OCPBUGS-78118: Add delete permission for Azure load balancers in credentials request

[RadekManak]

No description provided.

[openshift-ci-robot]

@RadekManak: This pull request references Jira Issue OCPBUGS-78118, which is invalid:

• expected the bug to target the "4.22.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 609f28e8-3194-4a1b-bbb8-50fda8510baa

📥 Commits

Reviewing files that changed from the base of the PR and between b108246 and c6f1319.

📒 Files selected for processing (1)

• manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml

---

Walkthrough

Two Azure permissions are added to the CredentialsRequest manifest file for the cloud-controller-manager-operator. The additions extend the spec.providerSpec.permissions list with Microsoft.Network/loadBalancers/delete and Microsoft.Network/privatelinkservices/privateEndpointConnections/delete capabilities.

Changes

Cohort / File(s)	Summary
Azure CredentialsRequest Permissions manifests/0000_26_cloud-controller-manager-operator_14_credentialsrequest-azure.yaml	Added two Azure permissions: Microsoft.Network/loadBalancers/delete and Microsoft.Network/privatelinkservices/privateEndpointConnections/delete to the spec.providerSpec.permissions list.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[RadekManak]

/jira refresh

[openshift-ci-robot]

@RadekManak: This pull request references Jira Issue OCPBUGS-78118, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.22.0) matches configured target version for branch (4.22.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @sunzhaohua2

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[nrb]

/lgtm
/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nrb

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [nrb]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[sunzhaohua2]

/verified by @sunzhaohua2

I can reproduce in sts cluster when deleting svc, ccm log

	RESPONSE 403: 403 Forbidden
	ERROR CODE: AuthorizationFailed
	--------------------------------------------------------------------------------
	{
	  "error": {
	    "code": "AuthorizationFailed",
	    "message": "The client '3d720e3c-8f13-4695-a5a0-e981de4251ca' with object id '2b1fdda4-6bef-44db-a4ef-2808eb47dde4' does not have authorization to perform action 'Microsoft.Network/privateLinkServices/privateEndpointConnections/delete' over scope '/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/ci-op-wxcijc0p-e5fc3/providers/Microsoft.Network/privateLinkServices/test-pls-verification/privateEndpointConnections/test.d8362cdf-2bb2-41bd-84b0-bf3acfac16bc' or the scope is invalid. If access was recently granted, please refresh your credentials."
	  }
	}

verify step

• Make sure CredentialsRequest contains new permissions
• Add same permissions to customer role ci-op-wxcijc0p-e5fc3-openshift-cloud-controller-manager-azure-cloud-credentials.
• Create svc with annotation

  annotations:
    service.beta.kubernetes.io/azure-pls-create: "true"
    service.beta.kubernetes.io/azure-pls-name: "test-pls-verify"
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"

• Create Private Endpoint
• Delete Service and Check CCM Logs, service should be deleted successfully and logs no AuthorizationFailed error

[openshift-ci-robot]

@sunzhaohua2: This PR has been marked as verified by @sunzhaohua2.

Details

In response to this:

/verified by @sunzhaohua2

I can reproduce in sts cluster when deleting svc, ccm log

  RESPONSE 403: 403 Forbidden
  ERROR CODE: AuthorizationFailed
  --------------------------------------------------------------------------------
  {
    "error": {
      "code": "AuthorizationFailed",
      "message": "The client '3d720e3c-8f13-4695-a5a0-e981de4251ca' with object id '2b1fdda4-6bef-44db-a4ef-2808eb47dde4' does not have authorization to perform action 'Microsoft.Network/privateLinkServices/privateEndpointConnections/delete' over scope '/subscriptions/53b8f551-f0fc-4bea-8cba-6d1fefd54c8a/resourceGroups/ci-op-wxcijc0p-e5fc3/providers/Microsoft.Network/privateLinkServices/test-pls-verification/privateEndpointConnections/test.d8362cdf-2bb2-41bd-84b0-bf3acfac16bc' or the scope is invalid. If access was recently granted, please refresh your credentials."
    }
  }

verify step

• Make sure CredentialsRequest contains new permissions
• Add same permissions to customer role ci-op-wxcijc0p-e5fc3-openshift-cloud-controller-manager-azure-cloud-credentials.
• Create svc with annotation

 annotations:
   service.beta.kubernetes.io/azure-pls-create: "true"
   service.beta.kubernetes.io/azure-pls-name: "test-pls-verify"
   service.beta.kubernetes.io/azure-load-balancer-internal: "true"

• Create Private Endpoint
• Delete Service and Check CCM Logs, service should be deleted successfully and logs no AuthorizationFailed error

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[sunzhaohua2]

/test e2e-aws-ovn

[openshift-ci]

@RadekManak: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@RadekManak: Jira Issue Verification Checks: Jira Issue OCPBUGS-78118
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-78118 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in accepted release 4.22.0-0.nightly-2026-04-01-092906

[RadekManak]

/cherry-pick release-4.21

[openshift-cherrypick-robot]

@RadekManak: new pull request created: #441

Details

In response to this:

/cherry-pick release-4.21

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.