseAccountName')), parameters('rpServicePrincipalId'), 'RP / DocumentDB Account Contributor'))",
 		),
-		rbac.ResourceGroupRoleAssignmentWithName(
-			rbac.RoleAzureKubernetesServiceClusterAdminRole,
-			"parameters('rpServicePrincipalId')",
-			"guid(resourceGroup().id, parameters('rpServicePrincipalId'), 'RP / AKS Admin')",
-		),
 		rbac.ResourceRoleAssignmentWithName(
 			rbac.RoleDNSZoneContributor,
 			"parameters('fpServicePrincipalId')",
--- a/pkg/util/rbac/rbac.go
+++ b/pkg/util/rbac/rbac.go
@ -12,14 +12,13 @@ import (
 )

 const (
-	RoleACRPull                                = "7f951dda-4ed3-4680-a7ca-43fe172d538d"
-	RoleContributor                            = "b24988ac-6180-42a0-ab88-20f7382dd24c"
-	RoleDocumentDBAccountContributor           = "5bd9cd88-fe45-4216-938b-f97437e15450"
-	RoleDNSZoneContributor                     = "befefa01-2a29-4197-83a8-272ff33ce314"
-	RoleNetworkContributor                     = "4d97b98b-1d4f-4787-a291-c67834d212e7"
-	RoleOwner                                  = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
-	RoleReader                                 = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
-	RoleAzureKubernetesServiceClusterAdminRole = "0ab0b1a8-8aac-4efd-b8c2-3ee1fb270be8"
+	RoleACRPull                      = "7f951dda-4ed3-4680-a7ca-43fe172d538d"
+	RoleContributor                  = "b24988ac-6180-42a0-ab88-20f7382dd24c"
+	RoleDocumentDBAccountContributor = "5bd9cd88-fe45-4216-938b-f97437e15450"
+	RoleDNSZoneContributor           = "befefa01-2a29-4197-83a8-272ff33ce314"
+	RoleNetworkContributor           = "4d97b98b-1d4f-4787-a291-c67834d212e7"
+	RoleOwner                        = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+	RoleReader                       = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
 )

 // ResourceRoleAssignment returns a Resource granting roleID on the resource of