v0.0.10: Not clear why az cli and RBAC assignment is needed when using managed identity mode

[gaurav137]

I'm using aks-flex-node in an Azure VM with MI enabled. Following the steps in the usage guide for service principal and also looking at the e2e test pipeline flow its not clear why:

• We need to install az cli in the VM when using MI and do an az login
• Need to perform an RBAC assignment (owner role per usage guide for service principal)
• uninstall.sh script removes az cli so if one had installed it for other reasons this ends up removing it.

When using MI based auth for kubelet expectation would be that only the role binding creation is required for the AAD enabled cluster.

So would be nice if an option to skip az cli install/login/rbac assignment is enabled for MI mode.

[bcho]

@gaurav137 to confirm, you are not using arc in this case right?

If so, I think the latest version should have removed the legacy role assignment part and az cli dependency in MSI mode. A minimal config can be like this (we use this in CI as well):

{
    "azure": {
      "subscriptionId": "$SUBSCRIPTION_ID",
      "tenantId": "$TENANT_ID",
      "cloud": "AzurePublicCloud",
      "managedIdentity": {},
      "targetCluster": {
	"resourceId": "$CLUSTER_ID",
	"location": "$LOCATION"
      }
    },
    "node": {
      "kubelet": {
	"serverURL": "$SERVER_URL",
	"caCertData": "$CA_CERT_DATA"
      }
    },
    "agent": {
      "logLevel": "debug",
      "logDir": "/var/log/aks-flex-node"
    },
    "kubernetes": { "version": "1.35.0" },
    "containerd": { "version": "2.0.4" },
    "runc": { "version": "1.1.12" }
  }