원클릭으로
kickstart-handoff
Pre-deploy check playbook — verify cluster, ACR, permissions, and tooling before deployment.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Pre-deploy check playbook — verify cluster, ACR, permissions, and tooling before deployment.
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
ACR integration for AKS Automatic. Teaches attaching an ACR, image reference conventions (digest pinning, no :latest), and pull-secret-free authentication via the managed identity.
Writing idiomatic, safe, and reviewable Bicep templates for Azure resources.
Non-blocking cluster status peek — run at the end of Phases 3, 4, 5 to check AKS provisioning progress without hanging.
Voice, tone, and interaction patterns for Kickstart agents.
Configure Infrastructure phase playbook — launch the dedicated Kickstart cluster-setup view, which collects and creates the Azure resources (subscription, resource group, AKS Automatic cluster, ACR) and hands the results back to the chat.
Deploy phase playbook — build, push, apply with Azure CLI and kubectl.
| name | kickstart-handoff |
| description | Pre-deploy check playbook — verify cluster, ACR, permissions, and tooling before deployment. |
| disable-model-invocation | true |
Ensure cluster, ACR, permissions, and tooling are all ready before deploying. Follow this strict order.
If already confirmed ready in a prior status check, skip. Otherwise:
az aks show --name <cluster> --resource-group <rg> --subscription <sub> --query "provisioningState" --output tsv
az aks wait --name <cluster> --resource-group <rg> --subscription <sub> --created --interval 30 --timeout 600vscode_askQuestions.Record cluster properties to gate subsequent checks:
az aks show --name <cluster> --resource-group <rg> --subscription <sub> --query "{sku:sku.tier, azureRbac:aadProfile.enableAzureRBAC, localAccountsDisabled:disableLocalAccounts}" --output json
For existing clusters, use these flags to determine behavior. For new AKS Automatic clusters expect sku=Automatic, azureRbac=true, localAccountsDisabled=true.
First, check whether the registry is already attached — when the cluster was created through the Kickstart cluster-setup view, it already granted the cluster's kubelet identity AcrPull on the registry, so this step is usually a no-op:
KUBELET_ID=$(az aks show --name <cluster> --resource-group <rg> --subscription <sub> --query "identityProfile.kubeletidentity.objectId" --output tsv)
az role assignment list --assignee "$KUBELET_ID" --role "AcrPull" --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr>" --query "[].id" --output tsv
If that prints a role-assignment id, the registry is already attached — report "✓ Registry already attached" and skip to 6d. Otherwise attach it now.
Do NOT assume the user is Owner. az aks update --attach-acr requires Owner/Account Admin/Co-Admin on the subscription. Try approaches in order:
az aks update --name <cluster> --resource-group <rg> --attach-acr <acr> --subscription <sub>$KUBELET_ID from the check above):
az role assignment create --assignee "$KUBELET_ID" --role "AcrPull" --scope "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.ContainerRegistry/registries/<acr>"
roleAssignments/write), follow /kickstart-pim-activation to check for PIM-eligible roles and guide activation. If none eligible, print an admin hand-off block with the exact az role assignment create command.AKS Automatic disables local accounts.
which kubelogin
If missing: az aks install-cli. If that fails: brew install Azure/kubelogin/kubelogin or https://github.com/Azure/kubelogin/releases.
Never use az aks get-credentials --admin (will fail). Never suggest az aks command invoke (same user identity, same Forbidden error).
Invoke the bundled VS Code command aks.checkDeploymentPermissions via vscode/runCommand. It runs all five remaining permission gates against the Azure ARM API (no kubectl / az acr build round-trip) and returns a self-contained markdown report you can render directly in chat.
Args:
{
"subscriptionId": "<sub>",
"resourceGroup": "<rg>",
"clusterName": "<cluster>",
"acrName": "<acr>"
}
Returns:
{
cancelled: boolean,
allPassed?: boolean,
scope?: { clusterScopeId, acrScopeId? },
probes?: Array<{ id, label, status: "pass" | "fail" | "unknown", reason, recommendedRoles?, remediation? }>,
markdown: string // render verbatim
}
Probes performed:
| ID | Gate | Required role on fail |
|---|---|---|
cluster-user | 6e — can download kubeconfig (listClusterUserCredential) | Azure Kubernetes Service Cluster User Role |
aks-dataplane-write | 6f — can create K8s workloads on the cluster | Azure Kubernetes Service RBAC Writer |
acr-push | 6g — user can push images to the ACR | AcrPush |
acr-tasks | 6g — user can run az acr build server-side | Container Registry Tasks Contributor |
acr-pull-kubelet | Cluster's kubelet identity can pull from the ACR | AcrPull |
How to use the result:
allPassed === true: render markdown and proceed to Confirm.remediation is a ready-to-run az role assignment create command. Offer to run it.az role assignment create then returns 403 (user lacks Microsoft.Authorization/roleAssignments/write), follow /kickstart-pim-activation — that skill calls aks.checkRoleAssignmentPermissions to surface PIM-eligible roles or generate an admin hand-off block.acrName is omitted (no ACR in scope), the three ACR probes are skipped and the report says so.Fallback (only if the command is unavailable in this build): fall back to the manual probes —
az aks get-credentials --resource-group <rg> --name <cluster> --overwrite-existing
kubectl auth can-i get namespaces
kubectl auth can-i create deployments --namespace <namespace>
az acr build --registry <acr> --image kickstart-probe:probe --file /dev/null /dev/null 2>&1 | head -5
With the same remediation roles as listed in the table above.
Confirm readiness via vscode_askQuestions: "Yes, deploy" (recommended), "Review artifacts first", "Not yet".