azure-container-networking
User "system:serviceaccount:kube-system:azure-cns" cannot list resource "clustersubnetstates" after update to 1.30.4 control plane
It seems the new azure-cns is missing some roles/permissions. After the update to Kubernetes 1.30.4, CNS is unable to authorize against the API:
W1010 10:54:07.200809 1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1alpha1.ClusterSubnetState: clustersubnetstates.acn.azure.com is forbidden: User "system:serviceaccount:kube-system:azure-cns" cannot list resource "clustersubnetstates" in API group "acn.azure.com" at the cluster scope
E1010 10:54:07.200850 1 reflector.go:150] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: Failed to watch *v1alpha1.ClusterSubnetState: failed to list *v1alpha1.ClusterSubnetState: clustersubnetstates.acn.azure.com is forbidden: User "system:serviceaccount:kube-system:azure-cns" cannot list resource "clustersubnetstates" in API group "acn.azure.com" at the cluster scope
As a result, new IP addresses cannot be assigned to pods, which causes this error:
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to setup network for sandbox "b009a12325af4202a9094c60d3971fb6c562bfa975cb18845cdacc64ff527199": plugin type="azure-vnet" failed (add): IPAM Invoker Add failed with error: failed to add ipam invoker: Failed to get IP address from CNS: AllocateIPConfig failed: not enough IPs available for 82ca83b3-f5da-44f2-a766-2aefd70f192e, waiting on Azure CNS to allocate more with NC Status:
Maybe a role binding is missing in https://github.com/Azure/azure-container-networking/blob/master/cns/azure-cns.yaml?
As a result, the cluster is stuck.
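A triage helper for the denials reported above, added here as an example and not part of the original report or the azure-container-networking project: it extracts the subject, verb, resource and API group from `forbidden` log lines and builds the matching `kubectl auth can-i` impersonation checks. The function names and the trimmed sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Shape of the API server's RBAC denial message, as seen in the log lines on this page.
FORBIDDEN = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<ns>[^"]+)")'
)

# Constructed sample: the two reflector lines from the report, trimmed to the message part.
SAMPLE_LOG = '''\
W1010 10:54:07.200809 1 reflector.go:547] failed to list *v1alpha1.ClusterSubnetState: clustersubnetstates.acn.azure.com is forbidden: User "system:serviceaccount:kube-system:azure-cns" cannot list resource "clustersubnetstates" in API group "acn.azure.com" at the cluster scope
E1010 10:54:07.200850 1 reflector.go:150] Failed to watch *v1alpha1.ClusterSubnetState: failed to list *v1alpha1.ClusterSubnetState: clustersubnetstates.acn.azure.com is forbidden: User "system:serviceaccount:kube-system:azure-cns" cannot list resource "clustersubnetstates" in API group "acn.azure.com" at the cluster scope
'''


def denied_permissions(log_text):
    """Return {(user, api_group, resource, namespace_or_None): sorted verbs}."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        for m in FORBIDDEN.finditer(line):
            found[(m["user"], m["group"], m["resource"], m["ns"])].add(m["verb"])
    return {key: sorted(verbs) for key, verbs in found.items()}


def can_i_commands(denials):
    """Build `kubectl auth can-i` checks that reproduce each denial via impersonation."""
    commands = []
    for (user, group, resource, ns), verbs in sorted(denials.items(), key=str):
        # Core-group resources have an empty API group and take no suffix.
        target = f"{resource}.{group}" if group else resource
        # A denial "at the cluster scope" is checked across all namespaces.
        scope = f"-n {ns}" if ns else "--all-namespaces"
        for verb in verbs:
            commands.append(f"kubectl auth can-i {verb} {target} --as={user} {scope}")
    return commands


if __name__ == "__main__":
    for command in can_i_commands(denied_permissions(SAMPLE_LOG)):
        print(command)
```

Each generated command answers `no` while the permission is missing and `yes` once a ClusterRole and binding covering that verb and resource are in place for the service account.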