azure-docs
Fix wrong-formatted command + add RBAC-related command/note in limit-egress-traffic.md
Proposed change:
- Fix the missing `\` in the original command, which will split the command into two parts.
- Add an RBAC command/note to indicate the 403 issue (also directly related to change 3).
- The statement "If you create your own VNet and route table where the resources are outside of the worker node resource group, the CLI will add the role assignment automatically." is wrong. Az-cli will ask the user to manually assign the role.
- "Get the service IP using the `kubectl get svc voting-app` command." refers to the wrong service name.
Context: Using user-assigned managed identity for AKS.
Basis:
Part 2
Part 3
Environment: Cloud Shell
```
joey [ ~ ]$ az version
{
  "azure-cli": "2.60.0",
  "azure-cli-core": "2.60.0",
  "azure-cli-telemetry": "1.1.0",
  "extensions": {
    "ai-examples": "0.2.5",
    "azure-firewall": "1.0.1",
    "ml": "2.25.1",
    "ssh": "2.0.3"
  }
}
```
Issue that occurs when following the current document:

```
joey [ ~ ]$ az aks create -g $RG -n $AKSNAME -l $LOC --node-count 3 --network-plugin kubenet --outbound-type userDefinedRouting --vnet-subnet-id $SUBNETID --api-server-authorized-ip-ranges $FWPUBLIC_IP --enable-managed-identity --assign-identity /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity --assign-kubelet-identity /subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myKubeletIdentity --no-ssh-key
docker_bridge_cidr is not a known attribute of class <class 'azure.mgmt.containerservice.v2024_02_01.models._models_py3.ContainerServiceNetworkProfile'> and will be ignored
AAD role propagation done[############################################] 100.0000%
(CustomRouteTableMissingPermission) Managed identity or service principle must be given permission to read and write to custom route table /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/routeTables/joey-aks-fw-fwrt. Please see https://aka.ms/aks/customrt for more information
Code: CustomRouteTableMissingPermission
Message: Managed identity or service principle must be given permission to read and write to custom route table /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/routeTables/joey-aks-fw-fwrt. Please see https://aka.ms/aks/customrt for more information
```
Result after changes:

Environment: Cloud Shell

Change 1

```
az aks create -g $RG -n $AKSNAME -l $LOC \
  --node-count 3 \
  --network-plugin kubenet \
  --outbound-type userDefinedRouting \
  --vnet-subnet-id $SUBNETID \
  --api-server-authorized-ip-ranges $FWPUBLIC_IP \
  --enable-managed-identity \
  --assign-identity <redacted> \
  --assign-kubelet-identity <redacted>
docker_bridge_cidr is not a known attribute of class <class 'azure.mgmt.containerservice.v2024_02_01.models._models_py3.ContainerServiceNetworkProfile'> and will be ignored
 | Running ..
```
Change 2&3

```
myIdentity_objId=$(az identity show --name myIdentity --resource-group $RG --query principalId -o tsv)
az role assignment create --assignee-object-id $myIdentity_objId --assignee-principal-type ServicePrincipal --role "Network Contributor" --scope $SUBNETID
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2024-05-02T09:08:26.559936+00:00",
  (...no need to expand more result)
```

```
az role assignment create --assignee-object-id $myIdentity_objId --assignee-principal-type ServicePrincipal --role "Network Contributor" --scope $FWROUTE_TABLE_ID
{
  "condition": null,
  "conditionVersion": null,
  (...no need to expand more result)
```
Role assignments can be successfully found:

Route table:

Subnet:

```
RoleAssignmentId,Scope,DisplayName,SignInName,RoleDefinitionName,RoleDefinitionId,ObjectId,ObjectType,RoleAssignmentDescription,ConditionVersion,Condition
6d6ac5fd-9a17-4a89-9849-21d79b4d7672,/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/joey-aks-fw-rg/providers/Microsoft.Network/virtualNetworks/joey-aks-fw-vnet/subnets/aks-subnet,myIdentity,/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/joey-aks-fw-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myIdentity,Network Contributor,/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7,b3cdb87f-a803-4dc6-ab6b-ef9d48b34b54,ServicePrincipal,,,
```
Wait 5 mins, then deploy the service:

```
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Service
metadata:
  name: another-store-front
spec:
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: store-front
  type: LoadBalancer
EOF
```
No issue at all:
I also tested the system-assigned managed identity; it does auto-assign the role. Only the user-assigned managed identity will not auto-assign the role.
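As an added pre-flight check that is not part of this PR or of azure-docs: a bash script that reads the CSV shape of `az role assignment list -o csv` (the header shown above) and confirms the identity already holds Network Contributor on both the subnet and the custom route table before `az aks create` is run, so the CustomRouteTableMissingPermission failure is caught up front. The CSV rows, identity object ID and resource IDs are constructed placeholders, and `has_role` / `preflight_udr_rbac` are hypothetical helper names.

```shell
#!/usr/bin/env bash
# Added example, not part of the PR or of azure-docs: pre-flight check that the
# user-assigned identity already holds "Network Contributor" on BOTH the AKS
# subnet and the custom route table before `az aks create --outbound-type
# userDefinedRouting` runs. A missing route-table assignment otherwise surfaces
# only as the CustomRouteTableMissingPermission error quoted above.
# Input is the CSV shape of `az role assignment list -o csv` (header as shown in
# the PR); the rows below are a constructed sample so the script runs offline.

SAMPLE_ASSIGNMENTS='RoleAssignmentId,Scope,DisplayName,SignInName,RoleDefinitionName,RoleDefinitionId,ObjectId,ObjectType,RoleAssignmentDescription,ConditionVersion,Condition
11111111-1111-1111-1111-111111111111,/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/aks-subnet,myIdentity,,Network Contributor,/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7,22222222-2222-2222-2222-222222222222,ServicePrincipal,,,
33333333-3333-3333-3333-333333333333,/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg,someone@example.com,someone@example.com,Reader,/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleDefinitions/55555555-5555-5555-5555-555555555555,44444444-4444-4444-4444-444444444444,User,,,'

# Constructed identifiers (the real ones come from `az identity show` and the
# $SUBNETID / $FWROUTE_TABLE_ID variables used in the PR). The subnet ID is
# deliberately spelled with lowercase "resourcegroups", as az output often is.
IDENTITY_OID=22222222-2222-2222-2222-222222222222
SUBNET_ID=/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/example-rg/providers/Microsoft.Network/virtualNetworks/example-vnet/subnets/aks-subnet
FWROUTE_TABLE_ID=/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/providers/Microsoft.Network/routeTables/example-fwrt

# has_role CSV OBJECT_ID ROLE SCOPE -> 0 if a row grants ROLE to OBJECT_ID at
# exactly SCOPE. Azure resource IDs are case-insensitive, so scopes are compared
# lowercased; the role name and object ID are compared exactly.
has_role() {
  printf '%s\n' "$1" | awk -F, -v oid="$2" -v role="$3" -v scope="$4" '
    NR > 1 && tolower($2) == tolower(scope) && $5 == role && $7 == oid { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# preflight_udr_rbac CSV OBJECT_ID SUBNET_ID ROUTE_TABLE_ID -> 0 only when both
# scopes are covered; prints each missing scope and the matching fix otherwise.
preflight_udr_rbac() {
  local csv="$1" oid="$2" ok=0 scope
  for scope in "$3" "$4"; do
    if ! has_role "$csv" "$oid" "Network Contributor" "$scope"; then
      echo "missing: Network Contributor for $oid on $scope" >&2
      echo "fix: az role assignment create --assignee-object-id $oid --assignee-principal-type ServicePrincipal --role \"Network Contributor\" --scope $scope" >&2
      ok=1
    fi
  done
  return $ok
}

if preflight_udr_rbac "$SAMPLE_ASSIGNMENTS" "$IDENTITY_OID" "$SUBNET_ID" "$FWROUTE_TABLE_ID"; then
  echo "RBAC pre-flight passed; safe to run az aks create"
fi
```

With the sample data the check reports the route table as missing, which is exactly the assignment Change 3 adds by hand for a user-assigned identity.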