From 92657ec852fd639d2612a8391b4e10c936734147 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radek=20Ma=C5=88=C3=A1k?=
Date: Tue, 17 Mar 2026 10:37:02 +0100
Subject: [PATCH 1/2] Add delete permission for Azure load balancers in credentials request
---
 ...-controller-manager-operator_14_credentialsrequest-azure.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml b/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml
index 17084c222..c5706e972 100644
--- a/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml
+++ b/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml
@@ -21,6 +21,7 @@ spec:
 - Microsoft.Network/loadBalancers/write
 - Microsoft.Network/loadBalancers/inboundNatRules/join/action
 - Microsoft.Network/loadBalancers/loadBalancingRules/read
+ - Microsoft.Network/loadBalancers/delete
 - Microsoft.Network/natGateways/join/action
 - Microsoft.Network/networkIntentPolicies/join/action
 - Microsoft.Network/networkInterfaces/read
From c6f1319cdf0abc4f14fd2ae17887caa42ac60d5a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Radek=20Ma=C5=88=C3=A1k?=
Date: Tue, 17 Mar 2026 11:14:27 +0100
Subject: [PATCH 2/2] Add privateEndpointConnections/delete permission for Azure PLS cleanup The cloud-provider-azure CCM calls safeDeletePLS() when removing a Private Link Service (e.g. when a LoadBalancer Service with the azure-pls-create annotation is deleted). This function iterates over all PrivateEndpointConnections on the PLS and deletes each one before deleting the PLS itself, because Azure does not allow deleting a PLS that has active Private Endpoint connections from consumers. Without this permission, PLS cleanup fails when an external consumer has connected to the service via a Private Endpoint.
---
 ...-controller-manager-operator_14_credentialsrequest-azure.yaml | 1 +
 1 file changed, 1 insertion(+)
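Review bot: The added `Microsoft.Network/loadBalancers/delete` entry has no stated rationale, either in the manifest or in the commit message, so a later least-privilege audit cannot tell which controller code path needs to delete whole load balancers. A one-line comment above the entry would record it, along the lines of `# needed by <call site, to be filled in> when the last Service using a load balancer is removed`. The scope at which this permission list is bound is not visible in the hunk; if it reaches beyond the cluster's own resource group, that deserves a check before a delete right is granted. On clusters where credentials are provisioned manually rather than minted from this request, the new actions here and in the `privatelinkservices` hunk presumably have to be added to the role by an administrator, which is worth a release note. Placing the entry beside `Microsoft.Network/loadBalancers/write` rather than after the sub-resource entries would also keep the top-level load balancer actions together.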
diff --git a/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml b/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml
index c5706e972..6881e5dce 100644
--- a/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml
+++ b/manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml
@@ -31,6 +31,7 @@ spec:
 - Microsoft.Network/networkSecurityGroups/write
 - Microsoft.Network/networkSecurityGroups/join/action
 - Microsoft.Network/privatelinkservices/delete
+ - Microsoft.Network/privatelinkservices/privateEndpointConnections/delete
 - Microsoft.Network/privatelinkservices/read
 - Microsoft.Network/privatelinkservices/write
 - Microsoft.Network/publicIPAddresses/delete
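Review bot: The reason for `Microsoft.Network/privatelinkservices/privateEndpointConnections/delete` is recorded only in the commit message, so anyone auditing this manifest later sees a permission that removes consumer-created connections with no stated purpose. I would add a comment above the entry, for example `# safeDeletePLS removes Private Endpoint connections before deleting the PLS`. It would also help to describe in the PR how the missing permission shows up (presumably an authorization error from Azure while a Service is being deleted), so operators can recognise it in the controller logs.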