I have created a cluster with an existing VNet and system identity enabled, and there's no error. After checking the VNet activity history, I saw that the AKS first-party service principal joined the cluster nodes to the VNet without using the system identity.
My question is: since it's joined already, do we still need to grant the system identity permissions on the VNet? The same goes for the public IP which is used as the load balancer outbound IP.
Thanks,
@feiyushi - Thanks for bringing this to our attention. We will investigate it further and update you shortly.
Apologies for the delay. Are you trying to bring your own control plane managed identity?
A custom control plane identity enables access to be granted to the existing identity prior to cluster creation. This enables scenarios such as using a custom VNET or outboundType of UDR with a managed identity.
Please let me know.
For creating and using your own VNet, static IP address, or attached Azure disk where the resources are outside of the worker node resource group, use the PrincipalID of the cluster System Assigned Managed Identity to perform a role assignment. For more information on role assignment, see Delegate access to other Azure resources.
If the custom VNet resides outside of the MC_ resource group, you must manually grant the needed permission to the system-assigned identity associated with the cluster. That's because the AKS resource provider can't grant any permission outside of the MC_ resource group.
It's not about bring-your-own control plane managed identity, but about the system-assigned identity.
As you mentioned, and as in the documentation, the principal ID of the cluster's system-assigned identity needs to be granted permission on the public IP or VNet if they are outside the MC_ resource group. And this is the part I don't quite understand. When creating the cluster, AKS had no problem accessing the VNet and/or public IP if they are outside the MC_ resource group, so why do I need to create a role assignment again AFTER the cluster is created?
@palma21 Can you please share your insights on the customer's question? Thanks. :)
I have created a cluster with an existing VNet and system identity enabled, and there's no error. After checking the VNet activity history, I saw that the AKS first-party service principal joined the cluster nodes to the VNet without using the system identity.
My question is: since it's joined already, do we still need to grant the system identity permissions on the VNet? The same goes for the public IP which is used as the load balancer outbound IP.
When creating the cluster, AKS had no problem accessing the VNet and/or public IP if they are outside the MC_ resource group, so why do I need to create a role assignment again AFTER the cluster is created?
Adding @TomGeske
Yes, you should still add it, for additional operations done by Kubernetes. The join was made by the AKS service itself, while the managed identity is used by Kubernetes.
What Kubernetes operations AFTER the cluster is created require the system identity to access/join the PIP/VNet, etc.?
If the part of the documentation describing creating the role assignment could be clearer, it would be great.
It depends on which networking plugin and which/how many resources you use in different RGs.
Generically: https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal#networking
E.g. when you scale or autoscale and need to read and join the subnet, or add more node pools. Or depending on whether you need k8s to manipulate RTs, etc.
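As an added example (not code from this thread, from the AKS docs or from the AKS team), the role assignments the earlier reply describes for a VNet, a static public IP and, for the UDR/route-table case mentioned just above, a route table, all living outside the MC_ resource group. Assumptions: the resources sit in a resource group `rg-network`, the role is `Network Contributor` on each scope, every resource name and the subscription/principal IDs are placeholders, and `DRY_RUN=1` (the default) prints the `az` commands instead of executing them so the script can be reviewed offline. The idempotency check via `az role assignment list` only runs when `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: grant the AKS cluster's system-assigned managed identity the
# role assignments it needs on networking resources outside the MC_ RG.
# Names below are placeholders; "Network Contributor" is assumed as the role
# for the subnet, the outbound public IP and the route table.
set -eu

DRY_RUN="${DRY_RUN:-1}"        # 1 = print the az commands, 0 = execute them

AKS_RG="${AKS_RG:-rg-aks}"
AKS_NAME="${AKS_NAME:-aks-demo}"
NET_RG="${NET_RG:-rg-network}"   # RG holding the VNet / PIP / route table
VNET_NAME="${VNET_NAME:-vnet-hub}"
SUBNET_NAME="${SUBNET_NAME:-snet-aks}"
PIP_NAME="${PIP_NAME:-pip-aks-egress}"
RT_NAME="${RT_NAME:-rt-aks}"
ROLE="${ROLE:-Network Contributor}"

# Every az call goes through here so the script can be dry-run offline.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'; printf ' %s' "$@"; printf '\n'
  else
    az "$@"
  fi
}

# Build the ARM resource ID of a resource in NET_RG.
# SUB_ID is assumed known (az account show --query id -o tsv when online);
# the all-zero GUID is a constructed placeholder for dry runs.
resource_id() {  # resource_id <provider/type> <name> [child-type/child-name]
  local sub="${SUB_ID:-00000000-0000-0000-0000-000000000000}"
  printf '/subscriptions/%s/resourceGroups/%s/providers/%s/%s%s' \
    "$sub" "$NET_RG" "$1" "$2" "${3:+/$3}"
}

# Create a role assignment for the cluster identity unless it already exists.
# The system-assigned identity is a service principal object in Azure AD.
ensure_assignment() {  # ensure_assignment <principalId> <scope>
  local principal="$1" scope="$2"
  if [ "$DRY_RUN" != "1" ] && \
     [ -n "$(az role assignment list --assignee "$principal" --scope "$scope" \
             --role "$ROLE" --query '[].id' -o tsv)" ]; then
    echo "already assigned: $ROLE on $scope" >&2
    return 0
  fi
  run_az role assignment create \
    --assignee-object-id "$principal" \
    --assignee-principal-type ServicePrincipal \
    --role "$ROLE" \
    --scope "$scope"
}

main() {
  local principal
  if [ "$DRY_RUN" = "1" ]; then
    principal="11111111-1111-1111-1111-111111111111"   # constructed sample ID
  else
    # PrincipalID of the cluster's system-assigned managed identity.
    principal="$(az aks show -g "$AKS_RG" -n "$AKS_NAME" \
                  --query identity.principalId -o tsv)"
  fi
  # Subnet scope is enough for node join on scale-out / new node pools;
  # use the VNet ID instead if you prefer a single wider assignment.
  ensure_assignment "$principal" \
    "$(resource_id Microsoft.Network/virtualNetworks "$VNET_NAME" "subnets/$SUBNET_NAME")"
  # Outbound public IP used by the load balancer.
  ensure_assignment "$principal" \
    "$(resource_id Microsoft.Network/publicIPAddresses "$PIP_NAME")"
  # Route table, only needed when k8s must manage routes (e.g. outboundType UDR).
  ensure_assignment "$principal" \
    "$(resource_id Microsoft.Network/routeTables "$RT_NAME")"
}

main "$@"
```

Run it once with the defaults to see the three commands it would issue, then rerun with `DRY_RUN=0` and real values for `SUB_ID`, `AKS_RG`, `AKS_NAME`, `NET_RG` and the resource names. The check against `az role assignment list` is what makes a rerun safe, which matters because the assignment must be created after the cluster exists (the system-assigned identity does not exist before that).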
Thank you @palma21. I have no more questions. You may leave the issue open for documentation improvement or close it.