ワンクリックで
kickstart-handoff
Pre-deploy check playbook — verify cluster, ACR, permissions, and tooling before deployment.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
Pre-deploy check playbook — verify cluster, ACR, permissions, and tooling before deployment.
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
ACR integration for AKS Automatic. Teaches attaching an ACR, image reference conventions (digest pinning, no :latest), and pull-secret-free authentication via the managed identity.
Writing idiomatic, safe, and reviewable Bicep templates for Azure resources.
Non-blocking cluster status peek — run at the end of Phases 3, 4, 5 to check AKS provisioning progress without hanging.
Voice, tone, and interaction patterns for Kickstart agents.
Configure Infrastructure phase playbook — launch the dedicated Kickstart cluster-setup view, which collects and creates the Azure resources (subscription, resource group, AKS Automatic cluster, ACR) and hands the results back to the chat.
Deploy phase playbook — build, push, apply with Azure CLI and kubectl.
| name | kickstart-handoff |
| description | Pre-deploy check playbook — verify cluster, ACR, permissions, and tooling before deployment. |
| disable-model-invocation | true |
Ensure cluster, ACR, permissions, and tooling are all ready before deploying. Follow this strict order.
If already confirmed ready in a prior status check, skip. Otherwise:
az aks show --name <cluster> --resource-group <rg> --subscription <sub> --query "provisioningState" --output tsv
az aks wait --name <cluster> --resource-group <rg> --subscription <sub> --created --interval 30 --timeout 600vscode_askQuestions.Record cluster properties to gate subsequent checks:
az aks show --name <cluster> --resource-group <rg> --subscription <sub> --query "{sku:sku.tier, azureRbac:aadProfile.enableAzureRBAC, localAccountsDisabled:disableLocalAccounts}" --output json
For existing clusters, use these flags to determine behavior. For new AKS Automatic clusters expect sku=Automatic, azureRbac=true, localAccountsDisabled=true.
First, check whether the registry is already attached — when the cluster was created through the Kickstart cluster-setup view, it already granted the cluster's kubelet identity AcrPull on the registry, so this step is usually a no-op:
KUBELET_ID=$(az aks show --name <cluster> --resource-group <rg> --subscription <sub> --query "identityProfile.kubeletidentity.objectId" --output tsv)
az role assignment list --assignee "$KUBELET_ID" --role "AcrPull" --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr>" --query "[].id" --output tsv
If that prints a role-assignment id, the registry is already attached — report "✓ Registry already attached" and skip to 6d. Otherwise attach it now.
Do NOT assume the user is Owner. az aks update --attach-acr requires Owner/Account Admin/Co-Admin on the subscription. Try approaches in order:
az aks update --name <cluster> --resource-group <rg> --attach-acr <acr> --subscription <sub>$KUBELET_ID from the check above):
az role assignment create --assignee "$KUBELET_ID" --role "AcrPull" --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr>"
roleAssignments/write), follow /kickstart-pim-activation to check for PIM-eligible roles and guide activation. If none eligible, print an admin hand-off block with the exact az role assignment create command.AKS Automatic disables local accounts.
which kubelogin
If missing: az aks install-cli. If that fails: brew install Azure/kubelogin/kubelogin or https://github.com/Azure/kubelogin/releases.
Never use az aks get-credentials --admin (will fail). Never suggest az aks command invoke (same user identity, same Forbidden error).
Invoke the bundled VS Code command aks.checkDeploymentPermissions via vscode/runCommand. It runs all five remaining permission gates against the Azure ARM API (no kubectl / az acr build round-trip) and returns a self-contained markdown report you can render directly in chat.
Args:
{
"subscriptionId": "<sub>",
"resourceGroup": "<rg>",
"clusterName": "<cluster>",
"acrName": "<acr>"
}
Returns:
{
cancelled: boolean,
allPassed?: boolean,
scope?: { clusterScopeId, acrScopeId? },
probes?: Array<{ id, label, status: "pass" | "fail" | "unknown", reason, recommendedRoles?, remediation? }>,
markdown: string // render verbatim
}
Probes performed:
| ID | Gate | Required role on fail |
|---|---|---|
cluster-user | 6e — can download kubeconfig (listClusterUserCredential) | Azure Kubernetes Service Cluster User Role |
aks-dataplane-write | 6f — can create K8s workloads on the cluster | Azure Kubernetes Service RBAC Writer |
acr-push | 6g — user can push images to the ACR | AcrPush |
acr-tasks | 6g — user can run az acr build server-side | Container Registry Tasks Contributor |
acr-pull-kubelet | Cluster's kubelet identity can pull from the ACR | AcrPull |
How to use the result:
allPassed === true: render markdown and proceed to Confirm.remediation is a ready-to-run az role assignment create command. Offer to run it.az role assignment create then returns 403 (user lacks Microsoft.Authorization/roleAssignments/write), follow /kickstart-pim-activation — that skill calls aks.checkRoleAssignmentPermissions to surface PIM-eligible roles or generate an admin hand-off block.acrName is omitted (no ACR in scope), the three ACR probes are skipped and the report says so.Fallback (only if the command is unavailable in this build): fall back to the manual probes —
az aks get-credentials --resource-group <rg> --name <cluster> --overwrite-existing
kubectl auth can-i get namespaces
kubectl auth can-i create deployments --namespace <namespace>
az acr build --registry <acr> --image kickstart-probe:probe --file /dev/null /dev/null 2>&1 | head -5
With the same remediation roles as listed in the table above.
Confirm readiness via vscode_askQuestions: "Yes, deploy" (recommended), "Review artifacts first", "Not yet".